Merge pull request #53 from keboola/roman-pst-2436

PST-2436: Ignore secret version when retrieving secrets from AKV

.github/workflows/push.yml

@@ -4,7 +4,7 @@ concurrency: ci
 
 env:
   TEST_TENANT_ID: 9b85ee6f-4fb0-4a46-8cb7-4dcc6b262a89
-  TEST_CLIENT_ID: 3a4162fa-43d4-4de7-a8c1-be3bc7765a8c
+  TEST_CLIENT_ID: bbd79ac8-74a2-4853-8c8c-99af4c614492
   TEST_CLIENT_SECRET: ${{ secrets.TEST_CLIENT_SECRET }}
   TEST_KEY_VAULT_URL: https://ci-object-encryptor.vault.azure.net/
   TEST_AWS_REGION: eu-central-1
@@ -29,7 +29,7 @@ jobs:
       - name: Build image
         run: |
           docker login --username "$DOCKERHUB_USER" --password "$DOCKERHUB_TOKEN"
-          docker-compose build
+          docker compose build
       - name: Run tests
         run: |          
-          docker-compose run ci
+          docker compose run ci

README.md

@@ -74,7 +74,7 @@ Prerequisites:
   * installed AWS CLI `aws` (and run `aws configure --profile YOUR_AWS_PROFILE_NAME`)
   * installed GCP CLI `gcloud` (and run `gcloud auth login` or `gcloud auth application-default login`)
 * installed `terraform` (https://www.terraform.io) and `jq` (https://stedolan.github.io/jq) to setup local env
-* installed `docker` and `docker-compose` to run & develop the app
+* installed `docker` to run & develop the app
 
 ```bash
 export NAME_PREFIX= # your name/nickname to make your resource unique & recognizable
@@ -88,7 +88,7 @@ terraform -chdir=./provisioning/local init -backend-config="key=object-encryptor
 terraform -chdir=./provisioning/local apply
 ./provisioning/local/update-env.sh aws # or azure or gcp
 
-docker-compose run --rm tests
+docker compose run --rm tests
 ```
 
 ## License

docker-compose.yml

@@ -1,4 +1,3 @@
-version: "3"
 services:
   # for development purposes
   tests: &tests

phpstan.neon

@@ -1,8 +1,10 @@
 parameters:
     level: max
-    checkMissingIterableValueType: false
     paths:
         - src
         - tests
+    ignoreErrors:
+        -
+            identifier: missingType.iterableValue
 includes:
     - vendor/phpstan/phpstan-phpunit/extension.neon

src/Wrapper/GenericAKVWrapper.php

@@ -150,10 +150,9 @@ public function decrypt(string $encryptedData): string
         }
         try {
             $decryptedContext = $this->getRetryProxy()->call(function () use ($encrypted) {
-                return $this->getClient()->getSecret(
-                    $encrypted[self::SECRET_NAME],
-                    $encrypted[self::SECRET_VERSION],
-                )->getValue();
+                return $this->getClient()
+                    ->getSecret($encrypted[self::SECRET_NAME])
+                    ->getValue();
             });
             assert(is_string($decryptedContext));
             $decryptedContext = $this->decode($decryptedContext);

tests/GenericAKVWrapperTest.php

@@ -122,6 +122,27 @@ public function testEncryptEmptyValue(?string $secret): void
         self::assertEquals($secret, $wrapper->decrypt($encrypted));
     }
 
+    public function testIgnoreSecretVersionWhenRetrievingSecret(): void
+    {
+        $secret = 'mySecretValue';
+        $wrapper = $this->getWrapper();
+        $encrypted = $wrapper->encrypt($secret);
+
+        // decode the encrypted secret and manually change the version
+        $decoded = unserialize((string) gzuncompress(base64_decode($encrypted)));
+        $secretVersionIndex = 4; // = GenericAKVWrapper::SECRET_VERSION
+        /** @var array<int, string> $decoded */
+        $decoded[$secretVersionIndex] = bin2hex(random_bytes(16));
+
+        // encode back with the changed version
+        $encrypted = base64_encode((string) gzcompress(serialize($decoded)));
+
+        // decrypt should succeed regardless of changed version
+        $decrypted = $wrapper->decrypt($encrypted);
+
+        self::assertSame($secret, $decrypted);
+    }
+
     private function getMockWrapper(Client $mockClient): GenericAKVWrapper
     {
         $mockWrapper = $this->createPartialMock(GenericAKVWrapper::class, ['getClient']);