Categories
Miscellaneous PHP

Accessing a Vault in PHP

I admit it. I was “hacked”. It was not really a hack, it was my mistake not to notice that one of my deployment logs was accessible for everyone to read and – exceptionally for a specific test performed back then – revealing configuration data including a password to an AWS service. The leakage has been fixed and the password changed. So, you don’t need to search for it anymore 🙂

However, the incident was reason enough for me to further secure my applications and introduce a vault for secret information. As most of my applications are based on PHP, I tried to find some ready-to-use code (and found a few). But all these libraries and SDKs are very heavyweight, as they address many more use cases than just accessing a vault in order to fetch a secret read-only.

So I wrote a lightweight version of a PHP vault that not only accesses a Hashicorp Vault but also provides an abstract API so that my applications do not need to know what vault is being used or even where the secrets are stored.

So here is a code snippet that demonstrates how to use it with a Hashicorp Vault:

// Create configuration
$config = array(
	'type'   => 'hashicorp',
	'config' => array(
		'uri'      => 'https://127.0.0.1:8200/v1',
		'roleId'   => '<app-role-id>',
		'secretId' => '<secret-id>'
	)
);

// Create the vault instance
try {
	$vault = \Vault\VaultFactory::create($config);
} catch (\Vault\VaultException $e) {
	// Vault could not be created
}

With that vault, I can now access my secrets transparently within application code:

try {
	$mySecret = $vault->get('my/secret');
	$username = $mySecret->get('username');
	$password = $mySecret->get('password');
} catch (\Vault\VaultException $e) {
	// secret was not found
}

I can even abstract this further, so that the calling code does not know that a vault is involved:

$callback = new \Vault\CredentialsProvider($vault, 'my/secret');

try {
	$username = $callback->getUsername();
	$password = $callback->getPassword();
} catch (\Vault\VaultException $e) {
	// Secret cannot be retrieved or does not exist
}

I can now integrate this pattern in all my PHP projects without immediately putting the secrets in a Hashicorp vault. The framework already comes with vault implementations that are based on configuration files or objects.

All code is publicly available at GitHub for reuse. The documentation there gives more code examples on how to use other vaults, e.g. when you want to start slowly and only manage your secrets in a configuration file.
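
For orientation, this is what a read-only AppRole fetch involves at the HTTP level, written as an added example against Vault's HTTP API; it is not code from the library described above. The KV version 2 mount at `secret/`, the environment variable names and the helper names `vaultRequest` and `fetchSecret` are assumptions of this example. Credentials come from the environment and error messages carry no secret material, so a published log cannot leak them.

```php
<?php
// Added example (not the library's code): AppRole login plus one read-only
// KV read over Vault's HTTP API, using only ext-curl. Assumed: KV version 2
// at "secret/"; env names VAULT_ROLE_ID / VAULT_SECRET_ID are chosen here.

function vaultRequest(string $method, string $url, ?array $body = null, ?string $token = null): array
{
    $headers = ['Accept: application/json'];
    if ($token !== null) {
        $headers[] = 'X-Vault-Token: ' . $token;
    }
    $opts = [
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true, // keep TLS verification on; trust a
        CURLOPT_SSL_VERIFYHOST => 2,    // private CA via CURLOPT_CAINFO instead
    ];
    if ($body !== null) {
        $headers[] = 'Content-Type: application/json';
        $opts[CURLOPT_POSTFIELDS] = json_encode($body);
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts + [CURLOPT_HTTPHEADER => $headers]);
    $raw    = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($raw === false || $status < 200 || $status > 299) {
        // Message carries method and status only: no body, token or secret_id
        throw new RuntimeException("Vault $method failed (HTTP $status)");
    }
    return json_decode($raw, true) ?? [];
}

function fetchSecret(string $baseUri, string $path): array
{
    $roleId   = getenv('VAULT_ROLE_ID');
    $secretId = getenv('VAULT_SECRET_ID');
    if ($roleId === false || $secretId === false) {
        throw new RuntimeException('AppRole credentials missing from environment');
    }
    $login = vaultRequest('POST', "$baseUri/auth/approle/login",
        ['role_id' => $roleId, 'secret_id' => $secretId]);
    $token = $login['auth']['client_token'] ?? '';
    if ($token === '') {
        throw new RuntimeException('AppRole login returned no client token');
    }
    $res = vaultRequest('GET', "$baseUri/secret/data/$path", null, $token);
    return $res['data']['data'] ?? [];
}
```

Calling `fetchSecret('https://127.0.0.1:8200/v1', 'my/secret')` returns the secret's key/value pairs as an array, for example with the `username` and `password` keys used above.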

Categories
Linux Miscellaneous Shell

Using sendmail with a Relay Host

It is useful when Docker containers can send e-mail to you in case there is an error condition that needs attention. Here is how.

Install the sendmail package from your distribution and edit the file /etc/mail/sendmail.mc. Add this line to the end of it:

define(`SMART_HOST', `<dns-name-of-your-relay>')dnl

Done! Just restart sendmail:

/etc/init.d/sendmail stop
/etc/init.d/sendmail start
Categories
Miscellaneous

Long Time No See

A long time has passed since the last post on this blog. Not because I was lazy. It was merely because there were more important things to do than writing blog posts about things that most people can look up on the internet anyway.

However, the Open Source software projects were still going on. Updates were not so frequent, but they came once in a while. The current Corona pandemic now gives me some possibilities to finish things that have long been on my list. First and most important is to gain independence from hosting all my software on my own and maintaining the infrastructure for it. Still, some main parts will remain with me, such as build tools, issue tracking and automation.

However, I managed to host all my code now at GitHub. This task alone cost me about two weeks until each and every Subversion repository was migrated. I have been writing code now for more than 20 years. That’s why about 110 software projects piled up at my previous Subversion repository. Most of them are not public, only 26 can be accessed by everyone. But migrating all 110 physically took me 3 days. For another 10 days I was busy updating the CI/CD pipelines for the still active projects (around 50). And the last week passed with upgrading the Open Source projects to new software versions, documenting them, changing the workflows, upgrading build tools and writing CI/CD tools for these changes. Finally, I managed to bump up the versions of the major OSS projects – after 3 weeks of work. Most of them were API breaking. That’s why the major versions increased (check Maven Central for an overview).

You will find updates on them here in this blog – and you will see more updates coming soon. The main changes are:

  • Upgrading to Java 9: My Java projects will not support any older runtime environment.
  • Documentation moves to GitHub along with the code and the respective version. This is still going on. So this blog will become less important for documentation and the respective sections will be removed from the menu (but still be available).
  • Development workflow will follow the Gitflow workflow model now.

Feel free to contact me for any of the projects, the new or the old ones. For the moment, I wish you all the best and stay healthy!

Ralph

PS: Of course, I will try to blog more IT stuff and more frequently than before 🙂

Categories
Miscellaneous

Neolog Watchface for Pebble Time

This is the homepage of the Neolog Watchface for the Pebble Time watch. Actually it is my first watchface or even Pebble development. But as I am a proud owner of the Neolog watch and a Pebble Time, I didn’t want to miss the extraordinary design of my Neolog at the Pebble. So I simply wrote this watchface. Enjoy it!

Download the watchface

You can download the latest version 1.0 at Pebble’s AppStore.

Download the source code

The source code is available at my Subversion repository

Request a Change/Report a Bug

My Jira installation can be used to report bugs or request enhancements.

Categories
Miscellaneous

DIY Calendars 2015

Here they are, in time 🙂 The DIY calendars for 2015. Good planning…

Categories
Miscellaneous

Robots.txt Recommendation for WebSVN

You are using WebSVN on your server? Then I recommend having the following robots.txt in place:

User-agent: *
Disallow: /websvn/log.php
Disallow: /websvn/comp.php
Disallow: /websvn/blame.php
Disallow: /websvn/rss.php

The reason is that search engine robots could consume your server performance, especially when your Subversion repository contains larger files. But even if not: there is no reason why robots should index each and every diff between revisions. 🙂

Categories
Miscellaneous

Server Relocated

Hi all,

I relocated the server at the beginning of June. This results in a few outages of Jira and Subversion. SVN users especially should be aware that the SVN host is svn.ralph-schuster.eu now. Older SVN URLs will not work anymore.

Almost all services are already fully functioning. The remaining services will be back within a few days.

Thank you for your patience and sorry for the inconvenience.

Ralph

PS: All sites are available with HTTPS now (using a self-signed certificate).

Categories
Miscellaneous

DIY Calendars 2012

I am in time this year ;). The new DIY calendar is available – in English and German. Of course, the calendars differ from Ygor’s template in having week numbers on all templates.

I didn’t create a Windows executable that runs without any additional library. So you have to build the version yourself from scratch. The source code is available at my Subversion repository.

 

Categories
Miscellaneous

IceScrum Release 4

I was lucky to test IceScrum, a French project, within our company. The test went quite well until we migrated to the new Release 4. It seemed to be stable for a few hours. Then several users complained. They couldn’t log in anymore. As an administrator I found out that the common reason for this is them missing the Administrator role. By doing so, I could solve the problem.

However, several other problems stayed. Browsing projects wasn’t possible as well as browsing teams. Tasks could not be created anymore. 🙁

So here is my advice: Don’t upgrade yet to release 4. The release is an advance, definitely. But the bugs are too heavy to productively use it.

PS: Downgrading is a nightmare. Please, make a database backup before installing release 4. It will save you a lot of effort.

Categories
Miscellaneous

CSV/Excel Utility Package V2.2 released

This maintenance release has been awaited for quite a long time now. Due to some personal restrictions, I wasn’t able to publish it earlier. Version 2.2 doesn’t add any functionality but upgrades Apache’s POI library so that it can handle newer Excel versions.

You can download the new version here or visit the Homepage of the utility where you will find some examples on how to use it.