Add Vault component for secret storage

Author: JoshuaEstes

ROADMAP.md

@@ -121,6 +121,35 @@ This roadmap outlines planned libraries and updates for the Sons of PHP monorepo
     - Release notes highlight Symfony 7 support.
     - Implementation meets the Global DoD.
 
+### Epic: Introduce Vault Component
+**Description:** Provide secure secret storage with pluggable backends.
+
+- [ ] Add filesystem storage adapter.
+  - **Acceptance Criteria**
+    - All Global DoR items are satisfied before implementation begins.
+    - Filesystem adapter encrypts and retrieves secrets reliably.
+    - Implementation meets the Global DoD.
+- [ ] Add database storage adapter.
+  - **Acceptance Criteria**
+    - All Global DoR items are satisfied before implementation begins.
+    - Database adapter persists encrypted secrets.
+    - Implementation meets the Global DoD.
+- [ ] Add Redis storage adapter.
+  - **Acceptance Criteria**
+    - All Global DoR items are satisfied before implementation begins.
+    - Redis adapter stores encrypted secrets and respects expirations.
+    - Implementation meets the Global DoD.
+- [ ] Support key rotation and secret versioning.
+  - **Acceptance Criteria**
+    - All Global DoR items are satisfied before implementation begins.
+    - Secrets can be rotated without loss using new keys.
+    - Implementation meets the Global DoD.
+- [ ] Provide CLI tools for managing secrets.
+  - **Acceptance Criteria**
+    - All Global DoR items are satisfied before implementation begins.
+    - CLI allows setting, retrieving, and rotating secrets.
+    - Implementation meets the Global DoD.
+
 ## Suggestions
 
 - Automate dependency updates with a scheduled tool (e.g., Renovate or Dependabot).

composer.json

@@ -60,6 +60,7 @@
         "sonsofphp/pager-implementation": "0.3.x-dev",
         "sonsofphp/registry-implementation": "0.3.x-dev",
         "sonsofphp/state-machine-implementation": "0.3.x-dev",
+        "sonsofphp/vault-implementation": "0.3.x-dev",
         "sonsofphp/version-implementation": "0.3.x-dev"
     },
     "require": {
@@ -136,6 +137,7 @@
         "sonsofphp/registry-contract": "self.version",
         "sonsofphp/state-machine": "self.version",
         "sonsofphp/state-machine-contract": "self.version",
+        "sonsofphp/vault": "self.version",
         "sonsofphp/version": "self.version",
         "sonsofphp/version-contract": "self.version"
     },
@@ -172,7 +174,8 @@
             "src/SonsOfPHP/Bridge/Doctrine/DBAL/Pager/Tests",
             "src/SonsOfPHP/Bridge/Doctrine/ORM/Pager/Tests",
             "src/SonsOfPHP/Component/Version/Tests",
-            "src/SonsOfPHP/Component/Registry/Tests"
+            "src/SonsOfPHP/Component/Registry/Tests",
+            "src/SonsOfPHP/Component/Vault/Tests"
         ],
         "psr-4": {
             "SonsOfPHP\\Bard\\": "src/SonsOfPHP/Bard/src",
@@ -206,6 +209,7 @@
             "SonsOfPHP\\Component\\Pager\\": "src/SonsOfPHP/Component/Pager",
             "SonsOfPHP\\Component\\Registry\\": "src/SonsOfPHP/Component/Registry",
             "SonsOfPHP\\Component\\StateMachine\\": "src/SonsOfPHP/Component/StateMachine",
+            "SonsOfPHP\\Component\\Vault\\": "src/SonsOfPHP/Component/Vault",
             "SonsOfPHP\\Component\\Version\\": "src/SonsOfPHP/Component/Version",
             "SonsOfPHP\\Contract\\Common\\": "src/SonsOfPHP/Contract/Common",
             "SonsOfPHP\\Contract\\Cookie\\": "src/SonsOfPHP/Contract/Cookie",

docs/SUMMARY.md

@@ -74,6 +74,7 @@
   * [Adapters](components/pager/adapters.md)
 * [Registry](components/registry.md)
 * [State Machine](components/state-machine.md)
+* [Vault](components/vault.md)
 * [Version](components/version.md)
 
 ## 💁 Contributing

docs/components/vault.md

@@ -0,0 +1,15 @@
+# Vault
+
+The Vault component securely stores secrets using pluggable storage backends and encryption.
+
+## Basic Usage
+
+```php
+use SonsOfPHP\Component\Vault\Cipher\OpenSSLCipher;
+use SonsOfPHP\Component\Vault\Storage\InMemoryStorage;
+use SonsOfPHP\Component\Vault\Vault;
+
+$vault = new Vault(new InMemoryStorage(), new OpenSSLCipher(), 'encryption-key');
+$vault->set('db_password', 'secret');
+$secret = $vault->get('db_password');
+```

src/SonsOfPHP/Component/Vault/AGENTS.md

@@ -0,0 +1,14 @@
+# Agents Guide for Package: src/SonsOfPHP/Component/Vault
+
+## Scope
+
+- Source: `src/SonsOfPHP/Component/Vault`
+- Tests: `src/SonsOfPHP/Component/Vault/Tests`
+- Do not edit: any `vendor/` directories
+
+## Workflows
+
+- Install once at repo root: `make install`
+- Test this package only: `PHPUNIT_OPTIONS='src/SonsOfPHP/Component/Vault/Tests' make test`
+- Style and static analysis: `make php-cs-fixer` and `make psalm`
+- Upgrade code (may modify files): `make upgrade-code`

src/SonsOfPHP/Component/Vault/Cipher/CipherInterface.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Cipher;
+
+/**
+ * Defines methods for encrypting and decrypting secrets.
+ */
+interface CipherInterface
+{
+    /**
+     * Encrypts plaintext using the provided key.
+     */
+    public function encrypt(string $plaintext, string $key): string;
+
+    /**
+     * Decrypts ciphertext using the provided key.
+     */
+    public function decrypt(string $ciphertext, string $key): string;
+}

src/SonsOfPHP/Component/Vault/Cipher/OpenSSLCipher.php

@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SonsOfPHP\Component\Vault\Cipher;
+
+use RuntimeException;
+
+/**
+ * Encrypts and decrypts secrets using OpenSSL.
+ */
+class OpenSSLCipher implements CipherInterface
+{
+    public function __construct(private readonly string $cipherMethod = 'aes-256-ctr')
+    {
+    }
+
+    public function encrypt(string $plaintext, string $key): string
+    {
+        $ivLength = openssl_cipher_iv_length($this->cipherMethod);
+        $iv       = random_bytes($ivLength);
+        $encrypted = openssl_encrypt($plaintext, $this->cipherMethod, $key, OPENSSL_RAW_DATA, $iv);
+        if (false === $encrypted) {
+            throw new RuntimeException('Unable to encrypt secret.');
+        }
+
+        return base64_encode($iv . $encrypted);
+    }
+
+    public function decrypt(string $ciphertext, string $key): string
+    {
+        $data     = base64_decode($ciphertext, true);
+        $ivLength = openssl_cipher_iv_length($this->cipherMethod);
+        $iv       = substr($data, 0, $ivLength);
+        $payload  = substr($data, $ivLength);
+        $decrypted = openssl_decrypt($payload, $this->cipherMethod, $key, OPENSSL_RAW_DATA, $iv);
+        if (false === $decrypted) {
+            throw new RuntimeException('Unable to decrypt secret.');
+        }
+
+        return $decrypted;
+    }
+}

src/SonsOfPHP/Component/Vault/LICENSE

@@ -0,0 +1,19 @@
+Copyright 2022 to Present Joshua Estes
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

src/SonsOfPHP/Component/Vault/README.md

@@ -0,0 +1,16 @@
+Sons of PHP - Vault
+===================
+
+## Learn More
+
+* [Documentation][docs]
+* [Contributing][contributing]
+* [Report Issues][issues] and [Submit Pull Requests][pull-requests] in the [Mother Repository][mother-repo]
+* Get Help & Support using [Discussions][discussions]
+
+[discussions]: https://github.com/orgs/SonsOfPHP/discussions
+[mother-repo]: https://github.com/SonsOfPHP/sonsofphp
+[contributing]: https://docs.sonsofphp.com/contributing/
+[docs]: https://docs.sonsofphp.com/components/vault/
+[issues]: https://github.com/SonsOfPHP/sonsofphp/issues?q=is%3Aopen+is%3Aissue+label%3AVault
+[pull-requests]: https://github.com/SonsOfPHP/sonsofphp/pulls?q=is%3Aopen+is%3Apr+label%3AVault

src/SonsOfPHP/Component/Vault/ROADMAP.md

@@ -0,0 +1,38 @@
+# Vault Component Roadmap
+
+## Upcoming Features
+
+### Add filesystem storage adapter
+- [ ] Implementation uses encrypted files to persist secrets.
+- **Acceptance Criteria**
+  - All Global DoR items are satisfied before implementation begins.
+  - Filesystem adapter securely reads and writes secrets.
+  - Implementation meets the Global DoD.
+
+### Add database storage adapter
+- [ ] Store secrets in a relational database using PDO.
+- **Acceptance Criteria**
+  - All Global DoR items are satisfied before implementation begins.
+  - Secrets are encrypted before storage.
+  - Implementation meets the Global DoD.
+
+### Add Redis storage adapter
+- [ ] Store secrets in Redis for fast access.
+- **Acceptance Criteria**
+  - All Global DoR items are satisfied before implementation begins.
+  - Redis adapter encrypts secrets and handles expirations.
+  - Implementation meets the Global DoD.
+
+### Support key rotation and secret versioning
+- [ ] Provide APIs to rotate encryption keys and maintain secret history.
+- **Acceptance Criteria**
+  - All Global DoR items are satisfied before implementation begins.
+  - Secrets can be re-encrypted with new keys without loss.
+  - Implementation meets the Global DoD.
+
+### Provide CLI tools for managing secrets
+- [ ] Expose commands to set, get, and rotate secrets.
+- **Acceptance Criteria**
+  - All Global DoR items are satisfied before implementation begins.
+  - CLI allows basic secret management tasks.
+  - Implementation meets the Global DoD.