add decryption of vault

Author: nsnguyen

.gitignore

@@ -12,4 +12,4 @@ phpstan.tests.neon
 phpunit.xml
 vendor
 
-index.php
+.vscode

composer.json

@@ -1,5 +1,39 @@
 {
+    "name": "dotenv-org/phpdotenv-vault",
+    "description": "Loads environment variables from `.env` or `.env.vault`",
+    "keywords": [
+        "env",
+        "dotenv",
+        "environment",
+        "environment variables",
+        "dotenv-vault",
+        "configurations"
+    ],
+    "license": "BSD-3-Clause",
+    "autoload": {
+        "psr-4": {
+            "PhpdotenvVault\\": "src/"
+        }
+    },
+    "authors": [
+        {
+            "name": "dotenv",
+            "email": "[email protected]",
+            "homepage": "https://github.com/dotenv-org"
+        }
+    ],
     "require": {
+        "php": "^7.1.3 || ^8.0",
         "vlucas/phpdotenv": "^5.5"
+    },
+    "extra": {
+        "laravel": {
+            "providers": [
+                "PhpdotenvVault\\PhpdotenvVaultServiceProvider"
+            ]
+        }
+    },
+    "require-dev": {
+        "orchestra/testbench": "^3.8"
     }
-}
+}

src/DotenvVault.php

@@ -2,25 +2,25 @@
 
 namespace DotenvVault;
 use Dotenv\Dotenv;
-use Dotenv\Exception\InvalidPathException;
 use Dotenv\Loader\Loader;
 use Dotenv\Loader\LoaderInterface;
 use Dotenv\Parser\Parser;
 use Dotenv\Parser\ParserInterface;
-use Dotenv\Repository\Adapter\ArrayAdapter;
-use Dotenv\Repository\Adapter\PutenvAdapter;
 use Dotenv\Repository\RepositoryBuilder;
 use Dotenv\Repository\RepositoryInterface;
 use Dotenv\Store\StoreBuilder;
 use Dotenv\Store\StoreInterface;
-use Dotenv\Store\StringStore;
+use Exception;
+
+class DotEnvVaultError extends Exception { }
 
 class DotEnvVault extends Dotenv
 {
     private $store;
     private $parser;
     private $loader;
     private $repository;
+    private $dotenv_key;
     public function __construct(
         StoreInterface $store,
         ParserInterface $parser,
@@ -32,22 +32,100 @@ public function __construct(
         $this->parser = $parser;
         $this->loader = $loader;
         $this->repository = $repository;
-        // parent::__construct($store, $parser, $loader, $repository);
+    }
+
+    public function load()
+    {
+        $this->dotenv_key = getenv("DOTENV_KEY");
+        if ($this->dotenv_key !== false){
+
+            $entries = $this->parser->parse($this->store->read());
+            $this->loader->load($this->repository, $entries);
+
+            $plaintext = $this->parse_vault();
 
+            // parsing plaintext and loading to $_ENV
+            $test_entries = $this->parser->parse($plaintext);
+            $this->loader->load($this->repository, $test_entries);
+        }
+        else {
+            $entries = $this->parser->parse($this->store->read());
+
+            var_dump($entries[0]->getName());
+            var_dump($entries[0]->getValue());
+
+            return $this->loader->load($this->repository, $entries);
+        }
     }
 
-    public function load_vault()
+    public function parse_vault()
     {
-        echo "\n====LOAD FUNCTION====\n";
-        $entries = $this->parser->parse($this->store->read());
+        $dotenv_keys = explode(',', $this->dotenv_key);
+        $keys = array();
+        foreach($dotenv_keys as $key)
+        {
+            // parse DOTENV_KEY, format is a URI.
+            $uri = parse_url(trim($key));
+
+            // get encrypted key
+            $pass = $uri['pass'];
+            
+            // Get environment from query params.
+            parse_str($uri['query'], $params);
+            $vault_environment = $params['environment'] or throw new DotEnvVaultError('INVALID_DOTENV_KEY: Missing environment part.');
 
-        return $this->loader->load($this->repository, $entries);
+            # Getting ciphertext from correct environment in .env.vault
+            $vault_environment = strtoupper($vault_environment);
+            $environment_key = "DOTENV_VAULT_{$vault_environment}";
 
+            $ciphertext = $_ENV["{$environment_key}"] or throw new DotEnvVaultError("NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate environment {$environment_key} in your .env.vault file. Run 'npx dotenv-vault build' to include it.");
+            
+            array_push($keys, array('encrypted_key' => $pass, 'ciphertext' => $ciphertext));
+        }
+        return $this->key_rotation($keys);
     }
 
-    public static function createImmutable($paths, $names = null, bool $shortCircuit = true, string $fileEncoding = null)
+    private function key_rotation($keys){
+        $count = count($keys);
+        foreach($keys as $index=>$value) {
+            $decrypt = $this->decrypt($value['ciphertext'], $value['encrypted_key']);
+
+            if ($decrypt == false && $index + 1 >= $count){
+                throw new DotEnvVaultError('INVALID_DOTENV_KEY: Key must be valid.');
+            }
+            elseif($decrypt == false){
+                continue;
+            }
+            else{
+                return $decrypt;
+            }
+        }
+    }
+
+    private function decrypt($data, $secret)
     {
-        
+        $secret = hex2bin(substr($secret, 4, strlen($secret)));         
+        $data = base64_decode($data, true);
+        $nonce = substr($data, 0, 12);
+        $tag = substr($data, -16);
+        $ciphertext = substr($data, 12, -16);
+    
+        try {
+            return openssl_decrypt(
+                $ciphertext,
+                'aes-256-gcm',
+                $secret,
+                OPENSSL_RAW_DATA,
+                $nonce,
+                $tag
+            );
+        } catch (Exception $e) {
+            return false;
+        }
+    }
+
+    public static function createImmutable($paths, $names = null, bool $shortCircuit = true, string $fileEncoding = null)
+    {  
         $repository = RepositoryBuilder::createWithDefaultAdapters()->immutable()->make();
 
         return self::create($repository, $paths, $names, $shortCircuit, $fileEncoding);