Improve secret manager provider robustness and consistency (#65)

yordadev · web-flow · commit 5910180baa9a · 2026-02-06T19:51:08.000-07:00
- Handle base64_decode returning false in AWS binary secret handling                                                                                                                                                                                                                      
- Add recursion depth limit to Vault addSecretsFromData for consistency with Azure and Google providers
- Add missing string type hint to SecretManager::getSecrets()
diff --git a/src/Clients/AwsSecretsManagerClient.php b/src/Clients/AwsSecretsManagerClient.php
@@ -73,7 +73,12 @@ public function getSecretValue(string $secretId): array
             $secretValue = $result->get('SecretString');
             if ($secretValue === null) {
                 $binaryData = $result->get('SecretBinary');
-                $secretValue = $binaryData !== null ? base64_decode($binaryData) : '';
+                if ($binaryData !== null) {
+                    $decoded = base64_decode($binaryData);
+                    $secretValue = $decoded !== false ? $decoded : '';
+                } else {
+                    $secretValue = '';
+                }
             }
 
             return [
diff --git a/src/SecretManager/Providers/Vault.php b/src/SecretManager/Providers/Vault.php
@@ -128,8 +128,12 @@ protected static function fetchSecretsRecursively(VaultClient $client, string $p
         }
     }
 
-    protected static function addSecretsFromData(Collection $collection, string $path, array $data): void
+    protected static function addSecretsFromData(Collection $collection, string $path, array $data, int $depth = 0): void
     {
+        if ($depth >= self::MAX_RECURSION_DEPTH) {
+            return;
+        }
+
         foreach ($data as $key => $value) {
             $secretPath = $path.'.'.$key;
 
@@ -139,7 +143,7 @@ protected static function addSecretsFromData(Collection $collection, string $pat
                 // Include numeric values as strings
                 $collection->push(new Secret($secretPath, (string) $value));
             } elseif (is_array($value)) {
-                self::addSecretsFromData($collection, $secretPath, $value);
+                self::addSecretsFromData($collection, $secretPath, $value, $depth + 1);
             }
             // Skip booleans and null values
         }
diff --git a/src/SecretManager/SecretManager.php b/src/SecretManager/SecretManager.php
@@ -8,7 +8,7 @@
 
 class SecretManager
 {
-    public static function getSecrets($provider): Collection
+    public static function getSecrets(string $provider): Collection
     {
         $providerKey = self::getProviderKey($provider);
 

Original file line number	Diff line number	Diff line change
`@@ -128,8 +128,12 @@ protected static function fetchSecretsRecursively(VaultClient $client, string $p`
`128`	`128`	`}`
`129`	`129`	`}`
`130`	`130`
`131`		`- protected static function addSecretsFromData(Collection $collection, string $path, array $data): void`
	`131`	`+ protected static function addSecretsFromData(Collection $collection, string $path, array $data, int $depth = 0): void`
`132`	`132`	`{`
	`133`	`+ if ($depth >= self::MAX_RECURSION_DEPTH) {`
	`134`	`+ return;`
	`135`	`+ }`
	`136`	`+`
`133`	`137`	`foreach ($data as $key => $value) {`
`134`	`138`	`$secretPath = $path.'.'.$key;`
`135`	`139`
`@@ -139,7 +143,7 @@ protected static function addSecretsFromData(Collection $collection, string $pat`
`139`	`143`	`// Include numeric values as strings`
`140`	`144`	`$collection->push(new Secret($secretPath, (string) $value));`
`141`	`145`	`} elseif (is_array($value)) {`
`142`		`- self::addSecretsFromData($collection, $secretPath, $value);`
	`146`	`+ self::addSecretsFromData($collection, $secretPath, $value, $depth + 1);`
`143`	`147`	`}`
`144`	`148`	`// Skip booleans and null values`
`145`	`149`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`
`9`	`9`	`class SecretManager`
`10`	`10`	`{`
`11`		`- public static function getSecrets($provider): Collection`
	`11`	`+ public static function getSecrets(string $provider): Collection`
`12`	`12`	`{`
`13`	`13`	`$providerKey = self::getProviderKey($provider);`
`14`	`14`