From 68c5cc34c97069f4364776ae49a16545095fa562 Mon Sep 17 00:00:00 2001 From: Lennart Dohmann Date: Thu, 24 Aug 2023 18:27:06 +0200 Subject: [PATCH 1/6] Include ResourceOwnerPasswordAuthenticator for SDK #289 --- php/src/vaas/Message/Error.php | 2 +- .../ResourceOwnerPasswordAuthenticator.php | 46 +++++++++++++++++++ php/src/vaas/composer.json | 3 +- php/tests/vaas/VaasTest.php | 30 ++++++++++++ php/tests/vaas/composer.json | 3 +- 5 files changed, 81 insertions(+), 3 deletions(-) create mode 100644 php/src/vaas/ResourceOwnerPasswordAuthenticator.php diff --git a/php/src/vaas/Message/Error.php b/php/src/vaas/Message/Error.php index c169cc1c..c94c33be 100644 --- a/php/src/vaas/Message/Error.php +++ b/php/src/vaas/Message/Error.php @@ -10,7 +10,7 @@ class Error public string $text; - public ProblemDetails $problem_details; + public ?ProblemDetails $problem_details; public Kind $kind; diff --git a/php/src/vaas/ResourceOwnerPasswordAuthenticator.php b/php/src/vaas/ResourceOwnerPasswordAuthenticator.php new file mode 100644 index 00000000..2c1089ed --- /dev/null +++ b/php/src/vaas/ResourceOwnerPasswordAuthenticator.php @@ -0,0 +1,46 @@ +clientId = $clientId; + $this->userName = $userName; + $this->password = $password; + $this->tokenEndpoint = $tokenEndpoint; + $this->verify = $verify; + } + + /** + * @throws VaasAuthenticationException + */ + public function getToken() { + $provider = new GenericProvider([ + 'clientId' => $this->clientId, + 'urlAuthorize' => $this->tokenEndpoint, + 'urlAccessToken' => $this->tokenEndpoint, + 'urlResourceOwnerDetails' => '', + 'verify' => $this->verify, + ]); + + try { + $accessToken = $provider->getAccessToken("password", [ + 'username' => $this->userName, + 'password' => $this->password + ]); + return $accessToken->getToken(); + } catch (IdentityProviderException $e) { + throw new VaasAuthenticationException($e->getMessage(), $e->getCode()); + } + } +} 
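Review bot: `$problem_details` is now nullable but still has no default, so it stays uninitialized rather than `null` until something assigns it. If the mapper that fills `Error` skips the key when the server omits it (not visible in this hunk), reading the property throws an `Error` for access before initialization. Declaring it as `public ?ProblemDetails $problem_details = null;` makes the absent case safe to read. The class body continues outside the hunk.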
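Review bot: `getToken()` converts only `IdentityProviderException`, so a transport failure or an unparsable token response from `getAccessToken()` can leave the method as another exception type even though the docblock promises `VaasAuthenticationException`. Either widen the catch or list the additional types in `@throws`; passing `$e` on as the previous exception, if `VaasAuthenticationException` accepts one, would also keep the original trace. Separately, the `'verify'` entry deserves a comment: as far as I recall, league/oauth2-client forwards `verify` to the HTTP client only when a `proxy` option is also set, so the flag is probably ignored here, and if it does take effect then `false` sends the user name and password over a connection whose certificate is not checked. The constructor signature and the top of the file are not visible on this page, so the default for `$verify` could not be checked.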
diff --git a/php/src/vaas/composer.json b/php/src/vaas/composer.json
index 706e4acf..a93d52b0 100644
--- a/php/src/vaas/composer.json
+++ b/php/src/vaas/composer.json
@@ -18,7 +18,8 @@
 "textalk/websocket": "^1.6 || ^1.5",
 "netresearch/jsonmapper": "^4.1",
 "guzzlehttp/guzzle": "^7",
- "psr/log": "^1.1 || ^2.0 || ^3.0"
+ "psr/log": "^1.1 || ^2.0 || ^3.0",
+ "league/oauth2-client": "^2.4.0"
 },
 "autoload": {
 "psr-4": {
diff --git a/php/tests/vaas/VaasTest.php b/php/tests/vaas/VaasTest.php
index e3c76c06..32d0c2b9 100644
--- a/php/tests/vaas/VaasTest.php
+++ b/php/tests/vaas/VaasTest.php
@@ -10,6 +10,7 @@
 use VaasSdk\Exceptions\TimeoutException;
 use VaasSdk\Exceptions\VaasAuthenticationException;
 use VaasSdk\Exceptions\VaasClientException;
+use VaasSdk\ResourceOwnerPasswordAuthenticator;
 use VaasSdk\Vaas;
 use Dotenv\Dotenv;
 use Monolog\Formatter\JsonFormatter;
@@ -46,6 +47,12 @@ public function setUp(): void
 if (getenv("TOKEN_URL") !== false) {
 $_ENV["TOKEN_URL"] = getenv("TOKEN_URL");
 }
+ if (getenv("USER_NAME") !== false) {
+ $_ENV["USER_NAME"] = getenv("USER_NAME");
+ }
+ if (getenv("PASSWORD") !== false) {
+ $_ENV["PASSWORD"] = getenv("PASSWORD");
+ }
 }
 private function _getDebugLogger(): LoggerInterface
@@ -78,6 +85,29 @@ private function getClientCredentialsGrantAuthenticator(): ClientCredentialsGran
 );
 }
+ private function getResourceOwnerPasswordAuthenticator(): ResourceOwnerPasswordAuthenticator
+ {
+ return new ResourceOwnerPasswordAuthenticator(
+ $_ENV['CLIENT_ID'],
+ $_ENV['USER_NAME'],
+ $_ENV["PASSWORD"],
+ $_ENV["TOKEN_ENDPOINT"]
+ );
+ }
+
+ public function testForSha256MaliciousSha256_WithResourceOwnerPasswordAuthenticator_GetsMaliciousResponse(): void
+ {
+ $uuid = $this->getUuid();
+
+ $vaas = new Vaas($_ENV["VAAS_URL"], $this->_getDebugLogger());
+ $vaas->Connect($this->getResourceOwnerPasswordAuthenticator()->getToken());
+ $verdict = $vaas->ForSha256(self::MALICIOUS_HASH, $uuid);
+
+ $this->assertEquals(Verdict::MALICIOUS, $verdict->Verdict);
+ $this->assertEquals($uuid, $verdict->Guid);
+ $this->assertEqualsIgnoringCase(self::MALICIOUS_HASH, $verdict->Sha256);
+ }
+
 public function testForConnectingWithInvalidToken_ThrowsVaasAccessDeniedException()
 {
 $this->expectException(VaasAuthenticationException::class);
diff --git a/php/tests/vaas/composer.json b/php/tests/vaas/composer.json
index c4f437c5..ea590a08 100644
--- a/php/tests/vaas/composer.json
+++ b/php/tests/vaas/composer.json
@@ -13,7 +13,8 @@
 "require": {
 "gdata/vaas": "999",
 "vlucas/phpdotenv": "^5.5",
- "monolog/monolog": "^3.3 || ^2.9"
+ "monolog/monolog": "^3.3 || ^2.9",
+ "league/oauth2-client": "^2.4.0"
 },
 "require-dev": {
 "phpunit/phpunit": "^9",
From d0fd7f436812d28f5e07ac47895ac9a43efcf214 Mon Sep 17 00:00:00 2001
From: Lennart Dohmann
Date: Fri, 25 Aug 2023 09:13:51 +0200
Subject: [PATCH 2/6] Add Vaas authentication examples
---
 .../VaasExample/AuthenticationExamples.php | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 php/examples/VaasExample/AuthenticationExamples.php
diff --git a/php/examples/VaasExample/AuthenticationExamples.php b/php/examples/VaasExample/AuthenticationExamples.php
new file mode 100644
index 00000000..7e2e02af
--- /dev/null
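Review bot: `getResourceOwnerPasswordAuthenticator()` reads four `$_ENV` keys without checking that they are set, so a run without the credentials fails with an undefined-index warning, and possibly a type error in the constructor, instead of a clear message. `TOKEN_ENDPOINT` in particular is not among the keys `setUp()` copies in this patch (it copies `TOKEN_URL`), so it resolves only if the `.env` file defines it. Consider skipping the test when a key is missing, e.g. `if (!isset($_ENV['USER_NAME'], $_ENV['PASSWORD'])) { $this->markTestSkipped('resource-owner credentials not configured'); }`. The same unguarded reads remain in the renamed versions of this helper in patches 3/6 and 6/6.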
+++ b/php/examples/VaasExample/AuthenticationExamples.php @@ -0,0 +1,50 @@ +Connect($authenticator->getToken()); +} catch (VaasAuthenticationException $e) { + fwrite(STDERR, "Authentication failed: " . $e->getMessage() . "\n"); + exit(1); +} + +// Get verdict for an eicar hash +try { + $vaasVerdict = $vaas->ForSha256("000005c43196142f01d615a67b7da8a53cb0172f8e9317a2ec9a0a39a1da6fe8"); +} catch (InvalidSha256Exception $e) { + fwrite(STDERR, "Invalid sha256: " . $e->getMessage() . "\n"); + exit(1); +} catch (TimeoutException $e) { + fwrite(STDERR, "Timeout: " . $e->getMessage() . "\n"); + exit(1); +} +fwrite(STDOUT, "Verdict for $vaasVerdict->Sha256 is $vaasVerdict->Verdict \n"); From c5e580502fc518381b1e22a39816e24600dd00b9 Mon Sep 17 00:00:00 2001 From: Lennart Dohmann Date: Fri, 25 Aug 2023 09:42:05 +0200 Subject: [PATCH 3/6] Adjust environment names for GitHub Actions --- php/tests/vaas/VaasTest.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/php/tests/vaas/VaasTest.php b/php/tests/vaas/VaasTest.php index 32d0c2b9..346b0f53 100644 --- a/php/tests/vaas/VaasTest.php +++ b/php/tests/vaas/VaasTest.php @@ -47,11 +47,11 @@ public function setUp(): void if (getenv("TOKEN_URL") !== false) { $_ENV["TOKEN_URL"] = getenv("TOKEN_URL"); } - if (getenv("USER_NAME") !== false) { - $_ENV["USER_NAME"] = getenv("USER_NAME"); + if (getenv("RO_USERNAME") !== false) { + $_ENV["RO_USERNAME"] = getenv("RO_USERNAME"); } - if (getenv("PASSWORD") !== false) { - $_ENV["PASSWORD"] = getenv("PASSWORD"); + if (getenv("RO_PASSWORD") !== false) { + $_ENV["RO_PASSWORD"] = getenv("RO_PASSWORD"); } } @@ -89,9 +89,9 @@ private function getResourceOwnerPasswordAuthenticator(): ResourceOwnerPasswordA { return new ResourceOwnerPasswordAuthenticator( $_ENV['CLIENT_ID'], - $_ENV['USER_NAME'], - $_ENV["PASSWORD"], - $_ENV["TOKEN_ENDPOINT"] + $_ENV['RO_USERNAME'], + $_ENV["RO_PASSWORD"], + $_ENV["TOKEN_URL"] ); } 
From dc0b3cd48a8c9995c6b03147d05945f9ca535fdb Mon Sep 17 00:00:00 2001
From: Lennart Dohmann
Date: Fri, 25 Aug 2023 09:52:04 +0200
Subject: [PATCH 4/6] Add dynamic environment variables for ResourceOwnerPasswordAuthenticator in PHP Actions
---
 .github/workflows/ci-php.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/ci-php.yaml b/.github/workflows/ci-php.yaml
index beb06b4e..68e1ed2a 100644
--- a/.github/workflows/ci-php.yaml
+++ b/.github/workflows/ci-php.yaml
@@ -29,6 +29,8 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
+ RO_USERNAME: ${{ secrets.CLIENT_ID }}
+ RO_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.RO_PASSWORD || secrets.STAGING_RO_PASSWORD }}
 jobs:
 build-php:
From 4ec671b84d05fae61e33ed7aee498cb530add4c3 Mon Sep 17 00:00:00 2001
From: Lennart Dohmann
Date: Fri, 25 Aug 2023 09:53:17 +0200
Subject: [PATCH 5/6] Changed name of environment variable
---
 .github/workflows/ci-php.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-php.yaml b/.github/workflows/ci-php.yaml
index 68e1ed2a..46ff84ae 100644
--- a/.github/workflows/ci-php.yaml
+++ b/.github/workflows/ci-php.yaml
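Review bot: `RO_PASSWORD` is added to the workflow-level `env:` block, which makes the secret available to every step of every job in this workflow, including third-party actions, rather than only to the step that runs the PHP tests. Moving the two new variables into an `env:` on the test step would limit exposure; the existing `CLIENT_SECRET` follows the same workflow-wide pattern, so this may be a deliberate convention. The same applies to `VAAS_PASSWORD` in the workflow hunks of patch 6/6. The user name is not switched between production and staging while the password is, which is worth a comment if the two environments really share the account name.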
@@ -29,7 +29,7 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
- RO_USERNAME: ${{ secrets.CLIENT_ID }}
+ RO_USERNAME: ${{ secrets.RO_USERNAME }}
 RO_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.RO_PASSWORD || secrets.STAGING_RO_PASSWORD }}
 jobs:
From 743b054ea51456278ef5bd2316ead72de91564b4 Mon Sep 17 00:00:00 2001
From: Lennart Dohmann
Date: Fri, 25 Aug 2023 10:43:27 +0200
Subject: [PATCH 6/6] Set environments for all workflows for new authentication tests
---
 .github/workflows/ci-dotnet.yaml | 3 +++
 .github/workflows/ci-golang.yaml | 3 +++
 .github/workflows/ci-java-legacy.yaml | 3 +++
 .github/workflows/ci-java.yaml | 3 +++
 .github/workflows/ci-php.yaml | 5 +++--
 .github/workflows/ci-python.yaml | 3 +++
 .github/workflows/ci-ruby.yaml | 3 +++
 .github/workflows/ci-rust.yaml | 3 +++
 .github/workflows/ci-typescript.yaml | 3 +++
 php/tests/vaas/VaasTest.php | 17 ++++++++++-------
 10 files changed, 37 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci-dotnet.yaml b/.github/workflows/ci-dotnet.yaml
index ccdd822a..ae889517 100644
--- a/.github/workflows/ci-dotnet.yaml
+++ b/.github/workflows/ci-dotnet.yaml
@@ -29,6 +29,9 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/cs')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/cs')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/cs')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
+ VAAS_CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
+ VAAS_USER_NAME: ${{ secrets.VAAS_USER_NAME }}
+ VAAS_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.VAAS_PASSWORD || secrets.STAGING_VAAS_PASSWORD }}
 jobs:
 build-dotnet:
diff --git a/.github/workflows/ci-golang.yaml b/.github/workflows/ci-golang.yaml
index 62639d92..c4a095e4 100644
--- a/.github/workflows/ci-golang.yaml
+++ b/.github/workflows/ci-golang.yaml
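Review bot: The `VAAS_PASSWORD` expression tests `startsWith(github.ref, 'refs/tags/php')`, while the three lines above it in this file test `refs/tags/cs`; on a `cs` release tag the job would take the production `CLIENT_SECRET`, `VAAS_URL` and `TOKEN_URL` but the staging password. The line looks copied from ci-php.yaml and should use `startsWith(github.ref, 'refs/tags/cs')`. The same mismatch is in the ci-golang (`go`), ci-java-legacy and ci-java (`java`), ci-python (`py`), ci-ruby (`rb`), ci-rust (`rs`) and ci-typescript (`ts`) hunks of this patch; only ci-php.yaml is consistent.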
@@ -29,6 +29,9 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/go')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/go')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/go')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
+ VAAS_CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
+ VAAS_USER_NAME: ${{ secrets.VAAS_USER_NAME }}
+ VAAS_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.VAAS_PASSWORD || secrets.STAGING_VAAS_PASSWORD }}
 jobs:
 build-golang:
diff --git a/.github/workflows/ci-java-legacy.yaml b/.github/workflows/ci-java-legacy.yaml
index bcb23f83..8ddef7e2 100644
--- a/.github/workflows/ci-java-legacy.yaml
+++ b/.github/workflows/ci-java-legacy.yaml
@@ -29,6 +29,9 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/java')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/java')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/java')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
+ VAAS_CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
+ VAAS_USER_NAME: ${{ secrets.VAAS_USER_NAME }}
+ VAAS_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.VAAS_PASSWORD || secrets.STAGING_VAAS_PASSWORD }}
 jobs:
 build-java-legacy:
diff --git a/.github/workflows/ci-java.yaml b/.github/workflows/ci-java.yaml
index ba871452..8da06ace 100644
--- a/.github/workflows/ci-java.yaml
+++ b/.github/workflows/ci-java.yaml
@@ -29,6 +29,9 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/java')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/java')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/java')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
+ VAAS_CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
+ VAAS_USER_NAME: ${{ secrets.VAAS_USER_NAME }}
+ VAAS_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.VAAS_PASSWORD || secrets.STAGING_VAAS_PASSWORD }}
 jobs:
 build-java:
diff --git a/.github/workflows/ci-php.yaml b/.github/workflows/ci-php.yaml
index 46ff84ae..7392a9c7 100644
--- a/.github/workflows/ci-php.yaml
+++ b/.github/workflows/ci-php.yaml
@@ -29,8 +29,9 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
- RO_USERNAME: ${{ secrets.RO_USERNAME }}
- RO_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.RO_PASSWORD || secrets.STAGING_RO_PASSWORD }}
+ VAAS_CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
+ VAAS_USER_NAME: ${{ secrets.VAAS_USER_NAME }}
+ VAAS_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.VAAS_PASSWORD || secrets.STAGING_VAAS_PASSWORD }}
 jobs:
 build-php:
diff --git a/.github/workflows/ci-python.yaml b/.github/workflows/ci-python.yaml
index 852e568b..a116b64c 100644
--- a/.github/workflows/ci-python.yaml
+++ b/.github/workflows/ci-python.yaml
@@ -29,6 +29,9 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/py')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/py')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/py')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
+ VAAS_CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
+ VAAS_USER_NAME: ${{ secrets.VAAS_USER_NAME }}
+ VAAS_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.VAAS_PASSWORD || secrets.STAGING_VAAS_PASSWORD }}
 jobs:
 build-python:
diff --git a/.github/workflows/ci-ruby.yaml b/.github/workflows/ci-ruby.yaml
index f4a1788f..e8cb2780 100644
--- a/.github/workflows/ci-ruby.yaml
+++ b/.github/workflows/ci-ruby.yaml
@@ -29,6 +29,9 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/rb')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/rb')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/rb')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
+ VAAS_CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
+ VAAS_USER_NAME: ${{ secrets.VAAS_USER_NAME }}
+ VAAS_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.VAAS_PASSWORD || secrets.STAGING_VAAS_PASSWORD }}
 jobs:
 build-ruby:
diff --git a/.github/workflows/ci-rust.yaml b/.github/workflows/ci-rust.yaml
index 5e3bcc9e..ee1f2674 100644
--- a/.github/workflows/ci-rust.yaml
+++ b/.github/workflows/ci-rust.yaml
@@ -29,6 +29,9 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/rs')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/rs')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/rs')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
+ VAAS_CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
+ VAAS_USER_NAME: ${{ secrets.VAAS_USER_NAME }}
+ VAAS_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.VAAS_PASSWORD || secrets.STAGING_VAAS_PASSWORD }}
 jobs:
 build-rust:
diff --git a/.github/workflows/ci-typescript.yaml b/.github/workflows/ci-typescript.yaml
index 22b76229..0f361cb4 100644
--- a/.github/workflows/ci-typescript.yaml
+++ b/.github/workflows/ci-typescript.yaml
@@ -29,6 +29,9 @@ env:
 CLIENT_SECRET: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/ts')) && secrets.CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
 VAAS_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/ts')) && 'wss://gateway.production.vaas.gdatasecurity.de' || 'wss://gateway.staging.vaas.gdatasecurity.de' }}
 TOKEN_URL: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/ts')) && 'https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token' || 'https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token' }}
+ VAAS_CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
+ VAAS_USER_NAME: ${{ secrets.VAAS_USER_NAME }}
+ VAAS_PASSWORD: ${{ (inputs.environment == 'production' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/php')) && secrets.VAAS_PASSWORD || secrets.STAGING_VAAS_PASSWORD }}
 jobs:
 build-typescript:
diff --git a/php/tests/vaas/VaasTest.php b/php/tests/vaas/VaasTest.php
index 346b0f53..c8819e52 100644
--- a/php/tests/vaas/VaasTest.php
+++ b/php/tests/vaas/VaasTest.php
@@ -47,11 +47,14 @@ public function setUp(): void
 if (getenv("TOKEN_URL") !== false) {
 $_ENV["TOKEN_URL"] = getenv("TOKEN_URL");
 }
- if (getenv("RO_USERNAME") !== false) {
- $_ENV["RO_USERNAME"] = getenv("RO_USERNAME");
+ if (getenv("VAAS_USER_NAME") !== false) {
+ $_ENV["VAAS_USER_NAME"] = getenv("VAAS_USER_NAME");
 }
- if (getenv("RO_PASSWORD") !== false) {
- $_ENV["RO_PASSWORD"] = getenv("RO_PASSWORD");
+ if (getenv("VAAS_PASSWORD") !== false) {
+ $_ENV["VAAS_PASSWORD"] = getenv("VAAS_PASSWORD");
+ }
+ if (getenv("VAAS_CLIENT_ID") !== false) {
+ $_ENV["VAAS_CLIENT_ID"] = getenv("VAAS_CLIENT_ID");
 }
 }
@@ -88,9 +91,9 @@ private function getClientCredentialsGrantAuthenticator(): ClientCredentialsGran
 private function getResourceOwnerPasswordAuthenticator(): ResourceOwnerPasswordAuthenticator
 {
 return new ResourceOwnerPasswordAuthenticator(
- $_ENV['CLIENT_ID'],
- $_ENV['RO_USERNAME'],
- $_ENV["RO_PASSWORD"],
+ $_ENV['VAAS_CLIENT_ID'],
+ $_ENV['VAAS_USER_NAME'],
+ $_ENV["VAAS_PASSWORD"],
 $_ENV["TOKEN_URL"]
 );
 }