Restrict secrets management to sodium+filesystem
1 parent
02b5d74
commit d9aec9a
Showing
35 changed files
with
1,061 additions
and
938 deletions.
70 changes: 0 additions & 70 deletions
70
src/Symfony/Bundle/FrameworkBundle/Command/SecretsAddCommand.php
This file was deleted.
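--- a/src/Symfony/Bundle/FrameworkBundle/Command/SecretsDecryptToLocalCommand.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Command/SecretsDecryptToLocalCommand.php
@@ -0,0 +1,88 @@
+<?php
+
+/*
+* This file is part of the Symfony package.
+*
+* (c) Fabien Potencier <fabien@symfony.com>
+*
+* For the full copyright and license information, please view the LICENSE
+* file that was distributed with this source code.
+*/
+
+namespace Symfony\Bundle\FrameworkBundle\Command;
+
+use Symfony\Bundle\FrameworkBundle\Secrets\AbstractVault;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\ConsoleOutputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+/**
+* @author Nicolas Grekas <p@tchwork.com>
+*/
+final class SecretsDecryptToLocalCommand extends Command
+{
+protected static $defaultName = 'secrets:decrypt-to-local';
+
+private $vault;
+private $localVault;
+
+public function __construct(AbstractVault $vault, AbstractVault $localVault = null)
+{
+$this->vault = $vault;
+$this->localVault = $localVault;
+
+parent::__construct();
+}
+
+protected function configure()
+{
+$this
+->setDescription('Decrypts all secrets and stores them in the local vault.')
+->addOption('force', 'f', InputOption::VALUE_NONE, 'Forces overriding of secrets that already exist in the local vault')
+->setHelp(<<<'EOF'
+The <info>%command.name%</info> command list decrypts all secrets and stores them in the local vault..
+<info>%command.full_name%</info>
+When the option <info>--force</info> is provided, secrets that already exist in the local vault are overriden.
+<info>%command.full_name% --force</info>
+EOF
+)
+;
+}
+
+protected function execute(InputInterface $input, OutputInterface $output): int
+{
+$io = new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output);
+
+if (null === $this->localVault) {
+$io->error('The local vault is disabled.');
+
+return 1;
+}
+
+$secrets = $this->vault->list(true);
+
+if (!$input->getOption('force')) {
+foreach ($this->localVault->list() as $k => $v) {
+unset($secrets[$k]);
+}
+}
+
+foreach ($secrets as $k => $v) {
+if (null === $v) {
+$io->error($this->vault->getLastMessage());
+
+return 1;
+}
+
+$this->localVault->seal($k, $v);
+}
+
+return 0;
+}
+}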
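Review bot: The `null === $v` check in execute() runs inside the same loop that calls `$this->localVault->seal($k, $v)`, so a secret that fails to decrypt aborts the command after earlier entries have already been written, leaving the local vault partially populated behind an exit code of 1. Checking every value before the first write would make the command all-or-nothing, for example a preceding pass `foreach ($secrets as $v) { if (null === $v) { $io->error($this->vault->getLastMessage()); return 1; } }`. The error text is read from `getLastMessage()` only after the whole list has been revealed, so it may not describe the entry that actually failed; naming `$k` in the message would remove that doubt. SecretsEncryptFromLocalCommand::execute() has the same loop shape and the same partial-write behaviour.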
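--- a/src/Symfony/Bundle/FrameworkBundle/Command/SecretsEncryptFromLocalCommand.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Command/SecretsEncryptFromLocalCommand.php
@@ -0,0 +1,88 @@
+<?php
+
+/*
+* This file is part of the Symfony package.
+*
+* (c) Fabien Potencier <fabien@symfony.com>
+*
+* For the full copyright and license information, please view the LICENSE
+* file that was distributed with this source code.
+*/
+
+namespace Symfony\Bundle\FrameworkBundle\Command;
+
+use Symfony\Bundle\FrameworkBundle\Secrets\AbstractVault;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\ConsoleOutputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+/**
+* @author Nicolas Grekas <p@tchwork.com>
+*/
+final class SecretsEncryptFromLocalCommand extends Command
+{
+protected static $defaultName = 'secrets:encrypt-from-local';
+
+private $vault;
+private $localVault;
+
+public function __construct(AbstractVault $vault, AbstractVault $localVault = null)
+{
+$this->vault = $vault;
+$this->localVault = $localVault;
+
+parent::__construct();
+}
+
+protected function configure()
+{
+$this
+->setDescription('Encrypts all local secrets to the vault.')
+->addOption('force', 'f', InputOption::VALUE_NONE, 'Forces overriding of secrets that already exist in the vault')
+->setHelp(<<<'EOF'
+The <info>%command.name%</info> command list encrypts all local secrets and stores them in the vault..
+<info>%command.full_name%</info>
+When the option <info>--force</info> is provided, secrets that already exist in the vault are overriden.
+<info>%command.full_name% --force</info>
+EOF
+)
+;
+}
+
+protected function execute(InputInterface $input, OutputInterface $output): int
+{
+$io = new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output);
+
+if (null === $this->localVault) {
+$io->error('The local vault is disabled.');
+
+return 1;
+}
+
+$secrets = $this->localVault->list(true);
+
+if (!$input->getOption('force')) {
+foreach ($this->vault->list() as $k => $v) {
+unset($secrets[$k]);
+}
+}
+
+foreach ($secrets as $k => $v) {
+if (null === $v) {
+$io->error($this->localVault->getLastMessage());
+
+return 1;
+}
+
+$this->vault->seal($k, $v);
+}
+
+return 0;
+}
+}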
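Review bot: With `--force`, execute() replaces every secret in the main vault that also exists in the local vault, and the command prints nothing about which names were overwritten or whether `seal()` succeeded. Local values are presumably developer overrides, so one mistaken run could silently swap real credentials for test ones, and the previous ciphertext would then be recoverable only from version control. The operator should at least see the affected names, for example `$io->comment(sprintf('Sealing "%s" into the vault.', $k));` placed before `$this->vault->seal($k, $v);`. If `seal()` records a status message (its body is not visible here), adding `$io->note($this->vault->getLastMessage());` after the call would surface that too.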
97 changes: 0 additions & 97 deletions
97
src/Symfony/Bundle/FrameworkBundle/Command/SecretsGenerateKeyCommand.php
This file was deleted.