SecretsGenerateKeysCommand.php 3.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125
  1. <?php
  2. /*
  3. * This file is part of the Symfony package.
  4. *
  5. * (c) Fabien Potencier <fabien@symfony.com>
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. namespace Symfony\Bundle\FrameworkBundle\Command;
  11. use Symfony\Bundle\FrameworkBundle\Secrets\AbstractVault;
  12. use Symfony\Component\Console\Command\Command;
  13. use Symfony\Component\Console\Input\InputInterface;
  14. use Symfony\Component\Console\Input\InputOption;
  15. use Symfony\Component\Console\Output\ConsoleOutputInterface;
  16. use Symfony\Component\Console\Output\OutputInterface;
  17. use Symfony\Component\Console\Style\SymfonyStyle;
  18. /**
  19. * @author Tobias Schultze <http://tobion.de>
  20. * @author Jérémy Derussé <jeremy@derusse.com>
  21. * @author Nicolas Grekas <p@tchwork.com>
  22. *
  23. * @internal
  24. */
  25. final class SecretsGenerateKeysCommand extends Command
  26. {
  27. protected static $defaultName = 'secrets:generate-keys';
  28. private $vault;
  29. private $localVault;
  30. public function __construct(AbstractVault $vault, AbstractVault $localVault = null)
  31. {
  32. $this->vault = $vault;
  33. $this->localVault = $localVault;
  34. parent::__construct();
  35. }
  36. protected function configure()
  37. {
  38. $this
  39. ->setDescription('Generate new encryption keys')
  40. ->addOption('local', 'l', InputOption::VALUE_NONE, 'Update the local vault.')
  41. ->addOption('rotate', 'r', InputOption::VALUE_NONE, 'Re-encrypt existing secrets with the newly generated keys.')
  42. ->setHelp(<<<'EOF'
  43. The <info>%command.name%</info> command generates a new encryption key.
  44. <info>%command.full_name%</info>
  45. If encryption keys already exist, the command must be called with
  46. the <info>--rotate</info> option in order to override those keys and re-encrypt
  47. existing secrets.
  48. <info>%command.full_name% --rotate</info>
  49. EOF
  50. )
  51. ;
  52. }
  53. protected function execute(InputInterface $input, OutputInterface $output): int
  54. {
  55. $io = new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output);
  56. $vault = $input->getOption('local') ? $this->localVault : $this->vault;
  57. if (null === $vault) {
  58. $io->success('The local vault is disabled.');
  59. return 1;
  60. }
  61. if (!$input->getOption('rotate')) {
  62. if ($vault->generateKeys()) {
  63. $io->success($vault->getLastMessage());
  64. if ($this->vault === $vault) {
  65. $io->caution('DO NOT COMMIT THE DECRYPTION KEY FOR THE PROD ENVIRONMENT⚠️');
  66. }
  67. return 0;
  68. }
  69. $io->warning($vault->getLastMessage());
  70. return 1;
  71. }
  72. $secrets = [];
  73. foreach ($vault->list(true) as $name => $value) {
  74. if (null === $value) {
  75. $io->error($vault->getLastMessage());
  76. return 1;
  77. }
  78. $secrets[$name] = $value;
  79. }
  80. if (!$vault->generateKeys(true)) {
  81. $io->warning($vault->getLastMessage());
  82. return 1;
  83. }
  84. $io->success($vault->getLastMessage());
  85. if ($secrets) {
  86. foreach ($secrets as $name => $value) {
  87. $vault->seal($name, $value);
  88. }
  89. $io->comment('Existing secrets have been rotated to the new keys.');
  90. }
  91. if ($this->vault === $vault) {
  92. $io->caution('DO NOT COMMIT THE DECRYPTION KEY FOR THE PROD ENVIRONMENT⚠️');
  93. }
  94. return 0;
  95. }
  96. }