SecretsSetCommand.php 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139
  1. <?php
  2. /*
  3. * This file is part of the Symfony package.
  4. *
  5. * (c) Fabien Potencier <fabien@symfony.com>
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. namespace Symfony\Bundle\FrameworkBundle\Command;
  11. use Symfony\Bundle\FrameworkBundle\Secrets\AbstractVault;
  12. use Symfony\Component\Console\Command\Command;
  13. use Symfony\Component\Console\Input\InputArgument;
  14. use Symfony\Component\Console\Input\InputInterface;
  15. use Symfony\Component\Console\Input\InputOption;
  16. use Symfony\Component\Console\Output\ConsoleOutputInterface;
  17. use Symfony\Component\Console\Output\OutputInterface;
  18. use Symfony\Component\Console\Style\SymfonyStyle;
  19. /**
  20. * @author Tobias Schultze <http://tobion.de>
  21. * @author Jérémy Derussé <jeremy@derusse.com>
  22. * @author Nicolas Grekas <p@tchwork.com>
  23. *
  24. * @internal
  25. */
  26. final class SecretsSetCommand extends Command
  27. {
  28. protected static $defaultName = 'secrets:set';
  29. private $vault;
  30. private $localVault;
  31. public function __construct(AbstractVault $vault, AbstractVault $localVault = null)
  32. {
  33. $this->vault = $vault;
  34. $this->localVault = $localVault;
  35. parent::__construct();
  36. }
  37. protected function configure()
  38. {
  39. $this
  40. ->setDescription('Set a secret in the vault')
  41. ->addArgument('name', InputArgument::REQUIRED, 'The name of the secret')
  42. ->addArgument('file', InputArgument::OPTIONAL, 'A file where to read the secret from or "-" for reading from STDIN')
  43. ->addOption('local', 'l', InputOption::VALUE_NONE, 'Update the local vault.')
  44. ->addOption('random', 'r', InputOption::VALUE_OPTIONAL, 'Generate a random value.', false)
  45. ->setHelp(<<<'EOF'
  46. The <info>%command.name%</info> command stores a secret in the vault.
  47. <info>%command.full_name% <name></info>
  48. To reference secrets in services.yaml or any other config
  49. files, use <info>"%env(<name>)%"</info>.
  50. By default, the secret value should be entered interactively.
  51. Alternatively, provide a file where to read the secret from:
  52. <info>php %command.full_name% <name> filename</info>
  53. Use "-" as a file name to read from STDIN:
  54. <info>cat filename | php %command.full_name% <name> -</info>
  55. Use <info>--local</info> to override secrets for local needs.
  56. EOF
  57. )
  58. ;
  59. }
  60. protected function execute(InputInterface $input, OutputInterface $output): int
  61. {
  62. $errOutput = $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output;
  63. $io = new SymfonyStyle($input, $errOutput);
  64. $name = $input->getArgument('name');
  65. $vault = $input->getOption('local') ? $this->localVault : $this->vault;
  66. if (null === $vault) {
  67. $io->error('The local vault is disabled.');
  68. return 1;
  69. }
  70. if ($this->localVault === $vault && !\array_key_exists($name, $this->vault->list())) {
  71. $io->error(sprintf('Secret "%s" does not exist in the vault, you cannot override it locally.', $name));
  72. return 1;
  73. }
  74. if (0 < $random = $input->getOption('random') ?? 16) {
  75. $value = strtr(substr(base64_encode(random_bytes($random)), 0, $random), '+/', '-_');
  76. } elseif (!$file = $input->getArgument('file')) {
  77. $value = $io->askHidden('Please type the secret value');
  78. if (null === $value) {
  79. $io->warning('No value provided: using empty string');
  80. $value = '';
  81. }
  82. } elseif ('-' === $file) {
  83. $value = file_get_contents('php://stdin');
  84. } elseif (is_file($file) && is_readable($file)) {
  85. $value = file_get_contents($file);
  86. } elseif (!is_file($file)) {
  87. throw new \InvalidArgumentException(sprintf('File not found: "%s".', $file));
  88. } elseif (!is_readable($file)) {
  89. throw new \InvalidArgumentException(sprintf('File is not readable: "%s".', $file));
  90. }
  91. if ($vault->generateKeys()) {
  92. $io->success($vault->getLastMessage());
  93. if ($this->vault === $vault) {
  94. $io->caution('DO NOT COMMIT THE DECRYPTION KEY FOR THE PROD ENVIRONMENT⚠️');
  95. }
  96. }
  97. $vault->seal($name, $value);
  98. $io->success($vault->getLastMessage() ?? 'Secret was successfully stored in the vault.');
  99. if (0 < $random) {
  100. $errOutput->write(' // The generated random value is: <comment>');
  101. $output->write($value);
  102. $errOutput->writeln('</comment>');
  103. $io->newLine();
  104. }
  105. if ($this->vault === $vault && null !== $this->localVault->reveal($name)) {
  106. $io->comment('Note that this secret is overridden in the local vault.');
  107. }
  108. return 0;
  109. }
  110. }