[DI][FrameworkBundle] add EnvVarLoaderInterface - remove SecretEnvVarProcessor

Author: nicolas-grekas

DependencyInjection/FrameworkExtension.php

@@ -49,6 +49,7 @@
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\DependencyInjection\Definition;
+use Symfony\Component\DependencyInjection\EnvVarLoaderInterface;
 use Symfony\Component\DependencyInjection\EnvVarProcessorInterface;
 use Symfony\Component\DependencyInjection\Exception\InvalidArgumentException;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
@@ -376,6 +377,8 @@ public function load(array $configs, ContainerBuilder $container)
             ->addTag('console.command');
         $container->registerForAutoconfiguration(ResourceCheckerInterface::class)
             ->addTag('config_cache.resource_checker');
+        $container->registerForAutoconfiguration(EnvVarLoaderInterface::class)
+            ->addTag('container.env_var_loader');
         $container->registerForAutoconfiguration(EnvVarProcessorInterface::class)
             ->addTag('container.env_var_processor');
         $container->registerForAutoconfiguration(ServiceLocator::class)

Resources/config/secrets.xml

@@ -6,6 +6,7 @@
 
     <services>
         <service id="secrets.vault" class="Symfony\Bundle\FrameworkBundle\Secrets\SodiumVault">
+            <tag name="container.env_var_loader" />
             <argument>%kernel.project_dir%/config/secrets/%kernel.environment%</argument>
             <argument type="service" id="secrets.decryption_key" on-invalid="ignore" />
         </service>
@@ -31,11 +32,5 @@
         <service id="secrets.local_vault" class="Symfony\Bundle\FrameworkBundle\Secrets\DotenvVault">
             <argument>%kernel.project_dir%/.env.local</argument>
         </service>
-
-        <service id="secrets.env_var_processor" class="Symfony\Bundle\FrameworkBundle\Secrets\SecretEnvVarProcessor">
-            <argument type="service" id="secrets.vault" />
-            <argument type="service" id="secrets.local_vault" on-invalid="ignore" />
-            <tag name="container.env_var_processor" />
-        </service>
     </services>
 </container>

Resources/config/services.xml

@@ -121,5 +121,11 @@
             <argument type="service" id="request_stack" />
             <tag name="kernel.event_subscriber" />
         </service>
+
+        <service id="container.env_var_processor" class="Symfony\Component\DependencyInjection\EnvVarProcessor">
+            <tag name="container.env_var_processor" />
+            <argument type="service" id="service_container" />
+            <argument type="tagged_iterator" tag="container.env_var_loader" />
+        </service>
     </services>
 </container>

Secrets/DotenvVault.php

@@ -54,7 +54,7 @@ public function reveal(string $name): ?string
     {
         $this->lastMessage = null;
         $this->validateName($name);
-        $v = \is_string($_SERVER[$name] ?? null) ? $_SERVER[$name] : ($_ENV[$name] ?? null);
+        $v = \is_string($_SERVER[$name] ?? null) && 0 !== strpos($name, 'HTTP_') ? $_SERVER[$name] : ($_ENV[$name] ?? null);
 
         if (null === $v) {
             $this->lastMessage = sprintf('Secret "%s" not found in "%s".', $name, $this->getPrettyPath($this->dotenvFile));

Secrets/SecretEnvVarProcessor.php

@@ -11,14 +11,16 @@
 
 namespace Symfony\Bundle\FrameworkBundle\Secrets;
 
+use Symfony\Component\DependencyInjection\EnvVarLoaderInterface;
+
 /**
  * @author Tobias Schultze <http://tobion.de>
  * @author Jérémy Derussé <jeremy@derusse.com>
  * @author Nicolas Grekas <p@tchwork.com>
  *
  * @internal
  */
-class SodiumVault extends AbstractVault
+class SodiumVault extends AbstractVault implements EnvVarLoaderInterface
 {
     private $encryptionKey;
     private $decryptionKey;
@@ -56,8 +58,8 @@ public function generateKeys(bool $override = false): bool
             // ignore failures to load keys
         }
 
-        if ('' !== $this->decryptionKey && !file_exists($this->pathPrefix.'sodium.encrypt.public')) {
-            $this->export('sodium.encrypt.public', $this->encryptionKey);
+        if ('' !== $this->decryptionKey && !file_exists($this->pathPrefix.'encrypt.public.php')) {
+            $this->export('encrypt.public', $this->encryptionKey);
         }
 
         if (!$override && null !== $this->encryptionKey) {
@@ -69,10 +71,10 @@ public function generateKeys(bool $override = false): bool
         $this->decryptionKey = sodium_crypto_box_keypair();
         $this->encryptionKey = sodium_crypto_box_publickey($this->decryptionKey);
 
-        $this->export('sodium.encrypt.public', $this->encryptionKey);
-        $this->export('sodium.decrypt.private', $this->decryptionKey);
+        $this->export('encrypt.public', $this->encryptionKey);
+        $this->export('decrypt.private', $this->decryptionKey);
 
-        $this->lastMessage = sprintf('Sodium keys have been generated at "%s*.{public,private}".', $this->getPrettyPath($this->pathPrefix));
+        $this->lastMessage = sprintf('Sodium keys have been generated at "%s*.public/private.php".', $this->getPrettyPath($this->pathPrefix));
 
         return true;
     }
@@ -82,12 +84,12 @@ public function seal(string $name, string $value): void
         $this->lastMessage = null;
         $this->validateName($name);
         $this->loadKeys();
-        $this->export($name.'.'.substr_replace(md5($name), '.sodium', -26), sodium_crypto_box_seal($value, $this->encryptionKey ?? sodium_crypto_box_publickey($this->decryptionKey)));
+        $this->export($name.'.'.substr(md5($name), 0, 6), sodium_crypto_box_seal($value, $this->encryptionKey ?? sodium_crypto_box_publickey($this->decryptionKey)));
 
         $list = $this->list();
         $list[$name] = null;
         uksort($list, 'strnatcmp');
-        file_put_contents($this->pathPrefix.'sodium.list', sprintf("<?php\n\nreturn %s;\n", var_export($list, true), LOCK_EX));
+        file_put_contents($this->pathPrefix.'list.php', sprintf("<?php\n\nreturn %s;\n", var_export($list, true), LOCK_EX));
 
         $this->lastMessage = sprintf('Secret "%s" encrypted in "%s"; you can commit it.', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));
     }
@@ -97,7 +99,7 @@ public function reveal(string $name): ?string
         $this->lastMessage = null;
         $this->validateName($name);
 
-        if (!file_exists($file = $this->pathPrefix.$name.'.'.substr_replace(md5($name), '.sodium', -26))) {
+        if (!file_exists($file = $this->pathPrefix.$name.'.'.substr_replace(md5($name), '.php', -26))) {
             $this->lastMessage = sprintf('Secret "%s" not found in "%s".', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));
 
             return null;
@@ -131,15 +133,15 @@ public function remove(string $name): bool
         $this->lastMessage = null;
         $this->validateName($name);
 
-        if (!file_exists($file = $this->pathPrefix.$name.'.'.substr_replace(md5($name), '.sodium', -26))) {
+        if (!file_exists($file = $this->pathPrefix.$name.'.'.substr_replace(md5($name), '.php', -26))) {
             $this->lastMessage = sprintf('Secret "%s" not found in "%s".', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));
 
             return false;
         }
 
         $list = $this->list();
         unset($list[$name]);
-        file_put_contents($this->pathPrefix.'sodium.list', sprintf("<?php\n\nreturn %s;\n", var_export($list, true), LOCK_EX));
+        file_put_contents($this->pathPrefix.'list.php', sprintf("<?php\n\nreturn %s;\n", var_export($list, true), LOCK_EX));
 
         $this->lastMessage = sprintf('Secret "%s" removed from "%s".', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));
 
@@ -150,7 +152,7 @@ public function list(bool $reveal = false): array
     {
         $this->lastMessage = null;
 
-        if (!file_exists($file = $this->pathPrefix.'sodium.list')) {
+        if (!file_exists($file = $this->pathPrefix.'list.php')) {
             return [];
         }
 
@@ -167,6 +169,11 @@ public function list(bool $reveal = false): array
         return $secrets;
     }
 
+    public function loadEnvVars(): array
+    {
+        return $this->list(true);
+    }
+
     private function loadKeys(): void
     {
         if (!\function_exists('sodium_crypto_box_seal')) {
@@ -177,12 +184,12 @@ private function loadKeys(): void
             return;
         }
 
-        if (file_exists($this->pathPrefix.'sodium.decrypt.private')) {
-            $this->decryptionKey = (string) include $this->pathPrefix.'sodium.decrypt.private';
+        if (file_exists($this->pathPrefix.'decrypt.private.php')) {
+            $this->decryptionKey = (string) include $this->pathPrefix.'decrypt.private.php';
         }
 
-        if (file_exists($this->pathPrefix.'sodium.encrypt.public')) {
-            $this->encryptionKey = (string) include $this->pathPrefix.'sodium.encrypt.public';
+        if (file_exists($this->pathPrefix.'encrypt.public.php')) {
+            $this->encryptionKey = (string) include $this->pathPrefix.'encrypt.public.php';
         } elseif ('' !== $this->decryptionKey) {
             $this->encryptionKey = sodium_crypto_box_publickey($this->decryptionKey);
         } else {
@@ -196,7 +203,7 @@ private function export(string $file, string $data): void
         $data = str_replace('%', '\x', rawurlencode($data));
         $data = sprintf("<?php // %s on %s\n\nreturn \"%s\";\n", $name, date('r'), $data);
 
-        if (false === file_put_contents($this->pathPrefix.$file, $data, LOCK_EX)) {
+        if (false === file_put_contents($this->pathPrefix.$file.'.php', $data, LOCK_EX)) {
             $e = error_get_last();
             throw new \ErrorException($e['message'] ?? 'Failed to write secrets data.', 0, $e['type'] ?? E_USER_WARNING);
         }

Secrets/SodiumVault.php

@@ -26,19 +26,19 @@ public function testGenerateKeys()
         $vault = new SodiumVault($this->secretsDir);
 
         $this->assertTrue($vault->generateKeys());
-        $this->assertFileExists($this->secretsDir.'/test.sodium.encrypt.public');
-        $this->assertFileExists($this->secretsDir.'/test.sodium.decrypt.private');
+        $this->assertFileExists($this->secretsDir.'/test.encrypt.public.php');
+        $this->assertFileExists($this->secretsDir.'/test.decrypt.private.php');
 
-        $encKey = file_get_contents($this->secretsDir.'/test.sodium.encrypt.public');
-        $decKey = file_get_contents($this->secretsDir.'/test.sodium.decrypt.private');
+        $encKey = file_get_contents($this->secretsDir.'/test.encrypt.public.php');
+        $decKey = file_get_contents($this->secretsDir.'/test.decrypt.private.php');
 
         $this->assertFalse($vault->generateKeys());
-        $this->assertStringEqualsFile($this->secretsDir.'/test.sodium.encrypt.public', $encKey);
-        $this->assertStringEqualsFile($this->secretsDir.'/test.sodium.decrypt.private', $decKey);
+        $this->assertStringEqualsFile($this->secretsDir.'/test.encrypt.public.php', $encKey);
+        $this->assertStringEqualsFile($this->secretsDir.'/test.decrypt.private.php', $decKey);
 
         $this->assertTrue($vault->generateKeys(true));
-        $this->assertStringNotEqualsFile($this->secretsDir.'/test.sodium.encrypt.public', $encKey);
-        $this->assertStringNotEqualsFile($this->secretsDir.'/test.sodium.decrypt.private', $decKey);
+        $this->assertStringNotEqualsFile($this->secretsDir.'/test.encrypt.public.php', $encKey);
+        $this->assertStringNotEqualsFile($this->secretsDir.'/test.decrypt.private.php', $decKey);
     }
 
     public function testEncryptAndDecrypt()