Skip to content

[FrameworkBundle] Add secrets management. #31101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
Closed

[FrameworkBundle] Add secrets management. #31101

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7b1e2fc
Proof of concept for encrypted secrets
Tobion Apr 6, 2019
afd2f0f
Add secrets management
jderusse Apr 8, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ CHANGELOG
* Added new `error_controller` configuration to handle system exceptions
* Added sort option for `translation:update` command.
* [BC Break] The `framework.messenger.routing.senders` config key is not deep merged anymore.
* Added secrets management.

4.3.0
-----
Expand Down
70 changes: 70 additions & 0 deletions src/Symfony/Bundle/FrameworkBundle/Command/SecretsAddCommand.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bundle\FrameworkBundle\Command;

use Symfony\Bundle\FrameworkBundle\Exception\EncryptionKeyNotFoundException;
use Symfony\Bundle\FrameworkBundle\Secret\Storage\MutableSecretStorageInterface;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Style\SymfonyStyle;

/**
* @author Tobias Schultze <http://tobion.de>
* @author Jérémy Derussé <jeremy@derusse.com>
*/
final class SecretsAddCommand extends Command
{
protected static $defaultName = 'secrets:add';

private $secretsStorage;

public function __construct(MutableSecretStorageInterface $secretsStorage)
{
$this->secretsStorage = $secretsStorage;

parent::__construct();
}

protected function configure()
{
$this
->setDefinition([
new InputArgument('name', InputArgument::REQUIRED, 'The name of the secret'),
])
->setDescription('Adds a secret in the storage.')
->setHelp(<<<'EOF'
The <info>%command.name%</info> command stores a secret.

%command.full_name% <name>
EOF
)
;
}

protected function execute(InputInterface $input, OutputInterface $output)
{
$io = new SymfonyStyle($input, $output);

$name = $input->getArgument('name');
$secret = $io->askHidden('Value of the secret');

try {
$this->secretsStorage->setSecret($name, $secret);
} catch (EncryptionKeyNotFoundException $e) {
throw new \LogicException(sprintf('No encryption keys found. You should call the "%s" command.', SecretsGenerateKeyCommand::getDefaultName()));
}

$io->success('Secret was successfully stored.');
}
}
97 changes: 97 additions & 0 deletions src/Symfony/Bundle/FrameworkBundle/Command/SecretsGenerateKeyCommand.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bundle\FrameworkBundle\Command;

use Symfony\Bundle\FrameworkBundle\Exception\EncryptionKeyNotFoundException;
use Symfony\Bundle\FrameworkBundle\Secret\Encoder\EncoderInterface;
use Symfony\Bundle\FrameworkBundle\Secret\Storage\MutableSecretStorageInterface;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Style\SymfonyStyle;

/**
* @author Tobias Schultze <http://tobion.de>
* @author Jérémy Derussé <jeremy@derusse.com>
*/
final class SecretsGenerateKeyCommand extends Command
{
protected static $defaultName = 'secrets:generate-key';
private $secretsStorage;
private $encoder;

public function __construct(EncoderInterface $encoder, MutableSecretStorageInterface $secretsStorage)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm right, we don't use prefixes like Mutable and Immutable in Symfony code.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would drop the prefix as well

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

naming things are hard... :(

Here I wanted to distingquihed "readonly storage" from "writable storage" do you have any idea of naming?

note: we have a Symfony\Component\Security\Acl\Model\MutableAclInterface

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

SecretStorageInterface {
    get(): string;
    set(): void;
    list(): iterable;
}

would be enough IMHO

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👎 don't just name it get, set etc without "secret". It should be obvious from the method name that this is confidential data, not a generic data store.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given:

  • At first, users only need to fetch secrets from the storage. That's the purpose of the SecretStorageInterface.
  • Symfony provides a default storage (the FileSecretStorage) and a convenient way to add new secrets in it (the SecretsAddCommand). Maybe I should inject the FileSecretStorage and remove that interface?

We have 2 interface for reasons:

  1. From our point of view, it didn't make sens to use symfony's command to manage 3rd party tools like vault. Users could use their favorite tool to add/delete secrets from them.

  2. I think that a futur implementation of SecretStorageInterface could be a ChainSecretStorage that iterate over a list of SecretStorageInterface. Implementing setSecret in a chain wouldn't make sens.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the ChainSecretStorage which will improve the DX by allowing developper/3rd party to create new SecretStorages

{
$this->secretsStorage = $secretsStorage;
$this->encoder = $encoder;
parent::__construct();
}

protected function configure()
{
$this
->setDefinition([
new InputOption('rekey', 'r', InputOption::VALUE_NONE, 'Re-encrypt previous secret with the new key.'),
])
->setDescription('Generates a new encryption key.')
->setHelp(<<<'EOF'
The <info>%command.name%</info> command generates a new encryption key.

%command.full_name%

If a previous encryption key already exists, the command must be called with
the <info>--rekey</info> option in order to override that key and re-encrypt
previous secrets.

%command.full_name% --rekey
EOF
)
;
}

protected function execute(InputInterface $input, OutputInterface $output)
{
$rekey = $input->getOption('rekey');

$previousSecrets = [];
try {
foreach ($this->secretsStorage->listSecrets(true) as $name => $decryptedSecret) {
$previousSecrets[$name] = $decryptedSecret;
}
} catch (EncryptionKeyNotFoundException $e) {
if (!$rekey) {
throw $e;
}
}

$keys = $this->encoder->generateKeys($rekey);
foreach ($previousSecrets as $name => $decryptedSecret) {
$this->secretsStorage->setSecret($name, $decryptedSecret);
}

$io = new SymfonyStyle($input, $output);
switch (\count($keys)) {
case 0:
$io->success('Keys have been generated.');
break;
case 1:
$io->success(sprintf('A key has been generated in "%s".', $keys[0]));
$io->caution('DO NOT COMMIT that file!');
break;
default:
$io->success(sprintf("Keys have been generated in :\n -%s", implode("\n -", $keys)));
$io->caution('DO NOT COMMIT those files!');
break;
}
}
}
92 changes: 92 additions & 0 deletions src/Symfony/Bundle/FrameworkBundle/Command/SecretsListCommand.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bundle\FrameworkBundle\Command;

use Symfony\Bundle\FrameworkBundle\Exception\EncryptionKeyNotFoundException;
use Symfony\Bundle\FrameworkBundle\Secret\Storage\SecretStorageInterface;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Style\SymfonyStyle;

/**
* @author Tobias Schultze <http://tobion.de>
* @author Jérémy Derussé <jeremy@derusse.com>
*/
final class SecretsListCommand extends Command
{
protected static $defaultName = 'debug:secrets';

private $secretStorage;

public function __construct(SecretStorageInterface $secretStorage)
{
$this->secretStorage = $secretStorage;

parent::__construct();
}

protected function configure()
{
$this
->setDefinition([
new InputOption('reveal', 'r', InputOption::VALUE_NONE, 'Display decrypted values alongside names'),
])
->setDescription('Lists all secrets.')
->setHelp(<<<'EOF'
The <info>%command.name%</info> command list all stored secrets.

%command.full_name%

When the the option <info>--reveal</info> is provided, the decrypted secrets are also displayed.

%command.full_name% --reveal
EOF
)
;

$this
->setDescription('Lists all secrets.')
->addOption('reveal', 'r', InputOption::VALUE_NONE, 'Display decrypted values alongside names');
}

protected function execute(InputInterface $input, OutputInterface $output)
{
$reveal = $input->getOption('reveal');
$io = new SymfonyStyle($input, $output);

try {
$secrets = $this->secretStorage->listSecrets($reveal);
} catch (EncryptionKeyNotFoundException $e) {
throw new \LogicException(sprintf('Unable to decrypt secrets, the encryption key "%s" is missing.', $e->getKeyLocation()));
}

if ($reveal) {
$rows = [];
foreach ($secrets as $name => $value) {
$rows[] = [$name, $value];
}
$io->table(['name', 'secret'], $rows);

return;
}

$rows = [];
foreach ($secrets as $name => $_) {
$rows[] = [$name];
}

$io->comment(sprintf('To reveal the values of the secrets use <info>php %s %s --reveal</info>', $_SERVER['PHP_SELF'], $this->getName()));
$io->table(['name'], $rows);
}
}
61 changes: 61 additions & 0 deletions src/Symfony/Bundle/FrameworkBundle/Command/SecretsRemoveCommand.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bundle\FrameworkBundle\Command;

use Symfony\Bundle\FrameworkBundle\Secret\Storage\MutableSecretStorageInterface;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Style\SymfonyStyle;

/**
* @author Jérémy Derussé <jeremy@derusse.com>
*/
final class SecretsRemoveCommand extends Command
{
protected static $defaultName = 'secrets:remove';

private $secretsStorage;

public function __construct(MutableSecretStorageInterface $secretsStorage)
{
$this->secretsStorage = $secretsStorage;

parent::__construct();
}

protected function configure()
{
$this
->setDefinition([
new InputArgument('name', InputArgument::REQUIRED, 'The name of the secret'),
])
->setDescription('Removes a secret from the storage.')
->setHelp(<<<'EOF'
The <info>%command.name%</info> command remove a secret.

%command.full_name% <name>
EOF
)
;
}

protected function execute(InputInterface $input, OutputInterface $output)
{
$io = new SymfonyStyle($input, $output);

$this->secretsStorage->removeSecret($input->getArgument('name'));

$io->success('Secret was successfully removed.');
}
}
16 changes: 16 additions & 0 deletions src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,10 +115,26 @@ public function getConfigTreeBuilder()
$this->addRobotsIndexSection($rootNode);
$this->addHttpClientSection($rootNode);
$this->addMailerSection($rootNode);
$this->addSecretsSection($rootNode);

return $treeBuilder;
}

private function addSecretsSection(ArrayNodeDefinition $rootNode)
{
$rootNode
->children()
->arrayNode('secrets')
->canBeEnabled()
->children()
->scalarNode('encrypted_secrets_dir')->defaultValue('%kernel.project_dir%/config/secrets/%kernel.environment%')->cannotBeEmpty()->end()
->scalarNode('encryption_key')->defaultValue('%kernel.project_dir%/config/secrets/encryption_%kernel.environment%.key')->cannotBeEmpty()->end()
->end()
->end()
->end()
;
}

private function addCsrfSection(ArrayNodeDefinition $rootNode)
{
$rootNode
Expand Down
Loading