symfony
diff --git a/‎src/Symfony/Component/Secret/.gitattributes
+4 b/‎src/Symfony/Component/Secret/.gitattributes
+4
diff --git a/‎src/Symfony/Component/Secret/.gitignore
+3 b/‎src/Symfony/Component/Secret/.gitignore
+3
diff --git a/‎src/Symfony/Component/Secret/AbstractVault.php
+50 b/‎src/Symfony/Component/Secret/AbstractVault.php
+50
diff --git a/‎src/Symfony/Component/Secret/Command/SecretsDecryptToLocalCommand.php
+105 b/‎src/Symfony/Component/Secret/Command/SecretsDecryptToLocalCommand.php
+105
diff --git a/‎src/Symfony/Component/Secret/Command/SecretsEncryptFromLocalCommand.php
+80 b/‎src/Symfony/Component/Secret/Command/SecretsEncryptFromLocalCommand.php
+80
diff --git a/‎src/Symfony/Component/Secret/Command/SecretsGenerateKeysCommand.php
+126 b/‎src/Symfony/Component/Secret/Command/SecretsGenerateKeysCommand.php
+126
@@ -0,0 +1,4 @@
+/Tests export-ignore
+/phpunit.xml.dist export-ignore
+/.gitattributes export-ignore
+/.gitignore export-ignore
@@ -0,0 +1,3 @@
+/vendor/
+/phpunit.xml
+.phpunit.result.cache
@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Secret;
+
+/**
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+abstract class AbstractVault
+{
+    /** @var string|null */
+    protected $lastMessage;
+
+    public function getLastMessage(): string
+    {
+        return $this->lastMessage ?? '';
+    }
+
+    abstract public function generateKeys(bool $override = false): bool;
+
+    abstract public function seal(string $name, string $value): void;
+
+    abstract public function reveal(string $name): ?string;
+
+    abstract public function remove(string $name): bool;
+
+    abstract public function list(bool $reveal = false): array;
+
+    protected function validateName(string $name): void
+    {
+        if (!preg_match('/^\w++$/D', $name)) {
+            throw new \LogicException(sprintf('Invalid secret name "%s": only "word" characters are allowed.', $name));
+        }
+    }
+
+    protected function getPrettyPath(string $path): string
+    {
+        return str_replace(getcwd().\DIRECTORY_SEPARATOR, '', $path);
+    }
+}
@@ -0,0 +1,105 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Secret\Command;
+
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\ConsoleOutputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\Secret\AbstractVault;
+
+/**
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+final class SecretsDecryptToLocalCommand extends Command
+{
+    protected static $defaultName = 'decrypt-to-local';
+
+    private $vault;
+    private $localVault;
+
+    public function __construct(AbstractVault $vault, AbstractVault $localVault = null)
+    {
+        $this->vault = $vault;
+        $this->localVault = $localVault;
+
+        parent::__construct();
+    }
+
+    protected function configure(): void
+    {
+        $this
+            ->setDescription('Decrypt all secrets and stores them in the local vault')
+            ->addOption('force', 'f', InputOption::VALUE_NONE, 'Force overriding of secrets that already exist in the local vault')
+            ->addOption('dir', 'd', InputOption::VALUE_REQUIRED, 'Target directory')
+            ->setHelp(<<<'EOF'
+The <info>%command.name%</info> command decrypts all secrets and copies them in the local vault.
+
+    <info>%command.full_name%</info>
+
+When the option <info>--force</info> is provided, secrets that already exist in the local vault are overriden.
+
+    <info>%command.full_name% --force</info>
+EOF
+            )
+        ;
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output);
+
+        if (null === $this->localVault) {
+            $io->error('The local vault is disabled.');
+
+            return 1;
+        }
+
+        $secrets = $this->vault->list(true);
+
+        $io->comment(sprintf('%d secret%s found in the vault.', \count($secrets), 1 !== \count($secrets) ? 's' : ''));
+
+        $skipped = 0;
+        if (!$input->getOption('force')) {
+            foreach ($this->localVault->list() as $k => $v) {
+                if (isset($secrets[$k])) {
+                    ++$skipped;
+                    unset($secrets[$k]);
+                }
+            }
+        }
+
+        if ($skipped > 0) {
+            $io->warning([
+                sprintf('%d secret%s already overridden in the local vault and will be skipped.', $skipped, 1 !== $skipped ? 's are' : ' is'),
+                'Use the --force flag to override these.',
+            ]);
+        }
+
+        foreach ($secrets as $k => $v) {
+            if (null === $v) {
+                $io->error($this->vault->getLastMessage());
+
+                return 1;
+            }
+
+            $this->localVault->seal($k, $v);
+            $io->note($this->localVault->getLastMessage());
+        }
+
+        return 0;
+    }
+}
@@ -0,0 +1,80 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Secret\Command;
+
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\ConsoleOutputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\Secret\AbstractVault;
+
+/**
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+final class SecretsEncryptFromLocalCommand extends Command
+{
+    protected static $defaultName = 'encrypt-from-local';
+
+    private $vault;
+    private $localVault;
+
+    public function __construct(AbstractVault $vault, AbstractVault $localVault = null)
+    {
+        $this->vault = $vault;
+        $this->localVault = $localVault;
+
+        parent::__construct();
+    }
+
+    protected function configure(): void
+    {
+        $this
+            ->setDescription('Encrypt all local secrets to the vault')
+            ->addOption('dir', 'd', InputOption::VALUE_REQUIRED, 'Target directory')
+            ->setHelp(<<<'EOF'
+The <info>%command.name%</info> command encrypts all locally overridden secrets to the vault.
+
+    <info>%command.full_name%</info>
+EOF
+            )
+        ;
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output);
+
+        if (null === $this->localVault) {
+            $io->error('The local vault is disabled.');
+
+            return 1;
+        }
+
+        foreach ($this->vault->list(true) as $name => $value) {
+            $localValue = $this->localVault->reveal($name);
+
+            if (null !== $localValue && $value !== $localValue) {
+                $this->vault->seal($name, $localValue);
+            } elseif (null !== $message = $this->localVault->getLastMessage()) {
+                $io->error($message);
+
+                return 1;
+            }
+        }
+
+        return 0;
+    }
+}
@@ -0,0 +1,126 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Symfony\Component\Secret\Command;
+
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\ConsoleOutputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\Secret\AbstractVault;
+
+/**
+ * @author Tobias Schultze <http://tobion.de>
+ * @author Jérémy Derussé <jeremy@derusse.com>
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+final class SecretsGenerateKeysCommand extends Command
+{
+    protected static $defaultName = 'generate-keys';
+
+    private $vault;
+    private $localVault;
+
+    public function __construct(AbstractVault $vault, AbstractVault $localVault = null)
+    {
+        $this->vault = $vault;
+        $this->localVault = $localVault;
+
+        parent::__construct();
+    }
+
+    protected function configure(): void
+    {
+        $this
+            ->setDescription('Generate new encryption keys')
+            ->addOption('local', 'l', InputOption::VALUE_NONE, 'Update the local vault.')
+            ->addOption('rotate', 'r', InputOption::VALUE_NONE, 'Re-encrypt existing secrets with the newly generated keys.')
+            ->addOption('dir', 'd', InputOption::VALUE_REQUIRED, 'Target directory')
+            ->setHelp(<<<'EOF'
+The <info>%command.name%</info> command generates a new encryption key.
+
+    <info>%command.full_name%</info>
+
+If encryption keys already exist, the command must be called with
+the <info>--rotate</info> option in order to override those keys and re-encrypt
+existing secrets.
+
+    <info>%command.full_name% --rotate</info>
+EOF
+            )
+        ;
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output);
+        $vault = $input->getOption('local') ? $this->localVault : $this->vault;
+
+        if (null === $vault) {
+            $io->success('The local vault is disabled.');
+
+            return 1;
+        }
+
+        if (!$input->getOption('rotate')) {
+            if ($vault->generateKeys()) {
+                $io->success($vault->getLastMessage());
+
+                if ($this->vault === $vault) {
+                    $io->caution('DO NOT COMMIT THE DECRYPTION KEY FOR THE PROD ENVIRONMENT⚠️');
+                }
+
+                return 0;
+            }
+
+            $io->warning($vault->getLastMessage());
+
+            return 1;
+        }
+
+        $secrets = [];
+        foreach ($vault->list(true) as $name => $value) {
+            if (null === $value) {
+                $io->error($vault->getLastMessage());
+
+                return 1;
+            }
+
+            $secrets[$name] = $value;
+        }
+
+        if (!$vault->generateKeys(true)) {
+            $io->warning($vault->getLastMessage());
+
+            return 1;
+        }
+
+        $io->success($vault->getLastMessage());
+
+        if ($secrets) {
+            foreach ($secrets as $name => $value) {
+                $vault->seal($name, $value);
+            }
+
+            $io->comment('Existing secrets have been rotated to the new keys.');
+        }
+
+        if ($this->vault === $vault) {
+            $io->caution('DO NOT COMMIT THE DECRYPTION KEY FOR THE PROD ENVIRONMENT⚠️');
+        }
+
+        return 0;
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+/vendor/`
	`2`	`+/phpunit.xml`
	`3`	`+.phpunit.result.cache`