Merge branch '4.4'

* 4.4:
  [DI] fix locators with numeric keys
  Add support for NO_COLOR env var
  [DI][FrameworkBundle] add EnvVarLoaderInterface - remove SecretEnvVarProcessor
  Fix error when we use VO for the marking property
  [DI] Remove LazyString from 4.4, before adding back to the String component

Author: nicolas-grekas

DependencyInjection/FrameworkExtension.php

@@ -48,6 +48,7 @@
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\DependencyInjection\Definition;
+use Symfony\Component\DependencyInjection\EnvVarLoaderInterface;
 use Symfony\Component\DependencyInjection\EnvVarProcessorInterface;
 use Symfony\Component\DependencyInjection\Exception\InvalidArgumentException;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
@@ -378,6 +379,8 @@ public function load(array $configs, ContainerBuilder $container)
             ->addTag('console.command');
         $container->registerForAutoconfiguration(ResourceCheckerInterface::class)
             ->addTag('config_cache.resource_checker');
+        $container->registerForAutoconfiguration(EnvVarLoaderInterface::class)
+            ->addTag('container.env_var_loader');
         $container->registerForAutoconfiguration(EnvVarProcessorInterface::class)
             ->addTag('container.env_var_processor');
         $container->registerForAutoconfiguration(ServiceLocator::class)
@@ -1348,9 +1351,13 @@ private function registerSecretsConfiguration(array $config, ContainerBuilder $c
         }
 
         if ($config['decryption_env_var']) {
-            $container->getDefinition('secrets.decryption_key')->replaceArgument(1, $config['decryption_env_var']);
+            if (!preg_match('/^(?:\w*+:)*+\w++$/', $config['decryption_env_var'])) {
+                throw new InvalidArgumentException(sprintf('Invalid value "%s" set as "decryption_env_var": only "word" characters are allowed.', $config['decryption_env_var']));
+            }
+
+            $container->getDefinition('secrets.vault')->replaceArgument(1, "%env({$config['decryption_env_var']})%");
         } else {
-            $container->removeDefinition('secrets.decryption_key');
+            $container->getDefinition('secrets.vault')->replaceArgument(1, null);
         }
     }
 

Resources/config/secrets.xml

@@ -6,36 +6,13 @@
 
     <services>
         <service id="secrets.vault" class="Symfony\Bundle\FrameworkBundle\Secrets\SodiumVault">
+            <tag name="container.env_var_loader" />
             <argument>%kernel.project_dir%/config/secrets/%kernel.environment%</argument>
-            <argument type="service" id="secrets.decryption_key" on-invalid="ignore" />
-        </service>
-
-        <!--
-            LazyString::fromCallable() is used as a wrapper to lazily read the SYMFONY_DECRYPTION_SECRET var from the env.
-            By overriding this service and using the same strategy, the decryption key can be fetched lazily from any other service if needed.
-        -->
-        <service id="secrets.decryption_key" class="Symfony\Component\DependencyInjection\LazyString">
-            <factory class="Symfony\Component\DependencyInjection\LazyString" method="fromCallable" />
-            <argument type="service">
-                <service class="Closure">
-                    <factory class="Closure" method="fromCallable" />
-                    <argument type="collection">
-                        <argument type="service" id="service_container" />
-                        <argument>getEnv</argument>
-                    </argument>
-                </service>
-            </argument>
-            <argument>base64:default::SYMFONY_DECRYPTION_SECRET</argument>
+            <argument>%env(base64:default::SYMFONY_DECRYPTION_SECRET)%</argument>
         </service>
 
         <service id="secrets.local_vault" class="Symfony\Bundle\FrameworkBundle\Secrets\DotenvVault">
             <argument>%kernel.project_dir%/.env.local</argument>
         </service>
-
-        <service id="secrets.env_var_processor" class="Symfony\Bundle\FrameworkBundle\Secrets\SecretEnvVarProcessor">
-            <argument type="service" id="secrets.vault" />
-            <argument type="service" id="secrets.local_vault" on-invalid="ignore" />
-            <tag name="container.env_var_processor" />
-        </service>
     </services>
 </container>

Resources/config/services.xml

@@ -117,6 +117,12 @@
             <tag name="kernel.event_subscriber" />
         </service>
 
+        <service id="container.env_var_processor" class="Symfony\Component\DependencyInjection\EnvVarProcessor">
+            <tag name="container.env_var_processor" />
+            <argument type="service" id="service_container" />
+            <argument type="tagged_iterator" tag="container.env_var_loader" />
+        </service>
+
         <service id="slugger" class="Symfony\Component\String\Slugger\AsciiSlugger">
             <argument>%kernel.default_locale%</argument>
             <tag name="kernel.locale_aware" />

Secrets/DotenvVault.php

@@ -54,7 +54,7 @@ public function reveal(string $name): ?string
     {
         $this->lastMessage = null;
         $this->validateName($name);
-        $v = \is_string($_SERVER[$name] ?? null) ? $_SERVER[$name] : ($_ENV[$name] ?? null);
+        $v = \is_string($_SERVER[$name] ?? null) && 0 !== strpos($name, 'HTTP_') ? $_SERVER[$name] : ($_ENV[$name] ?? null);
 
         if (null === $v) {
             $this->lastMessage = sprintf('Secret "%s" not found in "%s".', $name, $this->getPrettyPath($this->dotenvFile));

Secrets/SecretEnvVarProcessor.php

@@ -11,14 +11,16 @@
 
 namespace Symfony\Bundle\FrameworkBundle\Secrets;
 
+use Symfony\Component\DependencyInjection\EnvVarLoaderInterface;
+
 /**
  * @author Tobias Schultze <http://tobion.de>
  * @author Jérémy Derussé <jeremy@derusse.com>
  * @author Nicolas Grekas <p@tchwork.com>
  *
  * @internal
  */
-class SodiumVault extends AbstractVault
+class SodiumVault extends AbstractVault implements EnvVarLoaderInterface
 {
     private $encryptionKey;
     private $decryptionKey;
@@ -56,8 +58,8 @@ public function generateKeys(bool $override = false): bool
             // ignore failures to load keys
         }
 
-        if ('' !== $this->decryptionKey && !file_exists($this->pathPrefix.'sodium.encrypt.public')) {
-            $this->export('sodium.encrypt.public', $this->encryptionKey);
+        if ('' !== $this->decryptionKey && !file_exists($this->pathPrefix.'encrypt.public.php')) {
+            $this->export('encrypt.public', $this->encryptionKey);
         }
 
         if (!$override && null !== $this->encryptionKey) {
@@ -69,10 +71,10 @@ public function generateKeys(bool $override = false): bool
         $this->decryptionKey = sodium_crypto_box_keypair();
         $this->encryptionKey = sodium_crypto_box_publickey($this->decryptionKey);
 
-        $this->export('sodium.encrypt.public', $this->encryptionKey);
-        $this->export('sodium.decrypt.private', $this->decryptionKey);
+        $this->export('encrypt.public', $this->encryptionKey);
+        $this->export('decrypt.private', $this->decryptionKey);
 
-        $this->lastMessage = sprintf('Sodium keys have been generated at "%s*.{public,private}".', $this->getPrettyPath($this->pathPrefix));
+        $this->lastMessage = sprintf('Sodium keys have been generated at "%s*.public/private.php".', $this->getPrettyPath($this->pathPrefix));
 
         return true;
     }
@@ -82,12 +84,12 @@ public function seal(string $name, string $value): void
         $this->lastMessage = null;
         $this->validateName($name);
         $this->loadKeys();
-        $this->export($name.'.'.substr_replace(md5($name), '.sodium', -26), sodium_crypto_box_seal($value, $this->encryptionKey ?? sodium_crypto_box_publickey($this->decryptionKey)));
+        $this->export($name.'.'.substr(md5($name), 0, 6), sodium_crypto_box_seal($value, $this->encryptionKey ?? sodium_crypto_box_publickey($this->decryptionKey)));
 
         $list = $this->list();
         $list[$name] = null;
         uksort($list, 'strnatcmp');
-        file_put_contents($this->pathPrefix.'sodium.list', sprintf("<?php\n\nreturn %s;\n", var_export($list, true), LOCK_EX));
+        file_put_contents($this->pathPrefix.'list.php', sprintf("<?php\n\nreturn %s;\n", var_export($list, true), LOCK_EX));
 
         $this->lastMessage = sprintf('Secret "%s" encrypted in "%s"; you can commit it.', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));
     }
@@ -97,7 +99,7 @@ public function reveal(string $name): ?string
         $this->lastMessage = null;
         $this->validateName($name);
 
-        if (!file_exists($file = $this->pathPrefix.$name.'.'.substr_replace(md5($name), '.sodium', -26))) {
+        if (!file_exists($file = $this->pathPrefix.$name.'.'.substr_replace(md5($name), '.php', -26))) {
             $this->lastMessage = sprintf('Secret "%s" not found in "%s".', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));
 
             return null;
@@ -131,15 +133,15 @@ public function remove(string $name): bool
         $this->lastMessage = null;
         $this->validateName($name);
 
-        if (!file_exists($file = $this->pathPrefix.$name.'.'.substr_replace(md5($name), '.sodium', -26))) {
+        if (!file_exists($file = $this->pathPrefix.$name.'.'.substr_replace(md5($name), '.php', -26))) {
             $this->lastMessage = sprintf('Secret "%s" not found in "%s".', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));
 
             return false;
         }
 
         $list = $this->list();
         unset($list[$name]);
-        file_put_contents($this->pathPrefix.'sodium.list', sprintf("<?php\n\nreturn %s;\n", var_export($list, true), LOCK_EX));
+        file_put_contents($this->pathPrefix.'list.php', sprintf("<?php\n\nreturn %s;\n", var_export($list, true), LOCK_EX));
 
         $this->lastMessage = sprintf('Secret "%s" removed from "%s".', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));
 
@@ -150,7 +152,7 @@ public function list(bool $reveal = false): array
     {
         $this->lastMessage = null;
 
-        if (!file_exists($file = $this->pathPrefix.'sodium.list')) {
+        if (!file_exists($file = $this->pathPrefix.'list.php')) {
             return [];
         }
 
@@ -167,6 +169,11 @@ public function list(bool $reveal = false): array
         return $secrets;
     }
 
+    public function loadEnvVars(): array
+    {
+        return $this->list(true);
+    }
+
     private function loadKeys(): void
     {
         if (!\function_exists('sodium_crypto_box_seal')) {
@@ -177,12 +184,12 @@ private function loadKeys(): void
             return;
         }
 
-        if (file_exists($this->pathPrefix.'sodium.decrypt.private')) {
-            $this->decryptionKey = (string) include $this->pathPrefix.'sodium.decrypt.private';
+        if (file_exists($this->pathPrefix.'decrypt.private.php')) {
+            $this->decryptionKey = (string) include $this->pathPrefix.'decrypt.private.php';
         }
 
-        if (file_exists($this->pathPrefix.'sodium.encrypt.public')) {
-            $this->encryptionKey = (string) include $this->pathPrefix.'sodium.encrypt.public';
+        if (file_exists($this->pathPrefix.'encrypt.public.php')) {
+            $this->encryptionKey = (string) include $this->pathPrefix.'encrypt.public.php';
         } elseif ('' !== $this->decryptionKey) {
             $this->encryptionKey = sodium_crypto_box_publickey($this->decryptionKey);
         } else {
@@ -196,7 +203,7 @@ private function export(string $file, string $data): void
         $data = str_replace('%', '\x', rawurlencode($data));
         $data = sprintf("<?php // %s on %s\n\nreturn \"%s\";\n", $name, date('r'), $data);
 
-        if (false === file_put_contents($this->pathPrefix.$file, $data, LOCK_EX)) {
+        if (false === file_put_contents($this->pathPrefix.$file.'.php', $data, LOCK_EX)) {
             $e = error_get_last();
             throw new \ErrorException($e['message'] ?? 'Failed to write secrets data.', 0, $e['type'] ?? E_USER_WARNING);
         }

Secrets/SodiumVault.php

@@ -34,7 +34,7 @@
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\Loader\ClosureLoader;
-use Symfony\Component\DependencyInjection\ParameterBag\ParameterBag;
+use Symfony\Component\DependencyInjection\ParameterBag\EnvPlaceholderParameterBag;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpClient\ScopingHttpClient;
@@ -1202,20 +1202,6 @@ public function testCacheDefaultRedisProvider()
         $this->assertSame($redisUrl, $url);
     }
 
-    public function testCacheDefaultRedisProviderWithEnvVar()
-    {
-        $container = $this->createContainerFromFile('cache_env_var');
-
-        $redisUrl = 'redis://paas.com';
-        $providerId = '.cache_connection.'.ContainerBuilder::hash($redisUrl);
-
-        $this->assertTrue($container->hasDefinition($providerId));
-
-        $url = $container->getDefinition($providerId)->getArgument(0);
-
-        $this->assertSame($redisUrl, $url);
-    }
-
     public function testCachePoolServices()
     {
         $container = $this->createContainerFromFile('cache', [], true, false);
@@ -1383,7 +1369,7 @@ public function testMailer(): void
 
     protected function createContainer(array $data = [])
     {
-        return new ContainerBuilder(new ParameterBag(array_merge([
+        return new ContainerBuilder(new EnvPlaceholderParameterBag(array_merge([
             'kernel.bundles' => ['FrameworkBundle' => 'Symfony\\Bundle\\FrameworkBundle\\FrameworkBundle'],
             'kernel.bundles_metadata' => ['FrameworkBundle' => ['namespace' => 'Symfony\\Bundle\\FrameworkBundle', 'path' => __DIR__.'/../..']],
             'kernel.cache_dir' => __DIR__,

Tests/DependencyInjection/Fixtures/php/cache_env_var.php

@@ -26,19 +26,19 @@ public function testGenerateKeys()
         $vault = new SodiumVault($this->secretsDir);
 
         $this->assertTrue($vault->generateKeys());
-        $this->assertFileExists($this->secretsDir.'/test.sodium.encrypt.public');
-        $this->assertFileExists($this->secretsDir.'/test.sodium.decrypt.private');
+        $this->assertFileExists($this->secretsDir.'/test.encrypt.public.php');
+        $this->assertFileExists($this->secretsDir.'/test.decrypt.private.php');
 
-        $encKey = file_get_contents($this->secretsDir.'/test.sodium.encrypt.public');
-        $decKey = file_get_contents($this->secretsDir.'/test.sodium.decrypt.private');
+        $encKey = file_get_contents($this->secretsDir.'/test.encrypt.public.php');
+        $decKey = file_get_contents($this->secretsDir.'/test.decrypt.private.php');
 
         $this->assertFalse($vault->generateKeys());
-        $this->assertStringEqualsFile($this->secretsDir.'/test.sodium.encrypt.public', $encKey);
-        $this->assertStringEqualsFile($this->secretsDir.'/test.sodium.decrypt.private', $decKey);
+        $this->assertStringEqualsFile($this->secretsDir.'/test.encrypt.public.php', $encKey);
+        $this->assertStringEqualsFile($this->secretsDir.'/test.decrypt.private.php', $decKey);
 
         $this->assertTrue($vault->generateKeys(true));
-        $this->assertStringNotEqualsFile($this->secretsDir.'/test.sodium.encrypt.public', $encKey);
-        $this->assertStringNotEqualsFile($this->secretsDir.'/test.sodium.decrypt.private', $decKey);
+        $this->assertStringNotEqualsFile($this->secretsDir.'/test.encrypt.public.php', $encKey);
+        $this->assertStringNotEqualsFile($this->secretsDir.'/test.decrypt.private.php', $decKey);
     }
 
     public function testEncryptAndDecrypt()