Add the secret documentation

jderusse · jderusse · commit 526e6ec2864a · 2019-04-13T17:10:28.000+02:00
diff --git a/best_practices/configuration.rst b/best_practices/configuration.rst
@@ -44,6 +44,11 @@ to access to it, as long as the database is correctly configured.
 To override these variables with machine-specific or sensitive values, create a
 ``.env.local`` file. This file should not be added to version control.
 
+.. seealso::
+
+    You can also encrypt sensitive informations like passwords, tokens, api key,
+    secrets, etc... See :doc:`/configuration/secrets`.
+
 .. caution::
 
     Beware that dumping the contents of the ``$_SERVER`` and ``$_ENV`` variables
diff --git a/configuration.rst b/configuration.rst
@@ -36,6 +36,9 @@ instance, the framework bundle is configured in ``config/packages/framework.yaml
             php_errors:
                 log: true
 
+            # Enables secrets management
+            # secrets: true
+
     .. code-block:: xml
 
             <!-- config/packages/framework.xml -->
@@ -56,6 +59,8 @@ instance, the framework bundle is configured in ``config/packages/framework.yaml
                     <framework:session/>
 
                     <framework:php-errors log="true"/>
+
+                    <!--<framework:secrets/>-->
                 </framework:config>
             </container>
 
@@ -78,6 +83,7 @@ instance, the framework bundle is configured in ``config/packages/framework.yaml
             'php_errors' => [
                 'log' => true,
             ],
+            //'secrets' => true,
         ]);
 
 The top-level key (here ``framework``) references configuration for a specific
diff --git a/configuration/environments.rst b/configuration/environments.rst
@@ -361,4 +361,4 @@ includes the following:
 Going further
 -------------
 
-Read the article on :doc:`/configuration/environment_variables`.
+Read the article on :doc:`/configuration/environment_variables` and :doc:`/configuration/secrets`.
diff --git a/configuration/secrets.rst b/configuration/secrets.rst
@@ -0,0 +1,319 @@
+.. index::
+    single: Secrets
+
+How to Keep Sensitive Informations Secret
+=========================================
+
+In :doc:`/configuration` and :doc:`/configuration/environment_variables`, you
+learned how to manage your application configuration. In this article you'll
+learn how to easily anbd saftly configure your application with sensitive
+information such as credentials, passwords, tokens, api keys without exposing
+them.
+
+.. _secrets-configuration:
+
+Configuration
+-------------
+
+In order to use secrets you have to enable the feature in the framework's
+
+configuration:
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/framework.yaml
+        framework:
+            secrets:
+                # encrypted_secrets_dir: '%kernel.project_dir%/config/secrets/%kernel.environment%/'
+                # encryption_key: '%kernel.project_dir%/config/secrets/encryption_%kernel.environment%.key'
+
+    .. code-block:: xml
+
+            <!-- config/packages/framework.xml -->
+            <?xml version="1.0" encoding="UTF-8" ?>
+            <container xmlns="http://symfony.com/schema/dic/services"
+                xmlns:framework="http://symfony.com/schema/dic/framework"
+                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd
+                    http://symfony.com/schema/dic/framework https://symfony.com/schema/dic/framework/framework-1.0.xsd"
+            >
+                <framework:config secret="%env(APP_SECRET)%">
+                    <framework:secrets/>
+                </framework:config>
+            </container>
+
+    .. code-block:: php
+
+        // config/packages/framework.php
+        $container->loadFromExtension('framework', [
+            'secrets' => true,
+        ]);
+
+.. tip::
+
+    the ``encryption_key`` configuration parameter accept both a path to an
+    encription key or the content of the itself. It allows you, for instance,
+    to store the content of the key in an environement variable and refer it
+    with ``%env(PRIVATE_KEY)%``.
+
+.. _secrets-generate-key:
+
+Generate an Encryption Key
+--------------------------
+
+Before creating a new ``secret``, you need to create ann ``encryption key``.
+This can be done with the provided commande ``secrets:generate-key``.
+
+.. code-block:: terminal
+
+    $ APP_ENV=prod php bin/console secrets:generate-key
+
+This command will generate a new ``encryption key`` in.
+``%kernel.project_dir%/config/secrets/encryption_%kernel.environment%.key``
+
+.. note::
+
+    In order to use Symfony's built-in Secret storage, you will need the
+    `libsodium`_ PHP extension or use the `sodium_compat`_ package.
+
+Symfony generates a key with a symetrics algorithm, meaning that this key could
+be used to both encrypt **and** decrypt secrets. The number of people who
+possess this key should be as small as possible.
+
+.. caution::
+
+    This file is sensitive and **must not** be commited nor publicly shared. Every
+    developpers and CI don't need that key. If the encryption key have been
+    exposed (ex-employee leaving for instance)you should consider regenerating a
+    new one.
+
+.. _secrets-add:
+
+Create a Secret
+---------------
+
+Once the ``encryption key`` generated, you can add new secret with the command
+``secrets:add``. Symfony'll ask you to enter the text to encrypt and generate
+a new file contains the ciphered text in a file stored by default in the folder
+%kernel.project_dir%/config/secrets/%kernel.environment%/. This file should be
+commited allongside the other project's files.
+
+.. code-block:: terminal
+
+    $ APP_ENV=prod php bin/console secrets:add DATABASE_PASSWORD
+
+.. tip::
+
+    If the ``encryption key`` is compromized, you can regenerate a new key with
+    the command ``secrets:generate-key``. Symfony will decrypt the previous
+    secret with the old key, adn re-encrypt theme with the new one.
+
+.. _secrets-reference:
+
+Referencing Secrets in Configuration Files
+------------------------------------------
+
+You can reference those secrets in any configuration option enclosing their
+names using the ``secret`` :ref:`environment variable processors <env-var-processors>`.
+Their actual values will be resolved at runtime (once per request), so that
+container compilation and cache warmup don't need the ``encryption key``.
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/doctrine.yaml
+        doctrine:
+            dbal:
+                password: '%env(secret:DATABASE_PASSWORD)%'
+                # ...
+            # ...
+
+    .. code-block:: xml
+
+        <!-- config/packages/doctrine.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:doctrine="http://symfony.com/schema/dic/doctrine"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                https://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/doctrine
+                https://symfony.com/schema/dic/doctrine/doctrine-1.0.xsd">
+
+            <doctrine:config>
+                <doctrine:dbal
+                    password="%env(secret:DATABASE_PASSWORD)%"
+                />
+            </doctrine:config>
+
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/doctrine.php
+        $container->loadFromExtension('doctrine', [
+            'dbal' => [
+                'password' => '%env(secret:DATABASE_PASSWORD)%',
+            ]
+        ]);
+
+This bellow configuration requires that every environment use secrets. each
+environment would have it own ``encryption key`` and encŷpted secrets.
+
+You can also use parameters to configure diffrent strategy per environnement:
+By defining a default plaintext secret:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/doctrine.yaml
+        doctrine:
+            dbal:
+                password: '%database_password%'
+                # ...
+            # ...
+
+        parameters:
+            database_password: 'not a secret'
+
+    .. code-block:: xml
+
+        <!-- config/packages/doctrine.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:doctrine="http://symfony.com/schema/dic/doctrine"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                https://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/doctrine
+                https://symfony.com/schema/dic/doctrine/doctrine-1.0.xsd">
+
+            <doctrine:config>
+                <doctrine:dbal
+                    password="%env(secret:DATABASE_PASSWORD)%"
+                />
+            </doctrine:config>
+
+            <parameters>
+                <parameter key="database_password">not a secret</parameter>
+            </parameters>
+
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/doctrine.php
+        $container->loadFromExtension('doctrine', [
+            'dbal' => [
+                'password' => '%env(secret:DATABASE_PASSWORD)%',
+            ]
+        ]);
+        $container->setParameter('database_password', 'not a secret');
+
+Then overriding it in production environement:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/prod/doctrine.yaml
+        parameters:
+            database_password: '%env(secret:DATABASE_PASSWORD)'
+
+    .. code-block:: xml
+
+        <!-- config/packages/prod/doctrine.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:doctrine="http://symfony.com/schema/dic/doctrine"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                https://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/doctrine
+                https://symfony.com/schema/dic/doctrine/doctrine-1.0.xsd">
+
+            <parameters>
+                <parameter key="database_password">%env(secret:DATABASE_PASSWORD)</parameter>
+            </parameters>
+
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/prod/doctrine.php
+        $container->setParameter('database_password', '%env(secret:DATABASE_PASSWORD)');
+
+.. _secrets-list:
+
+List existing secrets
+---------------------
+
+Every body is allowed to list the secret's name with the command ``secrets:list``.
+If you have the ``encryption key`` you can also reveal the plain text value by
+passing the optoin ``--reveal`` to the command
+
+.. code-block:: terminal
+
+    $ APP_ENV=prod php bin/console secrets:list --reveal
+
+     ------------------- ------------------
+      key                 plaintext secret
+     ------------------- ------------------
+      DATABASE_PASSWORD   my-secret
+     ------------------- ------------------
+
+.. _secrets-deploy
+
+Deploy secret to production
+---------------------------
+
+As the ``encryption key`` is not commited, during development, you'll have to
+manualy deploy the key (once for a will) at the path referenced in the
+``encryption_key`` configuration key. Default is ``%kernel.project_dir%/config/secrets/%kernel.environment%``.
+
+.. _secrets-custom-storage
+
+Custom Secret Storage
+~~~~~~~~~~~~~~~~~~~~~
+
+It's also possible to add your own secret storage. First create a class that
+implements
+:class:`Symfony\\Bundle\\FrameworkBundle\\Secret\\SecretStorageInterface`::
+
+    use Symfony\Bundle\FrameworkBundle\Secret\SecretStorageInterface;
+
+    class EnvSecretStorage implements SecretStorageInterface
+    {
+        private $fallback;
+        public function __construct(SecretStorageInterface $fallback)
+        {
+            $this->fallback = $fallback;
+        }
+
+        public function getSecret(string $name): string;
+        {
+            if (!isset($_ENV[$name])) {
+                return $this->fallback->getSecrets($name);
+            }
+
+            return $_ENV[$name];
+        }
+
+        public static function listSecrets(bool $reveal = false): iterable
+        {
+            foreach ($_ENV as $name => $value) {
+                yield $name => $reveal ? $value : null;
+            }
+            yield from $this->fallback->listSecrets($reveal);
+        }
+    }
+
+To enable the new processor in the app, decorates the ``Symfony\\Bundle\\FrameworkBundle\\Secret\\SecretStorageInterface``
+service.
+
+
+.. _`libsodium`: https://pecl.php.net/package/libsodium
+.. _`sodium_compat`: https://packagist.org/packages/paragonie/sodium_compat
diff --git a/doctrine/pdo_session_storage.rst b/doctrine/pdo_session_storage.rst
@@ -70,7 +70,8 @@ To use it, first register a new handler service:
 
     Configure the database credentials
     :doc:`using environment variables in the config file </configuration/environment_variables>`
-    to make your application more secure.
+    or :doc:`using secrets in the config file </configuration/secrets>`to make
+    your application more secure.
 
 Next, tell Symfony to use your service as the session handler:
 
