symfony
diff --git a/‎composer.json
Lines changed: 1 addition & 0 deletions b/‎composer.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bridge/Twig/Command/LintCommand.php
Lines changed: 2 additions & 12 deletions b/‎src/Symfony/Bridge/Twig/Command/LintCommand.php
Lines changed: 2 additions & 12 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Command/SecretsAddCommand.php
Lines changed: 0 additions & 70 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Command/SecretsAddCommand.php
Lines changed: 0 additions & 70 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Command/SecretsGenerateKeyCommand.php
Lines changed: 0 additions & 97 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Command/SecretsGenerateKeyCommand.php
Lines changed: 0 additions & 97 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Command/SecretsGenerateKeysCommand.php
Lines changed: 96 additions & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Command/SecretsGenerateKeysCommand.php
Lines changed: 96 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Command/SecretsListCommand.php
Lines changed: 16 additions & 24 deletions b/‎src/Symfony/Bundle/FrameworkBundle/Command/SecretsListCommand.php
Lines changed: 16 additions & 24 deletions
@@ -113,6 +113,7 @@
         "monolog/monolog": "^1.25.1",
         "nyholm/psr7": "^1.0",
         "ocramius/proxy-manager": "^2.1",
+        "paragonie/sodium_compat": "^1.8",
         "php-http/httplug": "^1.0|^2.0",
         "predis/predis": "~1.1",
         "psr/http-client": "^1.0",
 
@@ -81,15 +81,15 @@ protected function execute(InputInterface $input, OutputInterface $output)
         $showDeprecations = $input->getOption('show-deprecations');
 
         if (['-'] === $filenames) {
-            return $this->display($input, $output, $io, [$this->validate($this->getStdin(), uniqid('sf_', true))]);
+            return $this->display($input, $output, $io, [$this->validate(file_get_contents('php://stdin'), uniqid('sf_', true))]);
         }
 
         if (!$filenames) {
             // @deprecated to be removed in 5.0
             if (0 === ftell(STDIN)) {
                 @trigger_error('Piping content from STDIN to the "lint:twig" command without passing the dash symbol "-" as argument is deprecated since Symfony 4.4.', E_USER_DEPRECATED);
 
-                return $this->display($input, $output, $io, [$this->validate($this->getStdin(), uniqid('sf_', true))]);
+                return $this->display($input, $output, $io, [$this->validate(file_get_contents('php://stdin'), uniqid('sf_', true))]);
             }
 
             $loader = $this->twig->getLoader();
@@ -132,16 +132,6 @@ protected function execute(InputInterface $input, OutputInterface $output)
         return $this->display($input, $output, $io, $filesInfo);
     }
 
-    private function getStdin(): string
-    {
-        $template = '';
-        while (!feof(STDIN)) {
-            $template .= fread(STDIN, 1024);
-        }
-
-        return $template;
-    }
-
     private function getFilesInfo(array $filenames): array
     {
         $filesInfo = [];
 
@@ -17,7 +17,7 @@ CHANGELOG
  * Added new `error_controller` configuration to handle system exceptions
  * Added sort option for `translation:update` command.
  * [BC Break] The `framework.messenger.routing.senders` config key is not deep merged anymore.
- * Added secrets management.
+ * Added `secrets:*` commands and `%env(secret:...)%` processor to deal with secrets seamlessly.
 
 4.3.0
 -----
 
@@ -0,0 +1,96 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\FrameworkBundle\Command;
+
+use Symfony\Bundle\FrameworkBundle\Secrets\SodiumVault;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+
+/**
+ * @author Tobias Schultze <http://tobion.de>
+ * @author Jérémy Derussé <jeremy@derusse.com>
+ */
+final class SecretsGenerateKeysCommand extends Command
+{
+    protected static $defaultName = 'secrets:generate-keys';
+
+    private $vault;
+
+    public function __construct(SodiumVault $vault)
+    {
+        $this->vault = $vault;
+        parent::__construct();
+    }
+
+    protected function configure()
+    {
+        $this
+            ->setDefinition([
+                new InputOption('rotate', 'r', InputOption::VALUE_NONE, 'Re-encrypts existing secrets with the newly generated keys.'),
+            ])
+            ->setDescription('Generates new encryption keys.')
+            ->setHelp(<<<'EOF'
+The <info>%command.name%</info> command generates a new encryption key.
+
+    %command.full_name%
+
+If encryption keys already exist, the command must be called with
+the <info>--rotate</info> option in order to override those keys and re-encrypt
+exiting secrets.
+
+    %command.full_name% --rotate
+EOF
+            )
+        ;
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        if (!$input->getOption('rotate')) {
+            if ($this->vault->generateKeys()) {
+                $io->success('New keys have been generated.');
+                $io->caution('DO NOT COMMIT THE DECRYPTION KEY FOR THE PROD ENVIRONMENT⚠️');
+
+                return 0;
+            }
+
+            $io->error('Some keys already exist and won\'t be overridden.');
+
+            return 1;
+        }
+
+        $secrets = [];
+        foreach ($this->vault->list(true) as $name => $value) {
+            $secrets[$name] = $value;
+        }
+
+        $this->vault->generateKeys(true);
+        $io->success('New keys have been generated.');
+
+        if ($secrets) {
+            foreach ($secrets as $name => $value) {
+                $this->vault->seal($name, $value);
+            }
+
+            $io->success('Existing secrets have been rotated to the new keys.');
+        }
+
+        $io->caution('DO NOT COMMIT THE DECRYPTION KEY FOR THE PROD ENVIRONMENT⚠️');
+        return 0;
+    }
+}
@@ -11,8 +11,7 @@
 
 namespace Symfony\Bundle\FrameworkBundle\Command;
 
-use Symfony\Bundle\FrameworkBundle\Exception\EncryptionKeyNotFoundException;
-use Symfony\Bundle\FrameworkBundle\Secret\Storage\SecretStorageInterface;
+use Symfony\Bundle\FrameworkBundle\Secrets\SodiumVault;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
@@ -27,11 +26,11 @@ final class SecretsListCommand extends Command
 {
     protected static $defaultName = 'debug:secrets';
 
-    private $secretStorage;
+    private $vault;
 
-    public function __construct(SecretStorageInterface $secretStorage)
+    publi
F438
c function __construct(SodiumVault $vault)
     {
-        $this->secretStorage = $secretStorage;
+        $this->vault = $vault;
 
         parent::__construct();
     }
@@ -48,7 +47,7 @@ protected function configure()
 
     %command.full_name%
 
-When the the option <info>--reveal</info> is provided, the decrypted secrets are also displayed. 
+When the option <info>--reveal</info> is provided, the decrypted secrets are also displayed.
 
     %command.full_name% --reveal
 EOF
@@ -60,33 +59,26 @@ protected function configure()
             ->addOption('reveal', 'r', InputOption::VALUE_NONE, 'Display decrypted values alongside names');
     }
 
-    protected function execute(InputInterface $input, OutputInterface $output)
+    protected function execute(InputInterface $input, OutputInterface $output): int
     {
-        $reveal = $input->getOption('reveal');
         $io = new SymfonyStyle($input, $output);
 
-        try {
-            $secrets = $this->secretStorage->listSecrets($reveal);
-        } catch (EncryptionKeyNotFoundException $e) {
-            throw new \LogicException(sprintf('Unable to decrypt secrets, the encryption key "%s" is missing.', $e->getKeyLocation()));
+        if (!$reveal = $input->getOption('reveal')) {
+            $io->comment(sprintf('To reveal the secrets run <info>php %s %s --reveal</info>', $_SERVER['PHP_SELF'], $this->getName()));
         }
 
-        if ($reveal) {
-            $rows = [];
-            foreach ($secrets as $name => $value) {
-                $rows[] = [$name, $value];
-            }
-            $io->table(['name', 'secret'], $rows);
+        $secrets = $this->vault->list($reveal);
 
-            return;
+        $rows = [];
+        foreach ($secrets as $name => $value) {
+            $rows[] = [$name, $value ?? '********'];
         }
+        $io->table(['Name', 'Value'], $rows);
 
-        $rows = [];
-        foreach ($secrets as $name => $_) {
-            $rows[] = [$name];
+        if ($reveal && $secrets && null === $value) {
+            $io->comment('Secrets could not be revealed as not decryption key has been found.');
         }
 
-        $io->comment(sprintf('To reveal the values of the secrets use <info>php %s %s --reveal</info>', $_SERVER['PHP_SELF'], $this->getName()));
-        $io->table(['name'], $rows);
+        return 0;
     }
 }