bug #62078 [FrameworkBundle] Fix secrets:encrypt-from-local (nicolas-grekas)

nicolas-grekas · nicolas-grekas · commit 301e8c54003a · 2025-10-16T18:16:40.000+02:00
This PR was merged into the 6.4 branch. Discussion ---------- [FrameworkBundle] Fix secrets:encrypt-from-local | Q | A | ------------- | --- | Branch? | 6.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | - | License | MIT The config change fixes the "local-vault" not accounting for `APP_RUNTIME_ENV` The command change skips values not found in the local-vault, because why fail? this is just annoying... (encrypting from local shouldn't fail if not all variables are listed in the local vault. When this happens, we should just keep the existing value in the encrypted vault) Commits ------- df20e13 [FrameworkBundle] Fix secrets:encrypt-from-local
diff --git a/src/Symfony/Bundle/FrameworkBundle/Command/SecretsEncryptFromLocalCommand.php b/src/Symfony/Bundle/FrameworkBundle/Command/SecretsEncryptFromLocalCommand.php
@@ -61,14 +61,13 @@ protected function execute(InputInterface $input, OutputInterface $output): int
         }
 
         foreach ($this->vault->list(true) as $name => $value) {
-            $localValue = $this->localVault->reveal($name);
+            if (null === $localValue = $this->localVault->reveal($name)) {
+                continue;
+            }
 
-            if (null !== $localValue && $value !== $localValue) {
+            if ($value !== $localValue) {
                 $this->vault->seal($name, $localValue);
-            } elseif (null !== $message = $this->localVault->getLastMessage()) {
-                $io->error($message);
-
-                return 1;
+                $io->note($this->vault->getLastMessage());
             }
         }
 
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -204,7 +204,7 @@ private function addSecretsSection(ArrayNodeDefinition $rootNode): void
                     ->canBeDisabled()
                     ->children()
                         ->scalarNode('vault_directory')->defaultValue('%kernel.project_dir%/config/secrets/%kernel.runtime_environment%')->cannotBeEmpty()->end()
-                        ->scalarNode('local_dotenv_file')->defaultValue('%kernel.project_dir%/.env.%kernel.environment%.local')->end()
+                        ->scalarNode('local_dotenv_file')->defaultValue('%kernel.project_dir%/.env.%kernel.runtime_environment%.local')->end()
                         ->scalarNode('decryption_env_var')->defaultValue('base64:default::SYMFONY_DECRYPTION_SECRET')->end()
                     ->end()
                 ->end()
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/Command/SecretsEncryptFromLocalCommandTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/Command/SecretsEncryptFromLocalCommandTest.php
@@ -92,7 +92,7 @@ public function testDoesNotSealIfSameValue()
         $this->assertSame('same-value', $revealed);
     }
 
-    public function testFailsIfLocalSecretIsMissing()
+    public function testStillSucceedsIfLocalSecretIsMissing()
     {
         $vault = new SodiumVault($this->vaultDir);
         $vault->generateKeys();
@@ -105,7 +105,8 @@ public function testFailsIfLocalSecretIsMissing()
         $command = new SecretsEncryptFromLocalCommand($vault, $localVault);
         $tester = new CommandTester($command);
 
-        $this->assertSame(1, $tester->execute([]));
-        $this->assertStringContainsString('Secret "MISSING_IN_LOCAL" not found', $tester->getDisplay());
+        $this->assertSame(0, $tester->execute([]));
+        $revealed = $vault->reveal('MISSING_IN_LOCAL');
+        $this->assertSame('prod-only', $revealed);
     }
 }
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
@@ -856,7 +856,7 @@ class_exists(SemaphoreStore::class) && SemaphoreStore::isSupported() ? 'semaphor
             'secrets' => [
                 'enabled' => true,
                 'vault_directory' => '%kernel.project_dir%/config/secrets/%kernel.runtime_environment%',
-                'local_dotenv_file' => '%kernel.project_dir%/.env.%kernel.environment%.local',
+                'local_dotenv_file' => '%kernel.project_dir%/.env.%kernel.runtime_environment%.local',
                 'decryption_env_var' => 'base64:default::SYMFONY_DECRYPTION_SECRET',
             ],
             'http_cache' => [

Original file line number	Diff line number	Diff line change
`@@ -61,14 +61,13 @@ protected function execute(InputInterface $input, OutputInterface $output): int`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`foreach ($this->vault->list(true) as $name => $value) {`
`64`		`- $localValue = $this->localVault->reveal($name);`
	`64`	`+ if (null === $localValue = $this->localVault->reveal($name)) {`
	`65`	`+ continue;`
	`66`	`+ }`
`65`	`67`
`66`		`- if (null !== $localValue && $value !== $localValue) {`
	`68`	`+ if ($value !== $localValue) {`
`67`	`69`	`$this->vault->seal($name, $localValue);`
`68`		`- } elseif (null !== $message = $this->localVault->getLastMessage()) {`
`69`		`- $io->error($message);`
`70`		`-`
`71`		`- return 1;`
	`70`	`+ $io->note($this->vault->getLastMessage());`
`72`	`71`	`}`
`73`	`72`	`}`
`74`	`73`
Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ public function testDoesNotSealIfSameValue()`
`92`	`92`	`$this->assertSame('same-value', $revealed);`
`93`	`93`	`}`
`94`	`94`
`95`		`- public function testFailsIfLocalSecretIsMissing()`
	`95`	`+ public function testStillSucceedsIfLocalSecretIsMissing()`
`96`	`96`	`{`
`97`	`97`	`$vault = new SodiumVault($this->vaultDir);`
`98`	`98`	`$vault->generateKeys();`
`@@ -105,7 +105,8 @@ public function testFailsIfLocalSecretIsMissing()`
`105`	`105`	`$command = new SecretsEncryptFromLocalCommand($vault, $localVault);`
`106`	`106`	`$tester = new CommandTester($command);`
`107`	`107`
`108`		`- $this->assertSame(1, $tester->execute([]));`
`109`		`- $this->assertStringContainsString('Secret "MISSING_IN_LOCAL" not found', $tester->getDisplay());`
	`108`	`+ $this->assertSame(0, $tester->execute([]));`
	`109`	`+ $revealed = $vault->reveal('MISSING_IN_LOCAL');`
	`110`	`+ $this->assertSame('prod-only', $revealed);`
`110`	`111`	`}`
`111`	`112`	`}`