feat: only encrypt secrets

Intermax-Cloudsourcing · Jan 5, 2024 · e862b63 · e862b63
1 parent d02680d
commit e862b63
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 11 deletions.
diff --git a/src/Console/EnvironmentDecryptCommand.php b/src/Console/EnvironmentDecryptCommand.php
@@ -5,6 +5,7 @@
 namespace Intermax\Veil\Console;
 
 use Exception;
+use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Encryption\Encrypter;
 use Illuminate\Foundation\Console\EnvironmentDecryptCommand as BaseDecryptCommand;
 use Illuminate\Support\Env;
@@ -96,8 +97,17 @@ protected function decryptValues(string $contents, Encrypter $encrypter): string
             return $line->before('=')
                 ->append('=')
                 ->append(
-                    $line->after('=')
-                        ->pipe(fn (Stringable $value) => $encrypter->decrypt($value->toString()))
+                    $line->after('=')->pipe(function (Stringable $value) use ($encrypter) {
+                        try {
+                            return $encrypter->decrypt($value->toString());
+                        } catch (DecryptException $e) {
+                            if ($e->getMessage() == 'The payload is invalid.') {
+                                return $value->toString();
+                            }
+
+                            throw $e;
+                        }
+                    })
                 );
         })->toArray());
     }

diff --git a/src/Console/EnvironmentEncryptCommand.php b/src/Console/EnvironmentEncryptCommand.php
@@ -17,7 +17,8 @@ class EnvironmentEncryptCommand extends BaseEncryptCommand
                     {--cipher= : The encryption cipher}
                     {--env= : The environment to be encrypted}
                     {--force : Overwrite the existing encrypted environment file}
-                    {--only-values : Encrypt only the values to keep the file readable}';
+                    {--only-values : Encrypt only the values to keep the file readable}
+                    {--only=**_KEY,*_SECRET,*_PASSWORD : Encrypt only variables that match provided comma-separated patterns, by default values with *_KEY, *_SECRET and *_PASSWORD will be encrypted}';
 
     public function handle()
     {
@@ -76,13 +77,20 @@ public function handle()
 
     protected function encryptValues(string $contents, Encrypter $encrypter): string
     {
-        return implode(PHP_EOL, collect(explode(PHP_EOL, $contents))->map(function (string $line) use ($encrypter) {
+        /** @var array<int, string> $only */
+        $only = $this->option('only');
+
+        return implode(PHP_EOL, collect(explode(PHP_EOL, $contents))->map(function (string $line) use ($encrypter, $only) {
             $line = Str::of($line);
 
             if (! $line->contains('=')) {
                 return $line;
             }
 
+            if ($only !== null && ! $line->before('=')->is($only)) {
+                return $line;
+            }
+
             return $line->before('=')
                 ->append('=')
                 ->append(

diff --git a/tests/Integration/EnvironmentDecryptCommandTest.php b/tests/Integration/EnvironmentDecryptCommandTest.php
@@ -14,21 +14,23 @@
     File::swap($this->filesystem);
 });
 
-it('decrypts an encrypted environment where only values are encrypted', function () {
+it('decrypts an encrypted environment where only secrets are encrypted', function () {
     $contents = <<<'Text'
         APP_NAME=Laravel
         APP_ENV=local
         APP_DEBUG=true
         APP_URL=http://localhost
+        APP_KEY=1234
         Text;
 
     $encrypter = new Encrypter('abcdefghijklmnopabcdefghijklmnop', 'AES-256-CBC');
 
     $encryptedContents = <<<TEXT
-        APP_NAME={$encrypter->encrypt('Laravel')}
-        APP_ENV={$encrypter->encrypt('local')}
-        APP_DEBUG={$encrypter->encrypt('true')}
-        APP_URL={$encrypter->encrypt('http://localhost')}
+        APP_NAME=Laravel
+        APP_ENV=local
+        APP_DEBUG=true
+        APP_URL=http://localhost
+        APP_KEY={$encrypter->encrypt('1234')}
         TEXT;
 
     $this->filesystem->shouldReceive('exists')

diff --git a/tests/Integration/EnvironmentEncryptCommandTest.php b/tests/Integration/EnvironmentEncryptCommandTest.php
@@ -5,6 +5,7 @@
 use Illuminate\Encryption\Encrypter;
 use Illuminate\Filesystem\Filesystem;
 use Illuminate\Support\Facades\File;
+use Illuminate\Support\Str;
 use Mockery as m;
 
 beforeEach(function () {
@@ -16,8 +17,9 @@
     File::swap($this->filesystem);
 });
 
-it('encrypts the values of an environment', function () {
+it('encrypts the secrets of an environment', function () {
     $contents = <<<'Text'
+        APP_KEY=1234
         APP_NAME=Laravel
         APP_ENV=local
         APP_DEBUG=true
@@ -40,8 +42,11 @@
             $this->assertStringContainsString('APP_ENV', $contents);
             $this->assertStringContainsString('APP_DEBUG', $contents);
             $this->assertStringContainsString('APP_URL', $contents);
+            $this->assertStringContainsString('APP_KEY', $contents);
 
-            $this->assertEquals('Laravel', $encrypter->decrypt(Str::betweenFirst($contents, '=', "\n")));
+            $this->assertEquals('1234', $encrypter->decrypt(Str::betweenFirst($contents, '=', "\n")));
+
+            $this->assertEquals('http://localhost', Str::afterLast($contents, '='));
 
             return true;
         })->andReturn(true);