Chapters

29 Chapters | 3:14:24 |

01

Flex, Versioning & extra.symfony.require

8:32
02

Managing Flex, extra.symfony.require & Version Constraints

5:02
03

Upgrading to Symfony 4.4

5:46
04

Selectively Committing Recipe Updates

4:35
05

Upgrading Recipes: New Commands!

6:36
06

Recipe Upgrade: symfony/console & bootstrap.php

8:24
07

Upgrading the FrameworkBundle Recipe (Part 1)

6:17
08

FrameworkBundle Recipe Part 2: The Kernel Class

8:37
09

Updating the TwigBundle Recipe

7:35
10

Updating the Mailer Recipe(s)

4:39
11

phpunit-bridge & routing Recipes

6:17
12

Updating security, translation & validator Recipes

5:08
13

Updating the webpack-encore-bundle Recipe

6:05
14

Fixing the First Deprecations

6:14
15

Upgrading KnpPaginatorBundle & PHP Platform Version

7:18
16

Upgrading/Migrating from StofDoctrineExtensions

4:50
17

Upgrading to DoctrineBundle 2.0

6:50
18

DoctrineBundle Updates & Recipe Upgrade

11:22
19

Fixing our Deprecations: Form, Controller & Mailer

7:34
20

Hunting the Final Deprecations

5:06
21

Upgrading to Symfony 5.0

9:10
22

Secrets Management Setup

9:35
23

Production Secrets

7:10
24

Overriding Secrets Locally (Local Vault)

4:04
25

Prod Vault Optimization & Vault for Tests

4:53
26

Validation Auto-Mapping

8:49
27

Migrate Password Hashing

9:46
28

PHP 7.4 preload

3:00
29

Is your Container Running? Catch It! lint:container

5:10

> Symfony 5 > Upgrading & What's New in Symfony 5!

Buy Access to Course

25.

Prod Vault Optimization & Vault for Tests

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $10.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

Now that we know that environment variables override secrets, we can use that to our advantage in two ways.

Dumping Secrets on Deploy: secrets:decrypt-to-local

The first thing is that, during deployment, we can dump our production secrets into a local file. Check it out. Run:

php bin/console secrets:decrypt-to-local --force --env=prod

And... no output. Lame! SO lame that, in Symfony 5.1, this command will have output - that pull request was already merged.

Anyways, this just created a new .env.prod.local file... which contains all our prod secrets... which is just one right now. This means that, when we're in the prod environment, it will read from this file and will never read secrets from the vault.

Why... is that interesting? Um, good question. Two reasons. First, while deploying, you can add the decrypt key file, run this command, then delete the key file. The private key file then does not need to live on your production server at all. That's one less thing that could be exposed if someone got access to your servers.

And second, this will give you a minor performance boost because the secrets don't need to be decrypted at runtime.

Now, you might be thinking:

Ryan! You crazy man, you've got the brains of a watering can! We went to all this trouble to encrypt our secrets, and now you want me to store them in plain text on production? Are you mad?

I never get mad! The truth is, your sensitive values are never fully safe on production: there is always some way - called an "attack vector" - to get them. If someone gets access to the files on your server, then they would already have your encrypted values and the private key to decrypt them. Storing the secrets in plain text but removing the decrypt key from production is really the same thing from a security standpoint.

The point is: there's no security difference. Let's delete the .env.prod.local file, because we don't need it right now.

Secrets for the test Environment

The other interesting thing that we can do now that we understand that environment variables override secrets is related to the test environment. Because... our test environment is totally broken.

Think about it: in the test environment, there is no vault! And so there is no MAILER_DSN secret. Do we also need a test vault? Nah. There's a simpler solution.

First, let's run our tests to see what's going on:

php bin/phpunit

Ignore the deprecation warnings. Woh! Huge error. If you look closely... yep:

Environment variable not found: "MAILER_DSN"

New in 4.4: Easier HTML Errors in Tests

By the way, trying to find the error message inside the HTML in a test... sucks. But it's easier in Symfony 4.4 because Symfony dumps the error as a comment on the top of the HTML. It also.... yep! Puts that same comment at the bottom. So actually... I didn't need to scroll so far up.

Secrets in the Test Environment

So we do need to specify a MAILER_DSN secret to use in the test environment. But for simplicity, instead of making another vault, let's just add it to .env.test. I'll copy my old null transport value from .env, and put it into .env.test:

8 lines | .env.test

Show Lines	// ... lines 1 - 6
	MAILER_DSN=null://null

Done! So really, when you need to add a new secret, you need to add it to your dev vault, prod vault and .env.test.

Let's try the tests again:

php bin/phpunit

Much better! So... that's it for the secrets system! Pretty freakin' cool! Let's clean up our debugging code... nobody likes data being dumped on production. I'll remove the bind:

            
Copy Code

Show All Lines

                        51 lines
            |
            config/services.yaml
        
Show Lines

                                                    // ... lines 1 - 11
                            
            services:
        
                # default configuration for services in *this* file
        
                _defaults:
        
Show Lines

                                                    // ... lines 15 - 18
                            
                    bind:
        
Show Lines

                                                    // ... lines 20 - 24
                            
                        $mailerDsn: '%env(MAILER_DSN)%'
        
Show Lines

                                                    // ... lines 26 - 51

then go to ArticleController and take out the $mailerDsn stuff there:

            
Copy Code

Show All Lines

                        66 lines
            |
            src/Controller/ArticleController.php
        
Show Lines

                                                    // ... lines 1 - 13
                            
            class ArticleController extends AbstractController
        
            {
        
Show Lines

                                                    // ... lines 16 - 28
                            
                public function homepage(ArticleRepository $repository, $mailerDsn)
        
                {
        
                    dump($mailerDsn);die;
        
Show Lines

                                                    // ... lines 32 - 36
                            
                }
        
Show Lines

                                                    // ... lines 38 - 64
                            
            }

Next, let's talk about a really cool new feature called "validation auto mapping". It's a wicked-smart feature that automatically adds validation constraints based on your Doctrine metadata and also based on the way that your PHP code is written in your class.

4 Comments

Sort By

Florian 5 months ago

Hey,
i have another Question, hoping you can help me out here.

I am trying to understand the benefit of using secrets on a security level. (understood the logistic and organizational benefits).
Am i right:

The "first" way to access the vault would be storing the base64 encoded decryption key generated locally to a env variable?
-> So everytime a variable for example %env(DEFUSE_SECRET)% would be accessed, symfony would use the stored decryption key in ENV file to decrypt the secret in the vault?
-> As result of that there is a huge lack of performance in big projects - so the suggestion is: Changing the deployment pipeline to deploy the decryption key -> decrypt the secrets to a env file on the prod server -> deleting the decryption key.. Besides: What is the point of deleting the decryption key ?

So in general: What is the point of using secrets and vault if there is no solutions for storing secrets in a safe way?
-> is there a way to store secrets in a safe way? Like External Authentication methods or something like that?

Besides that: Has someone really had huge performance issues ?

Thanks for answering :) and thanks for the great content!!

| Reply |

weaverryan SFCASTS Florian 4 months ago

Hey @Florian!

Sorry for the VERY VERY slow reply - super busy time of year! Let me do my best to reply :).

So in general: What is the point of using secrets and vault if there is no solutions for storing secrets in a safe way?
-> is there a way to store secrets in a safe way? Like External Authentication methods or something like that?

The tricky thing about secrets is that you can hide/encrypt all of them... but eventually, your application is going to need access to at least ONE key to "unlock" them. So using something like a vault allows you to minimize the number of secrets that you need to manually worry about from "many" (i.e. trying to handle all of your secret stuff individually) down to just one thing. But yea, it's still ONE thing you need to worry about. But yes, there may be some services that work around this on an infrastructure level - by deploying your decrypted secrets to your server for you in a way where only your server can access them. For example, in platform.sh, you can store secrets directly in their system (e.g. you could literally go to their web gui and "add a new secret"). These are then made available to you unencrypted in your final, deployed environment.

The "first" way to access the vault would be storing the base64 encoded decryption key generated locally to a env variable?

Yup!

-> So everytime a variable for example %env(DEFUSE_SECRET)% would be accessed, symfony would use the stored decryption key in ENV file to decrypt the secret in the vault?

Right again

-> As result of that there is a huge lack of performance in big projects - so the suggestion is: Changing the deployment pipeline to deploy the decryption key -> decrypt the secrets to a env file on the prod server -> deleting the decryption key..

I'm not sure about huge. But yes, since there's some overhead to decrypting, Symfony gives you a performance "escape hatch" so you have the option to avoid that penalty. However, I'd modify tour statement a little bit to this:

Changing the deployment pipeline to decrypt the secrets to a env file using the decryption key during a "build" step. Then, deploy the .env.prod.local file that was created (the secrets files and decryption key do not need to be deployed at this point).

This ultimately gives you a situation very much like platform.sh: when you get up to production, boom! Your secrets are waiting for you in a decrypted format.

What is the point of deleting the decryption key ?

The decryption key isn't needed at this point, so no purpose of having it on production. And since it's highly sensitive, better to not include it (if someone gets root access to your server, you have problems no matter what - but the less you have there the better).

Cheers!

| Reply |

kbond 4 years ago

How does `composer dump-env prod` ( https://symfony.com/blog/ne... ) work with `bin/console secrets:decrypt-to-local --force --env=prod`? When deploying, should I run `bin/console secrets:decrypt-to-local --force --env=prod` then `composer dump-env prod`?

| Reply |

weaverryan SFCASTS kbond 4 years ago edited

Yo Kevin B.!

Oh man, nice question. I shouldn't be surprised ;). Honestly, this hadn't occurred to me. BUT, it probably occurred to Nicolas Grekas, because it appears to work correctly in this order:


# creates .env.prod.local
bin/console secrets:decrypt-to-local --force --env=prod

# creates .env.local.php which will take "into account" the new values in .env.prod.local
composer dump-env prod

I just tested this - and the final .env.prod.local will contain the plain-text secrets as expected. If you do it in the "wrong" order, .env.local.php simply won't contain the secret... and since the other .env files aren't loaded when .env.local.php is present, the env var won't exist and it will try to load your secrets from the "vault"... which will only work if the decrypt key is present.

So, it looks like all works as expected. But if you see anything different, let me know!

Cheers!

1 | Reply |

Symfony 5

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": "^7.3.0",
        "ext-iconv": "*",
        "antishov/doctrine-extensions-bundle": "^1.4", // v1.4.2
        "aws/aws-sdk-php": "^3.87", // 3.110.11
        "composer/package-versions-deprecated": "^1.11", // 1.11.99
        "doctrine/annotations": "^1.0", // 1.10.1
        "doctrine/doctrine-bundle": "^2.0", // 2.0.6
        "doctrine/doctrine-migrations-bundle": "^1.3|^2.0", // 2.1.2
        "doctrine/orm": "^2.5.11", // v2.7.2
        "doctrine/persistence": "^1.3.7", // 1.3.8
        "easycorp/easy-log-handler": "^1.0", // v1.0.9
        "http-interop/http-factory-guzzle": "^1.0", // 1.0.0
        "knplabs/knp-markdown-bundle": "^1.7", // 1.8.1
        "knplabs/knp-paginator-bundle": "^5.0", // v5.0.0
        "knplabs/knp-snappy-bundle": "^1.6", // v1.7.0
        "knplabs/knp-time-bundle": "^1.8", // v1.11.0
        "league/flysystem-aws-s3-v3": "^1.0", // 1.0.23
        "league/flysystem-cached-adapter": "^1.0", // 1.0.9
        "league/html-to-markdown": "^4.8", // 4.8.2
        "liip/imagine-bundle": "^2.1", // 2.3.0
        "nexylan/slack-bundle": "^2.1", // v2.2.1
        "oneup/flysystem-bundle": "^3.0", // 3.3.0
        "php-http/guzzle6-adapter": "^2.0", // v2.0.1
        "phpdocumentor/reflection-docblock": "^3.0|^4.0", // 4.3.4
        "sensio/framework-extra-bundle": "^5.1", // v5.5.3
        "symfony/asset": "5.0.*", // v5.0.2
        "symfony/console": "5.0.*", // v5.0.2
        "symfony/dotenv": "5.0.*", // v5.0.2
        "symfony/flex": "^1.0", // v1.21.6
        "symfony/form": "5.0.*", // v5.0.2
        "symfony/framework-bundle": "5.0.*", // v5.0.2
        "symfony/mailer": "5.0.*", // v5.0.2
        "symfony/messenger": "5.0.*", // v5.0.2
        "symfony/monolog-bundle": "^3.5", // v3.5.0
        "symfony/property-access": "4.4.*|5.0.*", // v5.0.2
        "symfony/property-info": "4.4.*|5.0.*", // v5.0.2
        "symfony/security-bundle": "5.0.*", // v5.0.2
        "symfony/sendgrid-mailer": "5.0.*", // v5.0.2
        "symfony/serializer": "4.4.*|5.0.*", // v5.0.2
        "symfony/twig-bundle": "5.0.*", // v5.0.2
        "symfony/validator": "5.0.*", // v5.0.2
        "symfony/webpack-encore-bundle": "^1.4", // v1.7.2
        "symfony/yaml": "5.0.*", // v5.0.2
        "twig/cssinliner-extra": "^2.12", // v2.12.0
        "twig/extensions": "^1.5", // v1.5.4
        "twig/extra-bundle": "^2.12|^3.0", // v3.0.1
        "twig/inky-extra": "^2.12", // v2.12.0
        "twig/twig": "^2.12|^3.0" // v2.14.4
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.0", // 3.3.0
        "fzaninotto/faker": "^1.7", // v1.8.0
        "symfony/browser-kit": "5.0.*", // v5.0.2
        "symfony/debug-bundle": "5.0.*", // v5.0.2
        "symfony/maker-bundle": "^1.0", // v1.14.3
        "symfony/phpunit-bridge": "5.0.*", // v5.0.2
        "symfony/stopwatch": "4.4.*|5.0.*", // v5.0.2
        "symfony/var-dumper": "5.0.*", // v5.0.2
        "symfony/web-profiler-bundle": "4.4.*|5.0.*" // v5.0.2
    }
}

Previous Chapter

Next Chapter

Prod Vault Optimization & Vault for Tests

Share this awesome video!

Keep on Learning!

Dumping Secrets on Deploy: secrets:decrypt-to-local

Secrets for the test Environment

New in 4.4: Easier HTML Errors in Tests

Secrets in the Test Environment

4 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 11
	services:
	# default configuration for services in this file
	_defaults:
Show Lines	// ... lines 15 - 18
	bind:
Show Lines	// ... lines 20 - 24
	$mailerDsn: '%env(MAILER_DSN)%'
Show Lines	// ... lines 26 - 51

Show Lines	// ... lines 1 - 13
	class ArticleController extends AbstractController
	{
Show Lines	// ... lines 16 - 28
	public function homepage(ArticleRepository $repository, $mailerDsn)
	{
	dump($mailerDsn);die;
Show Lines	// ... lines 32 - 36
	}
Show Lines	// ... lines 38 - 64
	}