定制 bentools/shh-bundle 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

bentools/shh-bundle

Composer 安装命令:

composer require bentools/shh-bundle

包简介

A Symfony bundle to handle secrets.

README 文档

README

Latest Stable Version License CI Workflow Coverage Status Quality Score Total Downloads

Shh! 🤫

Shh! is a proof-of-concept aiming at dealing with secrets within your Symfony application.

Why?

I was just reading Storing secrets for Symfony applications from Matthias Pigulla which came with a solution using a Ruby-powered external program.

Then I came up with the following question: why isn't there a PHP implementation of this? 🤔

Here are the key principles:

  • Storing secrets in environment variables will actually expose them through phpinfo(), reports, logs, and child processes.
  • Thanks to Symfony's Env Var Processors, Shh will expose them encrypted. They will be decrypted at the very last moment.
  • Private key + an optional passphrase are required to decrypt secrets. They SHOULD be .gitgnored.
  • You can then commit encrypted secrets to VCS as long as the private key is stored and communicated safely.
  • You can change your passphrase a at any time.

Installation

composer require bentools/shh-bundle:^1.0

Configuration

  • Add the bundle to your kernel (come on, you're not using Flex?).
  • Generate your keys:
    • Create a shh directory into your config directory mkdir -p config/shh (or mkdir -p app/config/shh for Symfony 3)
    • Runphp bin/console shh:generate:keys
    • If you provided one, store the passphrase in the SHH_PASSPHRASE environment variable
    • Add config/shh/private.pem (or app/config/shh/private.pem for Symfony 3) to your .gitignore and upload it to your production server.

And you're ready to go!

If you want a different configuration, check out the configuration reference to discover the available options.

Usage

Check the environment is properly configured

bin/console shh:check // Will check that encryption / decryption work - both private and public keys are needed.
bin/console shh:check --encrypt-only // Will check that encryption works - only public key is needed?

Encrypt a value (public key needed)

bin/console shh:encrypt

Decrypt a value (public key + private key needed)

bin/console shh:decrypt

Decrypt secrets in environment variables

This library ships with an environment variable processor. You can use it like this:

# config/services.yaml
parameters:
    some_secret_thing: '%env(shh:SOME_ENCRYPTED_SECRET)%'

Working with a secrets file

You can store your encrypted secrets in a .secrets.json file at the root of your project directory (you can set a different path in the SHH_SECRETS_FILE environment variable).

This file can safely be committed to VCS (as soon as the private key isn't).

To encrypt and register a secret in this file, run the following command:

bin/console shh:register:secret my_secret # You will be prompted for the value of "my_secret"

You can then use your secrets in your configuration files in the following way:

# config/services.yaml
parameters:
    my_secret: '%env(shh:key:my_secret:json:file:SHH_SECRETS_FILE)%'

Changing passphrase

You can change your passphrase if needed: this will result in a new private key being generated. The public key remains unchanged.

bin/console shh:change:passphrase

As a result, a new private key will be regenerated. You just have to update it everywhere it is used, and update the SHH_PASSPHRASE environment variable as well.

You may do this every time an employee leaves the company, for instance.

Configuration reference

# config/packages/shh.yaml
parameters:
    env(SHH_SECRETS_FILE): '%kernel.project_dir%/.secrets.json'

shh:
    private_key_file:     '%kernel.project_dir%/config/shh/private.pem'
    public_key_file:      '%kernel.project_dir%/config/shh/public.pem'
    passphrase:           '%env(SHH_PASSPHRASE)%'

Tests

./vendor/bin/phpunit

Feedback

Don't hesitate to ping me on Symfony Slack: @bpolaszek.

License

MIT

bentools/shh-bundle 适用场景与选型建议

bentools/shh-bundle 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 14.16k 次下载、GitHub Stars 达 3, 最近一次更新时间为 2020 年 01 月 23 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「symfony」 「encryption」 「passphrase」 「openssl」 「encrypt」 「decryption」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 bentools/shh-bundle 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 bentools/shh-bundle 我们能提供哪些服务?
定制开发 / 二次开发

基于 bentools/shh-bundle 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 14.16k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 3
  • 点击次数: 16
  • 依赖项目数: 0
  • 推荐数: 1

GitHub 信息

  • Stars: 3
  • Watchers: 2
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2020-01-23