gawsoft/laravel-secrets

A package for Laravel projects that can read secrets from files. Its second feature is preventing secrets from appearing in logs.

v0.0.9 2024-07-03 09:44 UTC

This package is auto-updated.

Last update: 2024-09-03 10:09:28 UTC


README

A Laravel package with 2 main features

  1. Remove secrets from logs. Prevents secrets from leaking into log output.
  2. Load Kubernetes/Docker secrets from files

Demo & usage

1. Removing secrets from logs

Without laravel-secrets, secretpassword leaks into the log:

[2022-07-20 16:11:34] local.NOTICE: This is a notice level message.
[2022-07-20 16:11:34] local.ALERT: Can't connect with https://login:secretpassword@example.com

With laravel-secrets, secretpassword is masked before the log entry is written:

[2022-07-20 16:11:34] local.NOTICE: This is a notice level message.
[2022-07-20 16:11:34] local.ALERT: Can't connect with https://login:[redacted]@example.com

2. Reading secrets from a file

return [
    'connections' => [
        'mysql' => [
            'driver' => 'mysql',
            'port' => env('DB_PORT', '3306'),
            // absolute path: read exactly this file
            'username' => laravel_secrets('/run/secrets/db/username', env('DB_USERNAME')),
            // relative name: resolved below the configured default path (/run/secrets/)
            'password' => laravel_secrets('db/password', env('DB_PASSWORD')),
        ],
    ],
];

Minimum requirements

  • PHP 8.0
  • Laravel 8.0

Installation

composer require gawsoft/laravel-secrets

Publish the package resources

php artisan vendor:publish --provider="Gawsoft\LaravelSecrets\LaravelSecretsServiceProvider"

Configuration

Example configuration file config/secrets.php

<?php

return [
    'strategy' => [
        # String with which secrets value will be replaced
        'redaction' => '[redacted]',
        # Default strategy to load secrets
        'handler' => \Gawsoft\LaravelSecrets\Secrets\Providers\ContainerStrategy::class,

        # Config for strategy
        'config' => [
            # Default path to your secrets
            # - when you run laravel_secrets('db/password') -> Will check path /run/secrets/db/password
            # - when you run laravel_secrets('/secrets/db/password') -> Ignore default path and check /secrets/db/password
            'path' => '/run/secrets/',
            # If you encrypt a secret, every encrypted string will start with this prefix.
            # This string must not be empty!
            'encrypted_prefix' => 'encrypted:',
        ]
    ],
    // Remove from logs sensitive keys
    'logs' => [
        // When the whitelist array is empty, all config values are redacted.
        // When at least one key is listed, only the values under those keys are redacted.
        'whitelist' => [
          //  'app.key',
          //  'mail.mailers.smtp.password',
          //  'database.connections.mysql.password'
        ],
        'blacklist' => [
            'app.name',
            'logging.level',
        ],
    ]
];

1. Reading secrets from a file

When you deploy Laravel in Docker or Kubernetes, for security reasons your DevOps team injects secrets into the container as files. This package reads those secrets with the laravel_secrets function.

laravel_secrets('<PATH-TO-FILE>', '<DEFAULT-VALUE>');

2. Reading encrypted secrets from a file

You can also encrypt secrets with the Laravel App Key; the encrypted string is decrypted automatically after it is loaded into the Laravel config.

# Encrypt password by artisan command
echo "abc" > /tmp/password
cat /tmp/password | php artisan laravel-secrets:encrypt --stdin

# Decrypt password
echo "encrypted:eyJpdiI6InhQbEhUREJQa21mcW85M0tYSEhhOUE9PSIsInZhbHVlIjoiY2pXZ0lqUlY4YVoydDdyZzVHak9XUT09IiwibWFjIjoiMWFlZjA4MGIyN2Q2YmEwMzc4ZGNjNTYzYTgyOTNiMzFiOWM0OTVmZWFkNGYzZTFiNDAwM2Y1NzgyYWJlMDEwMCIsInRhZyI6IiJ9" > /tmp/encrypted
cat /tmp/encrypted | php artisan laravel-secrets:decrypt --stdin
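To make the lookup rules from sections 1 and 2 concrete, here is a stand-alone PHP script that mirrors them. It is an added example, not the package's own code: load_file_secret(), resolve_secret_path(), the constants and the optional $decrypt callback are assumptions made for this illustration, and the secrets directory it writes is constructed in a temporary folder so the script runs anywhere.

```php
<?php
// Added example, not the package's own code: a minimal file-backed secret loader that
// mirrors the behaviour described above. load_file_secret(), resolve_secret_path() and the
// optional $decrypt callback are assumptions made for this illustration.

declare(strict_types=1);

const SECRETS_DIR = '/run/secrets/';       // default lookup directory, as in config/secrets.php
const ENCRYPTED_PREFIX = 'encrypted:';     // marker for values that still need decrypting

/** Absolute names are used as-is; relative names are looked up below the default directory. */
function resolve_secret_path(string $name, string $secretsDir = SECRETS_DIR): string
{
    if (str_starts_with($name, '/')) {
        return $name;
    }
    return rtrim($secretsDir, '/') . '/' . ltrim($name, '/');
}

/**
 * Read a secret from a file and return $default when the file is missing or unreadable.
 * Trailing newlines are stripped because `echo "abc" > file` writes "abc\n".
 * If the value carries the encrypted prefix and a $decrypt callback is supplied
 * (in Laravel this would be Crypt::decryptString), the plaintext is returned instead.
 */
function load_file_secret(
    string $name,
    ?string $default = null,
    string $secretsDir = SECRETS_DIR,
    ?callable $decrypt = null
): ?string {
    $path = resolve_secret_path($name, $secretsDir);
    if (!is_file($path) || !is_readable($path)) {
        return $default;
    }
    $raw = @file_get_contents($path);
    if ($raw === false) {
        return $default;
    }
    $value = rtrim($raw, "\r\n");
    if ($decrypt !== null && str_starts_with($value, ENCRYPTED_PREFIX)) {
        return $decrypt(substr($value, strlen(ENCRYPTED_PREFIX)));
    }
    return $value;
}

// --- demo with a constructed temporary secrets directory (stands in for /run/secrets) ---
$dir = sys_get_temp_dir() . '/secrets-demo-' . bin2hex(random_bytes(4));
mkdir($dir . '/db', 0700, true);
file_put_contents($dir . '/db/password', "s3cr3t\n");
file_put_contents($dir . '/db/token', "encrypted:CIPHERTEXT-PLACEHOLDER\n");

// a stand-in decryptor for the demo; a real deployment would use Laravel's Crypt facade
$demoDecrypt = fn(string $ciphertext): string => 'decrypted(' . $ciphertext . ')';

var_dump(load_file_secret('db/password', 'fallback', $dir));          // relative name
var_dump(load_file_secret('db/username', 'fallback', $dir));          // missing file, default wins
var_dump(load_file_secret($dir . '/db/password', 'fallback', $dir));  // absolute path
var_dump(load_file_secret('db/token', null, $dir, $demoDecrypt));     // prefixed value is decrypted
```

One operational point the demo makes visible: a missing or unreadable secret file silently falls back to the default (typically an env() value), so a broken secret mount will not fail loudly on its own; log or alert on the fallback path if you rely on the file being present.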

3. Removing secrets from logs

During Laravel's log handling, my package removes sensitive data from log messages. By default, all values stored in the config are redacted. You can change this by setting whitelist and blacklist in config/secrets.php.

# config/secrets.php
return [
    // Remove sensitive keys from logs 
    'logs' => [
        // When the whitelist array is empty, all config values are redacted.
        // When at least one key is listed, only the values under those keys are redacted.
        'whitelist' => [
          //  'app.key',
          //  'mail.mailers', # All mailer secrets will be redacted
          //  'database.connections.mysql.password'
        ],
        // Do not redact values from blacklist. Those values will show in logs
        'blacklist' => [
            'app.name',
            'logging.level',
        ],
    ]
];
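As an added example that is not part of the package or its README, the following stand-alone PHP script shows how whitelist/blacklist rules over a config array turn into the redaction shown in the demo at the top of the page. The function names (flatten_config, key_matches, secret_values, redact) and the sample config and log lines are constructed for this illustration.

```php
<?php
// Added example, not the package's own code: a Monolog-style redaction step that replaces
// configured secret values in log messages. The whitelist/blacklist semantics follow the
// config comments above; all function names here are assumptions for the illustration.

declare(strict_types=1);

/** Flatten a nested config array into dot-notation keys => string values. */
function flatten_config(array $config, string $prefix = ''): array
{
    $out = [];
    foreach ($config as $key => $value) {
        $dotted = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_array($value)) {
            $out += flatten_config($value, $dotted);
        } elseif (is_string($value) || is_int($value) || is_float($value)) {
            $out[$dotted] = (string) $value;
        }
    }
    return $out;
}

/** True when $key equals $rule or lies beneath it ('mail.mailers' covers 'mail.mailers.smtp.password'). */
function key_matches(string $key, string $rule): bool
{
    return $key === $rule || str_starts_with($key, $rule . '.');
}

/**
 * Collect the values that must be redacted:
 *  - empty whitelist => every config value; otherwise only keys under a whitelist entry
 *  - keys under a blacklist entry are never redacted
 *  - very short values are skipped so the replacement does not mangle every message
 */
function secret_values(array $config, array $whitelist, array $blacklist, int $minLength = 4): array
{
    $values = [];
    foreach (flatten_config($config) as $key => $value) {
        $listed = $whitelist === [] || array_filter($whitelist, fn($w) => key_matches($key, $w)) !== [];
        $excluded = array_filter($blacklist, fn($b) => key_matches($key, $b)) !== [];
        if ($listed && !$excluded && strlen($value) >= $minLength) {
            $values[] = $value;
        }
    }
    $values = array_values(array_unique($values));
    // longest first, so a value that contains another value is replaced whole
    usort($values, fn($a, $b) => strlen($b) <=> strlen($a));
    return $values;
}

/** Replace every secret value in $message with the redaction string. */
function redact(string $message, array $secrets, string $redaction = '[redacted]'): string
{
    return $secrets === [] ? $message : str_replace($secrets, $redaction, $message);
}

// --- constructed sample config and log lines ---
$config = [
    'app' => ['name' => 'demo-app', 'key' => 'base64:DEMOKEYDEMOKEYDEMOKEYDEMOKEY='],
    'logging' => ['level' => 'debug'],
    'database' => ['connections' => ['mysql' => ['username' => 'login', 'password' => 'secretpassword']]],
];
$whitelist = ['app.key', 'database.connections.mysql.password'];  // only these keys are redacted
$blacklist = ['app.name', 'logging.level'];                       // never redacted, even if whitelisted
$secrets = secret_values($config, $whitelist, $blacklist);

$lines = [
    "local.ALERT: Can't connect with https://login:secretpassword@example.com",
    'local.INFO: demo-app started at level debug with key base64:DEMOKEYDEMOKEYDEMOKEYDEMOKEY=',
];
foreach ($lines as $line) {
    echo redact($line, $secrets), PHP_EOL;
}
```

With the whitelist above, only the password and the app key are masked and the username login survives, which matches the demo output. With an empty whitelist every string value in the config would be a candidate, so login (and any other short, common word stored in config) would be replaced as well; the blacklist is the tool for excusing such values.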

Tests

composer test

Roadmap

  • Add an AWS Secrets Manager strategy
  • Add a HashiCorp Vault strategy

How to write a new strategy

  1. Create a new file LaravelSecrets\Secrets\Providers\MySecretProvider.php
  2. Write your driver

<?php

namespace MyCompany\MyPackage\LaravelSecrets\Secrets\Providers;

use Gawsoft\LaravelSecrets\Abstracts\SecretsProviderAbstract;
use Gawsoft\LaravelSecrets\Interfaces\SecretProviderInterface;

class MySecretProvider extends SecretsProviderAbstract implements SecretProviderInterface
{
    /**
     * Fetch the secret called $name from your backend.
     * Return null when the secret does not exist so the caller can fall back to its default.
     */
    public function getSecret(string $name): ?string
    {
        // Get the secret from your source here
        return null;
    }
}
  3. Register it as the default strategy in config/secrets.php

return [
    'strategy' => [
        ...
        'handler' => \MyCompany\MyPackage\LaravelSecrets\Secrets\Providers\MySecretProvider::class,
        ...
    ],
];

License

MIT