Add artisan encryptenv:console command to allow running console command that require decrypted env variables

Author: Matthew Guillot

CHANGELOG.md

@@ -1,3 +1,5 @@
+**v1.0.7** - Added artisan encryptenv:console command 
+
 **v1.0.6** - Updated dependencies to support Laravel 9
 
 **v1.0.5** - Updated dependencies to support Laravel 8

README.md

@@ -44,6 +44,7 @@ This publishes the following files:
 app/Helpers/secEnv.php
 config/encryptenv.php
 app/Console/Commands/EncryptEnvValues.php
+app/Console/Commands/SecEnvConsoleCommand.php
 ```
 
 #
@@ -59,7 +60,7 @@ Clear out and re-generate your autoload files, otherwise the new files entry you
 $ composer dump-autoload
 ```
 #
-#### Add the new console command to the commands array in `app/Console/Kernel.php`
+#### Add the new console commands to the commands array in `app/Console/Kernel.php`
 ```php
 
     /**
@@ -69,7 +70,8 @@ $ composer dump-autoload
      */
     protected $commands = [
         ...
-        'App\Console\Commands\EncryptEnvValues'
+        'App\Console\Commands\EncryptEnvValues',
+        'App\Console\Commands\SecEnvConsoleCommand'
     ];
 ```
 #
@@ -245,7 +247,7 @@ variables (or custom config file values).
 
 1. [Preparing for Encryption](#preparing-for-encryption)
 2. [Using the Encryption flag](#using-the-encryption-flag)
-3. [Running the Console Command](#running-the-console-command)
+3. [Running the Console Commands](#running-the-console-commands)
 4. [File Permissions](#file-permissions)
 
 
@@ -350,16 +352,20 @@ return [
 In both examples (above) the values for APP_KEY, MYSQL_USER, MYSQL_PASS, and SERVICE_API_KEY are flagged for encryption
 and will be replaced with the encrypted string when running the console command (below).
 
-### Running the Console Command
+### Running the Console Commands
 
-To run the encryption sequence in your environment variables file, execute the artisan console command included with this package
+#### Encrypting your environment variables
 
-The artisan console command encryptenv:encrypt has one optional argument `configkey`.  Having the config key as an optional
+`php artisan encryptenv:encrypt`
+
+This command will run the encryption sequence in your environment variables file, execute the artisan console command included with this package
+
+There is one optional argument `configkey`.  Having the config key as an optional
 argument allows you to add this console command to your own scripts for things like automation in your deployment process.
 If you do use the configkey argument, it is recommended that you include safeguards to prevent this console command from 
-being recorded in your shell's history (to protect your Config Key).     
+being recorded in your shell's history (to protect your Config Key).
 
-More on this here:
+More on protecting your config key here:
 https://stackoverflow.com/questions/6475524/how-do-i-prevent-commands-from-showing-up-in-bash-history
 
 ##### Generating a new CONFIGKEY (encryption key)
@@ -382,7 +388,7 @@ You will need to update your web service configuration file with this new CONFIG
 Refer to the Install [Configure your web service] section in the README for more info
 ```
 
-##### Running Console Command With An Existing CONFIGKEY
+##### Running This Command With An Existing CONFIGKEY
 
 If you already have a CONFIGKEY set up and configured for your web service, simply run the encryptenv:encrypt artisan
 command as follows:
@@ -430,6 +436,20 @@ If you set everything up correctly, Laravel should now be working with your encr
 
 Note: You should run `php artisan config:clear` to clear your config cache just to be sure everything is truly working.
 
+### Running console commands that require encrypted environment variables
+`php artisan encryptenv:console`
+
+This command exists to allow you to run console commands that require your environment variables to be decrypted during execution.
+
+For example `php artisan encryptenv:console 'php artisan migrate'`
+
+The first required argument `console_command` which must be wrapped in single quotes or regular quotes
+
+The second optional argument is `configkey`.  This allows you to add console commands that require the CONFIGKEY to deployment scripts or cron jobs.
+
+As noted above, you should do your due diligence to protect your config key from being saved in your shell's history.
+
+
 ### File Permissions
 
 You should make `public/index.php` read-only to non-privileged users. This prevents a malicious user from adding code to

src/Console/SecEnvConsoleCommand.php

@@ -0,0 +1,70 @@
+<?php namespace App\Console\Commands;
+
+use Illuminate\Console\Command;
+use mrgswift\EncryptEnv\Action\Encrypt;
+use Symfony\Component\Process\Process;
+use Symfony\Component\Process\Exception\ProcessFailedException;
+
+class SecEnvConsoleCommand extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'encryptenv:console {console_command} {configkey?}';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Runs a console command using the user-provided CONFIGKEY';
+
+    /**
+     * Create a new command instance.
+     *
+     * @return void
+     */
+    public function __construct()
+    {
+        parent::__construct();
+    }
+
+    /**
+     * Execute the console command.
+     *
+     * @return boolean
+     */
+    public function handle()
+    {
+        $encrypter = new Encrypt;
+
+        $configkey = $this->argument('configkey');
+
+        while (empty($configkey)) {
+            $configkey = $this->ask('Config Key ('.$encrypter->getKeySize().' char key)');
+        }
+
+        $cmdarr = explode(' ', $this->argument('console_command'));
+
+        $process = new Process($cmdarr, null,[
+            'APP_CONFIGKEY' => $configkey
+        ]);
+
+        unset($configkey);
+
+        $process->run();
+
+        // executes after the command finishes
+        if (!$process->isSuccessful()) {
+            throw new ProcessFailedException($process);
+        }
+
+        echo $process->getOutput();
+
+        unset($process);
+
+        return true;
+    }
+}

src/Entity/ConfigFile.php

@@ -41,7 +41,7 @@ function __construct()
         $this->configarr = !empty($this->configpath) &&
         file_exists($this->configpath) ?
             require $this->configpath :
-            $_ENV;
+            (!empty($_ENV) ? $_ENV : getenv());
 
         !empty($this->configpath) && !empty($encenv_config['custom_config_output']) ?
             $this->configoutput = $encenv_config['custom_config_output'] :

src/Entity/ConfigKey.php

@@ -7,10 +7,19 @@ class ConfigKey
 
     function __construct()
     {
+
         if (!empty($_SERVER['CONFIGKEY'])) {
 
             $this->configkey = $_SERVER['CONFIGKEY'];
 
+        } else {
+            $configkey = getenv('APP_CONFIGKEY');
+
+            if ($configkey !== false) {
+
+                $this->configkey = $configkey;
+
+            }
         }
     }
     /**

src/Provider/EncryptEnvServiceProvider.php

@@ -20,6 +20,10 @@ public function boot()
         $this->publishes([
             __DIR__.'/../Console/EncryptEnvValues.php' => app_path('Console/Commands/EncryptEnvValues.php')
         ], 'console');
+
+        $this->publishes([
+            __DIR__.'/../Console/SecEnvConsoleCommand.php' => app_path('Console/Commands/SecEnvConsoleCommand.php')
+        ], 'console');
     }
 
     public function register()