diff --git a/src/Command/Archive/ArchiveExportCommand.php b/src/Command/Archive/ArchiveExportCommand.php
index e3eed864e8..fadaaa407c 100644
--- a/src/Command/Archive/ArchiveExportCommand.php
+++ b/src/Command/Archive/ArchiveExportCommand.php
@@ -26,7 +26,8 @@ protected function configure()
->addOption('file', 'f', InputOption::VALUE_REQUIRED, 'The filename for the archive')
->addOption('exclude-services', null, InputOption::VALUE_NONE, 'Exclude services')
->addOption('exclude-mounts', null, InputOption::VALUE_NONE, 'Exclude mounts')
- ->addOption('include-variables', null, InputOption::VALUE_NONE, 'Include variables');
+ ->addOption('include-variables', null, InputOption::VALUE_NONE, 'Include variables')
+ ->addOption('include-sensitive-values', null, InputOption::VALUE_NONE, 'Include sensitive variable values');
$this->addProjectOption();
$this->addEnvironmentOption();
}
@@ -189,12 +190,31 @@ protected function execute(InputInterface $input, OutputInterface $output)
];
if ($includeVariables) {
+ $includeSensitive = $input->getOption('include-sensitive-values');
$this->stdErr->writeln('');
$this->stdErr->writeln('Copying project-level variables');
foreach ($this->getSelectedProject()->getVariables() as $var) {
$metadata['variables']['project'][$var->name] = $var->getProperties();
- if ($var->is_sensitive) {
- $this->stdErr->writeln(sprintf(' Warning: cannot save value for sensitive project-level variable %s', $var->name));
+ if ($var->is_sensitive && !$var->hasProperty('value')) {
+ if ($var->visible_runtime) {
+ if ($includeSensitive) {
+ $value = false;
+ foreach ($apps as $app) {
+ try {
+ $value = $this->fetchSensitiveValue($app->getSshUrl(), $var->name, $var->is_json);
+ } catch (\RuntimeException $e) {
+ continue;
+ }
+ break;
+ }
+ if ($value !== false) {
+ $metadata['variables']['project'][$var->name]['value'] = $value;
+ }
+ } else {
+ $this->stdErr->writeln(sprintf(' Warning: cannot save value for sensitive project-level variable %s', $var->name));
+ $this->stdErr->writeln(' Use --include-sensitive-values to try to fetch this via SSH');
+ }
+ }
}
}
@@ -202,8 +222,24 @@ protected function execute(InputInterface $input, OutputInterface $output)
$this->stdErr->writeln('Copying environment-level variables');
foreach ($environment->getVariables() as $envVar) {
$metadata['variables']['environment'][$envVar->name] = $envVar->getProperties();
- if ($envVar->is_sensitive) {
- $this->stdErr->writeln(sprintf(' Warning: cannot save value for sensitive environment-level variable %s', $envVar->name));
+ if ($envVar->is_sensitive && !$envVar->hasProperty('value')) {
+ if ($includeSensitive) {
+ $value = false;
+ foreach ($apps as $app) {
+ try {
+ $value = $this->fetchSensitiveValue($app->getSshUrl(), $envVar->name, $envVar->is_json);
+ } catch (\RuntimeException $e) {
+ continue;
+ }
+ break;
+ }
+ if ($value !== false) {
+ $metadata['variables']['environment'][$envVar->name]['value'] = $value;
+ }
+ } else {
+ $this->stdErr->writeln(sprintf(' Warning: cannot save value for sensitive environment-level variable %s', $envVar->name));
+ $this->stdErr->writeln(' Use --include-sensitive-values to try to fetch this via SSH');
+ }
}
}
}
@@ -402,4 +438,27 @@ private function getSchemas(Service $service, $relationshipName)
return $schemas;
}
+
+ /**
+ * @param string $sshUrl
+ * @param string $varName
+ * @param bool $is_json
+ *
+ * @return mixed
+ */
+ private function fetchSensitiveValue($sshUrl, $varName, $is_json)
+ {
+ /** @var \Platformsh\Cli\Service\RemoteEnvVars $remoteEnvVars */
+ $remoteEnvVars = $this->getService('remote_env_vars');
+ if (substr($varName, 0, 4) === 'env:') {
+ return $remoteEnvVars->getEnvVar(substr($varName, 4), $sshUrl, true, 3600, false);
+ }
+
+ $variables = $remoteEnvVars->getArrayEnvVar('VARIABLES', $sshUrl);
+ if (array_key_exists($varName, $variables)) {
+ return $is_json ? json_encode($variables[$varName]) : $variables[$varName];
+ }
+
+ throw new \RuntimeException('Variable not found: ' . $varName);
+ }
}
diff --git a/src/Command/Archive/ArchiveImportCommand.php b/src/Command/Archive/ArchiveImportCommand.php
index aafdae3701..995d35b61c 100644
--- a/src/Command/Archive/ArchiveImportCommand.php
+++ b/src/Command/Archive/ArchiveImportCommand.php
@@ -120,12 +120,12 @@ protected function execute(InputInterface $input, OutputInterface $output)
$this->stdErr->writeln('Importing environment-level variables');
foreach ($metadata['variables']['environment'] as $name => $var) {
- if ($var['is_sensitive']) {
- $this->stdErr->writeln(' Skipping sensitive variable ' . $name . '');
- continue;
- }
$this->stdErr->writeln(' Processing variable ' . $name . '');
if (!array_key_exists('value', $var)) {
+ if ($var['is_sensitive']) {
+ $this->stdErr->writeln(' Skipping sensitive variable ' . $name . '');
+ continue;
+ }
$this->stdErr->writeln(' Error: no variable value found.');
continue;
}
@@ -158,12 +158,12 @@ protected function execute(InputInterface $input, OutputInterface $output)
$this->stdErr->writeln('Importing project-level variables');
foreach ($metadata['variables']['project'] as $name => $var) {
- if ($var['is_sensitive']) {
- $this->stdErr->writeln(' Skipping sensitive variable ' . $name . '');
- continue;
- }
$this->stdErr->writeln(' Processing variable ' . $name . '');
if (!array_key_exists('value', $var)) {
+ if ($var['is_sensitive']) {
+ $this->stdErr->writeln(' Skipping sensitive variable ' . $name . '');
+ continue;
+ }
$this->stdErr->writeln(' Error: no variable value found.');
continue;
}
diff --git a/src/Service/RemoteEnvVars.php b/src/Service/RemoteEnvVars.php
index d34b493b77..6a71cafe27 100644
--- a/src/Service/RemoteEnvVars.php
+++ b/src/Service/RemoteEnvVars.php
@@ -38,15 +38,16 @@ public function __construct(Ssh $ssh, CacheProvider $cache, Shell $shellHelper,
* @param string $sshUrl The SSH URL to the application.
* @param bool $refresh Whether to refresh the cache.
* @param int $ttl The cache lifetime of the result.
+ * @param bool $prefix Whether to prepend the service.env_prefix.
*
* @throws \Symfony\Component\Process\Exception\RuntimeException
* If the SSH command fails.
*
* @return string The environment variable or an empty string.
*/
- public function getEnvVar($variable, $sshUrl, $refresh = false, $ttl = 3600)
+ public function getEnvVar($variable, $sshUrl, $refresh = false, $ttl = 3600, $prefix = true)
{
- $varName = $this->config->get('service.env_prefix') . $variable;
+ $varName = $prefix ? $this->config->get('service.env_prefix') . $variable : $variable;
$cacheKey = 'env-' . $sshUrl . '-' . $varName;
$cached = $this->cache->fetch($cacheKey);
if ($refresh || $cached === false) {
@@ -69,12 +70,14 @@ public function getEnvVar($variable, $sshUrl, $refresh = false, $ttl = 3600)
* @param string $variable
* @param string $sshUrl
* @param bool $refresh
+ * @param int $ttl
+ * @param bool $prefix
*
* @return array
*/
- public function getArrayEnvVar($variable, $sshUrl, $refresh = false)
+ public function getArrayEnvVar($variable, $sshUrl, $refresh = false, $ttl = 3600, $prefix = true)
{
- $value = $this->getEnvVar($variable, $sshUrl, $refresh);
+ $value = $this->getEnvVar($variable, $sshUrl, $refresh, $ttl, $prefix);
return json_decode(base64_decode($value), true) ?: [];
}