[Encryption] Improve diagnostic command #898
Conversation
GromNaN
force-pushed
the
improve-diagnostic-command
branch
from
f75dee1 to
30a90d3
Compare
| } catch (Throwable $exception) { | ||
| $io->error('Could not retrieve auto encryption info: ' . $exception->getMessage()); | ||
| } | ||
| $configOk = $this->printAndCheckConnectionDiagnostic($name, $diagnostic, $io) && $configOk; |
There was a problem hiding this comment.
When multiple connections are configured, but they don't have all auto encryption enabled, then the conclusion says there is an issue. We should return "OK" when auto encryption is not configured on a connection?
There was a problem hiding this comment.
Ah, that's a good point. Indeed, if encryption wasn't configured on a connection, we should print an info line and mark it as "ok".
GromNaN
force-pushed
the
improve-diagnostic-command
branch
from
9f8a963 to
b4d1412
Compare
commit b494ea1 Author: Andreas Braun <[email protected]> Date: Thu Jun 12 13:36:37 2025 +0200 Add command to dump encrypted fields map commit a74e799 Author: Andreas Braun <[email protected]> Date: Thu Jun 12 13:10:11 2025 +0200 Extract connection diagnostics into separate print method commit 69d205d Author: Andreas Braun <[email protected]> Date: Wed Jun 11 14:58:49 2025 +0200 Extract encryption diagnostic to separate class commit 1c1b2e2 Author: Andreas Braun <[email protected]> Date: Wed Jun 11 14:41:50 2025 +0200 Improve connection diagnostics output commit f19bc06 Merge: e24dd48 e09b2a2 Author: Jérôme Tamarelle <[email protected]> Date: Thu Jun 12 10:04:33 2025 +0200 Merge remote-tracking branch 'upstream/5.4.x' into fix-kms-xsd-docs-alignment commit e24dd48 Author: Jérôme Tamarelle <[email protected]> Date: Wed Jun 11 11:36:16 2025 +0200 Add AutoEncryptionInfo to the diagnostic command commit ea7b50f Author: Jérôme Tamarelle <[email protected]> Date: Tue May 27 18:24:46 2025 +0200 Introduce connection:diagnotic command commit 60cc9c2 Author: Jérôme Tamarelle <[email protected]> Date: Mon May 26 18:21:32 2025 +0000 Add autoEncryption configuration to the client Improve connection diagnostics output
| if (isset($driverOptions['autoEncryption']['extraOptions']['cryptSharedLibPath'])) { | ||
| $fs = new Filesystem(); | ||
| $cryptSharedLibPath = $driverOptions['autoEncryption']['extraOptions']['cryptSharedLibPath']; | ||
|
|
||
| // If it's not an absolute path, resolve it relative to the project root | ||
| if (! $fs->isAbsolutePath($cryptSharedLibPath)) { | ||
| $driverOptions['autoEncryption']['extraOptions']['cryptSharedLibPath'] = realpath($cryptSharedLibPath); | ||
| } | ||
| } |
There was a problem hiding this comment.
@alcaeus I'm reverting this part. In Symfony we never convert relative paths to absolute.
I'll add documentation using %kernel.project_dir% instead.
There was a problem hiding this comment.
Sounds good - I wasn't quite sure if the kernel parameter was resolved properly. If that works, I prefer that over changing the path in the extension.
| { | ||
| public function __construct( | ||
| private readonly ServiceProviderInterface $diagnostics, | ||
| private readonly EncryptionDiagnostic $encryptionDiagnostic = new EncryptionDiagnostic(), |
There was a problem hiding this comment.
We don't declare a service for EncryptionDiagnostic. Only leverage the default value from the constructor.
GromNaN
force-pushed
the
improve-diagnostic-command
branch
from
b4d1412 to
e192526
Compare
GromNaN
force-pushed
the
improve-diagnostic-command
branch
from
381dfba to
6b300d7
Compare
GromNaN
force-pushed
the
improve-diagnostic-command
branch
from
6b300d7 to
cd2a184
Compare
|
There's a lot of commits in this. Does it need to be rebased? |
It will be squashed on merge. All the commits represent the iterations on this PR. |
| 'Key Vault Namespace: ' . $autoEncryptionInfo['keyVaultNamespace'], | ||
| 'Key Count: ' . $autoEncryptionInfo['keyCount'], | ||
| ]); | ||
| } catch (RuntimeException $e) { |
There was a problem hiding this comment.
Why not catch something broader? I'm guessing there could be other exception types that we'd want to catch here?
There was a problem hiding this comment.
I only want to catch driver errors due to the command that is run. I don't expect other kind of exception to occurs, so if there is an other error I don't want to catch it, but I want the regular error handler to display it (with the backtrace).
| Queryable Encryption (QE) allows you to run queries on encrypted fields. To use QE, you may need to provide an ``encryptedFieldsMap`` or use a schema map, depending on your driver and use case. | ||
| You can configure which fields are encrypted in each collection by specifying the | ||
| ``autoEncryption.encryptedFieldsMap`` option in the connection configuration. | ||
| This setting **recommended** for improved security and performance. |
There was a problem hiding this comment.
| This setting **recommended** for improved security and performance. | |
| This setting is **recommended** for improved security and performance. |
| @@ -44,7 +44,6 @@ | |||
| use Symfony\Component\DependencyInjection\Loader\PhpFileLoader; | |||
| use Symfony\Component\DependencyInjection\Reference; | |||
| use Symfony\Component\ExpressionLanguage\ExpressionLanguage; | |||
| use Symfony\Component\Filesystem\Filesystem; | |||
There was a problem hiding this comment.
I would use fixup to add this commit to either:
- whichever commit introduced the CS errors if that commit is part of this PR, or
- fix it up to the other
fix CScommit you already have
Not a big deal not but makes reviewing a little easier to go commit by commit
| private function printAndCheckConnectionDiagnostic(string $name, ConnectionDiagnostic $diagnostic, SymfonyStyle $io): bool | ||
| { | ||
| $io->section(sprintf('Connection: %s', $name)); | ||
|
|
||
| $configOk = $this->printAndCheckServerInfo($io, $diagnostic); | ||
| $this->printAutoEncryptionConfiguration($io, $diagnostic); | ||
| $enabled = $this->printAutoEncryptionConfiguration($io, $diagnostic); |
There was a problem hiding this comment.
Maybe rename this to autoEncryptionEnabled?
From GromNaN#1
Output:
In case of incorrect setup: