wp-cli / core-command

Downloads, installs, updates, and manages a WordPress installation.
MIT License
49 stars 50 forks source link

Read admin_password from the environment by default #262

Open ton31337 opened 6 months ago

ton31337 commented 6 months ago

Feature Request

Describe your use case and the problem you are facing

The context and the problem is defined directly in the commit: https://github.com/wp-cli/core-command/pull/261/commits/a8308bbcf51f1f1b12274176cdd6e0f4233d3c2a.

Usually, if you want to use a custom default value for an argument like that, the way to do itis via a wp-cli.yml config file. See https://make.wordpress.org/cli/handbook/references/config/ for an example of how to set default values.

wp-cli.yml is not an option, it requires unnecessary operations, creating the file, deleting the file...

Describe the solution you'd like

The solution to the current issue is https://github.com/wp-cli/core-command/pull/261.

schlessera commented 3 months ago

Copied over from #261 :

@ton31337 This is just one of many places where directly passing sensitive information can be leaked into the process list or similar, so adding environment variables for these is not really scalable.

As @danielbachhuber mentioned, WP-CLI supports file-based approaches to solve this in a more generic way:

  1. You can put the sensitive information into a configuration file. The file would be a YAML file with the following structure:
    core install:
        admin_password: 123456

    You can then point your WP-CLI execution to a custom location for that file if you generate it dynamically:

    WP_CLI_CONFIG_PATH=/path/to/custom/wp-cli.yml wp core install
  2. You can let WP-CLI require an additional PHP file that gets executed from within the context of WP-CLI. This way, you have full control of the entire execution. You can for example hook into the random_password filter to control what the generated password will be:

    <?php
    // Hook into the WP-CLI process to act when the `wp core install` command is being triggered.
    WP_CLI::add_hook( 'before_invoke:core install', static function() {
    
        // Compute the admin password in whatever way you want.
        // This can come from a file, be queried via an API, etc...
        $admin_password = '123456';
    
        // Hook into the `random_password` filter to return the computed password.
        WP_CLI::add_wp_hook( 'random_password', static function() use ( $admin_password ) {
            return $admin_password;
        } );
    } );

    This can be used via the --require=<path-to-script.php> flag:

    wp core install --require=<path/to/script.php>
  3. You can combine approaches and have a custom config (from wherever it comes) to add the --require=<path-to-script.php> to the WP-CLI binary. The config file would then look like this:
    require:
        - path/to/script.php

More detailed documentation about: