Change the way data are stored to add the algorithm to be linked to the entity

Author: johnkrovitch

composer.json

@@ -25,11 +25,14 @@
         "symfony/framework-bundle": "^4.4|^5.1",
         "doctrine/doctrine-bundle": "*",
         "doctrine/orm": "*",
-        "symfony/security":"^4.4|^5.1"
+        "symfony/security":"^4.4|^5.1",
+        "symfony/monolog-bundle": "^3.6",
+        "symfony/string": "^5.2"
     },
     "require-dev": {
         "symfony/stopwatch": "^4.4|^5.1",
-        "phpunit/phpunit": "^9.4"
+        "phpunit/phpunit": "^9.4",
+        "phpseclib/mcrypt_compat": "^1.0"
     },
     "suggest": {
         "ext-sodium": "The Sodium library is native in PHP 7.2",
@@ -40,7 +43,10 @@
     "autoload": {
         "psr-4": {
             "Sidus\\EncryptionBundle\\": "src/"
-        }
+        },
+        "exclude-from-classmap": [
+            "/Tests/"
+        ]
     },
     "autoload-dev": {
         "psr-4": {

src/Doctrine/Connection/Factory/ConnectionFactory.php

@@ -11,8 +11,7 @@
 use Doctrine\DBAL\Platforms\AbstractPlatform;
 use Doctrine\DBAL\Types\Type;
 use Sidus\EncryptionBundle\Doctrine\Type\EncryptTypeInterface;
-use Sidus\EncryptionBundle\Encryption\Enabler\EncryptionEnablerInterface;
-use Sidus\EncryptionBundle\Registry\EncryptionManagerRegistry;
+use Sidus\EncryptionBundle\Doctrine\ValueEncrypterInterface;
 
 /**
  * The default Doctrine's connection factory should be override to allow injection the encryption manager into the type.
@@ -21,18 +20,14 @@ class ConnectionFactory
 {
     private array $typesConfig;
     private bool $initialized = false;
-
-    private EncryptionManagerRegistry $encryptionManager;
-    private EncryptionEnablerInterface $encryptionEnabler;
+    private ValueEncrypterInterface $valueEncrypter;
 
     public function __construct(
         array $typesConfig,
-        EncryptionManagerRegistry $encryptionManager,
-        EncryptionEnablerInterface $encryptionEnabler
+        ValueEncrypterInterface $valueEncrypter
     ) {
         $this->typesConfig = $typesConfig;
-        $this->encryptionManager = $encryptionManager;
-        $this->encryptionEnabler = $encryptionEnabler;
+        $this->valueEncrypter = $valueEncrypter;
     }
 
     /**
@@ -136,8 +131,7 @@ private function initializeTypes() : void
             $type = Type::getType($typeName);
 
             if ($type instanceof EncryptTypeInterface) {
-                $type->setEncryptionManager($this->encryptionManager->getDefaultEncryptionManager());
-                $type->setEncryptionEnabler($this->encryptionEnabler);
+                $type->setValueEncrypter($this->valueEncrypter);
             }
         }
         $this->initialized = true;

src/Doctrine/Type/Behavior/EncryptType.php

@@ -3,42 +3,30 @@
 namespace Sidus\EncryptionBundle\Doctrine\Type\Behavior;
 
 use Doctrine\DBAL\Platforms\AbstractPlatform;
-use Sidus\EncryptionBundle\Encryption\Enabler\EncryptionEnablerInterface;
-use Sidus\EncryptionBundle\Manager\EncryptionManagerInterface;
+use Sidus\EncryptionBundle\Doctrine\ValueEncrypterInterface;
 
 trait EncryptType
 {
-    private EncryptionManagerInterface $encryptionManager;
-    private EncryptionEnablerInterface $encryptionEnabler;
+    private ValueEncrypterInterface $valueEncrypter;
 
-    public function convertToPHPValue($value, AbstractPlatform $platform)
+    public function convertToPHPValue($value, AbstractPlatform $platform): string
     {
-        // Allow to do not decrypt the value for the current request
-        if (!$this->encryptionEnabler->isEncryptionEnabled()) {
-            return $value;
-        }
+        // Decode value previously encoded in base64 for database storage
+        $value = base64_decode($value);
 
-        return $this->encryptionManager->decryptString(base64_decode($value));
+        return $this->valueEncrypter->decrypt($value);
     }
 
-    public function convertToDatabaseValue($value, AbstractPlatform $platform)
+    public function convertToDatabaseValue($value, AbstractPlatform $platform): string
     {
-        // Allow to do not decrypt the value for the current request
-        if (!$this->encryptionEnabler->isEncryptionEnabled()) {
-            return $value;
-        }
-        $value = $this->encryptionManager->encryptString($value);
-        
-        return base64_encode($value);
-    }
+        $value = $this->valueEncrypter->encrypt($value);
 
-    public function setEncryptionManager(EncryptionManagerInterface $encryptionManager): void
-    {
-        $this->encryptionManager = $encryptionManager;
+        // Encoding to base64 to avoid issue when storing binary strings
+        return base64_encode($value);
     }
 
-    public function setEncryptionEnabler(EncryptionEnablerInterface $encryptionEnabler): void
+    public function setValueEncrypter(ValueEncrypterInterface $valueEncrypter): void
     {
-        $this->encryptionEnabler = $encryptionEnabler;
+        $this->valueEncrypter = $valueEncrypter;
     }
 }

src/Doctrine/Type/EncryptStringType.php

@@ -2,10 +2,10 @@
 
 namespace Sidus\EncryptionBundle\Doctrine\Type;
 
-use Doctrine\DBAL\Types\StringType;
+use Doctrine\DBAL\Types\TextType;
 use Sidus\EncryptionBundle\Doctrine\Type\Behavior\EncryptType;
 
-class EncryptStringType extends StringType implements EncryptTypeInterface
+class EncryptStringType extends TextType implements EncryptTypeInterface
 {
     use EncryptType;
 

src/Doctrine/Type/EncryptTypeInterface.php

@@ -2,12 +2,9 @@
 
 namespace Sidus\EncryptionBundle\Doctrine\Type;
 
-use Sidus\EncryptionBundle\Encryption\Enabler\EncryptionEnablerInterface;
-use Sidus\EncryptionBundle\Manager\EncryptionManagerInterface;
+use Sidus\EncryptionBundle\Doctrine\ValueEncrypterInterface;
 
 interface EncryptTypeInterface
 {
-    public function setEncryptionManager(EncryptionManagerInterface $encryptionManager): void;
-    
-    public function setEncryptionEnabler(EncryptionEnablerInterface $encryptionEnabler): void;
+    public function setValueEncrypter(ValueEncrypterInterface $valueEncrypter): void;
 }

src/Doctrine/ValueEncrypter.php

@@ -0,0 +1,78 @@
+<?php
+
+namespace Sidus\EncryptionBundle\Doctrine;
+
+use Exception;
+use Psr\Log\LoggerInterface;
+use Sidus\EncryptionBundle\Encryption\Enabler\EncryptionEnablerInterface;
+use Sidus\EncryptionBundle\Manager\EncryptionManagerInterface;
+use Sidus\EncryptionBundle\Registry\EncryptionManagerRegistryInterface;
+use Symfony\Component\String\ByteString;
+
+class ValueEncrypter implements ValueEncrypterInterface
+{
+    private EncryptionManagerRegistryInterface $registry;
+    private LoggerInterface $logger;
+    private EncryptionEnablerInterface $encryptionEnabler;
+    
+    public function __construct(
+        EncryptionManagerRegistryInterface $registry,
+        LoggerInterface $logger,
+        EncryptionEnablerInterface $encryptionEnabler
+    ) {
+        $this->registry = $registry;
+        $this->logger = $logger;
+        $this->encryptionEnabler = $encryptionEnabler;
+    }
+    
+    public function encrypt(string $value): string
+    {
+        // Allow to do not encrypt the value for the current request
+        if (!$this->encryptionEnabler->isEncryptionEnabled()) {
+            return $value;
+        }
+        $manager = $this->registry->getDefaultEncryptionManager();
+        $value = $manager->getEncryptionAdapter()::getCode().'.'.$manager->encryptString($value);
+    
+        return $value;
+    }
+    
+    public function decrypt(string $value): string
+    {
+        // Allow to do not decrypt the value for the current request
+        if (!$this->encryptionEnabler->isEncryptionEnabled()) {
+            return $value;
+        }
+        $manager = $this->extractManagerFromEncryptedValue($value);
+        $value = (new ByteString($value))->replace($manager->getEncryptionAdapter()::getCode().'.', '')->toByteString();
+    
+        try {
+            return $manager->decryptString($value);
+        } catch (Exception $exception) {
+            foreach ($this->registry->getEncryptionManagers() as $encryptionManager) {
+                try {
+                    return $encryptionManager->decryptString($value);
+                } catch (Exception $exception) {
+                }
+            }
+        }
+    
+        return $value;
+    }
+    
+    private function extractManagerFromEncryptedValue(string $value): EncryptionManagerInterface
+    {
+        $split = (new ByteString($value))->split('.');
+        
+        if (count($split) < 3) {
+            return $this->registry->getDefaultEncryptionManager();
+        }
+        $managerCode = $split[0].'.'.$split[1];
+        
+        if ($this->registry->hasEncryptionManager($managerCode)) {
+            return $this->registry->getEncryptionManager($managerCode);
+        }
+        
+        return $this->registry->getDefaultEncryptionManager();
+    }
+}

src/Doctrine/ValueEncrypterInterface.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace Sidus\EncryptionBundle\Doctrine;
+
+interface ValueEncrypterInterface
+{
+    public function encrypt(string $value): string;
+
+    public function decrypt(string $value): string;
+}

src/Registry/EncryptionManagerRegistry.php

@@ -11,7 +11,7 @@
  *
  * @author Vincent Chalnot <[email protected]>
  */
-class EncryptionManagerRegistry
+class EncryptionManagerRegistry implements EncryptionManagerRegistryInterface
 {
     private array $managers = [];
     private string $defaultCode;

src/Registry/EncryptionManagerRegistryInterface.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace Sidus\EncryptionBundle\Registry;
+
+use Sidus\EncryptionBundle\Entity\CryptableInterface;
+use Sidus\EncryptionBundle\Entity\UserEncryptionProviderInterface;
+use Sidus\EncryptionBundle\Manager\EncryptionManagerInterface;
+
+/**
+ * Registry for all available encryption managers (one for each adapter).
+ */
+interface EncryptionManagerRegistryInterface
+{
+    /**
+     * @return EncryptionManagerInterface[]
+     */
+    public function getEncryptionManagers(): array;
+    
+    public function getEncryptionManagerForEntity(CryptableInterface $entity): EncryptionManagerInterface;
+
+    public function getEncryptionManagerForUser(UserEncryptionProviderInterface $user): EncryptionManagerInterface;
+    
+    public function getEncryptionManager(string $code): EncryptionManagerInterface;
+
+    public function hasEncryptionManager(string $code): bool;
+    
+    public function getDefaultEncryptionManager(): EncryptionManagerInterface;
+}

src/Resources/config/services/doctrine.yaml

@@ -5,4 +5,4 @@ services:
         autoconfigure: true
         arguments:
             $typesConfig: "%doctrine.dbal.connection_factory.types%"
-            $encryptionManager: '@Sidus\EncryptionBundle\Registry\EncryptionManagerRegistry'
+            $valueEncrypter: '@Sidus\EncryptionBundle\Doctrine\ValueEncrypterInterface'