Merge pull request #164 from patchlevel/backport-lifecycle-and-cryptography-extension

Backport lifecycle and cryptography extension

Author: DavidBadura

phpstan-baseline.neon

@@ -18,6 +18,30 @@ parameters:
 			count: 1
 			path: src/Cryptography/PersonalDataPayloadCryptographer.php
 
+		-
+			message: '#^Parameter \#3 \$iv of class Patchlevel\\Hydrator\\Extension\\Cryptography\\Cipher\\CipherKey constructor expects non\-empty\-string, string given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/Extension/Cryptography/BaseCryptographer.php
+
+		-
+			message: '#^Method Patchlevel\\Hydrator\\Extension\\Cryptography\\Cipher\\OpensslCipher\:\:encrypt\(\) should return non\-empty\-string but returns string\.$#'
+			identifier: return.type
+			count: 1
+			path: src/Extension/Cryptography/Cipher/OpensslCipher.php
+
+		-
+			message: '#^Parameter \#1 \$key of class Patchlevel\\Hydrator\\Extension\\Cryptography\\Cipher\\CipherKey constructor expects non\-empty\-string, string given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/Extension/Cryptography/Cipher/OpensslCipherKeyFactory.php
+
+		-
+			message: '#^Parameter \#3 \$iv of class Patchlevel\\Hydrator\\Extension\\Cryptography\\Cipher\\CipherKey constructor expects non\-empty\-string, string given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/Extension/Cryptography/Cipher/OpensslCipherKeyFactory.php
+
 		-
 			message: '#^Method Patchlevel\\Hydrator\\Guesser\\BuiltInGuesser\:\:guess\(\) has parameter \$type with generic class Symfony\\Component\\TypeInfo\\Type\\ObjectType but does not specify its types\: T$#'
 			identifier: missingType.generics
@@ -108,6 +132,12 @@ parameters:
 			count: 1
 			path: src/Normalizer/ReflectionTypeUtil.php
 
+		-
+			message: '#^Property Patchlevel\\Hydrator\\Tests\\Unit\\Extension\\Cryptography\\Fixture\\ChildWithSensitiveDataWithIdentifierDto\:\:\$email is never read, only written\.$#'
+			identifier: property.onlyWritten
+			count: 1
+			path: tests/Unit/Extension/Cryptography/Fixture/ChildWithSensitiveDataWithIdentifierDto.php
+
 		-
 			message: '#^Method Patchlevel\\Hydrator\\Tests\\Unit\\Fixture\\DtoWithHooks\:\:postHydrate\(\) is unused\.$#'
 			identifier: method.unused

src/Extension/Cryptography/Attribute/DataSubjectId.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Extension\Cryptography\Attribute;
+
+use Attribute;
+
+#[Attribute(Attribute::TARGET_PROPERTY)]
+final class DataSubjectId
+{
+    public function __construct(
+        public readonly string $name = 'default',
+    ) {
+    }
+}

src/Extension/Cryptography/Attribute/SensitiveData.php

@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Extension\Cryptography\Attribute;
+
+use Attribute;
+use InvalidArgumentException;
+
+#[Attribute(Attribute::TARGET_PROPERTY)]
+final class SensitiveData
+{
+    /** @var (callable(string):mixed)|null */
+    public readonly mixed $fallbackCallable;
+
+    public function __construct(
+        public readonly mixed $fallback = null,
+        callable|null $fallbackCallable = null,
+        public readonly string $subjectIdName = 'default',
+    ) {
+        $this->fallbackCallable = $fallbackCallable;
+
+        if ($this->fallbackCallable !== null && $this->fallback !== null) {
+            throw new InvalidArgumentException('You can only set one of fallback or fallbackCallable');
+        }
+    }
+}

src/Extension/Cryptography/BaseCryptographer.php

@@ -0,0 +1,97 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Extension\Cryptography;
+
+use Patchlevel\Hydrator\Extension\Cryptography\Cipher\Cipher;
+use Patchlevel\Hydrator\Extension\Cryptography\Cipher\CipherKey;
+use Patchlevel\Hydrator\Extension\Cryptography\Cipher\CipherKeyFactory;
+use Patchlevel\Hydrator\Extension\Cryptography\Cipher\DecryptionFailed;
+use Patchlevel\Hydrator\Extension\Cryptography\Cipher\EncryptionFailed;
+use Patchlevel\Hydrator\Extension\Cryptography\Cipher\OpensslCipher;
+use Patchlevel\Hydrator\Extension\Cryptography\Cipher\OpensslCipherKeyFactory;
+use Patchlevel\Hydrator\Extension\Cryptography\Store\CipherKeyNotExists;
+use Patchlevel\Hydrator\Extension\Cryptography\Store\CipherKeyStore;
+
+use function array_key_exists;
+use function base64_decode;
+use function base64_encode;
+use function is_array;
+
+/**
+ * @phpstan-type EncryptedDataV1 array{
+ *     __enc: 'v1',
+ *     data: non-empty-string,
+ *     method?: non-empty-string,
+ *     iv?: non-empty-string,
+ * }
+ */
+final class BaseCryptographer implements Cryptographer
+{
+    public function __construct(
+        private readonly Cipher $cipher,
+        private readonly CipherKeyStore $cipherKeyStore,
+        private readonly CipherKeyFactory $cipherKeyFactory,
+    ) {
+    }
+
+    /**
+     * @return EncryptedDataV1
+     *
+     * @throws EncryptionFailed
+     */
+    public function encrypt(string $subjectId, mixed $value): array
+    {
+        try {
+            $cipherKey = $this->cipherKeyStore->get($subjectId);
+        } catch (CipherKeyNotExists) {
+            $cipherKey = ($this->cipherKeyFactory)();
+            $this->cipherKeyStore->store($subjectId, $cipherKey);
+        }
+
+        return [
+            '__enc' => 'v1',
+            'data' => $this->cipher->encrypt($cipherKey, $value),
+            'method' => $cipherKey->method,
+            'iv' => base64_encode($cipherKey->iv),
+        ];
+    }
+
+    /**
+     * @param EncryptedDataV1 $encryptedData
+     *
+     * @throws CipherKeyNotExists
+     * @throws DecryptionFailed
+     */
+    public function decrypt(string $subjectId, mixed $encryptedData): mixed
+    {
+        $cipherKey = $this->cipherKeyStore->get($subjectId);
+
+        return $this->cipher->decrypt(
+            new CipherKey(
+                $cipherKey->key,
+                $encryptedData['method'] ?? $cipherKey->method,
+                isset($encryptedData['iv']) ? base64_decode($encryptedData['iv']) : $cipherKey->iv,
+            ),
+            $encryptedData['data'],
+        );
+    }
+
+    public function supports(mixed $value): bool
+    {
+        return is_array($value) && array_key_exists('__enc', $value) && $value['__enc'] === 'v1';
+    }
+
+    /** @param non-empty-string $method */
+    public static function createWithOpenssl(
+        CipherKeyStore $cryptoStore,
+        string $method = OpensslCipherKeyFactory::DEFAULT_METHOD,
+    ): static {
+        return new self(
+            new OpensslCipher(),
+            $cryptoStore,
+            new OpensslCipherKeyFactory($method),
+        );
+    }
+}

src/Extension/Cryptography/Cipher/Cipher.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Extension\Cryptography\Cipher;
+
+interface Cipher
+{
+    /**
+     * @return non-empty-string
+     *
+     * @throws EncryptionFailed
+     */
+    public function encrypt(CipherKey $key, mixed $data): string;
+
+    /** @throws DecryptionFailed */
+    public function decrypt(CipherKey $key, string $data): mixed;
+}

src/Extension/Cryptography/Cipher/CipherKey.php

@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Extension\Cryptography\Cipher;
+
+final class CipherKey
+{
+    /**
+     * @param non-empty-string $key
+     * @param non-empty-string $method
+     * @param non-empty-string $iv
+     */
+    public function __construct(
+        public readonly string $key,
+        public readonly string $method,
+        public readonly string $iv,
+    ) {
+    }
+}

src/Extension/Cryptography/Cipher/CipherKeyFactory.php

@@ -0,0 +1,11 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Extension\Cryptography\Cipher;
+
+interface CipherKeyFactory
+{
+    /** @throws CreateCipherKeyFailed */
+    public function __invoke(): CipherKey;
+}

src/Extension/Cryptography/Cipher/CreateCipherKeyFailed.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Extension\Cryptography\Cipher;
+
+use Patchlevel\Hydrator\HydratorException;
+use RuntimeException;
+
+final class CreateCipherKeyFailed extends RuntimeException implements HydratorException
+{
+    public function __construct()
+    {
+        parent::__construct('Create cipher key failed.');
+    }
+}

src/Extension/Cryptography/Cipher/DecryptionFailed.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Extension\Cryptography\Cipher;
+
+use Patchlevel\Hydrator\HydratorException;
+use RuntimeException;
+
+final class DecryptionFailed extends RuntimeException implements HydratorException
+{
+    public function __construct()
+    {
+        parent::__construct('Decryption failed.');
+    }
+}

src/Extension/Cryptography/Cipher/EncryptionFailed.php

@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Extension\Cryptography\Cipher;
+
+use Patchlevel\Hydrator\HydratorException;
+use RuntimeException;
+
+final class EncryptionFailed extends RuntimeException implements HydratorException
+{
+    public function __construct()
+    {
+        parent::__construct('Encryption failed.');
+    }
+}