Merge pull request #51 from shopware/feat/support-app-secret-rotation

feat: support app secret rotation

Author: Gaitholabi

src/Adapter/DynamoDB/DynamoDBRepository.php

@@ -28,16 +28,24 @@ public function createShopStruct(string $shopId, string $shopUrl, string $shopSe
 
     public function createShop(ShopInterface $shop): void
     {
+        $item = [
+            'id' => ['S' => $shop->getShopId()],
+            'active' => ['BOOL' => $shop->isShopActive() ? '1' : '0'],
+            'confirmed' => ['BOOL' => $shop->isRegistrationConfirmed() ? '1' : '0'],
+            'url' => ['S' => $shop->getShopUrl()],
+            'secret' => ['S' => $shop->getShopSecret()],
+            'clientId' => ['S' => (string) $shop->getShopClientId()],
+            'clientSecret' => ['S' => (string) $shop->getShopClientSecret()],
+            'pendingShopSecret' => ['S' => (string) $shop->getPendingShopSecret()],
+            'pendingShopUrl' => ['S' => (string) $shop->getPendingShopUrl()],
+            'previousShopSecret' => ['S' => (string) $shop->getPreviousShopSecret()],
+            'secretsRotatedAt' => ['S' => (string) ($shop->getSecretsRotatedAt()?->getTimestamp() ?? '')],
+            'hasVerifiedWithDoubleSignature' => ['BOOL' => $shop->hasVerifiedWithDoubleSignature() ? '1' : '0'],
+        ];
+
         $this->client->putItem(new PutItemInput([
             'TableName' => $this->tableName,
-            'Item' => [
-                'id' => ['S' => $shop->getShopId()],
-                'active' => ['BOOL' => $shop->isShopActive() ? '1' : '0'],
-                'url' => ['S' => $shop->getShopUrl()],
-                'secret' => ['S' => $shop->getShopSecret()],
-                'clientId' => ['S' => (string) $shop->getShopClientId()],
-                'clientSecret' => ['S' => (string) $shop->getShopClientSecret()],
-            ],
+            'Item' => $item,
         ]));
     }
 
@@ -71,13 +79,61 @@ public function getShopFromId(string $shopId): ShopInterface|null
             $active = false;
         }
 
+        $confirmed = true;
+        if (isset($item['confirmed'])) {
+            $confirmed = $item['confirmed']->getBool();
+            if ($confirmed === null) {
+                $confirmed = false;
+            }
+        }
+
+        $pendingShopSecret = isset($item['pendingShopSecret']) ? $item['pendingShopSecret']->getS() : null;
+        $pendingShopUrl = isset($item['pendingShopUrl']) ? $item['pendingShopUrl']->getS() : null;
+        $previousShopSecret = isset($item['previousShopSecret']) ? $item['previousShopSecret']->getS() : null;
+
+        if ($pendingShopSecret === '') {
+            $pendingShopSecret = null;
+        }
+
+        if ($pendingShopUrl === '') {
+            $pendingShopUrl = null;
+        }
+
+        if ($previousShopSecret === '') {
+            $previousShopSecret = null;
+        }
+
+        $secretsRotatedAt = null;
+
+        if (isset($item['secretsRotatedAt'])) {
+            $timestamp = $item['secretsRotatedAt']->getS();
+            if ($timestamp !== null && $timestamp !== '') {
+                $secretsRotatedAt = (new \DateTimeImmutable())->setTimestamp((int) $timestamp);
+            }
+        }
+
+        $hasVerifiedWithDoubleSignature = false;
+        if (isset($item['hasVerifiedWithDoubleSignature'])) {
+            $hasVerifiedWithDoubleSignature = $item['hasVerifiedWithDoubleSignature']->getBool();
+
+            if ($hasVerifiedWithDoubleSignature === null) {
+                $hasVerifiedWithDoubleSignature = false;
+            }
+        }
+
         return new DynamoDBShop(
             $item['id']->getS() ?? '',
             $item['url']->getS() ?? '',
             $item['secret']->getS() ?? '',
             $shopClientId,
             $shopClientSecret,
             $active,
+            $pendingShopSecret,
+            $pendingShopUrl,
+            $previousShopSecret,
+            $secretsRotatedAt,
+            $hasVerifiedWithDoubleSignature,
+            $confirmed,
         );
     }
 
@@ -88,16 +144,22 @@ public function updateShop(ShopInterface $shop): void
             'Key' => [
                 'id' => ['S' => $shop->getShopId()],
             ],
-            'UpdateExpression' => 'SET active = :active, #u = :url, secret = :secret, clientId = :clientId, clientSecret = :clientSecret',
+            'UpdateExpression' => 'SET active = :active, confirmed = :confirmed, #u = :url, secret = :secret, clientId = :clientId, clientSecret = :clientSecret, pendingShopSecret = :pendingShopSecret, pendingShopUrl = :pendingShopUrl, previousShopSecret = :previousShopSecret, secretsRotatedAt = :secretsRotatedAt, hasVerifiedWithDoubleSignature = :hasVerifiedWithDoubleSignature',
             'ExpressionAttributeNames' => [
                 '#u' => 'url',
             ],
             'ExpressionAttributeValues' => [
                 ':active' => ['BOOL' => $shop->isShopActive() ? '1' : '0'],
+                ':confirmed' => ['BOOL' => $shop->isRegistrationConfirmed() ? '1' : '0'],
                 ':url' => ['S' => $shop->getShopUrl()],
                 ':secret' => ['S' => $shop->getShopSecret()],
                 ':clientId' => ['S' => (string) $shop->getShopClientId()],
                 ':clientSecret' => ['S' => (string) $shop->getShopClientSecret()],
+                ':pendingShopSecret' => ['S' => (string) $shop->getPendingShopSecret()],
+                ':pendingShopUrl' => ['S' => (string) $shop->getPendingShopUrl()],
+                ':previousShopSecret' => ['S' => (string) $shop->getPreviousShopSecret()],
+                ':secretsRotatedAt' => ['S' => (string) ($shop->getSecretsRotatedAt()?->getTimestamp() ?? '')],
+                ':hasVerifiedWithDoubleSignature' => ['BOOL' => $shop->hasVerifiedWithDoubleSignature() ? '1' : '0'],
             ],
         ]));
     }

src/Adapter/DynamoDB/DynamoDBShop.php

@@ -8,8 +8,23 @@
 
 class DynamoDBShop implements ShopInterface
 {
-    public function __construct(public string $shopId, public string $shopUrl, public string $shopSecret, public ?string $shopClientId = null, public ?string $shopClientSecret = null, public bool $active = false)
-    {
+    public function __construct(
+        public string $shopId,
+        public string $shopUrl,
+        public string $shopSecret,
+        public ?string $shopClientId = null,
+        public ?string $shopClientSecret = null,
+        public bool $active = false,
+        public ?string $pendingShopSecret = null,
+        public ?string $pendingShopUrl = null,
+        public ?string $previousShopSecret = null,
+        public ?\DateTimeImmutable $secretsRotatedAt = null,
+        /**
+         * @deprecated tag:v6.0.0 - Will be removed. Double signature verification will always be enforced.
+         */
+        public bool $hasVerifiedWithDoubleSignature = false,
+        public bool $registrationConfirmed = false,
+    ) {
     }
 
     public function isShopActive(): bool
@@ -32,6 +47,16 @@ public function getShopSecret(): string
         return $this->shopSecret;
     }
 
+    public function getPreviousShopSecret(): ?string
+    {
+        return $this->previousShopSecret;
+    }
+
+    public function getPendingShopSecret(): ?string
+    {
+        return $this->pendingShopSecret;
+    }
+
     public function getShopClientId(): ?string
     {
         return $this->shopClientId;
@@ -42,6 +67,16 @@ public function getShopClientSecret(): ?string
         return $this->shopClientSecret;
     }
 
+    public function getPendingShopUrl(): ?string
+    {
+        return $this->pendingShopUrl;
+    }
+
+    public function getSecretsRotatedAt(): ?\DateTimeImmutable
+    {
+        return $this->secretsRotatedAt;
+    }
+
     public function setShopApiCredentials(string $clientId, string $clientSecret): ShopInterface
     {
         $this->shopClientId = $clientId;
@@ -50,6 +85,13 @@ public function setShopApiCredentials(string $clientId, string $clientSecret): S
         return $this;
     }
 
+    public function setShopSecret(string $secret): ShopInterface
+    {
+        $this->shopSecret = $secret;
+
+        return $this;
+    }
+
     public function setShopUrl(string $url): ShopInterface
     {
         $this->shopUrl = $url;
@@ -63,4 +105,62 @@ public function setShopActive(bool $active): ShopInterface
 
         return $this;
     }
+
+    public function setPendingShopSecret(?string $secret): ShopInterface
+    {
+        $this->pendingShopSecret = $secret;
+
+        return $this;
+    }
+
+    public function setPendingShopUrl(?string $shopUrl): ShopInterface
+    {
+        $this->pendingShopUrl = $shopUrl;
+
+        return $this;
+    }
+
+    public function setPreviousShopSecret(string $secret): ShopInterface
+    {
+        $this->previousShopSecret = $secret;
+
+        return $this;
+    }
+
+    public function setSecretsRotatedAt(\DateTimeImmutable $updatedAt): ShopInterface
+    {
+        $this->secretsRotatedAt = $updatedAt;
+
+        return $this;
+    }
+
+    public function isRegistrationConfirmed(): bool
+    {
+        return $this->registrationConfirmed;
+    }
+
+    public function setRegistrationConfirmed(): ShopInterface
+    {
+        $this->registrationConfirmed = true;
+
+        return $this;
+    }
+
+    /**
+     * @deprecated tag:v6.0.0 - Will be removed. Double signature verification will always be enforced.
+     */
+    public function setVerifiedWithDoubleSignature(): ShopInterface
+    {
+        $this->hasVerifiedWithDoubleSignature = true;
+
+        return $this;
+    }
+
+    /**
+     * @deprecated tag:v6.0.0 - Will be removed. Double signature verification will always be enforced.
+     */
+    public function hasVerifiedWithDoubleSignature(): bool
+    {
+        return $this->hasVerifiedWithDoubleSignature;
+    }
 }

src/AppConfiguration.php

@@ -9,7 +9,8 @@ class AppConfiguration
     public function __construct(
         private readonly string $appName,
         private readonly string $appSecret,
-        private readonly string $registrationConfirmationUrl
+        private readonly string $registrationConfirmationUrl,
+        private readonly bool $enforceDoubleSignature = false
     ) {
     }
 
@@ -27,4 +28,12 @@ public function getRegistrationConfirmUrl(): string
     {
         return $this->registrationConfirmationUrl;
     }
+
+    /**
+     * @deprecated tag:v6.0.0 - Will be removed. Double signature verification will always be enforced.
+     */
+    public function enforceDoubleSignature(): bool
+    {
+        return $this->enforceDoubleSignature;
+    }
 }