feat(cryptography): introduce cryptography component (#1346)

Co-authored-by: Brent Roose <[email protected]>

Author: innocenzi

composer.json

@@ -82,6 +82,7 @@
         "tempest/console": "self.version",
         "tempest/container": "self.version",
         "tempest/core": "self.version",
+        "tempest/cryptography": "self.version",
         "tempest/database": "self.version",
         "tempest/datetime": "self.version",
         "tempest/debug": "self.version",
@@ -119,6 +120,7 @@
             "Tempest\\Console\\": "packages/console/src",
             "Tempest\\Container\\": "packages/container/src",
             "Tempest\\Core\\": "packages/core/src",
+            "Tempest\\Cryptography\\": "packages/cryptography/src",
             "Tempest\\Database\\": "packages/database/src",
             "Tempest\\DateTime\\": "packages/datetime/src",
             "Tempest\\Debug\\": "packages/debug/src",
@@ -185,6 +187,7 @@
             "Tempest\\Console\\Tests\\": "packages/console/tests",
             "Tempest\\Container\\Tests\\": "packages/container/tests",
             "Tempest\\Core\\Tests\\": "packages/core/tests",
+            "Tempest\\Cryptography\\Tests\\": "packages/cryptography/tests",
             "Tempest\\Database\\Tests\\": "packages/database/tests",
             "Tempest\\DateTime\\Tests\\": "packages/datetime/tests",
             "Tempest\\EventBus\\Tests\\": "packages/event-bus/tests",

packages/clock/src/GenericClock.php

@@ -41,10 +41,9 @@ public function milliseconds(): int
 
     public function sleep(int|Duration $milliseconds): void
     {
-        if ($milliseconds instanceof Duration) {
-            $milliseconds = (int) $milliseconds->getTotalMilliseconds();
-        }
-
-        usleep($milliseconds * MILLISECONDS_PER_SECOND);
+        usleep(match (true) {
+            is_int($milliseconds) => $milliseconds * MILLISECONDS_PER_SECOND,
+            $milliseconds instanceof Duration => (int) $milliseconds->getTotalMicroseconds(),
+        });
     }
 }

packages/cryptography/.gitattributes

@@ -0,0 +1,14 @@
+# Exclude build/test files from the release
+.github/                  export-ignore
+tests/                    export-ignore
+.gitattributes            export-ignore
+.gitignore                export-ignore
+phpunit.xml               export-ignore
+README.md                 export-ignore
+
+# Configure diff output
+*.view.php diff=html
+*.php diff=php
+*.css diff=css
+*.html diff=html
+*.md diff=markdown

packages/cryptography/LICENSE.md

@@ -0,0 +1,9 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Brent Roose [email protected]
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

packages/cryptography/composer.json

@@ -0,0 +1,22 @@
+{
+    "name": "tempest/cryptography",
+    "description": "A component for working with passwords, hashing, and cryptography.",
+    "license": "MIT",
+    "minimum-stability": "dev",
+    "require": {
+        "php": "^8.4",
+        "tempest/container": "dev-main",
+        "tempest/support": "dev-main",
+        "tempest/clock": "dev-main"
+    },
+    "autoload": {
+        "psr-4": {
+            "Tempest\\Cryptography\\": "src"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "Tempest\\Cryptography\\Tests\\": "tests"
+        }
+    }
+}

packages/cryptography/phpunit.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/11.4/phpunit.xsd"
+	bootstrap="vendor/autoload.php"
+	executionOrder="depends,defects"
+	beStrictAboutOutputDuringTests="true"
+	displayDetailsOnPhpunitDeprecations="true"
+	failOnPhpunitDeprecation="false"
+	failOnRisky="true"
+	failOnWarning="true"
+>
+	<testsuites>
+		<testsuite name="Tempest cryptography">
+			<directory>tests</directory>
+		</testsuite>
+	</testsuites>
+	<source restrictNotices="true" restrictWarnings="true" ignoreIndirectDeprecations="true">
+		<include>
+			<directory>src</directory>
+		</include>
+	</source>
+</phpunit>

packages/cryptography/src/CreateSigningKeyCommand.php

@@ -0,0 +1,63 @@
+<?php
+
+namespace Tempest\Cryptography;
+
+use Tempest\Console\Console;
+use Tempest\Console\ConsoleCommand;
+use Tempest\Console\ExitCode;
+use Tempest\Cryptography\Encryption\EncryptionConfig;
+use Tempest\Cryptography\Encryption\EncryptionKey;
+use Tempest\Support\Filesystem;
+use Tempest\Support\Regex;
+use Tempest\Support\Str;
+
+use function Tempest\root_path;
+
+final readonly class CreateSigningKeyCommand
+{
+    public function __construct(
+        private EncryptionConfig $encryptionConfig,
+        private Console $console,
+    ) {}
+
+    #[ConsoleCommand('key:generate', description: 'Generates the signing key required to sign and verify data.')]
+    public function __invoke(): ExitCode
+    {
+        $key = EncryptionKey::generate($this->encryptionConfig->algorithm);
+
+        $this->console->writeln();
+        $this->console->success('Signing key generated successfully.');
+
+        $this->createDotEnvIfNotExists();
+        $this->addToDotEnv($key->toString());
+
+        return ExitCode::SUCCESS;
+    }
+
+    private function getDotEnvPath(): string
+    {
+        return root_path('.env');
+    }
+
+    private function addToDotEnv(string $key): void
+    {
+        $file = Filesystem\read_file($this->getDotEnvPath());
+
+        if (! Str\contains($file, 'SIGNING_KEY=')) {
+            $file .= "\nSIGNING_KEY={$key}\n";
+        } else {
+            $file = Regex\replace($file, '/^SIGNING_KEY=.*$/m', "SIGNING_KEY={$key}");
+        }
+
+        Filesystem\write_file($this->getDotEnvPath(), $file);
+    }
+
+    private function createDotEnvIfNotExists(): void
+    {
+        if (Filesystem\exists($this->getDotEnvPath())) {
+            return;
+        }
+
+        Filesystem\create_file($this->getDotEnvPath());
+    }
+}

packages/cryptography/src/Encryption/EncryptedData.php

@@ -0,0 +1,54 @@
+<?php
+
+namespace Tempest\Cryptography\Encryption;
+
+use Stringable;
+use Tempest\Cryptography\Encryption\Exceptions\EncryptedDataWasInvalid;
+use Tempest\Cryptography\Signing\Signature;
+use Tempest\Support\Json;
+
+final readonly class EncryptedData implements Stringable
+{
+    public function __construct(
+        private(set) string $payload,
+        private(set) string $iv,
+        private(set) string $tag,
+        private(set) Signature $signature,
+        private(set) EncryptionAlgorithm $algorithm,
+    ) {}
+
+    public function serialize(): string
+    {
+        $data = [
+            'payload' => base64_encode($this->payload),
+            'iv' => base64_encode($this->iv),
+            'tag' => base64_encode($this->tag),
+            'signature' => $this->signature->value,
+            'algorithm' => $this->algorithm->value,
+        ];
+
+        return base64_encode(Json\encode($data));
+    }
+
+    public static function unserialize(string $data): self
+    {
+        $decoded = Json\decode(base64_decode($data, strict: true));
+
+        if (! is_array($decoded) || ! isset($decoded['payload'], $decoded['iv'], $decoded['tag'], $decoded['signature'], $decoded['algorithm'])) {
+            throw EncryptedDataWasInvalid::dueToInvalidFormat();
+        }
+
+        return new self(
+            payload: base64_decode($decoded['payload'], strict: true),
+            iv: base64_decode($decoded['iv'], strict: true),
+            tag: base64_decode($decoded['tag'], strict: true),
+            signature: new Signature($decoded['signature']),
+            algorithm: EncryptionAlgorithm::from($decoded['algorithm']),
+        );
+    }
+
+    public function __toString(): string
+    {
+        return $this->serialize();
+    }
+}

packages/cryptography/src/Encryption/Encrypter.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace Tempest\Cryptography\Encryption;
+
+interface Encrypter
+{
+    public EncryptionAlgorithm $algorithm {
+        get;
+    }
+
+    /**
+     * Encrypts the specified data.
+     */
+    public function encrypt(#[\SensitiveParameter] string $data): EncryptedData;
+
+    /**
+     * Decrypts the specified data.
+     */
+    public function decrypt(string|EncryptedData $data): string;
+}

packages/cryptography/src/Encryption/EncrypterInitializer.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace Tempest\Cryptography\Encryption;
+
+use Tempest\Container\Container;
+use Tempest\Container\Initializer;
+use Tempest\Container\Singleton;
+use Tempest\Cryptography\Signing\Signer;
+
+final class EncrypterInitializer implements Initializer
+{
+    #[Singleton]
+    public function initialize(Container $container): Encrypter
+    {
+        return new GenericEncrypter(
+            signer: $container->get(Signer::class),
+            config: $container->get(EncryptionConfig::class),
+        );
+    }
+}