feat: add command to create signing key

Author: innocenzi

packages/cryptography/src/CreateSigningKeyCommand.php

@@ -0,0 +1,63 @@
+<?php
+
+namespace Tempest\Cryptography;
+
+use Tempest\Console\Console;
+use Tempest\Console\ConsoleCommand;
+use Tempest\Console\ExitCode;
+use Tempest\Cryptography\Encryption\EncryptionConfig;
+use Tempest\Cryptography\Encryption\EncryptionKey;
+use Tempest\Support\Filesystem;
+use Tempest\Support\Regex;
+use Tempest\Support\Str;
+
+use function Tempest\root_path;
+
+final readonly class CreateSigningKeyCommand
+{
+    public function __construct(
+        private EncryptionConfig $encryptionConfig,
+        private Console $console,
+    ) {}
+
+    #[ConsoleCommand('key:generate', description: 'Generates the signing key required to sign and verify data.')]
+    public function __invoke(): ExitCode
+    {
+        $key = EncryptionKey::generate($this->encryptionConfig->algorithm);
+
+        $this->console->writeln();
+        $this->console->success('Signing key generated successfully.');
+
+        $this->createDotEnvIfNotExists();
+        $this->addToDotEnv($key->toString());
+
+        return ExitCode::SUCCESS;
+    }
+
+    private function getDotEnvPath(): string
+    {
+        return root_path('.env');
+    }
+
+    private function addToDotEnv(string $key): void
+    {
+        $file = Filesystem\read_file($this->getDotEnvPath());
+
+        if (! Str\contains($file, 'SIGNING_KEY=')) {
+            $file .= "\nSIGNING_KEY={$key}\n";
+        } else {
+            $file = Regex\replace($file, '/^SIGNING_KEY=.*$/m', "SIGNING_KEY={$key}");
+        }
+
+        Filesystem\write_file($this->getDotEnvPath(), $file);
+    }
+
+    private function createDotEnvIfNotExists(): void
+    {
+        if (Filesystem\exists($this->getDotEnvPath())) {
+            return;
+        }
+
+        Filesystem\create_file($this->getDotEnvPath());
+    }
+}

packages/cryptography/src/Encryption/EncryptedData.php

@@ -32,16 +32,16 @@ public function serialize(): string
 
     public static function unserialize(string $data): self
     {
-        $decoded = Json\decode(base64_decode($data));
+        $decoded = Json\decode(base64_decode($data, strict: true));
 
         if (! is_array($decoded) || ! isset($decoded['payload'], $decoded['iv'], $decoded['tag'], $decoded['signature'], $decoded['algorithm'])) {
             throw EncryptedDataWasInvalid::dueToInvalidFormat();
         }
 
         return new self(
-            payload: base64_decode($decoded['payload']),
-            iv: base64_decode($decoded['iv']),
-            tag: base64_decode($decoded['tag']),
+            payload: base64_decode($decoded['payload'], strict: true),
+            iv: base64_decode($decoded['iv'], strict: true),
+            tag: base64_decode($decoded['tag'], strict: true),
             signature: new Signature($decoded['signature']),
             algorithm: EncryptionAlgorithm::from($decoded['algorithm']),
         );

packages/cryptography/src/Encryption/EncryptionKey.php

@@ -33,11 +33,16 @@ public static function generate(EncryptionAlgorithm $algorithm): self
      */
     public static function fromString(string $key, EncryptionAlgorithm $algorithm): self
     {
-        return new self($key, $algorithm);
+        return new self(base64_decode($key, strict: true), $algorithm);
+    }
+
+    public function toString(): string
+    {
+        return base64_encode($this->value);
     }
 
     public function __toString(): string
     {
-        return $this->value;
+        return $this->toString();
     }
 }

packages/cryptography/tests/Encryption/EncryptionTest.php

@@ -23,7 +23,7 @@ final class EncryptionTest extends TestCase
 
     private function createEncrypter(?string $key = null, false|Duration $minimumExecutionDuration = false): GenericEncrypter
     {
-        $key ??= EncryptionKey::generate(EncryptionAlgorithm::AES_256_GCM)->value;
+        $key ??= EncryptionKey::generate(EncryptionAlgorithm::AES_256_GCM)->toString();
 
         return new GenericEncrypter(
             signer: $this->createSigner(new SigningConfig(
@@ -48,7 +48,7 @@ public function test_encrypt(string $data): void
 
         $serialized = $encrypted->serialize();
 
-        $this->assertTrue(json_validate(base64_decode($serialized)));
+        $this->assertTrue(json_validate(base64_decode($serialized, strict: true)));
         $this->assertSame($data, $encrypter->decrypt($serialized));
     }
 

tests/Integration/Cryptography/CreateSigningKeyCommandTest.php

@@ -0,0 +1,67 @@
+<?php
+
+namespace Tests\Tempest\Integration\Cryptography;
+
+use Dotenv\Dotenv;
+use Tempest\Core\FrameworkKernel;
+use Tempest\Cryptography\CreateSigningKeyCommand;
+use Tempest\Support\Filesystem;
+use Tests\Tempest\Integration\FrameworkIntegrationTestCase;
+
+use function Tempest\root_path;
+
+final class CreateSigningKeyCommandTest extends FrameworkIntegrationTestCase
+{
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->container->get(FrameworkKernel::class)->root = __DIR__;
+    }
+
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+
+        Filesystem\delete_file(root_path('.env'));
+    }
+
+    public function test_creates_dot_env(): void
+    {
+        $this->assertFalse(Filesystem\is_file(root_path('.env')));
+        $this->console->call(CreateSigningKeyCommand::class)->assertSuccess();
+        $this->assertTrue(Filesystem\is_file(root_path('.env')));
+
+        $file = Filesystem\read_file(root_path('.env'));
+        $env = Dotenv::createImmutable(__DIR__)->parse($file);
+
+        $this->assertArrayHasKey('SIGNING_KEY', $env);
+        $this->assertIsString($env['SIGNING_KEY']);
+    }
+
+    public function test_updates_existing(): void
+    {
+        Filesystem\write_file(root_path('.env'), 'SIGNING_KEY=abc');
+        $this->console->call(CreateSigningKeyCommand::class)->assertSuccess();
+        $this->assertTrue(Filesystem\is_file(root_path('.env')));
+
+        $file = Filesystem\read_file(root_path('.env'));
+        $env = Dotenv::createImmutable(__DIR__)->parse($file);
+
+        $this->assertArrayHasKey('SIGNING_KEY', $env);
+        $this->assertNotSame('abc', $env['SIGNING_KEY']);
+    }
+
+    public function test_add_if_missing(): void
+    {
+        Filesystem\create_file(root_path('.env'));
+        $this->console->call(CreateSigningKeyCommand::class)->assertSuccess();
+        $this->assertTrue(Filesystem\is_file(root_path('.env')));
+
+        $file = Filesystem\read_file(root_path('.env'));
+        $env = Dotenv::createImmutable(__DIR__)->parse($file);
+
+        $this->assertArrayHasKey('SIGNING_KEY', $env);
+        $this->assertIsString($env['SIGNING_KEY']);
+    }
+}

tests/Integration/Cryptography/EncrypterTest.php

@@ -26,7 +26,7 @@ public function test_using_config(): void
     {
         $this->container->config(new EncryptionConfig(
             algorithm: EncryptionAlgorithm::AES_256_GCM,
-            key: $key = EncryptionKey::generate(EncryptionAlgorithm::AES_256_GCM),
+            key: $key = EncryptionKey::generate(EncryptionAlgorithm::AES_256_GCM)->toString(),
         ));
 
         $this->container->config(new SigningConfig(