From dc87b9ddf7252519c7a71264199bc193f702c7dd Mon Sep 17 00:00:00 2001
From: Dave Kleijn
Date: Tue, 23 Jul 2024 11:25:27 +0200
Subject: [PATCH 1/4] Added re-encryption functionality for env.php
---
 Service/ChangeEncryptionKey.php | 75 +++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)
diff --git a/Service/ChangeEncryptionKey.php b/Service/ChangeEncryptionKey.php
index cc78b1b..23484ed 100644
--- a/Service/ChangeEncryptionKey.php
+++ b/Service/ChangeEncryptionKey.php
@@ -2,7 +2,18 @@
 declare(strict_types=1);
 namespace Gene\EncryptionKeyManager\Service;
+use Magento\Config\Model\Config\Structure;
 use Magento\EncryptionKey\Model\ResourceModel\Key\Change as MageChanger;
+use Magento\Framework\App\DeploymentConfig;
+use Magento\Framework\App\DeploymentConfig\Writer;
+use Magento\Framework\Config\Data\ConfigData;
+use Magento\Framework\Config\File\ConfigFilePool;
+use Magento\Framework\Encryption\EncryptorInterface;
+use Magento\Framework\Exception\FileSystemException;
+use Magento\Framework\Exception\RuntimeException;
+use Magento\Framework\Filesystem;
+use Magento\Framework\Math\Random;
+use Magento\Framework\Model\ResourceModel\Db\Context;
 use Symfony\Component\Console\Output\OutputInterface;
 class ChangeEncryptionKey extends MageChanger
@@ -13,6 +24,29 @@ class ChangeEncryptionKey extends MageChanger
 /** @var bool */
 private $skipSavedCreditCards = false;
+ /**
+ * @param Context $context
+ * @param Filesystem $filesystem
+ * @param Structure $structure
+ * @param EncryptorInterface $encryptor
+ * @param Writer $writer
+ * @param Random $random
+ * @param DeploymentConfig $deploymentConfig
+ * @param $connectionName
+ */
+ public function __construct(
+ Context $context,
+ Filesystem $filesystem,
+ Structure $structure,
+ EncryptorInterface $encryptor,
+ Writer $writer,
+ Random $random,
+ private readonly DeploymentConfig $deploymentConfig,
+ $connectionName = null,
+ ) {
+ parent::__construct($context, $filesystem, $structure, $encryptor, $writer, $random, $connectionName);
+ }
+
 /**
 * @param OutputInterface $output
 * @return void
@@ -52,6 +86,10 @@ protected function _reEncryptSystemConfigurationValues()
 $this->writeOutput('_reEncryptSystemConfigurationValues - start');
 parent::_reEncryptSystemConfigurationValues();
 $this->writeOutput('_reEncryptSystemConfigurationValues - end');
+
+ $this->writeOutput('_reEncryptEnvConfigurationValues - start');
+ $this->_reEncryptEnvConfigurationValues();
+ $this->writeOutput('_reEncryptEnvConfigurationValues - end');
 }
 /**
@@ -87,4 +125,41 @@ protected function _reEncryptCreditCardNumbers()
 }
 $this->writeOutput('_reEncryptCreditCardNumbers - end');
 }
+
+ /**
+ * Gather all encrypted system config values from env.php and re-encrypt them
+ *
+ * @return void
+ * @throws FileSystemException
+ * @throws RuntimeException
+ */
+ protected function _reEncryptEnvConfigurationValues()
+ {
+ $systemConfig = $this->deploymentConfig->get('system');
+ $systemConfig = $this->iterateSystemConfig($systemConfig);
+
+ $encryptSegment = new ConfigData(ConfigFilePool::APP_ENV);
+ $encryptSegment->set('system', $systemConfig);
+ $this->writer->saveConfig([$encryptSegment->getFileKey() => $encryptSegment->getData()]);
+ }
+
+ /**
+ * Recursively iterate through the system configuration and re-encrypt any encrypted values
+ *
+ * @param array $systemConfig
+ * @return array
+ * @throws \Exception
+ */
+ private function iterateSystemConfig(array $systemConfig)
+ {
+ foreach ($systemConfig as $key => &$value) {
+ if (is_array($value)) {
+ $value = $this->iterateSystemConfig($value);
+ } elseif (is_string($value) && preg_match('/^\d+:\d+:.*$/', $value)) {
+ $value = $this->encryptor->encrypt($this->encryptor->decrypt($value));
+ }
+ }
+
+ return $systemConfig;
+ }
 }
From dd04bcd7c71d7a7809f851174b15c51bfc72ee24 Mon Sep 17 00:00:00 2001
From: Dave Kleijn
Date: Tue, 23 Jul 2024 21:36:46 +0200
Subject: [PATCH 2/4] Refactored re-encryption of env.php system values
---
 Console/GenerateEncryptionKey.php | 1 +
 Service/ChangeEncryptionKey.php | 10 ++++------
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/Console/GenerateEncryptionKey.php b/Console/GenerateEncryptionKey.php
index 6620f1a..b58e0fd 100644
--- a/Console/GenerateEncryptionKey.php
+++ b/Console/GenerateEncryptionKey.php
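Review bot: `iterateSystemConfig` decides that a string is ciphertext with `preg_match('/^\d+:\d+:.*$/', $value)`, which also matches plain-text values such as a time `12:30:00` or any `n:m:...` token; such a value is handed to `decrypt()`, overwritten with the encryption of whatever comes back, and then written into `env.php` by `saveConfig`, so a false positive silently corrupts a setting. Match the encryptor's own output shape instead (digits, colon, digits, colon, then a base64 payload — `'/^\d+:\d+:[A-Za-z0-9+\/=]+$/D'` if that is the format in use, the `D` keeping a trailing newline from matching), and abort before `saveConfig` when `decrypt()` indicates failure for any entry (an empty result, for instance) rather than writing a half-converted file. Separately, `_reEncryptEnvConfigurationValues` passes `$this->deploymentConfig->get('system')` straight into a parameter typed `array`; when `env.php` has no `system` section that lookup yields `null` and the rotation dies with a `TypeError` part-way through — guard with `if (!is_array($systemConfig)) { return; }` before the recursion. The `foreach ($systemConfig as $key => &$value)` leaves `$value` bound by reference after the loop (`unset($value);` is the usual closer) and `$key` is unused. Patch 4 moves this code verbatim into `Service/ReencryptEnvSystemConfigurationValues.php`, where all three points still apply.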
@@ -113,6 +113,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 (bool)$input->getOption(self::INPUT_SKIP_SAVED_CREDIT_CARDS)
 );
 $this->changeEncryptionKey->changeEncryptionKey($newKey);
+ $this->changeEncryptionKey->reEncryptEnvConfigurationValues();
 $this->emulation->stopEnvironmentEmulation();
 $output->writeln('Cleaning cache');
diff --git a/Service/ChangeEncryptionKey.php b/Service/ChangeEncryptionKey.php
index 23484ed..181552a 100644
--- a/Service/ChangeEncryptionKey.php
+++ b/Service/ChangeEncryptionKey.php
@@ -86,10 +86,6 @@ protected function _reEncryptSystemConfigurationValues()
 $this->writeOutput('_reEncryptSystemConfigurationValues - start');
 parent::_reEncryptSystemConfigurationValues();
 $this->writeOutput('_reEncryptSystemConfigurationValues - end');
-
- $this->writeOutput('_reEncryptEnvConfigurationValues - start');
- $this->_reEncryptEnvConfigurationValues();
- $this->writeOutput('_reEncryptEnvConfigurationValues - end');
 }
 /**
@@ -133,14 +129,16 @@ protected function _reEncryptCreditCardNumbers()
 * @throws FileSystemException
 * @throws RuntimeException
 */
- protected function _reEncryptEnvConfigurationValues()
+ public function reEncryptEnvConfigurationValues(): void
 {
+ $this->writeOutput('_reEncryptEnvConfigurationValues - start');
 $systemConfig = $this->deploymentConfig->get('system');
 $systemConfig = $this->iterateSystemConfig($systemConfig);
 $encryptSegment = new ConfigData(ConfigFilePool::APP_ENV);
 $encryptSegment->set('system', $systemConfig);
 $this->writer->saveConfig([$encryptSegment->getFileKey() => $encryptSegment->getData()]);
+ $this->writeOutput('_reEncryptEnvConfigurationValues - end');
 }
 /**
@@ -150,7 +148,7 @@ protected function _reEncryptEnvConfigurationValues()
 * @return array
 * @throws \Exception
 */
- private function iterateSystemConfig(array $systemConfig)
+ private function iterateSystemConfig(array $systemConfig): array
 {
 foreach ($systemConfig as $key => &$value) {
 if (is_array($value)) {
From 4ad8859821181bee99571d97fa09ece09475f380 Mon Sep 17 00:00:00 2001
From: Dave Kleijn
Date: Tue, 23 Jul 2024 21:38:48 +0200
Subject: [PATCH 3/4] Also changes method name in logging
---
 Service/ChangeEncryptionKey.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Service/ChangeEncryptionKey.php b/Service/ChangeEncryptionKey.php
index 181552a..62a87ef 100644
--- a/Service/ChangeEncryptionKey.php
+++ b/Service/ChangeEncryptionKey.php
@@ -131,14 +131,14 @@ protected function _reEncryptCreditCardNumbers()
 */
 public function reEncryptEnvConfigurationValues(): void
 {
- $this->writeOutput('_reEncryptEnvConfigurationValues - start');
+ $this->writeOutput('reEncryptEnvConfigurationValues - start');
 $systemConfig = $this->deploymentConfig->get('system');
 $systemConfig = $this->iterateSystemConfig($systemConfig);
 $encryptSegment = new ConfigData(ConfigFilePool::APP_ENV);
 $encryptSegment->set('system', $systemConfig);
 $this->writer->saveConfig([$encryptSegment->getFileKey() => $encryptSegment->getData()]);
- $this->writeOutput('_reEncryptEnvConfigurationValues - end');
+ $this->writeOutput('reEncryptEnvConfigurationValues - end');
 }
 /**
From 2951a0c5f3957da6f9d0fa603bbc0dccc4c8aaac Mon Sep 17 00:00:00 2001
From: Dave Kleijn
Date: Tue, 23 Jul 2024 23:29:20 +0200
Subject: [PATCH 4/4] Added service class for re-encrypt env system config values
---
 Console/GenerateEncryptionKey.php | 8 +-
 Service/ChangeEncryptionKey.php | 73 -------------------
 .../ReencryptEnvSystemConfigurationValues.php | 66 +++++++++++++++++
 3 files changed, 72 insertions(+), 75 deletions(-)
 create mode 100644 Service/ReencryptEnvSystemConfigurationValues.php
diff --git a/Console/GenerateEncryptionKey.php b/Console/GenerateEncryptionKey.php
index b58e0fd..05bdf8a 100644
--- a/Console/GenerateEncryptionKey.php
+++ b/Console/GenerateEncryptionKey.php
@@ -3,6 +3,7 @@ namespace Gene\EncryptionKeyManager\Console;
 use Gene\EncryptionKeyManager\Service\ChangeEncryptionKey as ChangeEncryptionKeyService;
+use Gene\EncryptionKeyManager\Service\ReencryptEnvSystemConfigurationValues;
 use Magento\Framework\App\Config\Storage\WriterInterface;
 use Magento\Framework\Encryption\Encryptor;
 use Magento\Framework\App\Config\ScopeConfigInterface;
@@ -38,7 +39,8 @@ public function __construct(
 private readonly WriterInterface $configWriter,
 private readonly Emulation $emulation,
 private readonly State $state,
- private readonly Encryptor $encryptor
+ private readonly Encryptor $encryptor,
+ private readonly ReencryptEnvSystemConfigurationValues $reencryptEnvSystemConfigurationValues
 ) {
 parent::__construct();
 }
@@ -113,7 +115,9 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 (bool)$input->getOption(self::INPUT_SKIP_SAVED_CREDIT_CARDS)
 );
 $this->changeEncryptionKey->changeEncryptionKey($newKey);
- $this->changeEncryptionKey->reEncryptEnvConfigurationValues();
+ $output->writeln('reEncryptEnvConfigurationValues - start');
+ $this->reencryptEnvSystemConfigurationValues->execute();
+ $output->writeln('reEncryptEnvConfigurationValues - end');
 $this->emulation->stopEnvironmentEmulation();
 $output->writeln('Cleaning cache');
diff --git a/Service/ChangeEncryptionKey.php b/Service/ChangeEncryptionKey.php
index 62a87ef..cc78b1b 100644
--- a/Service/ChangeEncryptionKey.php
+++ b/Service/ChangeEncryptionKey.php
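Review bot: `$this->reencryptEnvSystemConfigurationValues->execute()` runs after `changeEncryptionKey($newKey)` has returned, so an exception from the env.php step (a write failure in the deployment-config writer, or an entry the encryptor rejects) propagates out of `execute()` with the database already re-encrypted while the `system` values in `env.php` are still under the previous key, and `stopEnvironmentEmulation()` is skipped on that path. That mixed state should be reported explicitly rather than left to a bare stack trace: catch around the call, print the failure and the fact that the env.php step still has to be completed, then rethrow; whether the old values remain decryptable after rotation depends on the encryptor keeping previous key versions, which this hunk does not show. The progress labels `'reEncryptEnvConfigurationValues - start'` / `'- end'` still name the method this series removes; `'ReencryptEnvSystemConfigurationValues - start'` would match the service actually invoked. In the constructor hunk above, a trailing comma after the new `$reencryptEnvSystemConfigurationValues` parameter keeps the next addition to a one-line diff.
```php
$this->changeEncryptionKey->changeEncryptionKey($newKey);
try {
    $output->writeln('ReencryptEnvSystemConfigurationValues - start');
    $this->reencryptEnvSystemConfigurationValues->execute();
    $output->writeln('ReencryptEnvSystemConfigurationValues - end');
} catch (\Throwable $e) {
    // Database values are already under the new key at this point; env.php system values are not.
    $output->writeln('<error>env.php re-encryption failed: ' . $e->getMessage() . '</error>');
    $output->writeln('<error>The system values in env.php were not re-encrypted; resolve the error and re-run.</error>');
    throw $e;
}
// … unchanged: stopEnvironmentEmulation(), cache cleaning …
```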
@@ -2,18 +2,7 @@
 declare(strict_types=1);
 namespace Gene\EncryptionKeyManager\Service;
-use Magento\Config\Model\Config\Structure;
 use Magento\EncryptionKey\Model\ResourceModel\Key\Change as MageChanger;
-use Magento\Framework\App\DeploymentConfig;
-use Magento\Framework\App\DeploymentConfig\Writer;
-use Magento\Framework\Config\Data\ConfigData;
-use Magento\Framework\Config\File\ConfigFilePool;
-use Magento\Framework\Encryption\EncryptorInterface;
-use Magento\Framework\Exception\FileSystemException;
-use Magento\Framework\Exception\RuntimeException;
-use Magento\Framework\Filesystem;
-use Magento\Framework\Math\Random;
-use Magento\Framework\Model\ResourceModel\Db\Context;
 use Symfony\Component\Console\Output\OutputInterface;
 class ChangeEncryptionKey extends MageChanger
@@ -24,29 +13,6 @@ class ChangeEncryptionKey extends MageChanger
 /** @var bool */
 private $skipSavedCreditCards = false;
- /**
- * @param Context $context
- * @param Filesystem $filesystem
- * @param Structure $structure
- * @param EncryptorInterface $encryptor
- * @param Writer $writer
- * @param Random $random
- * @param DeploymentConfig $deploymentConfig
- * @param $connectionName
- */
- public function __construct(
- Context $context,
- Filesystem $filesystem,
- Structure $structure,
- EncryptorInterface $encryptor,
- Writer $writer,
- Random $random,
- private readonly DeploymentConfig $deploymentConfig,
- $connectionName = null,
- ) {
- parent::__construct($context, $filesystem, $structure, $encryptor, $writer, $random, $connectionName);
- }
-
 /**
 * @param OutputInterface $output
 * @return void
@@ -121,43 +87,4 @@ protected function _reEncryptCreditCardNumbers()
 }
 $this->writeOutput('_reEncryptCreditCardNumbers - end');
 }
-
- /**
- * Gather all encrypted system config values from env.php and re-encrypt them
- *
- * @return void
- * @throws FileSystemException
- * @throws RuntimeException
- */
- public function reEncryptEnvConfigurationValues(): void
- {
- $this->writeOutput('reEncryptEnvConfigurationValues - start');
- $systemConfig = $this->deploymentConfig->get('system');
- $systemConfig = $this->iterateSystemConfig($systemConfig);
-
- $encryptSegment = new ConfigData(ConfigFilePool::APP_ENV);
- $encryptSegment->set('system', $systemConfig);
- $this->writer->saveConfig([$encryptSegment->getFileKey() => $encryptSegment->getData()]);
- $this->writeOutput('reEncryptEnvConfigurationValues - end');
- }
-
- /**
- * Recursively iterate through the system configuration and re-encrypt any encrypted values
- *
- * @param array $systemConfig
- * @return array
- * @throws \Exception
- */
- private function iterateSystemConfig(array $systemConfig): array
- {
- foreach ($systemConfig as $key => &$value) {
- if (is_array($value)) {
- $value = $this->iterateSystemConfig($value);
- } elseif (is_string($value) && preg_match('/^\d+:\d+:.*$/', $value)) {
- $value = $this->encryptor->encrypt($this->encryptor->decrypt($value));
- }
- }
-
- return $systemConfig;
- }
 }
diff --git a/Service/ReencryptEnvSystemConfigurationValues.php b/Service/ReencryptEnvSystemConfigurationValues.php
new file mode 100644
index 0000000..fe6a3d1
--- /dev/null
+++ b/Service/ReencryptEnvSystemConfigurationValues.php
@@ -0,0 +1,66 @@
+deploymentConfig->get('system');
+ $systemConfig = $this->iterateSystemConfig($systemConfig);
+
+ $encryptSegment = new ConfigData(ConfigFilePool::APP_ENV);
+ $encryptSegment->set('system', $systemConfig);
+ $this->writer->saveConfig([$encryptSegment->getFileKey() => $encryptSegment->getData()]);
+ }
+
+ /**
+ * Recursively iterate through the system configuration and re-encrypt any encrypted values
+ *
+ * @param array $systemConfig
+ * @return array
+ * @throws \Exception
+ */
+ private function iterateSystemConfig(array $systemConfig): array
+ {
+ foreach ($systemConfig as $key => &$value) {
+ if (is_array($value)) {
+ $value = $this->iterateSystemConfig($value);
+ } elseif (is_string($value) && preg_match('/^\d+:\d+:.*$/', $value)) {
+ $value = $this->encryptor->encrypt($this->encryptor->decrypt($value));
+ }
+ }
+
+ return $systemConfig;
+ }
+}