
Commit 0d9e8cb

committed
Add encryption functionality
Encryption keys can be configured directly in the configuration or through files. Keys can be rotated manually. All parameters are passed to services to facilitate caching in the service container, regardless of the given configuration. Improvements include: - Adds configuration options for encryption keys - Adds compiler pass to pass configuration to encryption services and remove sensitive parameters from the container - Adds console command to generate encryption keys - Adds custom Doctrine type for encrypted values - Converts sensitive Credentials entity fields to encrypted fields, with a migration that automatically encrypts the data - Generates encryption keys during initialization in the standalone image
1 parent ed76e94 commit 0d9e8cb

29 files changed

Lines changed: 865 additions & 5 deletions

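--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -49,6 +49,9 @@ jobs:
 - name: Install Composer dependencies
 run: composer install --ansi --no-interaction --no-progress
 
+- name: Generate encryption keys
+run: bin/console encryption:generate-keys
+
 - name: Validate mapping
 run: bin/console doctrine:schema:validate --skip-sync -vvv --ansi --no-interaction
 
@@ -113,6 +116,9 @@ jobs:
 - name: Build assets
 run: npm run build
 
+- name: Generate encryption keys
+run: bin/console encryption:generate-keys
+
 - name: Create database schema
 run: bin/console doctrine:schema:create --env=test
 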
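--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@
 /config/dirigent.php
 /config/dirigent.yaml
 /config/dirigent.yml
+/config/encryption/
 /config/packages/dirigent.yaml
 /storage/
 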
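--- a/Dockerfile
+++ b/Dockerfile
@@ -61,6 +61,7 @@ RUN set -e; \
 php83-phar \
 php83-session \
 php83-simplexml \
+php83-sodium \
 php83-tokenizer \
 php83-xml \
 postgresql \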

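--- a/composer.json
+++ b/composer.json
@@ -11,6 +11,7 @@
 "ext-ctype": "*",
 "ext-curl": "*",
 "ext-iconv": "*",
+"ext-sodium": "*",
 "cebe/markdown": "^1.2",
 "composer/composer": "^2.7",
 "doctrine/doctrine-bundle": "^2.11",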

composer.lock

Lines changed: 3 additions & 2 deletions

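--- a/config/packages/doctrine.yaml
+++ b/config/packages/doctrine.yaml
@@ -8,6 +8,9 @@ doctrine:
 
 profiling_collect_backtrace: '%kernel.debug%'
 use_savepoints: true
+
+types:
+encrypted_text: CodedMonkey\Dirigent\Doctrine\Type\EncryptedTextType
 orm:
 auto_generate_proxy_classes: true
 enable_lazy_ghost_objects: true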

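--- a/config/packages/doctrine_migrations.yaml
+++ b/config/packages/doctrine_migrations.yaml
@@ -4,3 +4,5 @@ doctrine_migrations:
 # as migrations classes should NOT be autoloaded
 'DoctrineMigrations': '%kernel.project_dir%/migrations'
 enable_profiler: false
+services:
+'Doctrine\Migrations\Version\MigrationFactory': CodedMonkey\Dirigent\Doctrine\MigrationFactory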
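Review bot: The new `services:` entry replaces Doctrine's `MigrationFactory` for every migration in the project, but nothing in this file records why the default factory is swapped out. The commit description mentions a migration that encrypts existing Credentials data, so the override is presumably what lets migrations be constructed with the encryption service; a comment above `services:` such as `# Custom factory so migrations can receive application services (used by the migration that encrypts existing Credentials data)` would make that dependency discoverable for the next migration author.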

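--- a/config/services.yaml
+++ b/config/services.yaml
@@ -31,4 +31,5 @@ services:
 public: true
 arguments:
 -
+'encryption:generate-keys': '@CodedMonkey\Dirigent\Command\EncryptionGenerateKeysCommand'
 'packages:update': '@CodedMonkey\Dirigent\Command\PackagesUpdateCommand'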

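--- a/docker/config.yaml
+++ b/docker/config.yaml
@@ -2,6 +2,13 @@ parameters:
 kernel_secret: '%env(default:kernel_secret_file:KERNEL_SECRET)%'
 kernel_secret_file: '%env(default::file:KERNEL_SECRET_FILE)%'
 
+dirigent:
+encryption:
+private_key: '%env(DECRYPTION_KEY)%'
+private_key_path: '%env(DECRYPTION_KEY_FILE)%'
+public_key: '%env(ENCRYPTION_KEY)%'
+public_key_path: '%env(ENCRYPTION_KEY_FILE)%'
+
 framework:
 secret: '%kernel_secret%'
 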
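Review bot: The `private_key`/`private_key_path` pair under `dirigent.encryption` leaves the precedence between an inline key and a key file undocumented, unlike `kernel_secret` above, whose `default:` processor chain makes the fallback explicit in this file. If both `DECRYPTION_KEY` and `DECRYPTION_KEY_FILE` are set, a reader cannot tell from here which one the extension uses; a comment above `dirigent:` such as `# Keys may be given inline (*_KEY) or as a file path (*_KEY_FILE); see the bundle extension for which wins when both are set` would record it. Since an inline private key sits in the process environment, where it is visible to anything that can read the container's process table and may surface in debug or profiler output, the comment should also name the file-based option as the preferred default for the image, which the `decryption_key` path in docker/env.php already suggests is the intent.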
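--- a/docker/env.php
+++ b/docker/env.php
@@ -5,6 +5,10 @@
 'DIRIGENT_IMAGE' => '1',
 'SYMFONY_DOTENV_PATH' => './.env.dirigent',
 
+'DECRYPTION_KEY' => '',
+'DECRYPTION_KEY_FILE' => '/srv/config/secrets/decryption_key',
+'ENCRYPTION_KEY' => '',
+'ENCRYPTION_KEY_FILE' => '/srv/config/secrets/encryption_key',
 'GITHUB_TOKEN' => '',
 'KERNEL_SECRET_FILE' => '/srv/config/secrets/kernel_secret',
 'MAILER_DSN' => 'null://null',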
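Review bot: The new `DECRYPTION_KEY_FILE` default points at `/srv/config/secrets/decryption_key`, and nothing here documents that this path has to survive container recreation or what permissions the file should carry. If the image's initialization generates a key pair whenever the file is missing, as the commit description suggests, a container started without that directory on persistent storage would receive a fresh private key and every previously encrypted credential would become undecryptable. A comment on these four entries, e.g. `// Private key must live on persistent storage and be readable only by the application user; losing it makes stored credentials unrecoverable`, would make the operational requirement visible where the defaults are set. The enclosing array begins before the hunk.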
