Add encryption functionality

Encryption keys can be configured directly in the configuration or through files. Keys can be rotated manually. All parameters are passed to services to facilitate caching in the service container, regardless of the given configuration. Improvements include:
- Adds configuration options for encryption keys
- Adds compiler pass to pass configuration to encryption services and remove sensitive parameters from the container
- Adds console command to generate encryption keys
- Adds custom Doctrine type for encrypted values
- Convert sensitive Credentials entity fields to encrypted fields with migration that automatically encrypts the data
- Generate encryption keys during initialization in the standalone image

Author: codedmonkey

.github/workflows/tests.yaml

@@ -49,6 +49,9 @@ jobs:
       - name: Install Composer dependencies
         run: composer install --ansi --no-interaction --no-progress
 
+      - name: Generate encryption keys
+        run: bin/console encryption:generate-keys
+
       - name: Validate mapping
         run: bin/console doctrine:schema:validate --skip-sync -vvv --ansi --no-interaction
 
@@ -113,6 +116,9 @@ jobs:
       - name: Build assets
         run: npm run build
 
+      - name: Generate encryption keys
+        run: bin/console encryption:generate-keys
+
       - name: Create database schema
         run: bin/console doctrine:schema:create --env=test
 

.gitignore

@@ -4,6 +4,7 @@
 /config/dirigent.php
 /config/dirigent.yaml
 /config/dirigent.yml
+/config/encryption/
 /config/packages/dirigent.yaml
 /storage/
 

Dockerfile

@@ -61,6 +61,7 @@ RUN set -e; \
         php83-phar \
         php83-session \
         php83-simplexml \
+        php83-sodium \
         php83-tokenizer \
         php83-xml \
         postgresql \

composer.json

@@ -11,6 +11,7 @@
         "ext-ctype": "*",
         "ext-curl": "*",
         "ext-iconv": "*",
+        "ext-sodium": "*",
         "cebe/markdown": "^1.2",
         "composer/composer": "^2.7",
         "doctrine/doctrine-bundle": "^2.11",

composer.lock

@@ -8,6 +8,9 @@ doctrine:
 
         profiling_collect_backtrace: '%kernel.debug%'
         use_savepoints: true
+
+        types:
+            encrypted_text: CodedMonkey\Dirigent\Doctrine\Type\EncryptedTextType
     orm:
         auto_generate_proxy_classes: true
         enable_lazy_ghost_objects: true

config/packages/doctrine.yaml

@@ -4,3 +4,5 @@ doctrine_migrations:
         # as migrations classes should NOT be autoloaded
         'DoctrineMigrations': '%kernel.project_dir%/migrations'
     enable_profiler: false
+    services:
+        'Doctrine\Migrations\Version\MigrationFactory': CodedMonkey\Dirigent\Doctrine\MigrationFactory

config/packages/doctrine_migrations.yaml

@@ -31,4 +31,5 @@ services:
         public: true
         arguments:
             -
+                'encryption:generate-keys': '@CodedMonkey\Dirigent\Command\EncryptionGenerateKeysCommand'
                 'packages:update': '@CodedMonkey\Dirigent\Command\PackagesUpdateCommand'

config/services.yaml

@@ -2,6 +2,13 @@ parameters:
   kernel_secret: '%env(default:kernel_secret_file:KERNEL_SECRET)%'
   kernel_secret_file: '%env(default::file:KERNEL_SECRET_FILE)%'
 
+dirigent:
+  encryption:
+    private_key: '%env(DECRYPTION_KEY)%'
+    private_key_path: '%env(DECRYPTION_KEY_FILE)%'
+    public_key: '%env(ENCRYPTION_KEY)%'
+    public_key_path: '%env(ENCRYPTION_KEY_FILE)%'
+
 framework:
   secret: '%kernel_secret%'
 

docker/config.yaml

@@ -5,6 +5,10 @@
     'DIRIGENT_IMAGE' => '1',
     'SYMFONY_DOTENV_PATH' => './.env.dirigent',
 
+    'DECRYPTION_KEY' => '',
+    'DECRYPTION_KEY_FILE' => '/srv/config/secrets/decryption_key',
+    'ENCRYPTION_KEY' => '',
+    'ENCRYPTION_KEY_FILE' => '/srv/config/secrets/encryption_key',
     'GITHUB_TOKEN' => '',
     'KERNEL_SECRET_FILE' => '/srv/config/secrets/kernel_secret',
     'MAILER_DSN' => 'null://null',