Add encryption functionality

Author: codedmonkey

.gitignore

@@ -1,6 +1,7 @@
 /.env
 /compose.override.yaml
 /config/dirigent.yaml
+/config/encryption/
 /config/packages/dirigent.yaml
 /storage/
 

Dockerfile

@@ -61,6 +61,7 @@ RUN set -e; \
         php83-phar \
         php83-session \
         php83-simplexml \
+        php83-sodium \
         php83-tokenizer \
         php83-xml \
         postgresql \

composer.json

@@ -11,6 +11,7 @@
         "ext-ctype": "*",
         "ext-curl": "*",
         "ext-iconv": "*",
+        "ext-sodium": "*",
         "cebe/markdown": "^1.2",
         "composer/composer": "^2.7",
         "doctrine/doctrine-bundle": "^2.11",

composer.lock

@@ -8,6 +8,9 @@ doctrine:
 
         profiling_collect_backtrace: '%kernel.debug%'
         use_savepoints: true
+
+        types:
+            encrypted_text: CodedMonkey\Dirigent\Doctrine\Type\EncryptedTextType
     orm:
         auto_generate_proxy_classes: true
         enable_lazy_ghost_objects: true

config/packages/doctrine.yaml

@@ -4,3 +4,5 @@ doctrine_migrations:
         # as migrations classes should NOT be autoloaded
         'DoctrineMigrations': '%kernel.project_dir%/migrations'
     enable_profiler: false
+    services:
+        'Doctrine\Migrations\Version\MigrationFactory': CodedMonkey\Dirigent\Doctrine\MigrationFactory

config/packages/doctrine_migrations.yaml

@@ -1,2 +1,9 @@
 framework:
   secret: '%env(file:KERNEL_SECRET_FILE)%'
+
+dirigent:
+  encryption:
+    private_key: '%env(DECRYPTION_KEY)%'
+    private_key_path: '%env(DECRYPTION_KEY_FILE)%'
+    public_key: '%env(ENCRYPTION_KEY)%'
+    public_key_path: '%env(ENCRYPTION_KEY_FILE)%'

docker/config.yaml

@@ -3,7 +3,11 @@
 return [
     'APP_ENV' => 'prod',
     'DATABASE_URL' => 'postgresql://dirigent@127.0.0.1:5432/dirigent?serverVersion=16&charset=utf8',
+    'DECRYPTION_KEY' => '',
+    'DECRYPTION_KEY_FILE' => '/srv/config/secrets/decryption_key',
     'DIRIGENT_IMAGE' => '1',
+    'ENCRYPTION_KEY' => '',
+    'ENCRYPTION_KEY_FILE' => '/srv/config/secrets/encryption_key',
     'GITHUB_TOKEN' => '',
     'KERNEL_SECRET_FILE' => '/srv/config/secrets/kernel_secret',
     'MAILER_DSN' => 'null://null',

docker/env.php

@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+set -e
+
+bin/console encryption:generate-keys --no-ansi --no-interaction

docker/scripts/init/40-encryption-generate-keys.sh

@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use CodedMonkey\Dirigent\Encryption\Encryption;
+use Doctrine\DBAL\Connection;
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+use Psr\Log\LoggerInterface;
+
+final class Version20250311205816 extends AbstractMigration
+{
+    public function __construct(
+        Connection $connection,
+        LoggerInterface $logger,
+        private readonly Encryption $encryptionUtility,
+    ) {
+        parent::__construct($connection, $logger);
+    }
+
+    public function getDescription(): string
+    {
+        return 'Encrypt sensitive credentials fields';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE credentials ALTER username TYPE TEXT');
+        $this->addSql('ALTER TABLE credentials ALTER password TYPE TEXT');
+        $this->addSql('ALTER TABLE credentials ALTER token TYPE TEXT');
+
+        $credentialsCollection = $this->connection->fetchAllAssociative('SELECT id, username, password, token FROM credentials');
+
+        foreach ($credentialsCollection as $credentials) {
+            if (null !== $credentials['username']) {
+                $sealedUsername = $this->encryptionUtility->seal($credentials['username']);
+                $this->addSql('UPDATE credentials SET username = ? WHERE id = ?', [$sealedUsername, $credentials['id']]);
+            }
+
+            if (null !== $credentials['password']) {
+                $sealedPassword = $this->encryptionUtility->seal($credentials['password']);
+                $this->addSql('UPDATE credentials SET password = ? WHERE id = ?', [$sealedPassword, $credentials['id']]);
+            }
+
+            if (null !== $credentials['token']) {
+                $sealedToken = $this->encryptionUtility->seal($credentials['token']);
+                $this->addSql('UPDATE credentials SET token = ? WHERE id = ?', [$sealedToken, $credentials['id']]);
+            }
+        }
+    }
+
+    public function down(Schema $schema): void
+    {
+        $credentialsCollection = $this->connection->fetchAllAssociative('SELECT id, username, password, token FROM credentials');
+
+        foreach ($credentialsCollection as $credentials) {
+            if (null !== $credentials['username']) {
+                $username = $this->encryptionUtility->reveal($credentials['username']);
+                $this->addSql('UPDATE credentials SET username = ? WHERE id = ?', [$username, $credentials['id']]);
+            }
+
+            if (null !== $credentials['password']) {
+                $password = $this->encryptionUtility->reveal($credentials['password']);
+                $this->addSql('UPDATE credentials SET password = ? WHERE id = ?', [$password, $credentials['id']]);
+            }
+
+            if (null !== $credentials['token']) {
+                $token = $this->encryptionUtility->reveal($credentials['token']);
+                $this->addSql('UPDATE credentials SET token = ? WHERE id = ?', [$token, $credentials['id']]);
+            }
+        }
+
+        $this->addSql('ALTER TABLE credentials ALTER username TYPE VARCHAR(255)');
+        $this->addSql('ALTER TABLE credentials ALTER password TYPE VARCHAR(255)');
+        $this->addSql('ALTER TABLE credentials ALTER token TYPE VARCHAR(255)');
+    }
+}