Add encryption functionality

Author: codedmonkey

.gitignore

@@ -1,6 +1,7 @@
 /.env
 /compose.override.yaml
 /config/dirigent.yaml
+/config/encryption/
 /config/packages/dirigent.yaml
 /storage/
 

Dockerfile

@@ -61,6 +61,7 @@ RUN set -e; \
         php82-phar \
         php82-session \
         php82-simplexml \
+        php82-sodium \
         php82-tokenizer \
         php82-xml \
         postgresql \

composer.json

@@ -11,6 +11,7 @@
         "ext-ctype": "*",
         "ext-curl": "*",
         "ext-iconv": "*",
+        "ext-sodium": "*",
         "cebe/markdown": "^1.2",
         "composer/composer": "^2.7",
         "doctrine/doctrine-bundle": "^2.11",

composer.lock

@@ -1,2 +1,7 @@
 framework:
   secret: '%env(file:KERNEL_SECRET_FILE)%'
+
+dirigent:
+  encryption:
+    private_key: '%env(DECRYPTION_KEY_FILE)%'
+    public_key: '%env(ENCRYPTION_KEY_FILE)%'

docker/config.yaml

@@ -3,7 +3,9 @@
 return [
     'APP_ENV' => 'prod',
     'DATABASE_URL' => 'postgresql://dirigent@127.0.0.1:5432/dirigent?serverVersion=16&charset=utf8',
+    'DECRYPTION_KEY_FILE' => '/srv/config/secrets/decryption_key',
     'DIRIGENT_IMAGE' => '1',
+    'ENCRYPTION_KEY_FILE' => '/srv/config/secrets/encryption_key',
     'GITHUB_TOKEN' => '',
     'KERNEL_SECRET_FILE' => '/srv/config/secrets/kernel_secret',
     'MAILER_DSN' => 'null://null',

docker/env.php

@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+set -e
+
+bin/console encryption:generate-keys --no-ansi --no-interaction

docker/scripts/init/40-encryption-generate-keys.sh

@@ -0,0 +1,90 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Command;
+
+use CodedMonkey\Dirigent\Encryption\Encryption;
+use CodedMonkey\Dirigent\Encryption\EncryptionException;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\StyleInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\Filesystem\Filesystem;
+
+#[AsCommand(
+    name: 'encryption:generate-keys',
+    description: 'Generates an encryption key pair',
+)]
+class EncryptionGenerateKeysCommand extends Command
+{
+    public function __construct(
+        public readonly ?string $privateKeyPath,
+        public readonly ?string $publicKeyPath,
+    ) {
+        parent::__construct();
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        if (!$this->privateKeyPath || !$this->publicKeyPath) {
+            $io->info('Encryption key files are disabled.');
+
+            return Command::SUCCESS;
+        }
+
+        $filesystem = new Filesystem();
+
+        $decryptionKeyExists = $filesystem->exists($this->privateKeyPath);
+        $encryptionKeyExists = $filesystem->exists($this->publicKeyPath);
+
+        if (!$decryptionKeyExists && $encryptionKeyExists) {
+            $io->error('Unable to generate (private) decryption key because a (public) encryption key exists.');
+
+            return Command::FAILURE;
+        } elseif ($decryptionKeyExists && $encryptionKeyExists) {
+            $io->info('Encryption keys already exist.');
+        } elseif ($decryptionKeyExists && !$encryptionKeyExists) {
+            $decryptionKey = sodium_hex2bin($filesystem->readFile($this->privateKeyPath));
+            $encryptionKey = sodium_crypto_box_publickey($decryptionKey);
+
+            $filesystem->dumpFile($this->publicKeyPath, sodium_bin2hex($encryptionKey));
+
+            $io->success('Generated a new (public) encryption key.');
+        } else {
+            $decryptionKey = sodium_crypto_box_keypair();
+            $encryptionKey = sodium_crypto_box_publickey($decryptionKey);
+
+            $filesystem->dumpFile($this->privateKeyPath, sodium_bin2hex($decryptionKey));
+            $filesystem->dumpFile($this->publicKeyPath, sodium_bin2hex($encryptionKey));
+
+            $io->success('Generated encryption keys.');
+        }
+
+        return $this->validateKeys($io);
+    }
+
+    private function validateKeys(StyleInterface $output): int
+    {
+        $encryption = Encryption::createFromFiles($this->privateKeyPath, $this->publicKeyPath, []);
+
+        $value = 'thank you for the music';
+
+        try {
+            $sealedValue = $encryption->seal($value);
+            $revealedValue = $encryption->reveal($sealedValue);
+
+            if ($value !== $revealedValue) {
+                throw new EncryptionException('Encryption failed');
+            }
+
+            return Command::SUCCESS;
+        } catch (EncryptionException $exception) {
+            $output->error('Encryption key validation failed: ' . $exception->getMessage());
+
+            return Command::FAILURE;
+        }
+    }
+}

src/Command/EncryptionGenerateKeysCommand.php

@@ -0,0 +1,52 @@
+<?php
+
+namespace CodedMonkey\Dirigent\DependencyInjection\Compiler;
+
+use CodedMonkey\Dirigent\Command\EncryptionGenerateKeysCommand;
+use CodedMonkey\Dirigent\Encryption\Encryption;
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+class EncryptionPass implements CompilerPassInterface
+{
+    public function process(ContainerBuilder $container): void
+    {
+        $parameterBag = $container->getParameterBag();
+
+        $privateKey = $parameterBag->get('dirigent.encryption.private_key');
+        $publicKey = $parameterBag->get('dirigent.encryption.public_key');
+        $rotatedKeys = $parameterBag->get('dirigent.encryption.rotated_keys');
+
+        $privateKeyPath = $parameterBag->get('dirigent.encryption.private_key_path');
+        $publicKeyPath = $parameterBag->get('dirigent.encryption.public_key_path');
+        $rotatedKeyPaths = $parameterBag->get('dirigent.encryption.rotated_key_paths');
+
+        $useFiles = !$privateKey && !$publicKey;
+
+        if ($useFiles) {
+            $container->getDefinition(Encryption::class)
+                ->setLazy(true)
+                ->setFactory([Encryption::class, 'createFromFiles'])
+                ->setArguments([$privateKeyPath, $publicKeyPath, $rotatedKeyPaths]);
+
+            $container->getDefinition(EncryptionGenerateKeysCommand::class)
+                ->setArguments([$privateKeyPath, $publicKeyPath]);
+        } else {
+            $container->getDefinition(Encryption::class)
+                ->setLazy(true)
+                ->setFactory([Encryption::class, 'createFromHex'])
+                ->setArguments([$privateKey, $publicKey, $rotatedKeys]);
+
+            $container->getDefinition(EncryptionGenerateKeysCommand::class)
+                ->setArguments([null, null]);
+        }
+
+        $parameterBag->remove('dirigent.encryption.private_key');
+        $parameterBag->remove('dirigent.encryption.public_key');
+        $parameterBag->remove('dirigent.encryption.rotated_keys');
+
+        $parameterBag->remove('dirigent.encryption.private_key_path');
+        $parameterBag->remove('dirigent.encryption.public_key_path');
+        $parameterBag->remove('dirigent.encryption.rotated_key_paths');
+    }
+}

src/DependencyInjection/Compiler/EncryptionPass.php

@@ -4,6 +4,7 @@
 
 use Symfony\Component\Config\Definition\Builder\TreeBuilder;
 use Symfony\Component\Config\Definition\ConfigurationInterface;
+use function Symfony\Component\String\u;
 
 class DirigentConfiguration implements ConfigurationInterface
 {
@@ -22,6 +23,44 @@ public function getConfigTreeBuilder(): TreeBuilder
                     ->booleanNode('registration')->defaultFalse()->end()
                 ->end()
             ->end()
+            ->arrayNode('encryption')
+                ->info('Dirigent uses a X25519 keypair to encrypt sensitive info stored in the database')
+                ->addDefaultsIfNotSet()
+                ->children()
+                    ->scalarNode('private_key')
+                        ->defaultNull()
+                        ->info('The (private) decryption key, if empty, a file will be used to store the key instead')
+                    ->end()
+                    ->scalarNode('private_key_path')
+                        ->defaultValue('%kernel.project_dir%/config/encryption/private.key')
+                        ->info('Path to the (private) decryption key if private_key is empty')
+                    ->end()
+                    ->scalarNode('public_key')
+                        ->defaultNull()
+                        ->info('The (public) encryption key, if empty, a file will be used to store the key instead')
+                    ->end()
+                    ->scalarNode('public_key_path')
+                        ->defaultValue('%kernel.project_dir%/config/encryption/public.key')
+                        ->info('Path to the (public) encryption key if public_key is empty')
+                    ->end()
+                    ->arrayNode('rotated_keys')
+                        ->info('Previously used (private) decryption keys')
+                        ->beforeNormalization()
+                            ->ifString()
+                            ->then(fn (string $keys): array => u($$keys)->split(','))
+                        ->end()
+                        ->prototype('scalar')->end()
+                    ->end()
+                    ->arrayNode('rotated_key_paths')
+                        ->info('Paths to previously used (private) decryption keys')
+                        ->beforeNormalization()
+                            ->ifString()
+                            ->then(fn (string $paths): array => u($$paths)->split(','))
+                        ->end()
+                        ->prototype('scalar')->end()
+                    ->end()
+                ->end()
+            ->end()
             ->arrayNode('storage')
                 ->addDefaultsIfNotSet()
                 ->children()