From cfd24edefb2904d5295a8caa5d431bbc6b9c4d40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20H=C3=A9lias?= Date: Wed, 22 Nov 2023 10:34:38 +0100 Subject: [PATCH] Add sensitive parameter --- src/Command/GenerateIndexesCommand.php | 8 +++---- src/Encryptors/CiphersweetEncryptor.php | 16 +++++++------- src/Encryptors/EncryptorInterface.php | 8 +++---- src/Entity/IndexedEntityAttributeTrait.php | 6 ++--- src/Entity/IndexedEntityTrait.php | 6 ++--- src/Services/IndexableFieldsService.php | 10 ++++----- src/Services/IndexesGenerator.php | 4 ++-- src/Services/PropertyHydratorService.php | 4 ++-- .../DoctrineCiphersweetSubscriber.php | 22 +++++++++---------- 9 files changed, 42 insertions(+), 42 deletions(-) diff --git a/src/Command/GenerateIndexesCommand.php b/src/Command/GenerateIndexesCommand.php index 3cecb2c..4ec43e9 100644 --- a/src/Command/GenerateIndexesCommand.php +++ b/src/Command/GenerateIndexesCommand.php @@ -16,13 +16,13 @@ use Symfony\Component\Process\PhpExecutableFinder; use Symfony\Component\Process\Process; -#[AsCommand(name: 'odb:enc:indexes', description: 'Determine the Blind Index plan for a given field.')] +#[AsCommand(name: 'odb:enc:indexes', description: 'Generates matching indexes')] class GenerateIndexesCommand extends Command { /** @deprecated */ protected static $defaultName = self::CONSOLE_CMD; /** @deprecated */ - protected static $defaultDescription = 'Determine the Blind Index plan for a given field.'; + protected static $defaultDescription = 'Generates matching indexes'; protected static string $defaultAlias = 'o:e:i'; @@ -124,7 +124,7 @@ protected function validateParallelOptions(InputInterface $input): array * * @throws MissingPropertyFromReflectionException */ - protected function initAndRunFiltersGenerationSubProcesses(string $className, array $parallelConfig): void + protected function initAndRunFiltersGenerationSubProcesses(#[\SensitiveParameter] string $className, array $parallelConfig): void { $start = time(); 
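Review bot: `#[\SensitiveParameter]` on `initAndRunFiltersGenerationSubProcesses` only takes effect on PHP 8.2 or newer; on 8.0/8.1 the attribute parses and is silently ignored, and on PHP 7 `#[` opens a line comment, so the signature becomes a parse error. composer.json is not part of this patch, so please confirm its `php` constraint states the floor the change relies on (the `str_starts_with` rewrite later in this patch already implies >= 8.0) and mention in the changelog that the redaction needs >= 8.2. It is also worth a docblock line saying the attribute merely substitutes the argument in `Throwable::getTrace()`/`debug_backtrace()` output, and that with `zend.exception_ignore_args=On` (the php.ini-production default) arguments are omitted from traces anyway, e.g. `// #[\SensitiveParameter] redacts this argument from exception traces only (PHP >= 8.2); it does not protect logs or dumps.` The body of `initAndRunFiltersGenerationSubProcesses` continues outside the hunk.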
@@ -190,7 +190,7 @@ private function runProcesses(array $pools): void /** * @throws MissingPropertyFromReflectionException */ - protected function regenerateFiltersByFieldnameAndIds(string $className, ?string $fieldnames, ?string $ids, bool $purge = false): void + protected function regenerateFiltersByFieldnameAndIds(#[\SensitiveParameter] string $className, #[\SensitiveParameter] ?string $fieldnames, ?string $ids, bool $purge = false): void { $fieldnamesAr = $fieldnames !== null ? explode(',', $fieldnames) : null; $idsAr = $ids !== null ? explode(',', $ids) : null; diff --git a/src/Encryptors/CiphersweetEncryptor.php b/src/Encryptors/CiphersweetEncryptor.php index c40719c..ce8c5a5 100644 --- a/src/Encryptors/CiphersweetEncryptor.php +++ b/src/Encryptors/CiphersweetEncryptor.php @@ -36,7 +36,7 @@ public function __construct(CipherSweet $engine) * @throws BlindIndexNameCollisionException * @throws \SodiumException */ - public function prepareForStorage(object $entity, string $fieldName, string $string, bool $index = true, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): array + public function prepareForStorage(#[\SensitiveParameter] object $entity, #[\SensitiveParameter] string $fieldName, #[\SensitiveParameter] string $string, bool $index = true, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): array { $entitClassName = \get_class($entity); 
@@ -74,7 +74,7 @@ public function prepareForStorage(object $entity, string $fieldName, string $str * @throws BlindIndexNameCollisionException * @throws \SodiumException */ - protected function doEncrypt(string $entitClassName, string $fieldName, string $string, bool $index = true, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): array + protected function doEncrypt(#[\SensitiveParameter] string $entitClassName, #[\SensitiveParameter] string $fieldName, #[\SensitiveParameter] string $string, bool $index = true, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): array { $encryptedField = (new EncryptedField($this->engine, $entitClassName, $fieldName)); if ($index) { @@ -103,7 +103,7 @@ protected function doEncrypt(string $entitClassName, string $fieldName, string $ * @throws CipherSweetException * @throws CryptoOperationException */ - public function decrypt(string $entityClassName, string $fieldName, string $string, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): string + public function decrypt(#[\SensitiveParameter] string $entityClassName, #[\SensitiveParameter] string $fieldName, #[\SensitiveParameter] string $string, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): string { // If $string is not encrypted, we return it as is. if (!$this->isValueEncrypted($string)) { 
@@ -121,7 +121,7 @@ public function decrypt(string $entityClassName, string $fieldName, string $stri * @throws CipherSweetException * @throws CryptoOperationException */ - protected function doDecrypt(string $entityClassName, string $fieldName, string $string): string + protected function doDecrypt(#[\SensitiveParameter] string $entityClassName, #[\SensitiveParameter] string $fieldName, #[\SensitiveParameter] string $string): string { $decryptedValue = (new EncryptedField($this->engine, $entityClassName, $fieldName)) ->decryptValue($string); @@ -141,7 +141,7 @@ protected function doDecrypt(string $entityClassName, string $fieldName, string * @throws BlindIndexNameCollisionException * @throws \SodiumException */ - public function getBlindIndex(string $entityName, string $fieldName, string $value, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): string + public function getBlindIndex(#[\SensitiveParameter] string $entityName, #[\SensitiveParameter] string $fieldName, #[\SensitiveParameter] string $value, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): string { if (isset($this->biCache[$entityName][$fieldName][$value])) { return $this->biCache[$entityName][$fieldName][$value]; 
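Review bot: Tagging `$value` in `getBlindIndex` as sensitive hides it from stack traces, but the plaintext is still stored as an array key in `$this->biCache[$entityName][$fieldName][$value]` for as long as the encryptor service lives, so a dump of the service (profiler, `var_dump`, a memory/core dump) still exposes every value indexed during the request. The redaction and the cache pull in opposite directions, and at minimum the method should say so: `// NOTE: $value is retained in plaintext as a cache key until reset() is called; long-lived processes should reset() after each flush.` Whether `reset()` is already wired to the subscriber's `onClear` is not visible from this patch; if it is not, that is the place to call it. The remainder of `getBlindIndex` lies outside the hunk.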
@@ -157,7 +157,7 @@ public function getBlindIndex(string $entityName, string $fieldName, string $val * @throws BlindIndexNameCollisionException * @throws \SodiumException */ - protected function doGetBlindIndex(string $entityName, string $fieldName, string $value, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): string + protected function doGetBlindIndex(#[\SensitiveParameter] string $entityName, #[\SensitiveParameter] string $fieldName, #[\SensitiveParameter] string $value, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): string { $index = (new EncryptedField($this->engine, $entityName, $fieldName)) ->addBlindIndex( @@ -178,9 +178,9 @@ public function getPrefix(): string return $this->engine->getBackend()->getPrefix(); } - public function isValueEncrypted(?string $value): bool + public function isValueEncrypted(#[\SensitiveParameter] ?string $value): bool { - return $value !== null && strpos($value, $this->getPrefix()) === 0; + return $value !== null && str_starts_with($value, $this->getPrefix()); } public function reset(): void diff --git a/src/Encryptors/EncryptorInterface.php b/src/Encryptors/EncryptorInterface.php index d99b691..0f3896e 100644 --- a/src/Encryptors/EncryptorInterface.php +++ b/src/Encryptors/EncryptorInterface.php 
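Review bot: The `str_starts_with` rewrite of `isValueEncrypted` is behaviour-preserving on PHP 8 (`strpos($v, '')` also returns 0 there), which means both forms report every non-null value as encrypted should `getPrefix()` ever return an empty string, after which `decrypt()` would attempt to decrypt plaintext. Whether a backend can return an empty prefix is not visible here; if it can, guard it: `$prefix = $this->getPrefix();` / `return $value !== null && $prefix !== '' && str_starts_with($value, $prefix);`. Either way a one-line docblock would make the contract explicit: `/** Heuristic: a value is treated as ciphertext when it carries the backend prefix; plaintext that happens to begin with that prefix is mis-detected. */`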
@@ -18,22 +18,22 @@ public function __construct(CipherSweet $engine); * * @return array{0:string, 1: array} */ - public function prepareForStorage(object $entity, string $fieldName, string $string, bool $index = true, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): array; + public function prepareForStorage(#[\SensitiveParameter] object $entity, #[\SensitiveParameter] string $fieldName, #[\SensitiveParameter] string $string, bool $index = true, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): array; /** * Decrypt a value */ - public function decrypt(string $entityClassName, string $fieldName, string $string, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): string; + public function decrypt(#[\SensitiveParameter] string $entityClassName, #[\SensitiveParameter] string $fieldName, #[\SensitiveParameter] string $string, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): string; /** * Get the blind index of the field */ - public function getBlindIndex(string $entityName, string $fieldName, string $value, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): string; + public function getBlindIndex(#[\SensitiveParameter] string $entityName, #[\SensitiveParameter] string $fieldName, #[\SensitiveParameter] string $value, int $filterBits = self::DEFAULT_FILTER_BITS, bool $fastIndexing = self::DEFAULT_FAST_INDEXING): string; /** * Get the prefix of the encryptor */ public function getPrefix(): string; - public function isValueEncrypted(?string $value): bool; + public function isValueEncrypted(#[\SensitiveParameter] ?string $value): bool; } diff --git a/src/Entity/IndexedEntityAttributeTrait.php b/src/Entity/IndexedEntityAttributeTrait.php index ee10b87..5383157 100644 --- a/src/Entity/IndexedEntityAttributeTrait.php 
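Review bot: `#[\SensitiveParameter]` on the `EncryptorInterface` method parameters has no runtime effect on implementations, because PHP attributes are not inherited from interfaces; an implementor that omits the attribute still exposes `$string`/`$value` in its traces. That deserves a sentence in the interface docblock, e.g. `/** Implementations MUST repeat #[\SensitiveParameter] on the value-carrying parameters; the attribute on this interface is documentation only and is not inherited (PHP >= 8.2). */`. `CiphersweetEncryptor` in this same patch does repeat them, so only third-party implementations are affected.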
+++ b/src/Entity/IndexedEntityAttributeTrait.php @@ -35,7 +35,7 @@ public function getFieldname(): string return $this->fieldname; } - public function setFieldname(string $fieldname): self + public function setFieldname(#[\SensitiveParameter] string $fieldname): self { $this->fieldname = $fieldname; return $this; @@ -46,7 +46,7 @@ public function getTargetEntity(): object return $this->targetEntity; } - public function setTargetEntity(?object $targetEntity): self + public function setTargetEntity(#[\SensitiveParameter] ?object $targetEntity): self { $this->targetEntity = $targetEntity; return $this; @@ -57,7 +57,7 @@ public function getIndexBi(): string return $this->indexBi; } - public function setIndexBi(string $indexBi): self + public function setIndexBi(#[\SensitiveParameter] string $indexBi): self { $this->indexBi = $indexBi; return $this; diff --git a/src/Entity/IndexedEntityTrait.php b/src/Entity/IndexedEntityTrait.php index 9a4377e..0fdfbba 100644 --- a/src/Entity/IndexedEntityTrait.php +++ b/src/Entity/IndexedEntityTrait.php @@ -42,7 +42,7 @@ public function getFieldname(): string return $this->fieldname; } - public function setFieldname(string $fieldname): self + public function setFieldname(#[\SensitiveParameter] string $fieldname): self { $this->fieldname = $fieldname; return $this; @@ -53,7 +53,7 @@ public function getTargetEntity(): object return $this->targetEntity; } - public function setTargetEntity(?object $targetEntity): self + public function setTargetEntity(#[\SensitiveParameter] ?object $targetEntity): self { $this->targetEntity = $targetEntity; return $this; @@ -64,7 +64,7 @@ public function getIndexBi(): string return $this->indexBi; } - public function setIndexBi(string $indexBi): self + public function setIndexBi(#[\SensitiveParameter] string $indexBi): self { $this->indexBi = $indexBi; return $this; diff --git a/src/Services/IndexableFieldsService.php b/src/Services/IndexableFieldsService.php index 00a9133..b4122ae 100644 
--- a/src/Services/IndexableFieldsService.php +++ b/src/Services/IndexableFieldsService.php @@ -33,7 +33,7 @@ public function __construct(?Reader $annReader, EntityManagerInterface $em, Inde /** * Chunks all data ID of the entity */ - public function getChunksForMultiThread(string $className, int $chuncksLength): array + public function getChunksForMultiThread(#[\SensitiveParameter] string $className, int $chuncksLength): array { $repo = $this->em->getRepository($className); $result = $repo->createQueryBuilder('c') @@ -51,7 +51,7 @@ public function getChunksForMultiThread(string $className, int $chuncksLength): * * @throws MissingPropertyFromReflectionException */ - public function buildContext(string $className, ?array $fieldNames): array + public function buildContext(#[\SensitiveParameter] string $className, #[\SensitiveParameter] ?array $fieldNames): array { $contexts = []; @@ -125,7 +125,7 @@ public function purgeFiltersForContextAndIds(array $fieldsContexts, ?array $ids) * @param null|array $ids * @param array $fieldsContexts */ - public function handleFilterableFieldsForChunck(string $className, ?array $ids, array $fieldsContexts, bool $runtimeMode = false): void + public function handleFilterableFieldsForChunck(#[\SensitiveParameter] string $className, ?array $ids, array $fieldsContexts, bool $runtimeMode = false): void { $chunck = $this->em->getRepository($className)->findBy(!empty($ids) ? ['id' => $ids] : []); foreach ($chunck as $entity) { 
@@ -141,7 +141,7 @@ public function handleFilterableFieldsForChunck(string $className, ?array $ids, * * @throws UndefinedGeneratorException|\ReflectionException */ - public function handleIndexableFieldsForEntity(object $entity, array $fieldsContexts, bool $runtimeMode = false): void + public function handleIndexableFieldsForEntity(#[\SensitiveParameter] object $entity, array $fieldsContexts, bool $runtimeMode = false): void { $className = get_class($entity); $searchIndexes = $this->generateIndexableValuesForEntity($entity, $fieldsContexts); @@ -198,7 +198,7 @@ public function handleIndexableFieldsForEntity(object $entity, array $fieldsCont * * @throws UndefinedGeneratorException */ - public function generateIndexableValuesForEntity(object $entity, array $fieldsContexts): array + public function generateIndexableValuesForEntity(#[\SensitiveParameter] object $entity, array $fieldsContexts): array { $searchIndexes = []; diff --git a/src/Services/IndexesGenerator.php b/src/Services/IndexesGenerator.php index 4ce3126..ad703dd 100644 --- a/src/Services/IndexesGenerator.php +++ b/src/Services/IndexesGenerator.php @@ -29,7 +29,7 @@ public function __construct(ServiceLocator $container, EncryptorInterface $encry * * @throws UndefinedGeneratorException */ - public function generateAndEncryptFilters(string $value, array $methods): array + public function generateAndEncryptFilters(#[\SensitiveParameter] string $value, array $methods): array { $possibleValuesAr = [$value]; 
@@ -59,7 +59,7 @@ public function generateAndEncryptFilters(string $value, array $methods): array * * @return array */ - public function generateBlindIndexesFromPossibleValues(string $entityName, string $fieldName, array $possibleValues, bool $fastIndexing): array + public function generateBlindIndexesFromPossibleValues(#[\SensitiveParameter] string $entityName, #[\SensitiveParameter] string $fieldName, #[\SensitiveParameter] array $possibleValues, bool $fastIndexing): array { $possibleValues = array_unique($possibleValues); diff --git a/src/Services/PropertyHydratorService.php b/src/Services/PropertyHydratorService.php index 04ef5f9..ddadaed 100644 --- a/src/Services/PropertyHydratorService.php +++ b/src/Services/PropertyHydratorService.php @@ -25,7 +25,7 @@ public function __construct(PropertyInfoExtractorInterface $propertyInfoExtracto /** * @param mixed $value */ - public function getMappedFieldValueAsString(object $entity, ?string $propertyName, $value): string + public function getMappedFieldValueAsString(#[\SensitiveParameter] object $entity, #[\SensitiveParameter] ?string $propertyName, #[\SensitiveParameter] $value): string { if ($propertyName !== null) { $value = $this->propertyAccessor->getValue($entity, $propertyName); @@ -34,7 +34,7 @@ public function getMappedFieldValueAsString(object $entity, ?string $propertyNam return (string) $value; } - public function setValueToMappedField(object $entity, string $value, ?string $propertyName): void + public function setValueToMappedField(#[\SensitiveParameter] object $entity, #[\SensitiveParameter] string $value, #[\SensitiveParameter] ?string $propertyName): void { if ($propertyName === null) { return; diff --git a/src/Subscribers/DoctrineCiphersweetSubscriber.php b/src/Subscribers/DoctrineCiphersweetSubscriber.php index a16920d..55adaf8 100644 --- a/src/Subscribers/DoctrineCiphersweetSubscriber.php +++ b/src/Subscribers/DoctrineCiphersweetSubscriber.php 
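Review bot: `$value` in `getMappedFieldValueAsString` gains the attribute but stays untyped; since `#[...]` already requires PHP >= 8.0 to parse, `#[\SensitiveParameter] mixed $value` can replace the `@param mixed` docblock and keeps the declaration consistent with the typed parameters around it. The `(string) $value` cast that follows throws `Error` for an object without `__toString` and turns an array into the literal string "Array" with a warning; that is pre-existing, but a `@throws \Error` line or an explicit check would document it. The rest of the method body is outside the hunk.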
@@ -201,7 +201,7 @@ public function onClear(OnClearEventArgs $args): void * @param object $entity * @param EntityManagerInterface $em */ - private function entityOnFlush(object $entity, EntityManagerInterface $em): void + private function entityOnFlush(#[\SensitiveParameter] object $entity, EntityManagerInterface $em): void { $objId = spl_object_id($entity); @@ -230,7 +230,7 @@ private function entityOnFlush(object $entity, EntityManagerInterface $em): void /** * @return \ReflectionProperty[] */ - private function getEncryptedFields(object $entity, ObjectManager $em): array + private function getEncryptedFields(#[\SensitiveParameter] object $entity, ObjectManager $em): array { $className = \get_class($entity); if (isset($this->encryptedFieldCache[$className])) { @@ -252,7 +252,7 @@ private function getEncryptedFields(object $entity, ObjectManager $em): array * Make sure you call first $unitOfWork->computeChangeSet or $unitOfWork->recomputeSingleEntityChangeSet * if you think your entity should be updated and has not been handled by entity manager. */ - public function processFields(object $entity, ObjectManager $em, bool $isEncryptOperation = true, bool $force = false): bool + public function processFields(#[\SensitiveParameter] object $entity, ObjectManager $em, bool $isEncryptOperation = true, bool $force = false): bool { $properties = $this->getEncryptedFields($entity, $em); $unitOfWork = $em->getUnitOfWork(); @@ -314,7 +314,7 @@ public function processFields(object $entity, ObjectManager $em, bool $isEncrypt * entityClassName: string * } */ - private function buildContext(string $entityClassName, \ReflectionProperty $refProperty): array + private function buildContext(#[\SensitiveParameter] string $entityClassName, #[\SensitiveParameter] \ReflectionProperty $refProperty): array { $annotationConfig = null; $indexableAnnotationConfig = null; 
@@ -372,7 +372,7 @@ private function buildContext(string $entityClassName, \ReflectionProperty $refP * entityClassName: string * } $context */ - private function handleEncryptOperation(object $entity, int $oid, $value, \ReflectionProperty $refProperty, array $context, bool $force): ?string + private function handleEncryptOperation(#[\SensitiveParameter] object $entity, #[\SensitiveParameter] int $oid, #[\SensitiveParameter] $value, #[\SensitiveParameter] \ReflectionProperty $refProperty, array $context, bool $force): ?string { [ 'annotationConfig' => [ @@ -417,7 +417,7 @@ private function handleEncryptOperation(object $entity, int $oid, $value, \Refle /** * @param mixed $value */ - private function handleDecryptOperation(int $oid, $value, \ReflectionProperty $refProperty, array $context): string + private function handleDecryptOperation(#[\SensitiveParameter] int $oid, #[\SensitiveParameter] $value, #[\SensitiveParameter] \ReflectionProperty $refProperty, array $context): string { /** * @var IndexableField $indexableAnnotationConfig @@ -439,12 +439,12 @@ private function handleDecryptOperation(int $oid, $value, \ReflectionProperty $r return $value; } - private function isValueEncrypted(?string $value): bool + private function isValueEncrypted(#[\SensitiveParameter] ?string $value): bool { return $this->encryptor->isValueEncrypted($value); } - private function storeValue(object $entity, \ReflectionProperty $refProperty, string $value, bool $storeBlindIndex, int $filterBits, bool $fastIndexing = true) + private function storeValue(#[\SensitiveParameter] object $entity, #[\SensitiveParameter] \ReflectionProperty $refProperty, #[\SensitiveParameter] string $value, bool $storeBlindIndex, int $filterBits, bool $fastIndexing = true) { [$value, $indexes] = $this->encryptor->prepareForStorage($entity, $refProperty->getName(), $value, $storeBlindIndex, $filterBits, $fastIndexing); 
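Review bot: `handleEncryptOperation` and `handleDecryptOperation` tag `int $oid` (an `spl_object_id`) and `\ReflectionProperty $refProperty` as sensitive, alongside class names and field names elsewhere in the patch; none of these carry plaintext, and redacting them removes exactly the identifiers a developer needs from a trace to locate the failing entity/property, while the real payload (`$value`, `$entity`) is already tagged. I would limit the attribute to the value-bearing parameters, i.e. `#[\SensitiveParameter] $value` and `#[\SensitiveParameter] object $entity`, and leave `$oid`, `$refProperty` and `$context` untouched. If hiding which class or field is encrypted is a deliberate policy, a sentence in the subscriber's class docblock stating that would let reviewers judge the trade-off. Both method bodies continue outside the hunk.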
@@ -461,7 +461,7 @@ private function storeValue(object $entity, \ReflectionProperty $refProperty, st /** * Generate and save indexable value */ - private function storeIndexes(object $entity, \ReflectionProperty $refProperty, ?IndexableField $indexableAnnotationConfig): void + private function storeIndexes(#[\SensitiveParameter] object $entity, #[\SensitiveParameter] \ReflectionProperty $refProperty, ?IndexableField $indexableAnnotationConfig): void { if ($indexableAnnotationConfig === null) { return; @@ -479,7 +479,7 @@ private function storeIndexes(object $entity, \ReflectionProperty $refProperty, * * @param object $entity Some doctrine entity */ - private function addToDecodedRegistry(object $entity): void + private function addToDecodedRegistry(#[\SensitiveParameter] object $entity): void { $this->decodedRegistry[spl_object_id($entity)] = true; } @@ -489,7 +489,7 @@ private function addToDecodedRegistry(object $entity): void * * @param object $entity Some doctrine entity */ - private function hasInDecodedRegistry(object $entity): bool + private function hasInDecodedRegistry(#[\SensitiveParameter] object $entity): bool { return isset($this->decodedRegistry[spl_object_id($entity)]); }