Issues in HasEncryptedFields.php (master) - Issues in master - lekoala/silverstripe-encrypt - Measure and Improve Code Quality continuously with Scrutinizer

Issues (74)

src/HasEncryptedFields.php (1 issue)

Labels

Severity

Minor 1

<?php

namespace LeKoala\Encrypt;

use SodiumException;
use SilverStripe\ORM\DataList;
use SilverStripe\ORM\DataObject;
use ParagonIE\CipherSweet\CipherSweet;
use SilverStripe\ORM\DataObjectSchema;
use ParagonIE\CipherSweet\EncryptedRow;
use SilverStripe\ORM\FieldType\DBField;
use SilverStripe\ORM\Queries\SQLSelect;
use SilverStripe\ORM\Queries\SQLUpdate;
use ParagonIE\CipherSweet\EncryptedField;
use ParagonIE\CipherSweet\KeyRotation\RowRotator;
use ParagonIE\CipherSweet\Exception\InvalidCiphertextException;

/**
 * This trait helps to override the default getField method in order to return
 * the value of a field directly instead of the db object instance
 *
 * Simply define this in your code
 *
 * public function getField($field)
 * {
 *    return $this->getEncryptedField($field);
 * }
 *
 * public function setField($fieldName, $val)
 * {
 *     return $this->setEncryptedField($fieldName, $val);
 * }
 */
trait HasEncryptedFields
{
    /**
     * This value will return exactly one record, taking care of false positives
     *
     * @param string $field
     * @param string $value
     * @return DataObject|bool
     */
    public static function getByBlindIndex($field, $value)
    {
        /** @var DataObject $singl  */
        $singl = singleton(get_called_class());
        /** @var EncryptedDBField $obj  */
        $obj = $singl->dbObject($field);
        return $obj->fetchRecord($value);
    }

    /**
     * This value will return a list of records
     *
     * @param string $field
     * @param string $value
     * @return DataList|static[]
     */
    public static function getAllByBlindIndex($field, $value)
    {
        /** @var DataObject $singl  */
        $singl = singleton(get_called_class());
        /** @var EncryptedDBField $obj  */
        $obj = $singl->dbObject($field);
        return $obj->fetchDataList($value);
    }

    /**
     * Check if the record needs to be reencrypted with a new key or algo
     * @param CipherSweet $old
     * @return bool
     */
    public function needsToRotateEncryption(CipherSweet $old)
    {
        $class = get_class($this);
        $tableName = DataObject::getSchema()->tableName($class);
        $columnIdentifier = DataObject::getSchema()->sqlColumnForField($class, 'ID');

        $new = EncryptHelper::getCipherSweet();

        $oldRow = $this->getEncryptedRow($old);
        $newRow = $this->getEncryptedRow($new);

        $rotator = new RowRotator($oldRow, $newRow);
        $query = new SQLSelect("*", $tableName, [$columnIdentifier => $this->ID]);
        $ciphertext = $query->execute()->record();
        // not needed anymore since 3.0.1
        // $ciphertext = EncryptHelper::removeNulls($ciphertext);
        if ($rotator->needsReEncrypt($ciphertext)) {
            return true;
        }
        return false;
    }

    /**
     * Rotate encryption with current engine without using orm
     * @param CipherSweet $old
     * @return bool
     * @throws SodiumException
     * @throws InvalidCiphertextException
     */
    public function rotateEncryption(CipherSweet $old)
    {
        $class = get_class($this);
        $tableName = DataObject::getSchema()->tableName($class);
        $columnIdentifier = DataObject::getSchema()->sqlColumnForField($class, 'ID');

        $new = EncryptHelper::getCipherSweet();

        $encryptedFields = array_keys(EncryptHelper::getEncryptedFields($class, true));
        if (EncryptHelper::getAadSource()) {
            $encryptedFields[] = EncryptHelper::getAadSource();
        }
        $query = new SQLSelect($encryptedFields, $tableName, [$columnIdentifier => $this->ID]);
        $ciphertext = $query->execute()->record();
        $ciphertext = array_filter($ciphertext);

        // Get only what we need
        $oldRow = $this->getEncryptedRow($old, $ciphertext);
        $newRow = $this->getEncryptedRow($new, $ciphertext);

        $rotator = new RowRotator($oldRow, $newRow);

        $indices = null;

        if ($rotator->needsReEncrypt($ciphertext)) {
            list($ciphertext, $indices) = $rotator->prepareForUpdate($ciphertext);
            $assignment = $ciphertext;
            foreach ($indices as $name => $arr) {
                $assignment[$name] = $arr["value"];
            }
            $update = new SQLUpdate($tableName, $assignment, ["ID" => $this->ID]);
            $update->execute();
            return true;
        }
        return false;
    }

    /**
     * @param CipherSweet $engine
     * @param array $onlyFields
     * @return EncryptedRow
     */
    public function getEncryptedRow(CipherSweet $engine = null, $onlyFields = [])
    {
        if ($engine === null) {
            $engine = EncryptHelper::getCipherSweet();
        }
        $class = get_class($this);
        $tableName = DataObject::getSchema()->tableName($class);
        $encryptedRow = new EncryptedRow($engine, $tableName);
        $encryptedRow->setPermitEmpty(true);
        $encryptedRow->setTypedIndexes(true);
        $encryptedFields = array_keys(EncryptHelper::getEncryptedFields($class));
        $aadSource = EncryptHelper::getAadSource();
        foreach ($encryptedFields as $field) {
            if (!empty($onlyFields) && !array_key_exists($field, $onlyFields)) {
                continue;
            }
            /** @var EncryptedDBField $dbField */
            $dbField = $this->dbObject($field);
            /** @var EncryptedField $encryptedField */
            $encryptedField = $dbField->getEncryptedField($engine);
            $blindIndexes = $encryptedField->getBlindIndexObjects();

            //TODO: review how naming is done (see: EncryptedDBField)
            if (count($blindIndexes)) {
                $encryptedRow->addOptionalTextField($field . EncryptedDBField::VALUE_SUFFIX, $aadSource);
                foreach ($encryptedField->getBlindIndexObjects() as $blindIndex) {
                    $encryptedRow->addBlindIndex($field . EncryptedDBField::VALUE_SUFFIX, $blindIndex);
                }
            } else {
                $encryptedRow->addOptionalTextField($field, $aadSource);
            }
        }
        return $encryptedRow;
    }

    /**
     * Extend getField to support retrieving encrypted value transparently
     * @param string $field The name of the field
     * @return mixed The field value
     */
    public function getEncryptedField($field)
    {
        // We cannot check directly $this->record[$field] because it may
        // contain encrypted value that needs to be decoded first

        // If it's an encrypted field
        if ($this->hasEncryptedField($field)) {
            /** @var EncryptedDBField $fieldObj  */
            $fieldObj = $this->dbObject($field);
            // Set decrypted value directly on the record for later use
            // it can be fetched by dbObject calls
            $this->record[$field] = $fieldObj->getValue();
            return $this->record[$field];
        }
        return parent::getField($field);
    }

    /**
     * Extend setField to support setting encrypted value transparently
     * @param string $field
     * @param mixed $val
     * @return $this
     */
    public function setEncryptedField($field, $val)
    {
        // If it's an encrypted field
        if ($this->hasEncryptedField($field) && $val && is_scalar($val)) {
            /** @var DataObjectSchema $schema  */
            $schema = static::getSchema();

            // In case of composite fields, return the DBField object
            // Eg: if we call MyIndexedVarchar instead of MyIndexedVarcharValue
            $compositeClass = $schema->compositeField(static::class, $field);
            if ($compositeClass) {
                /** @var EncryptedDBField $fieldObj  */
                $fieldObj = $this->dbObject($field);
                $fieldObj->setValue($val);
                // Keep a reference for isChange checks
                // and also can be queried by dbObject
                $this->record[$field] = $fieldObj;
                // Proceed with DBField instance, that will call saveInto
                // and call this method again for distinct fields
                $val = $fieldObj;
            }
        }
        parent::setField($field, $val);
        return $this;
    }

    /**
     * @param string $field
     * @return boolean
     */
    public function hasEncryptedField($field)
    {
        return EncryptHelper::isEncryptedField(get_class($this), $field);
    }

    /**
     * Rebind record value for aad
     *
     * It would be better to deal with this in writeToManipulation but it is not called
     * for CompositeFields
     *
     * @return void
     */
    protected function resetFieldValues()
    {
        if (EncryptHelper::getAadSource() === "ID") {
            $db = $this->config()->db;
            foreach ($this->record as $k => $v) {
                $dbClass = $db[$k] ?? null;
                if ($dbClass && EncryptHelper::isEncryptedDbClass($dbClass)) {
                    $this->dbObject($k)->setValue($v);
                }
            }
        }
    }
}


1			<?php
2
3			namespace LeKoala\Encrypt;
4
5			use SodiumException;
6			use SilverStripe\ORM\DataList;
7			use SilverStripe\ORM\DataObject;
8			use ParagonIE\CipherSweet\CipherSweet;
9			use SilverStripe\ORM\DataObjectSchema;
10			use ParagonIE\CipherSweet\EncryptedRow;
11			use SilverStripe\ORM\FieldType\DBField;
12			use SilverStripe\ORM\Queries\SQLSelect;
13			use SilverStripe\ORM\Queries\SQLUpdate;
14			use ParagonIE\CipherSweet\EncryptedField;
15			use ParagonIE\CipherSweet\KeyRotation\RowRotator;
16			use ParagonIE\CipherSweet\Exception\InvalidCiphertextException;
17
18			/**
19			* This trait helps to override the default getField method in order to return
20			* the value of a field directly instead of the db object instance
21			*
22			* Simply define this in your code
23			*
24			* public function getField($field)
25			* {
26			* return $this->getEncryptedField($field);
27			* }
28			*
29			* public function setField($fieldName, $val)
30			* {
31			* return $this->setEncryptedField($fieldName, $val);
32			* }
33			*/
34			trait HasEncryptedFields
35			{
36			/**
37			* This value will return exactly one record, taking care of false positives
38			*
39			* @param string $field
40			* @param string $value
41			* @return DataObject\|bool
42			*/
43			public static function getByBlindIndex($field, $value)
44			{
45			/** @var DataObject $singl */
46			$singl = singleton(get_called_class());
47			/** @var EncryptedDBField $obj */
48			$obj = $singl->dbObject($field);
49			return $obj->fetchRecord($value);
50			}
51
52			/**
53			* This value will return a list of records
54			*
55			* @param string $field
56			* @param string $value
57			* @return DataList\|static[]
58			*/
59			public static function getAllByBlindIndex($field, $value)
60			{
61			/** @var DataObject $singl */
62			$singl = singleton(get_called_class());
63			/** @var EncryptedDBField $obj */
64			$obj = $singl->dbObject($field);
65			return $obj->fetchDataList($value);
66			}
67
68			/**
69			* Check if the record needs to be reencrypted with a new key or algo
70			* @param CipherSweet $old
71			* @return bool
72			*/
73			public function needsToRotateEncryption(CipherSweet $old)
74			{
75			$class = get_class($this);
76			$tableName = DataObject::getSchema()->tableName($class);
77			$columnIdentifier = DataObject::getSchema()->sqlColumnForField($class, 'ID');
78
79			$new = EncryptHelper::getCipherSweet();
80
81			$oldRow = $this->getEncryptedRow($old);
82			$newRow = $this->getEncryptedRow($new);
83
84			$rotator = new RowRotator($oldRow, $newRow);
85			$query = new SQLSelect("*", $tableName, [$columnIdentifier => $this->ID]);
86			$ciphertext = $query->execute()->record();
87			// not needed anymore since 3.0.1
88			// $ciphertext = EncryptHelper::removeNulls($ciphertext);
89			if ($rotator->needsReEncrypt($ciphertext)) {
90			return true;
91			}
92			return false;
93			}
94
95			/**
96			* Rotate encryption with current engine without using orm
97			* @param CipherSweet $old
98			* @return bool
99			* @throws SodiumException
100			* @throws InvalidCiphertextException
101			*/
102			public function rotateEncryption(CipherSweet $old)
103			{
104			$class = get_class($this);
105			$tableName = DataObject::getSchema()->tableName($class);
106			$columnIdentifier = DataObject::getSchema()->sqlColumnForField($class, 'ID');
107
108			$new = EncryptHelper::getCipherSweet();
109
110			$encryptedFields = array_keys(EncryptHelper::getEncryptedFields($class, true));
111			if (EncryptHelper::getAadSource()) {
112			$encryptedFields[] = EncryptHelper::getAadSource();
113			}
114			$query = new SQLSelect($encryptedFields, $tableName, [$columnIdentifier => $this->ID]);
115			$ciphertext = $query->execute()->record();
116			$ciphertext = array_filter($ciphertext);
117
118			// Get only what we need
119			$oldRow = $this->getEncryptedRow($old, $ciphertext);
120			$newRow = $this->getEncryptedRow($new, $ciphertext);
121
122			$rotator = new RowRotator($oldRow, $newRow);
123
124			$indices = null;
			0 ignored issues – show Unused Code introduced 2021-07-07 16:53 UTC by Report Bug Copy Issue Report Show Similar Issues like this The assignment to `$indices` is dead and can be removed. Loading history...
125			if ($rotator->needsReEncrypt($ciphertext)) {
126			list($ciphertext, $indices) = $rotator->prepareForUpdate($ciphertext);
127			$assignment = $ciphertext;
128			foreach ($indices as $name => $arr) {
129			$assignment[$name] = $arr["value"];
130			}
131			$update = new SQLUpdate($tableName, $assignment, ["ID" => $this->ID]);
132			$update->execute();
133			return true;
134			}
135			return false;
136			}
137
138			/**
139			* @param CipherSweet $engine
140			* @param array $onlyFields
141			* @return EncryptedRow
142			*/
143			public function getEncryptedRow(CipherSweet $engine = null, $onlyFields = [])
144			{
145			if ($engine === null) {
146			$engine = EncryptHelper::getCipherSweet();
147			}
148			$class = get_class($this);
149			$tableName = DataObject::getSchema()->tableName($class);
150			$encryptedRow = new EncryptedRow($engine, $tableName);
151			$encryptedRow->setPermitEmpty(true);
152			$encryptedRow->setTypedIndexes(true);
153			$encryptedFields = array_keys(EncryptHelper::getEncryptedFields($class));
154			$aadSource = EncryptHelper::getAadSource();
155			foreach ($encryptedFields as $field) {
156			if (!empty($onlyFields) && !array_key_exists($field, $onlyFields)) {
157			continue;
158			}
159			/** @var EncryptedDBField $dbField */
160			$dbField = $this->dbObject($field);
161			/** @var EncryptedField $encryptedField */
162			$encryptedField = $dbField->getEncryptedField($engine);
163			$blindIndexes = $encryptedField->getBlindIndexObjects();
164
165			//TODO: review how naming is done (see: EncryptedDBField)
166			if (count($blindIndexes)) {
167			$encryptedRow->addOptionalTextField($field . EncryptedDBField::VALUE_SUFFIX, $aadSource);
168			foreach ($encryptedField->getBlindIndexObjects() as $blindIndex) {
169			$encryptedRow->addBlindIndex($field . EncryptedDBField::VALUE_SUFFIX, $blindIndex);
170			}
171			} else {
172			$encryptedRow->addOptionalTextField($field, $aadSource);
173			}
174			}
175			return $encryptedRow;
176			}
177
178			/**
179			* Extend getField to support retrieving encrypted value transparently
180			* @param string $field The name of the field
181			* @return mixed The field value
182			*/
183			public function getEncryptedField($field)
184			{
185			// We cannot check directly $this->record[$field] because it may
186			// contain encrypted value that needs to be decoded first
187
188			// If it's an encrypted field
189			if ($this->hasEncryptedField($field)) {
190			/** @var EncryptedDBField $fieldObj */
191			$fieldObj = $this->dbObject($field);
192			// Set decrypted value directly on the record for later use
193			// it can be fetched by dbObject calls
194			$this->record[$field] = $fieldObj->getValue();
195			return $this->record[$field];
196			}
197			return parent::getField($field);
198			}
199
200			/**
201			* Extend setField to support setting encrypted value transparently
202			* @param string $field
203			* @param mixed $val
204			* @return $this
205			*/
206			public function setEncryptedField($field, $val)
207			{
208			// If it's an encrypted field
209			if ($this->hasEncryptedField($field) && $val && is_scalar($val)) {
210			/** @var DataObjectSchema $schema */
211			$schema = static::getSchema();
212
213			// In case of composite fields, return the DBField object
214			// Eg: if we call MyIndexedVarchar instead of MyIndexedVarcharValue
215			$compositeClass = $schema->compositeField(static::class, $field);
216			if ($compositeClass) {
217			/** @var EncryptedDBField $fieldObj */
218			$fieldObj = $this->dbObject($field);
219			$fieldObj->setValue($val);
220			// Keep a reference for isChange checks
221			// and also can be queried by dbObject
222			$this->record[$field] = $fieldObj;
223			// Proceed with DBField instance, that will call saveInto
224			// and call this method again for distinct fields
225			$val = $fieldObj;
226			}
227			}
228			parent::setField($field, $val);
229			return $this;
230			}
231
232			/**
233			* @param string $field
234			* @return boolean
235			*/
236			public function hasEncryptedField($field)
237			{
238			return EncryptHelper::isEncryptedField(get_class($this), $field);
239			}
240
241			/**
242			* Rebind record value for aad
243			*
244			* It would be better to deal with this in writeToManipulation but it is not called
245			* for CompositeFields
246			*
247			* @return void
248			*/
249			protected function resetFieldValues()
250			{
251			if (EncryptHelper::getAadSource() === "ID") {
252			$db = $this->config()->db;
253			foreach ($this->record as $k => $v) {
254			$dbClass = $db[$k] ?? null;
255			if ($dbClass && EncryptHelper::isEncryptedDbClass($dbClass)) {
256			$this->dbObject($k)->setValue($v);
257			}
258			}
259			}
260			}
261			}
262

lekoala / silverstripe-encrypt

Issues (74)

src/HasEncryptedFields.php (1 issue)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like