From 9d4efbd33416dd2cdddbea0a765b40753acd1e3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roman=20Pi=C5=A1t=C4=9Bk?=
Date: Wed, 19 Jun 2024 13:04:18 +0200
Subject: [PATCH 1/8] Remove `base64 --wrap=0` in local extract-variables-common.sh (not supported on macOS)

---
 provisioning/local/.terraform.lock.hcl | 1 +
 provisioning/local/env-scripts/extract-variables-common.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/provisioning/local/.terraform.lock.hcl b/provisioning/local/.terraform.lock.hcl
index a24b12e..fe36afd 100644
--- a/provisioning/local/.terraform.lock.hcl
+++ b/provisioning/local/.terraform.lock.hcl
@@ -72,6 +72,7 @@ provider "registry.terraform.io/hashicorp/google" {
 constraints = "~> 4.74.0"
 hashes = [
 "h1:WazqiKdNsMSDEIyNBNT9rIY99jN2eWuiE6qMfKAZTpY=",
+ "h1:ghkjuvUrHsIlzjNL5KRsYZcP3R9BoFRfb0q069BXBi4=",
 "zh:60904193c367b1ba9a3cb1bd86ca469ffcec2f7237e59adf4b0a34c84b2fa9ff",
 "zh:6e5ac12f3fefc23907a94e5f6040118c978af76ab5deb60a5b80110c1c8ade09",
 "zh:9fc0ae0f97ab598c27fae0a6b19e82c13fd59d020d7cdfeeebdbe41c4a8216ef",
diff --git a/provisioning/local/env-scripts/extract-variables-common.sh b/provisioning/local/env-scripts/extract-variables-common.sh
index cc93b91..ae7c070 100755
--- a/provisioning/local/env-scripts/extract-variables-common.sh
+++ b/provisioning/local/env-scripts/extract-variables-common.sh
@@ -20,7 +20,7 @@ echo ""
 output_var 'TEST_GCP_KMS_KEY_ID' "$(terraform_output 'gcp_kms_key_id')"
 PRIVATE_KEY_ENCODED="$(terraform_output 'gcp_private_key')"
-PRIVATE_KEY=$(printf "%s" "$PRIVATE_KEY_ENCODED" | base64 --decode --wrap=0)
+PRIVATE_KEY=$(printf "%s" "$PRIVATE_KEY_ENCODED" | base64 --decode)
 output_file 'var/gcp-private-key.json' "$PRIVATE_KEY"
 output_var 'TEST_GOOGLE_APPLICATION_CREDENTIALS' 'var/gcp-private-key.json'

From 4bf77a96e7c208ac5646de9f4b09e7b6214b7ab6 Mon Sep 17 00:00:00 2001
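Review bot: The decode result is never checked, so if `base64 --decode` rejects the Terraform output, `PRIVATE_KEY` silently becomes empty and `output_file` writes an empty `var/gcp-private-key.json` that only fails later inside the GCP SDK (on GNU coreutils `--wrap` affects encoding only, so dropping it does not change Linux behaviour, but the decode path is the same on both platforms). Guard the write before the `output_file` call, e.g. `[ -n "$PRIVATE_KEY" ] || { echo 'failed to decode gcp_private_key' >&2; exit 1; }`, or enable `set -o pipefail` at the top of the script, which is outside this hunk. `output_file` is also defined outside the hunk, so I cannot tell whether it restricts permissions on the file it writes; since this is a service-account private key, confirm the write happens under `umask 077` or is followed by `chmod 600`.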
From: =?UTF-8?q?Roman=20Pi=C5=A1t=C4=9Bk?=
Date: Wed, 19 Jun 2024 13:33:35 +0200
Subject: [PATCH 2/8] Define gcp private key volume statically in docker-compose.yml

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index dbe32e9..b4eb68c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,4 +35,4 @@ services:
 TEST_GOOGLE_APPLICATION_CREDENTIALS: /code/var/gcp-private-key.json
 volumes:
 - ./build/logs/:/code/build/logs/
- - $GOOGLE_APPLICATION_CREDENTIALS:/code/var/gcp-private-key.json
+ - ./var/gcp-private-key.json:/code/var/gcp-private-key.json

From 237cd46a443bd2fdf9104d726cfbf50ebc96257e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roman=20Pi=C5=A1t=C4=9Bk?=
Date: Wed, 19 Jun 2024 13:49:37 +0200
Subject: [PATCH 3/8] Update keboola/coding-standard to ^15.0

---
 composer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/composer.json b/composer.json
index c35ca7c..ca5f540 100644
--- a/composer.json
+++ b/composer.json
@@ -32,7 +32,7 @@
 },
 "require-dev": {
 "infection/infection": "^0.26",
- "keboola/coding-standard": "^14.0",
+ "keboola/coding-standard": "^15.0",
 "phpstan/phpstan": "^1.8",
 "phpstan/phpstan-phpunit": "^1.0",
 "phpunit/phpunit": "^9.5",

From dac631fab0e98219c4171a8d77cb226844a6317e Mon Sep 17 00:00:00 2001
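Review bot: A bind mount on the relative path `./var/gcp-private-key.json` requires the file to exist before `docker compose up`; if the extract script from the first patch has not been run, Docker creates an empty directory of that name on both sides and the GCP client fails with a confusing error instead of a missing-credential one. Because the key now lives inside the repository tree, confirm that `var/` is git-ignored (not visible from this diff), and mount it read-only so a container process cannot alter the credential: `- ./var/gcp-private-key.json:/code/var/gcp-private-key.json:ro`. The same two points apply to the `$GOOGLE_APPLICATION_CREDENTIALS` form this hunk replaces and that patch 6 of the series restores.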
From: =?UTF-8?q?Roman=20Pi=C5=A1t=C4=9Bk?= Date: Wed, 19 Jun 2024 13:50:10 +0200 Subject: [PATCH 4/8] Fix phpcs --- src/EncryptorOptions.php | 2 +- src/ObjectEncryptor.php | 12 +- src/ObjectEncryptorFactory.php | 2 +- src/RegexHelper.php | 2 +- src/Wrapper/GenericAKVWrapper.php | 6 +- src/Wrapper/GenericGKMSWrapper.php | 4 +- src/Wrapper/GenericKMSWrapper.php | 2 +- src/Wrapper/GkmsClientFactory.php | 2 +- tests/BranchTypeProjectWideWrapperTest.php | 4 +- tests/EncryptorOptionsTest.php | 2 +- tests/GenericAKVWrapperTest.php | 24 ++-- tests/GenericGKMWrapperTest.php | 12 +- tests/GenericKMSWrapperTest.php | 6 +- tests/ObjectEncryptorFactoryTest.php | 14 +-- tests/ObjectEncryptorTest.php | 124 ++++++++++----------- tests/ProjectWideWrapperTest.php | 4 +- 16 files changed, 111 insertions(+), 111 deletions(-) diff --git a/src/EncryptorOptions.php b/src/EncryptorOptions.php index e4dbfe0..3dbc98b 100644 --- a/src/EncryptorOptions.php +++ b/src/EncryptorOptions.php @@ -40,7 +40,7 @@ public function __construct( ?string $kmsRole = null, ?string $akvUrl = null, ?string $gkmsKeyId = null, - ?int $backoffMaxTries = null + ?int $backoffMaxTries = null, ) { $this->stackId = $stackId; $this->kmsKeyId = $kmsKeyId; diff --git a/src/ObjectEncryptor.php b/src/ObjectEncryptor.php index 3106ff6..3cf6e01 100644 --- a/src/ObjectEncryptor.php +++ b/src/ObjectEncryptor.php @@ -414,7 +414,7 @@ private function encryptItem($key, $value, array $wrappers, CryptoWrapperInterfa return $this->encryptObject($value, $wrappers, $wrapper); } else { throw new ApplicationException( - 'Invalid item $key - only stdClass, array and scalar can be encrypted.' + 'Invalid item $key - only stdClass, array and scalar can be encrypted.', ); } } 
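Review bot: The message touched in the `encryptItem` hunk, `'Invalid item $key - only stdClass, array and scalar can be encrypted.'`, is single-quoted, so `$key` is emitted literally and the exception never names the offending key; the sibling `decryptItem` hunk that follows uses double quotes and does interpolate. Since the commit already edits this line, switch it to `"Invalid item $key - only stdClass, array and scalar can be encrypted."` (or `sprintf('Invalid item %s - only stdClass, array and scalar can be encrypted.', $key)`) so the two messages behave the same. `encryptItem` starts and ends outside the hunk.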
@@ -522,7 +522,7 @@ private function decryptItem($key, $value, array $wrappers) return $this->decryptObject($value, $wrappers); } else { throw new ApplicationException( - "Invalid item $key - only stdClass, array and scalar can be decrypted." + "Invalid item $key - only stdClass, array and scalar can be decrypted.", ); } } @@ -719,7 +719,7 @@ private function getGMKSWrappers( if ($branchType) { $wrapper = new BranchTypeConfigurationGKMSWrapper( $this->gkmsClient, - $this->encryptorOptions + $this->encryptorOptions, ); $wrapper->setComponentId($componentId); $wrapper->setProjectId($projectId); @@ -755,21 +755,21 @@ private function getWrappers( if ($this->encryptorOptions->getAkvUrl()) { $wrappers = array_merge( $wrappers, - $this->getAKVWrappers($componentId, $projectId, $configurationId, $branchType) + $this->getAKVWrappers($componentId, $projectId, $configurationId, $branchType), ); } if ($this->encryptorOptions->getGkmsKeyId()) { $wrappers = array_merge( $wrappers, - $this->getGMKSWrappers($componentId, $projectId, $configurationId, $branchType) + $this->getGMKSWrappers($componentId, $projectId, $configurationId, $branchType), ); } if ($this->encryptorOptions->getKmsKeyRegion() && $this->encryptorOptions->getKmsKeyId()) { $wrappers = array_merge( $wrappers, - $this->getKMSWrappers($componentId, $projectId, $configurationId, $branchType) + $this->getKMSWrappers($componentId, $projectId, $configurationId, $branchType), ); } return $wrappers; diff --git a/src/ObjectEncryptorFactory.php b/src/ObjectEncryptorFactory.php index bb6fd4f..b702679 100644 --- a/src/ObjectEncryptorFactory.php +++ b/src/ObjectEncryptorFactory.php @@ -17,7 +17,7 @@ public static function getAwsEncryptor( string $stackId, string $kmsKeyId, string $kmsRegion, - ?string $kmsRole + ?string $kmsRole, ): ObjectEncryptor { $encryptOptions = new EncryptorOptions($stackId, $kmsKeyId, $kmsRegion, $kmsRole, null); return self::getEncryptor($encryptOptions); 
diff --git a/src/RegexHelper.php b/src/RegexHelper.php index 77eacce..21336a4 100644 --- a/src/RegexHelper.php +++ b/src/RegexHelper.php @@ -20,7 +20,7 @@ public static function matchesVariable(string $value): bool if ($result === false) { throw new ApplicationException( - sprintf('Variable regex matching error "%s"', preg_last_error_msg()) + sprintf('Variable regex matching error "%s"', preg_last_error_msg()), ); } diff --git a/src/Wrapper/GenericAKVWrapper.php b/src/Wrapper/GenericAKVWrapper.php index 782a71b..b21afef 100644 --- a/src/Wrapper/GenericAKVWrapper.php +++ b/src/Wrapper/GenericAKVWrapper.php @@ -52,7 +52,7 @@ public function getClient(): Client $this->client = new Client( new GuzzleClientFactory(new NullLogger()), new AuthenticatorFactory(), - $this->keyVaultURL + $this->keyVaultURL, ); } return $this->client; @@ -116,7 +116,7 @@ public function encrypt(?string $data): string $secret = $this->getRetryProxy()->call(function () use ($context) { return $this->getClient()->setSecret( new SetSecretRequest($context, new SecretAttributes()), - uniqid('gen-encryptor') + uniqid('gen-encryptor'), ); }); /** @var SecretBundle $secret */ @@ -152,7 +152,7 @@ public function decrypt(string $encryptedData): string $decryptedContext = $this->getRetryProxy()->call(function () use ($encrypted) { return $this->getClient()->getSecret( $encrypted[self::SECRET_NAME], - $encrypted[self::SECRET_VERSION] + $encrypted[self::SECRET_VERSION], )->getValue(); }); assert(is_string($decryptedContext)); diff --git a/src/Wrapper/GenericGKMSWrapper.php b/src/Wrapper/GenericGKMSWrapper.php index 0f06a95..87f2fab 100644 --- a/src/Wrapper/GenericGKMSWrapper.php +++ b/src/Wrapper/GenericGKMSWrapper.php 
@@ -88,7 +88,7 @@ public function encrypt(?string $data): string $response = $this->client->encrypt( $this->gkmsKeyId, $key->saveToAsciiSafeString(), - ['additionalAuthenticatedData' => $this->encode($this->metadata)] + ['additionalAuthenticatedData' => $this->encode($this->metadata)], ); return $response->getCiphertext(); }); @@ -115,7 +115,7 @@ public function decrypt(string $encryptedData): string $response = $this->client->decrypt( $this->gkmsKeyId, $encrypted[self::KEY_INDEX], - ['additionalAuthenticatedData' => $this->encode($this->metadata)] + ['additionalAuthenticatedData' => $this->encode($this->metadata)], ); return $response->getPlaintext(); }); diff --git a/src/Wrapper/GenericKMSWrapper.php b/src/Wrapper/GenericKMSWrapper.php index b2a7506..9c8590a 100644 --- a/src/Wrapper/GenericKMSWrapper.php +++ b/src/Wrapper/GenericKMSWrapper.php @@ -145,7 +145,7 @@ public function decrypt(string $encryptedData): string assert(is_string($decryptedKey)); $safeKey = Encoding::saveBytesToChecksummedAsciiSafeString( Key::KEY_CURRENT_VERSION, - $decryptedKey + $decryptedKey, ); $key = Key::loadFromAsciiSafeString($safeKey); return Crypto::decrypt($encrypted[0], $key, true); diff --git a/src/Wrapper/GkmsClientFactory.php b/src/Wrapper/GkmsClientFactory.php index ebe5cef..9d3dc1e 100644 --- a/src/Wrapper/GkmsClientFactory.php +++ b/src/Wrapper/GkmsClientFactory.php @@ -37,7 +37,7 @@ public function createClient(EncryptorOptions $encryptorOptions): KeyManagementS 'httpHandler' => [$handler, 'async'], ], ], - ] + ], ); } catch (Throwable $e) { throw new ApplicationException('Cipher key settings are invalid: ' . $e->getMessage(), 0, $e); diff --git a/tests/BranchTypeProjectWideWrapperTest.php b/tests/BranchTypeProjectWideWrapperTest.php index 61b5628..c63b641 100644 --- a/tests/BranchTypeProjectWideWrapperTest.php +++ b/tests/BranchTypeProjectWideWrapperTest.php 
@@ -123,7 +123,7 @@ public function testInvalidSetupGKMS(): void { $options = new EncryptorOptions( stackId: 'some-stack', - akvUrl: 'some-url' + akvUrl: 'some-url', ); self::expectException(ApplicationException::class); @@ -138,7 +138,7 @@ public function testInvalidSetupKMS(): void { $options = new EncryptorOptions( stackId: 'some-stack', - akvUrl: 'some-url' + akvUrl: 'some-url', ); self::expectException(ApplicationException::class); diff --git a/tests/EncryptorOptionsTest.php b/tests/EncryptorOptionsTest.php index dc4d662..721fde2 100644 --- a/tests/EncryptorOptionsTest.php +++ b/tests/EncryptorOptionsTest.php @@ -19,7 +19,7 @@ public function testAccessors(): void kmsRole: 'role', akvUrl: 'akv-url', gkmsKeyId: 'gkms-key-id', - backoffMaxTries: 1 + backoffMaxTries: 1, ); self::assertSame('my-stack', $options->getStackId()); self::assertSame('my-kms-id', $options->getKmsKeyId()); diff --git a/tests/GenericAKVWrapperTest.php b/tests/GenericAKVWrapperTest.php index df84988..3ee68e9 100644 --- a/tests/GenericAKVWrapperTest.php +++ b/tests/GenericAKVWrapperTest.php @@ -29,7 +29,7 @@ public function setUp(): void foreach ($envs as $env) { if (!getenv($env)) { throw new RuntimeException( - sprintf('At least one of %s environment variables is empty.', implode(', ', $envs)) + sprintf('At least one of %s environment variables is empty.', implode(', ', $envs)), ); } } @@ -44,7 +44,7 @@ private function clearSecrets(): void $client = new Client( new GuzzleClientFactory(new NullLogger()), new AuthenticatorFactory(), - self::getAkvUrl() + self::getAkvUrl(), ); foreach ($client->getAllSecrets() as $secret) { $client->deleteSecret($secret->getName()); 
@@ -144,10 +144,10 @@ public function testRetryEncryptDecrypt(): void $secretInternal = ''; $mockClient->expects(self::exactly(3))->method('setSecret') ->willReturnCallback(function ( - SetSecretRequest $setSecretRequest + SetSecretRequest $setSecretRequest, ) use ( &$callNoSet, - &$secretInternal + &$secretInternal, ) { $callNoSet++; $secretInternal = $setSecretRequest->getArray()['value']; @@ -165,10 +165,10 @@ public function testRetryEncryptDecrypt(): void $mockClient->expects(self::exactly(3))->method('getSecret') ->willReturnCallback(function ( $secretName, - $secretVersion + $secretVersion, ) use ( &$callNoGet, - &$secretInternal + &$secretInternal, ) { $callNoGet++; if ($callNoGet < 3) { @@ -200,7 +200,7 @@ public function testRetryEncryptFail(): void ->getMock(); $mockClient->method('setSecret') ->willThrowException( - new ConnectException('mock failed to connect', new Request('GET', 'some-uri')) + new ConnectException('mock failed to connect', new Request('GET', 'some-uri')), ); $secret = 'secret'; @@ -222,13 +222,13 @@ public function testRetryDecryptFail(): void ->getMock(); $mockClient->method('getSecret') ->willThrowException( - new ConnectException('mock failed to connect', new Request('GET', 'some-uri')) + new ConnectException('mock failed to connect', new Request('GET', 'some-uri')), ); $secret = 'secret'; $wrapper = new GenericAKVWrapper(new EncryptorOptions( stackId: 'some-stack', - akvUrl: self::getAkvUrl() + akvUrl: self::getAkvUrl(), )); $encrypted = $wrapper->encrypt($secret); self::assertNotEquals($secret, $encrypted); @@ -288,9 +288,9 @@ public function testInvalidSecretCipher(): void $mockClient->method('setSecret') ->willReturnCallback(function ( SetSecretRequest $setSecretRequest, - $secretName + $secretName, ) use ( - &$secretInternal + &$secretInternal, ) { $secretInternal = $setSecretRequest->getArray()['value']; return new SecretBundle([ 
@@ -368,7 +368,7 @@ public function testInvalidSetupInvalidCredentials(): void putenv('AZURE_CLIENT_ID=invalid'); $wrapper = new GenericAKVWrapper(new EncryptorOptions( stackId: 'some-stack', - akvUrl: self::getAkvUrl() + akvUrl: self::getAkvUrl(), )); self::expectException(ApplicationException::class); self::expectExceptionMessage('Ciphering failed: Failed to get authentication token'); diff --git a/tests/GenericGKMWrapperTest.php b/tests/GenericGKMWrapperTest.php index 3b951ff..ce72df8 100644 --- a/tests/GenericGKMWrapperTest.php +++ b/tests/GenericGKMWrapperTest.php @@ -150,7 +150,7 @@ public function testRetryEncryptFail(): void $mockClient = $this->createMock(KeyManagementServiceClient::class); $mockClient->expects(self::exactly(1))->method('encrypt') ->willThrowException( - new ConnectException('mock failed to connect', new Request('GET', 'some-uri')) + new ConnectException('mock failed to connect', new Request('GET', 'some-uri')), ); $options = new EncryptorOptions( @@ -169,7 +169,7 @@ public function testRetryDecryptFail(): void $mockClient = $this->createMock(KeyManagementServiceClient::class); $mockClient->expects(self::exactly(1))->method('decrypt') ->willThrowException( - new ConnectException('mock failed to connect', new Request('GET', 'some-uri')) + new ConnectException('mock failed to connect', new Request('GET', 'some-uri')), ); $options = new EncryptorOptions( @@ -231,7 +231,7 @@ public function testInvalidSetupMissingKeyId(): void stackId: 'some-stack', kmsKeyId: 'test-key', kmsRegion: 'test-region', - ) + ), ); } @@ -242,7 +242,7 @@ public function testInvalidSetupInvalidKeyId(): void new EncryptorOptions( stackId: 'some-stack', gkmsKeyId: 'test-key', - ) + ), ); self::expectException(ApplicationException::class); self::expectExceptionMessage('Ciphering failed: Could not map bindings for'); 
@@ -256,7 +256,7 @@ public function testInvalidSetupInvalidUrlDecrypt(): void new EncryptorOptions( stackId: 'some-stack', gkmsKeyId: 'test-key', - ) + ), ); self::expectException(ApplicationException::class); self::expectExceptionMessage('Deciphering failed.'); @@ -272,7 +272,7 @@ public function testInvalidSetupInvalidCredentialsAfterConstruct(): void new EncryptorOptions( stackId: 'some-stack', gkmsKeyId: self::getGkmsKeyId(), - ) + ), ); $encrypted = $wrapper->encrypt('test'); self::assertNotEquals('test', $encrypted); diff --git a/tests/GenericKMSWrapperTest.php b/tests/GenericKMSWrapperTest.php index 6b733aa..9d04c7a 100644 --- a/tests/GenericKMSWrapperTest.php +++ b/tests/GenericKMSWrapperTest.php @@ -140,7 +140,7 @@ public function testRetryEncryptFail(): void ->getMock(); $mockKmsClient->method('execute') ->willThrowException( - new ConnectException('mock failed to connect', new Request('GET', 'some-uri')) + new ConnectException('mock failed to connect', new Request('GET', 'some-uri')), ); $mockWrapper = new GenericKMSWrapper( @@ -206,7 +206,7 @@ public function testRetryDecryptFail(): void ->getMock(); $mockKmsClient->method('execute') ->willThrowException( - new ConnectException('mock failed to connect', new Request('GET', 'some-uri')) + new ConnectException('mock failed to connect', new Request('GET', 'some-uri')), ); $mockWrapper = new GenericKMSWrapper( @@ -385,7 +385,7 @@ public function testInvalidNonExistentRegion(): void stackId: 'some-stack', kmsKeyId: self::getKmsKeyId(), kmsRegion: 'non-existent', - backoffMaxTries: 1 + backoffMaxTries: 1, ); $wrapper = new GenericKMSWrapper( diff --git a/tests/ObjectEncryptorFactoryTest.php b/tests/ObjectEncryptorFactoryTest.php index b622428..37dce7a 100644 --- a/tests/ObjectEncryptorFactoryTest.php +++ b/tests/ObjectEncryptorFactoryTest.php 
@@ -25,7 +25,7 @@ public function testGetAwsEncryptor(): void 'my-stack', self::getKmsKeyId(), self::getKmsRegion(), - null + null, ); $encrypted = $encryptor->encryptForComponent('secret', 'my-component'); self::assertIsString($encrypted); @@ -38,7 +38,7 @@ public function testGetAwsEncryptorRole(): void 'my-stack', self::getKmsKeyId(), self::getKmsRegion(), - self::getKmsRoleId() + self::getKmsRoleId(), ); $encrypted = $encryptor->encryptForComponent('secret', 'my-component'); self::assertIsString($encrypted); @@ -49,7 +49,7 @@ public function testGetAzureEncryptor(): void { $encryptor = ObjectEncryptorFactory::getAzureEncryptor( 'my-stack', - self::getAkvUrl() + self::getAkvUrl(), ); $encrypted = $encryptor->encryptForComponent('secret', 'my-component'); self::assertIsString($encrypted); @@ -64,8 +64,8 @@ public function testGetEncryptor(): void self::getKmsKeyId(), self::getKmsRegion(), null, - self::getAkvUrl() - ) + self::getAkvUrl(), + ), ); $encrypted = $encryptor->encryptForComponent('secret', 'my-component'); self::assertIsString($encrypted); @@ -76,7 +76,7 @@ public function testGetEncryptor(): void 'my-stack', self::getKmsKeyId(), self::getKmsRegion(), - null + null, ); $awsEncrypted = $awsEncryptor->encryptForComponent('secret', 'my-component'); self::assertIsString($awsEncrypted); @@ -84,7 +84,7 @@ public function testGetEncryptor(): void self::assertStringStartsWith('KBC::ComponentSecure::', (string) $awsEncrypted); self::assertEquals( 'secret', - $encryptor->decryptForComponent($awsEncrypted, 'my-component') + $encryptor->decryptForComponent($awsEncrypted, 'my-component'), ); } } diff --git a/tests/ObjectEncryptorTest.php b/tests/ObjectEncryptorTest.php index 546ce13..b480bfd 100644 --- a/tests/ObjectEncryptorTest.php +++ b/tests/ObjectEncryptorTest.php 
@@ -57,7 +57,7 @@ public function testEncryptorStackAwsNoAwsCredentials(): void 'my-stack', self::getKmsKeyId(), self::getKmsRegion(), - null + null, ); self::expectException(ApplicationException::class); self::expectExceptionMessage('Encryption failed: Ciphering failed: Failed to obtain encryption key.'); @@ -70,11 +70,11 @@ public function testEncryptorStackGcpNoGcpCredentials(): void putenv('GOOGLE_APPLICATION_CREDENTIALS=fail'); $encryptor = ObjectEncryptorFactory::getGcpEncryptor( 'my-stack', - self::getGkmsKeyId() + self::getGkmsKeyId(), ); self::expectException(ApplicationException::class); self::expectExceptionMessage( - 'Cipher key settings are invalid: Could not construct ApplicationDefaultCredentials' + 'Cipher key settings are invalid: Could not construct ApplicationDefaultCredentials', ); $encryptor->encryptGeneric('secret'); } @@ -248,11 +248,11 @@ public function testEncryptorAlreadyEncrypted(): void // decrypt the two encrypted values, everything else should remain identical self::assertSame( 'KBC::ConfigSecureKVaaaaaaaaaaaaaaaaaaaaaaaaaa', - $encryptor->decryptForComponent($encryptedValue['#Similar'], 'my-component') + $encryptor->decryptForComponent($encryptedValue['#Similar'], 'my-component'), ); self::assertSame( 'KBC::Encryptedaaaaaaaaaaaaaaaaaaaaaaaaaa', - $encryptor->decryptForComponent($encryptedValue['#LegacySimilar'], 'my-component') + $encryptor->decryptForComponent($encryptedValue['#LegacySimilar'], 'my-component'), ); unset($data['#LegacySimilar']); unset($data['#Similar']); @@ -753,7 +753,7 @@ public function testEncryptEmptyObject(): void self::assertEquals(stdClass::class, get_class($encrypted)); self::assertEquals( stdClass::class, - get_class($encryptor->decryptForComponent($encrypted, 'my-component')) + get_class($encryptor->decryptForComponent($encrypted, 'my-component')), ); } 
@@ -895,22 +895,22 @@ public function testGetRegisteredWrapperEncryptors( self::assertStringStartsWith($projectPrefix, $encryptedProject); self::assertEquals( 'secret1', - $encryptor->decryptForProject($encryptedGeneric, 'my-component', 'my-project') + $encryptor->decryptForProject($encryptedGeneric, 'my-component', 'my-project'), ); self::assertEquals( 'secret2', - $encryptor->decryptForProject($encryptedComponent, 'my-component', 'my-project') + $encryptor->decryptForProject($encryptedComponent, 'my-component', 'my-project'), ); self::assertEquals( 'secret3', - $encryptor->decryptForProject($encryptedProject, 'my-component', 'my-project') + $encryptor->decryptForProject($encryptedProject, 'my-component', 'my-project'), ); $encryptedConfiguration = $encryptor->encryptForConfiguration( 'secret4', 'my-component', 'my-project', - 'my-configuration' + 'my-configuration', ); self::assertStringStartsWith($configurationPrefix, $encryptedConfiguration); self::assertEquals( @@ -919,8 +919,8 @@ public function testGetRegisteredWrapperEncryptors( $encryptedGeneric, 'my-component', 'my-project', - 'my-configuration' - ) + 'my-configuration', + ), ); self::assertEquals( 'secret2', @@ -928,8 +928,8 @@ public function testGetRegisteredWrapperEncryptors( $encryptedComponent, 'my-component', 'my-project', - 'my-configuration' - ) + 'my-configuration', + ), ); self::assertEquals( 'secret3', @@ -937,8 +937,8 @@ public function testGetRegisteredWrapperEncryptors( $encryptedProject, 'my-component', 'my-project', - 'my-configuration' - ) + 'my-configuration', + ), ); self::assertEquals( 'secret4', @@ -946,8 +946,8 @@ public function testGetRegisteredWrapperEncryptors( $encryptedConfiguration, 'my-component', 'my-project', - 'my-configuration' - ) + 'my-configuration', + ), ); $encryptedProjectWide = $encryptor->encryptForProjectWide('secret2', 'my-project'); 
@@ -969,7 +969,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-component', 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret2', @@ -978,7 +978,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-component', 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret3', @@ -987,7 +987,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-component', 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret5', @@ -996,13 +996,13 @@ public function testGetRegisteredWrapperEncryptors( 'my-component', 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); $encryptedProjectWideBranchType = $encryptor->encryptForProjectWideBranchType( 'secret6', 'my-project', - ObjectEncryptor::BRANCH_TYPE_DEFAULT + ObjectEncryptor::BRANCH_TYPE_DEFAULT, ); self::assertStringStartsWith($projectWideBranchTypePrefix, $encryptedProjectWideBranchType); self::assertEquals( @@ -1011,7 +1011,7 @@ public function testGetRegisteredWrapperEncryptors( $encryptedGeneric, 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret6', @@ -1019,7 +1019,7 @@ public function testGetRegisteredWrapperEncryptors( $encryptedProjectWideBranchType, 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); $encryptedBranchTypeConfiguration = $encryptor->encryptForBranchTypeConfiguration( @@ -1038,7 +1038,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret2', @@ -1048,7 +1048,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret3', 
@@ -1058,7 +1058,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret4', @@ -1068,7 +1068,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret5', @@ -1078,7 +1078,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret2', @@ -1088,7 +1088,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret6', @@ -1098,7 +1098,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( 'secret7', @@ -1108,7 +1108,7 @@ public function testGetRegisteredWrapperEncryptors( 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); } 
@@ -1130,22 +1130,22 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void self::assertEquals('{{ my_variable-3 }}', $encryptedProject); self::assertEquals( '{{ my_variable }}', - $encryptor->decryptForProject($encryptedGeneric, 'my-component', 'my-project') + $encryptor->decryptForProject($encryptedGeneric, 'my-component', 'my-project'), ); self::assertEquals( '{{ my_variable-2 }}', - $encryptor->decryptForProject($encryptedComponent, 'my-component', 'my-project') + $encryptor->decryptForProject($encryptedComponent, 'my-component', 'my-project'), ); self::assertEquals( '{{ my_variable-3 }}', - $encryptor->decryptForProject($encryptedProject, 'my-component', 'my-project') + $encryptor->decryptForProject($encryptedProject, 'my-component', 'my-project'), ); $encryptedConfiguration = $encryptor->encryptForConfiguration( '{{ my_variable-4 }}', 'my-component', 'my-project', - 'my-configuration' + 'my-configuration', ); self::assertEquals('{{ my_variable-4 }}', $encryptedConfiguration); self::assertEquals( @@ -1154,8 +1154,8 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void $encryptedGeneric, 'my-component', 'my-project', - 'my-configuration' - ) + 'my-configuration', + ), ); self::assertEquals( '{{ my_variable-2 }}', @@ -1163,8 +1163,8 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void $encryptedComponent, 'my-component', 'my-project', - 'my-configuration' - ) + 'my-configuration', + ), ); self::assertEquals( '{{ my_variable-3 }}', @@ -1172,8 +1172,8 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void $encryptedProject, 'my-component', 'my-project', - 'my-configuration' - ) + 'my-configuration', + ), ); self::assertEquals( '{{ my_variable-4 }}', 
@@ -1181,19 +1181,19 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void $encryptedConfiguration, 'my-component', 'my-project', - 'my-configuration' - ) + 'my-configuration', + ), ); $encryptedProjectWide = $encryptor->encryptForProjectWide('{{ my_variable-2 }}', 'my-project'); self::assertEquals('{{ my_variable-2 }}', $encryptedProjectWide); self::assertEquals( '{{ my_variable }}', - $encryptor->decryptForProjectWide($encryptedGeneric, 'my-project') + $encryptor->decryptForProjectWide($encryptedGeneric, 'my-project'), ); self::assertEquals( '{{ my_variable-2 }}', - $encryptor->decryptForProjectWide($encryptedProjectWide, 'my-project') + $encryptor->decryptForProjectWide($encryptedProjectWide, 'my-project'), ); $encryptedBranchType = $encryptor->encryptForBranchType( @@ -1210,7 +1210,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-component', 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-2 }}', @@ -1219,7 +1219,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-component', 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-3 }}', @@ -1228,7 +1228,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-component', 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-5 }}', @@ -1237,13 +1237,13 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-component', 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); $encryptedProjectWideBranchType = $encryptor->encryptForProjectWideBranchType( '{{ my_variable-6 }}', 'my-project', - ObjectEncryptor::BRANCH_TYPE_DEFAULT + ObjectEncryptor::BRANCH_TYPE_DEFAULT, ); self::assertEquals('{{ my_variable-6 }}', $encryptedProjectWideBranchType); self::assertEquals( 
@@ -1252,7 +1252,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void $encryptedGeneric, 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-6 }}', @@ -1260,7 +1260,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void $encryptedProjectWideBranchType, 'my-project', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); $encryptedBranchTypeConfiguration = $encryptor->encryptForBranchTypeConfiguration( @@ -1279,7 +1279,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-2 }}', @@ -1289,7 +1289,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-3 }}', @@ -1299,7 +1299,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-4 }}', @@ -1309,7 +1309,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-5 }}', @@ -1319,7 +1319,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-2 }}', @@ -1329,7 +1329,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-6 }}', 
@@ -1339,7 +1339,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); self::assertEquals( '{{ my_variable-7 }}', @@ -1349,7 +1349,7 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void 'my-project', 'my-configuration', ObjectEncryptor::BRANCH_TYPE_DEFAULT, - ) + ), ); } } diff --git a/tests/ProjectWideWrapperTest.php b/tests/ProjectWideWrapperTest.php index d38200d..07aab3e 100644 --- a/tests/ProjectWideWrapperTest.php +++ b/tests/ProjectWideWrapperTest.php @@ -118,7 +118,7 @@ public function testInvalidSetupGKMS(): void { $options = new EncryptorOptions( stackId: 'some-stack', - akvUrl: 'some-url' + akvUrl: 'some-url', ); self::expectException(ApplicationException::class); @@ -134,7 +134,7 @@ public function testInvalidSetupKMS(): void { $options = new EncryptorOptions( stackId: 'some-stack', - akvUrl: 'some-url' + akvUrl: 'some-url', ); self::expectException(ApplicationException::class); From ad114edd129afba41c263b3a9b2ed523df02dc88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roman=20Pi=C5=A1t=C4=9Bk?= Date: Wed, 19 Jun 2024 14:00:08 +0200 Subject: [PATCH 5/8] Update GA actions --- .github/workflows/push.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 4a3c2f8..30224a2 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -18,9 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Google Login - uses: 'google-github-actions/auth@v1' + uses: 'google-github-actions/auth@v2' with: credentials_json: ${{ secrets.TEST_GCP_SERVICE_ACCOUNT_KEY }} export_environment_variables: true From 12a58845ca2ff911e9138ce0b6166a2c33dc2eb0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Roman=20Pi=C5=A1t=C4=9Bk?=
Date: Wed, 19 Jun 2024 14:10:51 +0200
Subject: [PATCH 6/8] Revert "Define gcp private key volume statically in docker-compose.yml"
This reverts commit 4bf77a96e7c208ac5646de9f4b09e7b6214b7ab6.
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index b4eb68c..dbe32e9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,4 +35,4 @@ services:
 TEST_GOOGLE_APPLICATION_CREDENTIALS: /code/var/gcp-private-key.json
 volumes:
 - ./build/logs/:/code/build/logs/
- - ./var/gcp-private-key.json:/code/var/gcp-private-key.json
+ - $GOOGLE_APPLICATION_CREDENTIALS:/code/var/gcp-private-key.json
From 9fb95bf1003f2aaf807f218acad30b8f6d704622 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roman=20Pi=C5=A1t=C4=9Bk?=
Date: Wed, 19 Jun 2024 14:25:09 +0200
Subject: [PATCH 7/8] Skip decryption (return '') if value is an empty string in ObjectEncryptor::decryptValue()
---
 src/ObjectEncryptor.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ObjectEncryptor.php b/src/ObjectEncryptor.php
index 3cf6e01..2d7443f 100644
--- a/src/ObjectEncryptor.php
+++ b/src/ObjectEncryptor.php
@@ -376,7 +376,7 @@ private function findWrapper(string $value, array $wrappers): ?CryptoWrapperInte
 private function decryptValue(string $value, array $wrappers): string
 {
- if (RegexHelper::matchesVariable($value)) {
+ if ($value === '' || RegexHelper::matchesVariable($value)) {
 return $value;
 }
From b533f9a2964904b77d526165fb73226efca49743 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roman=20Pi=C5=A1t=C4=9Bk?=
Date: Wed, 19 Jun 2024 16:28:15 +0200
Subject: [PATCH 8/8] Cover empty string decryption with tests
---
 tests/ObjectEncryptorTest.php | 37 +++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/tests/ObjectEncryptorTest.php b/tests/ObjectEncryptorTest.php
index b480bfd..352f937 100644
--- a/tests/ObjectEncryptorTest.php
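Review bot: The restored bind mount hands the host's service-account key file to the container read-write, so any code running under `docker compose` can overwrite or truncate the file named by `GOOGLE_APPLICATION_CREDENTIALS`; a credential only ever needs to be read, so the mount should be `:ro`. If the variable is unset, Compose substitutes an empty string and the spec degenerates to `:/code/var/gcp-private-key.json`, which will most likely fail with an error that does not point at the missing variable, whereas the `:?` form fails fast with a clear message. Suggested line: `- ${GOOGLE_APPLICATION_CREDENTIALS:?path to the GCP service-account key file}:/code/var/gcp-private-key.json:ro`. The rest of the service definition (image, other environment entries) is outside the hunk.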
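Review bot: The new `$value === ''` guard relaxes what `decryptValue` accepts without saying why: before this commit an empty value fell through to the wrapper lookup and, judging by the series' own test for `' '`, was rejected with a UserException "is not an encrypted value", whereas now it is returned untouched and no KMS/wrapper is consulted. I would put the reason on the line so the next reader does not treat it as an accidental bypass: `// An empty value carries nothing to decrypt; pass it through instead of rejecting it as "not an encrypted value".` Whether the encrypt side has a matching empty-string short-circuit is not visible here; if it does not, an empty secret encrypts to a non-empty ciphertext while a stored empty string decrypts to itself, which is worth confirming is intended. decryptValue's body continues past the hunk.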
+++ b/tests/ObjectEncryptorTest.php
@@ -1352,4 +1352,41 @@ public function testIgnoreVariables(ObjectEncryptor $encryptor): void
 ),
 );
 }
+
+ /**
+ * @dataProvider cloudEncryptorProvider
+ */
+ public function testDecryptEmptyStrings(ObjectEncryptor $encryptor): void
+ {
+ self::assertEquals('', $encryptor->decryptGeneric(''));
+ self::assertEquals('', $encryptor->decryptForComponent('', 'my-component'));
+ self::assertEquals(
+ '',
+ $encryptor->decryptForProjectWideBranchType('', 'my-project', 'default'),
+ );
+
+ $json = '{
+ "#emptyToken1": "",
+ "key1": {
+ "#emptyToken2": "",
+ "key2": {
+ "#emptyToken2": ""
+ }
+ }
+ }';
+
+ $result = $encryptor->decryptForConfiguration(
+ json_decode($json),
+ 'my-component',
+ 'my-project',
+ 'my-configuration',
+ );
+ self::assertEquals('', $result->{'#emptyToken1'});
+ self::assertEquals('', $result->key1->{'#emptyToken2'});
+ self::assertEquals('', $result->key1->key2->{'#emptyToken2'});
+
+ $this->expectException(UserException::class);
+ $this->expectExceptionMessage('Value " " is not an encrypted value.');
+ self::assertEquals('', $encryptor->decryptGeneric(' '));
+ }
 }
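Review bot: The last statement of `testDecryptEmptyStrings`, `self::assertEquals('', $encryptor->decryptGeneric(' '));`, is misleading: `expectException` means the call must throw, so the surrounding assertion never evaluates and reads as if `' '` were expected to decrypt to `''`; make it a bare `$encryptor->decryptGeneric(' ');`, or better move the whitespace case into its own test so the empty-string and the rejected-value behaviours are checked independently. The `assertEquals('', ...)` checks pass for `null` as well as `''` under PHPUnit's loose scalar comparison, so on their own they would not tell a dropped `#emptyToken` property from an empty one; `assertSame('', ...)` pins the exact value. The `decryptForProjectWideBranchType('', 'my-project', 'default')` call spells the branch type as a literal where the rest of this file uses `ObjectEncryptor::BRANCH_TYPE_DEFAULT`.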