Merge pull request #3072 from magento-earl-grey/ENGCOM-2088

[earl] ENGCOM-2088: Sodium Encryption #135

Author: rganin

app/code/Magento/Config/Model/Config/Structure.php

@@ -281,6 +281,10 @@ protected function _createEmptyElement(array $pathParts)
     public function getFieldPathsByAttribute($attributeName, $attributeValue)
     {
         $result = [];
+        if (empty($this->_data['sections'])) {
+            return $result;
+        }
+
         foreach ($this->_data['sections'] as $section) {
             if (!isset($section['children'])) {
                 continue;

app/code/Magento/EncryptionKey/Setup/Patch/Data/SodiumChachaPatch.php

@@ -0,0 +1,114 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\EncryptionKey\Setup\Patch\Data;
+
+use Magento\Framework\Setup\Patch\DataPatchInterface;
+
+/**
+ * Migrate encrypted configuration values to the latest cipher
+ */
+class SodiumChachaPatch implements DataPatchInterface
+{
+    /**
+     * @var \Magento\Framework\Setup\ModuleDataSetupInterface
+     */
+    private $moduleDataSetup;
+
+    /**
+     * @var \Magento\Config\Model\Config\Structure
+     */
+    private $structure;
+
+    /**
+     * @var \Magento\Framework\Encryption\EncryptorInterface
+     */
+    private $encryptor;
+
+    /**
+     * @var \Magento\Framework\App\State
+     */
+    private $state;
+
+    /**
+     * @param \Magento\Framework\Setup\ModuleDataSetupInterface $moduleDataSetup
+     * @param \Magento\Config\Model\Config\Structure\Proxy $structure
+     * @param \Magento\Framework\Encryption\EncryptorInterface $encryptor
+     * @param \Magento\Framework\App\State $state
+     */
+    public function __construct(
+        \Magento\Framework\Setup\ModuleDataSetupInterface $moduleDataSetup,
+        \Magento\Config\Model\Config\Structure\Proxy $structure,
+        \Magento\Framework\Encryption\EncryptorInterface $encryptor,
+        \Magento\Framework\App\State $state
+    ) {
+        $this->moduleDataSetup = $moduleDataSetup;
+        $this->structure = $structure;
+        $this->encryptor = $encryptor;
+        $this->state = $state;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function apply()
+    {
+        $this->moduleDataSetup->startSetup();
+
+        $this->reEncryptSystemConfigurationValues();
+
+        $this->moduleDataSetup->endSetup();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public static function getDependencies()
+    {
+        return [];
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getAliases()
+    {
+        return [];
+    }
+
+    private function reEncryptSystemConfigurationValues()
+    {
+        $structure = $this->structure;
+        $paths = $this->state->emulateAreaCode(
+            \Magento\Framework\App\Area::AREA_ADMINHTML,
+            function () use ($structure) {
+                return $structure->getFieldPathsByAttribute(
+                    'backend_model',
+                    \Magento\Config\Model\Config\Backend\Encrypted::class
+                );
+            }
+        );
+        // walk through found data and re-encrypt it
+        if ($paths) {
+            $table = $this->moduleDataSetup->getTable('core_config_data');
+            $values = $this->moduleDataSetup->getConnection()->fetchPairs(
+                $this->moduleDataSetup->getConnection()
+                    ->select()
+                    ->from($table, ['config_id', 'value'])
+                    ->where('path IN (?)', $paths)
+                    ->where('value NOT LIKE ?', '')
+            );
+            foreach ($values as $configId => $value) {
+                $this->moduleDataSetup->getConnection()->update(
+                    $table,
+                    ['value' => $this->encryptor->encrypt($this->encryptor->decrypt($value))],
+                    ['config_id = ?' => (int)$configId]
+                );
+            }
+        }
+    }
+}

app/code/Magento/Sales/Console/Command/EncryptionPaymentDataUpdateCommand.php

@@ -0,0 +1,66 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Sales\Console\Command;
+
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Command\Command;
+use Magento\Framework\Console\Cli;
+
+/**
+ * Command for updating encrypted credit card data to the latest cipher
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
+class EncryptionPaymentDataUpdateCommand extends Command
+{
+    /** Command name */
+    const NAME = 'encryption:payment-data:update';
+
+    /**
+     * @var \Magento\Sales\Model\ResourceModel\Order\Payment\EncryptionUpdate
+     */
+    private $paymentResource;
+
+    /**
+     * @param \Magento\Sales\Model\ResourceModel\Order\Payment\EncryptionUpdate $paymentResource
+     */
+    public function __construct(
+        \Magento\Sales\Model\ResourceModel\Order\Payment\EncryptionUpdate $paymentResource
+    ) {
+        $this->paymentResource = $paymentResource;
+        parent::__construct();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function configure()
+    {
+        $this->setName(self::NAME)
+            ->setDescription(
+                'Re-encrypts encrypted credit card data with latest encryption cipher.'
+            );
+        parent::configure();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function execute(InputInterface $input, OutputInterface $output)
+    {
+        try {
+            $this->paymentResource->reEncryptCreditCardNumbers();
+        } catch (\Exception $e) {
+            $output->writeln('<error>' . $e->getMessage() . '</error>');
+            return Cli::RETURN_FAILURE;
+        }
+
+        return Cli::RETURN_SUCCESS;
+    }
+}

app/code/Magento/Sales/Model/ResourceModel/Order/Payment/EncryptionUpdate.php

@@ -0,0 +1,65 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Sales\Model\ResourceModel\Order\Payment;
+
+/**
+ * Resource for updating encrypted credit card data to the latest cipher
+ */
+class EncryptionUpdate
+{
+    const LEGACY_PATTERN = '^[[:digit:]]+:[^%s]:.*$';
+
+    /**
+     * @var \Magento\Sales\Model\ResourceModel\Order\Payment
+     */
+    private $paymentResource;
+
+    /**
+     * @var \Magento\Framework\Encryption\Encryptor
+     */
+    private $encryptor;
+
+    /**
+     * @param \Magento\Sales\Model\ResourceModel\Order\Payment $paymentResource
+     * @param \Magento\Framework\Encryption\Encryptor $encryptor
+     */
+    public function __construct(
+        \Magento\Sales\Model\ResourceModel\Order\Payment $paymentResource,
+        \Magento\Framework\Encryption\Encryptor $encryptor
+    ) {
+        $this->paymentResource = $paymentResource;
+        $this->encryptor = $encryptor;
+    }
+
+    /**
+     * Fetch encrypted credit card numbers using legacy ciphers and re-encrypt with latest cipher
+     * @throws \Magento\Framework\Exception\LocalizedException
+     */
+    public function reEncryptCreditCardNumbers()
+    {
+        $connection = $this->paymentResource->getConnection();
+        $table = $this->paymentResource->getMainTable();
+        $select = $connection->select()->from($table, ['entity_id', 'cc_number_enc'])
+            ->where(
+                'cc_number_enc REGEXP ?',
+                sprintf(self::LEGACY_PATTERN, \Magento\Framework\Encryption\Encryptor::CIPHER_LATEST)
+            )->limit(1000);
+
+        while ($attributeValues = $connection->fetchPairs($select)) {
+                // save new values
+            foreach ($attributeValues as $valueId => $value) {
+                $connection->update(
+                    $table,
+                    ['cc_number_enc' => $this->encryptor->encrypt($this->encryptor->decrypt($value))],
+                    ['entity_id = ?' => (int)$valueId, 'cc_number_enc = ?' => (string)$value]
+                );
+            }
+        }
+    }
+}

app/code/Magento/Sales/etc/di.xml

@@ -980,6 +980,13 @@
     <type name="Magento\Sales\Model\ResourceModel\Order\Handler\Address">
         <plugin name="addressUpdate" type="Magento\Sales\Model\Order\Invoice\Plugin\AddressUpdate"/>
     </type>
+    <type name="Magento\Framework\Console\CommandListInterface">
+        <arguments>
+            <argument name="commands" xsi:type="array">
+                <item name="encyption_payment_data_update" xsi:type="object">Magento\Sales\Console\Command\EncryptionPaymentDataUpdateCommand</item>
+            </argument>
+        </arguments>
+    </type>
     <type name="Magento\Config\Model\Config\TypePool">
         <arguments>
             <argument name="sensitive" xsi:type="array">

composer.json

@@ -41,6 +41,7 @@
         "magento/zendframework1": "~1.14.1",
         "monolog/monolog": "^1.17",
         "oyejorge/less.php": "~1.7.0",
+        "paragonie/sodium_compat": "^1.6",
         "pelago/emogrifier": "^2.0.0",
         "php-amqplib/php-amqplib": "~2.7.0",
         "phpseclib/mcrypt_compat": "1.0.5",