Code Coverage for /Users/austinheap/Development/laravel-database-encryption/src/Console/Commands/MigrateEncryptionCommand.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	54.55% covered (warning)	54.55%	6 / 11	CRAP	75.00% covered (warning)	75.00%	78 / 104
AustinHeap\Database\Encryption\Console\Commands\MigrateEncryptionCommand	0.00% covered (danger)	0.00%	0 / 1	54.55% covered (warning)	54.55%	6 / 11	65.00	75.00% covered (warning)	75.00%	78 / 104
getEncryptionPrefix				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	1 / 1
isEncrypted				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	1 / 1
encryptedAttribute				0.00% covered (danger)	0.00%	0 / 1	6.00	0.00% covered (danger)	0.00%	0 / 1
decryptedAttribute				0.00% covered (danger)	0.00%	0 / 1	6.00	0.00% covered (danger)	0.00%	0 / 1
setupKeys				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	1 / 1
handle				0.00% covered (danger)	0.00%	0 / 1	28.32	72.50% covered (warning)	72.50%	58 / 80
writeln				0.00% covered (danger)	0.00%	0 / 1	2.06	75.00% covered (warning)	75.00%	3 / 4
buildStatsString				0.00% covered (danger)	0.00%	0 / 1	6.05	88.89% covered (warning)	88.89%	8 / 9
stylizeStatsString				100.00% covered (success)	100.00%	1 / 1	3	100.00% covered (success)	100.00%	2 / 2
setStats				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	2 / 2
getStats				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	2 / 2

1	<?php
2	/**
3	* src/Console/Commands/MigrateEncryptionCommand.php.
4	*
5	* @author Austin Heap <me@austinheap.com>
6	* @version v0.2.0
7	*/
8	declare(strict_types=1);
9
10	namespace AustinHeap\Database\Encryption\Console\Commands;
11
12	use Exception;
13	use RuntimeException;
14	use Illuminate\Support\Facades\DB;
15	use Illuminate\Support\Facades\Log;
16	use Illuminate\Encryption\Encrypter;
17	use Illuminate\Support\Facades\Config;
18	use AustinHeap\Database\Encryption\EncryptionFacade as DatabaseEncryption;
19
20	/**
21	* Class MigrateEncryptionCommand.
22	*
23	* This console job locates data in the database that contains data encrypted
24	* using a wrong/deprecated encryption key, and re-encrypts it using the
25	* correct/new encryption key.
26	*
27	* It can be used to fix badly encrypted data, or can be used to decrypt data using
28	* one key and re-encrypt using another key.
29	*
30	* ### Installation
31	*
32	* * Override this class and change the setupKeys() function to set the keys that
33	* are to be used ($old_keys and $new_key) as well as the array of $table names.
34	*
35	* * Add 'App\Console\Commands\MigrateEncryptionCommand' to the $commands array in
36	* your 'App\Console\Kernel' package.
37	*
38	* ### Example
39	*
40	* <code>
41	* php artisan migrate:encryption
42	* </code>
43	*/
44	class MigrateEncryptionCommand extends \Illuminate\Console\Command
45	{
46	/**
47	* The stats of the last run of the console command.
48	*
49	* @var array
50	*/
51	private static $stats = null;
52
53	/**
54	* The name and signature of the console command.
55	*
56	* @var string
57	*/
58	protected $signature = 'migrate:encryption';
59
60	/**
61	* The console command description.
62	*
63	* @var string
64	*/
65	protected $description = 'Rotate keys used for database encryption';
66
67	/**
68	* An array of old keys. Each one is to be tried in turn.
69	*
70	* @var array
71	*/
72	protected $old_keys = null;
73
74	/**
75	* The new encryption key.
76	*
77	* @var string
78	*/
79	protected $new_key = null;
80
81	/**
82	* The list of tables to be scanned.
83	*
84	* @var array
85	*/
86	protected $tables = null;
87
88	/**
89	* Get the configuration setting for the prefix used to determine if a string is encrypted.
90	*
91	* @return string
92	*/
93	protected function getEncryptionPrefix(): string
94	{
95	return DatabaseEncryption::getPrefix();
96	}
97
98	/**
99	* Determine whether a string has already been encrypted.
100	*
101	* @param mixed $value
102	*
103	* @return bool
104	*/
105	protected function isEncrypted($value): bool
106	{
107	return strpos((string) $value, $this->getEncryptionPrefix()) === 0;
108	}
109
110	/**
111	* Return the encrypted value of an attribute's value.
112	*
113	* @param string $value
114	* @param Encrypter $cipher
115	*
116	* @return null\|string
117	*/
118	public function encryptedAttribute($value, $cipher): ?string
119	{
120	return $this->getEncryptionPrefix().$cipher->encrypt($value);
121	}
122
123	/**
124	* Return the decrypted value of an attribute's encrypted value.
125	*
126	* @param string $value
127	* @param Encrypter $cipher
128	*
129	* @return null\|string
130	*/
131	public function decryptedAttribute($value, $cipher): ?string
132	{
133	return $cipher->decrypt(str_replace($this->getEncryptionPrefix(), '', $value));
134	}
135
136	/**
137	* Set up keys.
138	*
139	* @return void
140	*/
141	protected function setupKeys()
142	{
143	// Over-ride this function to set:
144	//
145	// * $this->old_keys
146	// * $this->new_key
147	// * $this->tables
148	}
149
150	/**
151	* Execute the console command.
152	*
153	* @return mixed
154	*/
155	public function handle()
156	{
157	// Keys
158	$this->setupKeys();
159
160	throw_if(! is_array($this->old_keys) \|\| empty($this->old_keys) \|\| count($this->old_keys) == 0,
161	RuntimeException::class,
162	'You must override this class with (array)$old_keys set correctly.');
163	throw_if(! is_string($this->new_key) \|\| empty($this->new_key), RuntimeException::class,
164	'You must override this class with (string)$new_key set correctly.');
165	throw_if(! is_array($this->tables) \|\| empty($this->tables) \|\| count($this->tables) == 0, RuntimeException::class,
166	'You must override this class with (array)$tables set correctly.');
167
168	// Encrypter objects
169	$cipher = Config::get('app.cipher', 'AES-256-CBC');
170	$base_encrypter = new Encrypter($this->new_key, $cipher);
171	$old_encrypter = [];
172
173	foreach ($this->old_keys as $key => $value) {
174	$old_encrypter[$key] = new Encrypter($value, $cipher);
175	}
176
177	// Stats
178	$stats = [
179	'tables' => count($this->tables),
180	'rows' => 0,
181	'attributes' => 0,
182	'failed' => 0,
183	'migrated' => 0,
184	'skipped' => 0,
185	];
186
187	// Main
188	$this->writeln('<fg=green>Migrating <fg=blue>'.count($this->old_keys).'</> old database encryption key(s) on <fg=blue>'.$stats['tables'].'</> table(s).</>');
189
190	foreach ($this->tables as $table_name) {
191	// Process table
192	$this->writeln('<fg=yellow>Fetching data from: <fg=white>"</><fg=green>'.$table_name.'<fg=white>"</>.</>');
193
194	// Setup table stats
195	$table_stats = ['rows' => 0, 'attributes' => 0, 'failed' => 0, 'migrated' => 0, 'skipped' => 0];
196
197	// Get count of records
198	$count = DB::table($table_name)
199	->count();
200
201	// Create progress bar
202	$bar = defined('LARAVEL_DATABASE_ENCRYPTION_TESTS') ? null : $this->output->createProgressBar($count);
203
204	$this->writeln('<fg=yellow>Found <fg=blue>'.number_format($count, 0).'</> record(s) in database; checking encryption keys.</>');
205
206	// Get table object
207	$table_data = DB::table($table_name)
208	->orderBy('id');
209
210	// Cycle through table data 1k records at a time
211	$chunk = 1000;
212	$table_data->chunk($chunk, function ($data) use (
213	&$stats,
214	&$table_stats,
215	$bar,
216	$chunk,
217	$base_encrypter,
218	$old_encrypter,
219	$table_name
220	) {
221	foreach ($data as $datum) {
222	// Check every column of the table for an encrypted value. If the value is
223	// encrypted then try to decrypt it with the base encrypter.
224	$datum_array = get_object_vars($datum);
225	$adjust = [];
226
227	$table_stats['rows'] += 1;
228
229	foreach ($datum_array as $key => $value) {
230	$table_stats['attributes'] += 1;
231
232	if (! $this->isEncrypted($value)) {
233	$table_stats['skipped'] += 1;
234	continue;
235	}
236
237	try {
238	$test = $this->decryptedAttribute($value, $base_encrypter);
239	continue;
240	} catch (Exception $e) {
241
242	// If the base encrypter fails then try to decrypt it with each
243	// other encrypter until one works or they all fail.
244	$new_value = '';
245
246	foreach ($old_encrypter as $cipher) {
247	try {
248	$test = $this->decryptedAttribute($value, $cipher);
249
250	// If that did not throw an exception then we have a match
251	// between the old encrypter and the encrypted value, so
252	// adjust the new value.
253	$new_value = $this->encryptedAttribute($test, $base_encrypter);
254	continue;
255	} catch (\Exception $e) {
256	// Do nothing, keep trying.
257	}
258	}
259
260	// If we got a match then empty($new_value) != true
261	if (empty($new_value)) {
262	Log::error(
263	__CLASS__.':'.__TRAIT__.':'.__FILE__.':'.__LINE__.':'.__FUNCTION__.':'.
264	'Unable to find encryption key for: '.$table_name->key.' #'.$datum->id
265	);
266
267	$table_stats['failed'] += 1;
268	continue;
269	}
270
271	// We got a match
272	$adjust[$key] = $new_value;
273	$table_stats['migrated'] += 1;
274	}
275
276	$table_stats['attributes'] += 1;
277	}
278
279	// If we have anything in $adjust, write that back to the database
280	if (count($adjust) == 0) {
281	continue;
282	}
283
284	DB::table($table_name)
285	->where('id', '=', $datum->id)
286	->update($adjust);
287	}
288
289	// Advance progress bar
290	if (! defined('LARAVEL_DATABASE_ENCRYPTION_TESTS')) {
291	$bar->advance($chunk);
292	}
293	});
294
295	// Finish progress bar
296	if (! defined('LARAVEL_DATABASE_ENCRYPTION_TESTS')) {
297	$bar->finish();
298	}
299
300	// And display stats
301	foreach ($table_stats as $key => $value) {
302	$stats[$key] += $value;
303	}
304
305	$this->writeln('');
306	$this->writeln('<fg=blue>Database encryption migration for table <fg=white>"</><fg=green>'.$table_name.'</><fg=white>"</> complete: '.self::buildStatsString($table_stats).'.</>');
307	}
308
309	$this->writeln('<fg=green>Database encryption migration for all <fg=blue>'.$stats['tables'].'</> table(s) complete: '.self::buildStatsString($stats).'.</>');
310	self::setStats($stats);
311	}
312
313	private function writeln(string $line): void
314	{
315	$output = $this->getOutput();
316
317	if (! is_null($output)) {
318	$output->writeln($line);
319	}
320	}
321
322	private static function buildStatsString(array $stats, string $stat = null, bool $stylize = true): string
323	{
324	$string = '';
325
326	foreach ($stats as $key => $value) {
327	if (! is_null($stat) && $key != $stat) {
328	continue;
329	}
330
331	$string .= self::stylizeStatsString($key, 'fg=white', $stylize).
332	self::stylizeStatsString(' = ', 'fg=yellow', $stylize).
333	self::stylizeStatsString(is_int($value) ? number_format($value, 0) : $value, 'fg=magenta',
334	$stylize).'; ';
335	}
336
337	return empty($string) ? '' : substr($string, 0, -2);
338	}
339
340	private static function stylizeStatsString(string $string, string $style, bool $stylize = true): string
341	{
342	return ! $stylize ? $string : '<'.$style.'>'.$string.'</'.(strpos($style,
343	'<fg') === 0 ? '' : $style).'>';
344	}
345
346	private static function setStats(array $stats): void
347	{
348	self::$stats = $stats;
349	}
350
351	public static function getStats(): array
352	{
353	throw_if(is_null(self::$stats), RuntimeException::class, 'Stats do not exist; command has not been executed.');
354
355	return self::$stats;
356	}
357	}