Encryption key prefixes + Gitleaks rules to scan for them in Git (#269)

 - spaze/encryption updated from v1.0.2 to v2.0.0 major
   See changes: spaze/[email protected]
   Release notes: https://github.com/spaze/encryption/releases/tag/v2.0.0

 - spaze/mysql-session-handler updated from v2.3.3 to v3.0.0 major
   See changes: spaze/[email protected]
   Release notes: https://github.com/spaze/mysql-session-handler/releases/tag/v3.0.0

.gitleaks.toml

@@ -31,13 +31,20 @@ stopwords = [
   '''_training''',
 ]
 
+[[rules]]
+id = "michalspacek.cz-encryption-keys"
+description = "Identified an encryption key, risking data decryption and unauthorized access to sensitive information."
+regex = '''(?:mspe|msee|msse)(?:test)?_([a-fA-F0-9]{32,64})'''
+keywords = [
+  "mspe",
+  "msee",
+  "msse",
+]
+
 [allowlist]
 paths = [
   '''js/openpgp\.min\.js''',
   # Paths otherwise .gitignored should be listed here if you want to run with --no-git
   '''i/build/''',
-  '''site/config/local.*\.neon''',
-  '''site/config/remote.*\.neon''',
   '''site/temp/cache/''',
 ]
-

.gitleaksignore

@@ -5,3 +5,12 @@
 4eea8b8b4a748558fc9d148e870c046e70f02e93:site/app/config/config.local.template.neon:generic-api-key-extra-keywords:73
 8e2f5d8924f633825fdd9e83431ac83166fb2ba4:site/app/config/config.local.template.neon:generic-api-key-extra-keywords:80
 bcedeb91aedc5501ee37ef6e71e0abe5ec5f8622:app/config/config.neon:generic-api-key-extra-keywords:37
+0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/local.template.neon:michalspacek.cz-encryption-keys:52
+0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/local.template.neon:generic-api-key-extra-keywords:52
+0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/local.template.neon:michalspacek.cz-encryption-keys:54
+0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/local.template.neon:generic-api-key-extra-keywords:54
+0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/local.template.neon:generic-api-key-extra-keywords:56
+0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/tests.neon:michalspacek.cz-encryption-keys:16
+0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/tests.neon:michalspacek.cz-encryption-keys:18
+0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/tests.neon:michalspacek.cz-encryption-keys:20
+0a582d9b6820eec34b371c48ac33c95512013fcf:site/config/local.template.neon:michalspacek.cz-encryption-keys:56

site/Makefile

@@ -1,4 +1,4 @@
-.PHONY: test audit cs-fix check-file-patterns check-makefile lint-php lint-latte lint-neon lint-xml lint-xml-auto-install phpcs phpstan phpstan-latte-templates phpstan-vendor psalm tester tester-include-skipped
+.PHONY: test audit cs-fix check-file-patterns check-makefile lint-php lint-latte lint-neon lint-xml lint-xml-auto-install phpcs phpstan phpstan-latte-templates phpstan-vendor psalm tester tester-include-skipped gitleaks
 
 test: audit check-file-patterns check-makefile lint-php lint-latte lint-neon lint-xml phpcs phpstan tester psalm phpstan-vendor
 
@@ -50,3 +50,6 @@ tester:
 tester-include-skipped:
 	TEST_CASE_RUNNER_INCLUDE_SKIPPED=1 \
 	$(MAKE) tester
+
+gitleaks:
+	gitleaks detect --verbose --source $(realpath ..)

site/app/Training/Applications/TrainingApplicationFactory.php

@@ -11,15 +11,15 @@
 use Nette\Database\Row;
 use ParagonIE\Halite\Alerts\HaliteAlert;
 use SodiumException;
-use Spaze\Encryption\Symmetric\StaticKey;
+use Spaze\Encryption\SymmetricKeyEncryption;
 
 readonly class TrainingApplicationFactory
 {
 
 	public function __construct(
 		private Statuses $trainingStatuses,
 		private TrainingMailMessageFactory $trainingMailMessageFactory,
-		private StaticKey $emailEncryption,
+		private SymmetricKeyEncryption $emailEncryption,
 		private TexyFormatter $texyFormatter,
 		private TrainingApplicationSources $trainingApplicationSources,
 		private TrainingFiles $trainingFiles,

site/app/Training/Applications/TrainingApplicationStorage.php

@@ -16,7 +16,7 @@
 use ParagonIE\Halite\Alerts\HaliteAlert;
 use RuntimeException;
 use SodiumException;
-use Spaze\Encryption\Symmetric\StaticKey;
+use Spaze\Encryption\SymmetricKeyEncryption;
 use Tracy\Debugger;
 
 readonly class TrainingApplicationStorage
@@ -26,7 +26,7 @@ public function __construct(
 		private Explorer $database,
 		private Statuses $trainingStatuses,
 		private TrainingApplicationSources $trainingApplicationSources,
-		private StaticKey $emailEncryption,
+		private SymmetricKeyEncryption $emailEncryption,
 		private Prices $prices,
 	) {
 	}

site/app/User/Manager.php

@@ -27,7 +27,7 @@
 use Nette\Utils\Random;
 use Override;
 use ParagonIE\Halite\Alerts\HaliteAlert;
-use Spaze\Encryption\Symmetric\StaticKey;
+use Spaze\Encryption\SymmetricKeyEncryption;
 use Tracy\Debugger;
 
 readonly class Manager implements Authenticator
@@ -47,7 +47,7 @@ public function __construct(
 		private IRequest $httpRequest,
 		private Cookies $cookies,
 		private Passwords $passwords,
-		private StaticKey $passwordEncryption,
+		private SymmetricKeyEncryption $passwordEncryption,
 		LinkGenerator $linkGenerator,
 		private string $permanentLoginInterval,
 	) {

site/composer.json

@@ -33,9 +33,9 @@
 		"paragonie/halite": "^5.1",
 		"php-parallel-lint/php-console-color": "^1.0.1",
 		"spaze/csp-config": "^4.0",
-		"spaze/encryption": "^1.0",
+		"spaze/encryption": "^2.0",
 		"spaze/feed-exports": "^1.0",
-		"spaze/mysql-session-handler": "^2.3",
+		"spaze/mysql-session-handler": "^3.0",
 		"spaze/nonce-generator": "^4.0",
 		"spaze/phpinfo": "^1.0",
 		"spaze/sri-macros": "^2.0",

site/config/local.template.neon

@@ -49,15 +49,19 @@ parameters:
 	encryption:
 		keys:
 			password:
-				dev1: "abadcafec15c0d06f00dcafed00dbeef" # [0-9A-F]{64}
+				dev1: "mspe_abadcafec15c0d06f00dcafed00dbeef" # [0-9A-F]{64}
 			email:
-				dev1: "cafebabe25da1768d69ee80717cc2f30" # [0-9A-F]{64}
+				dev1: "msee_cafebabe25da1768d69ee80717cc2f30" # [0-9A-F]{64}
 			session:
-				dev1: "25da1768d69ee80717cc2f30cafebabe" # [0-9A-F]{64}
+				dev1: "msse_25da1768d69ee80717cc2f30cafebabe" # [0-9A-F]{64}
 		activeKeyIds:
 			password: dev1
 			email: dev1
 			session: dev1
+		keyPrefixes:
+			password: mspe
+			email: msee
+			session: msse
 
 	awsLambda:
 		upcKeys:

site/config/parameters.neon

@@ -66,9 +66,17 @@ parameters:
 		phoneNumber: "123456789"
 	encryption:
 		keys:
-			-
+			password: []
+			email: []
+			session: []
 		activeKeyIds:
-			-
+			password: ""
+			email: ""
+			session: ""
+		keyPrefixes:
+			password: ""
+			email: ""
+			session: ""
 	awsLambda:
 		upcKeys:
 			url:

site/config/services.neon

@@ -154,8 +154,8 @@ services:
 	- Nette\Schema\Processor
 	security.passwords: Nette\Security\Passwords(::PASSWORD_ARGON2ID, [memory_cost: 65536, time_cost: 16, threads: 16])
 	- PHP_Parallel_Lint\PhpConsoleColor\ConsoleColor
-	emailEncryption: Spaze\Encryption\Symmetric\StaticKey('email', %encryption.keys%, %encryption.activeKeyIds%)
-	passwordEncryption: Spaze\Encryption\Symmetric\StaticKey('password', %encryption.keys%, %encryption.activeKeyIds%)
-	sessionEncryption: Spaze\Encryption\Symmetric\StaticKey('session', %encryption.keys%, %encryption.activeKeyIds%)
+	emailEncryption: Spaze\Encryption\SymmetricKeyEncryption(%encryption.keys.email%, %encryption.activeKeyIds.email%, %encryption.keyPrefixes.email%)
+	passwordEncryption: Spaze\Encryption\SymmetricKeyEncryption(%encryption.keys.password%, %encryption.activeKeyIds.password%, %encryption.keyPrefixes.password%)
+	sessionEncryption: Spaze\Encryption\SymmetricKeyEncryption(%encryption.keys.session%, %encryption.activeKeyIds.session%, %encryption.keyPrefixes.session%)
 	- Spaze\PhpInfo\PhpInfo
 	texyFormatterPhpFilesAdapter: Symfony\Component\Cache\Adapter\PhpFilesAdapter(namespace: 'TexyFormatter', directory: '%tempDir%/cache', appendOnly: true)

site/config/tests.neon

@@ -12,13 +12,20 @@ parameters:
 			longWords: false
 	encryption:
 		keys:
-			password:
-				test: "f015033d6b0b24e77bc9cbd86ec52ed5bc94ca4901c9f1378768423ec0278d66"
-			email:
-				test: "17fa3225effc107a689eb72fd8c20983bbc690bf9ea42a2f0306e0c226720845"
+			password!:
+				test: "mspetest_f015033d6b0b24e77bc9cbd86ec52ed5bc94ca4901c9f1378768423ec0278d66"
+			email!:
+				test: "mseetest_17fa3225effc107a689eb72fd8c20983bbc690bf9ea42a2f0306e0c226720845"
+			session!:
+				test: "mssetest_0d89ba7b95bce3a1f5092faf7aa038bffcaca2a98d264ab18c81aec8f74b90ab"
 		activeKeyIds:
 			password: test
 			email: test
+			session: test
+		keyPrefixes:
+			password: mspetest
+			email: mseetest
+			session: mssetest
 	awsLambda:
 		upcKeys:
 			url: "https://was.example/%s/%s"

site/tests/User/ManagerTest.phpt

@@ -21,7 +21,7 @@ use Nette\Security\Passwords;
 use Nette\Security\SimpleIdentity;
 use Nette\Security\User;
 use Override;
-use Spaze\Encryption\Symmetric\StaticKey;
+use Spaze\Encryption\SymmetricKeyEncryption;
 use Tester\Assert;
 use Tester\TestCase;
 
@@ -31,7 +31,7 @@ require __DIR__ . '/../bootstrap.php';
 class ManagerTest extends TestCase
 {
 
-	private readonly StaticKey $passwordEncryption;
+	private readonly SymmetricKeyEncryption $passwordEncryption;
 
 
 	public function __construct(
@@ -43,8 +43,8 @@ class ManagerTest extends TestCase
 		Container $container,
 	) {
 		$service = $container->getService('passwordEncryption');
-		if (!$service instanceof StaticKey) {
-			throw new ShouldNotHappenException(sprintf('passwordEncryption should be a %s instance, but it is a %s', StaticKey::class, $service::class));
+		if (!$service instanceof SymmetricKeyEncryption) {
+			throw new ShouldNotHappenException(sprintf('passwordEncryption should be a %s instance, but it is a %s', SymmetricKeyEncryption::class, $service::class));
 		}
 		$this->passwordEncryption = $service;
 	}