
doctrineencryptbundle's Issues

Enable to select Entity Manager

If you have multiple entity managers it uses the default one, any way to select which one to use or to use them all?

Right now the only way I'm aware of is to change the default Entity Manager or to override the services definitions:

services:
    ambta_doctrine_encrypt.command.decrypt.database:
        class: Ambta\DoctrineEncryptBundle\Command\DoctrineDecryptDatabaseCommand
        tags: ['console.command']
        arguments:
            - "@doctrine.orm.custom_entity_manager"
            - "@annotation_reader"
            - "@ambta_doctrine_encrypt.subscriber"

    ambta_doctrine_encrypt.command.encrypt.database:
        class: Ambta\DoctrineEncryptBundle\Command\DoctrineEncryptDatabaseCommand
        tags: ['console.command']
        arguments:
            - "@doctrine.orm.custom_entity_manager"
            - "@annotation_reader"
            - "@ambta_doctrine_encrypt.subscriber"

    ambta_doctrine_encrypt.command.encrypt.status:
        class: Ambta\DoctrineEncryptBundle\Command\DoctrineEncryptStatusCommand
        tags: ['console.command']
        arguments:
            - "@doctrine.orm.custom_entity_manager"
            - "@annotation_reader"
            - "@ambta_doctrine_encrypt.subscriber"

Maybe on the bundle's configuration you might be able to specify the entity manager (and default to the default entity manager if it is not set)

Travis & Unit testing

  • Add database to travis build
  • Create functional tests that interact with database
  • Enable coverage report
  • Try to get as high a coverage as possible
  • Create edge cases testing (items from current issue list for example)

upgrading to 5.1 from 5.0.3 made the tests crash

I upgraded the bundle to 5.1.0 on a project. This was the only updated dependency, no change of code except adding type hinting on classes extending some classes of this bundle.

Our tests are failing with the following message /bin/bash: line 1: 11194 Killed and then display Exited with code exit status 137 on CircleCI.
Locking the bundle in our composer to 5.0.3 (leaving the type hint of our inherited classes) makes the tests pass. This is very strange.

There are 20 files that were changed from 5.0.3 so I will try to isolate the change and submit a PR if I find anything. This is very strange.

Disable encryption regarding to the environment

Except not loading the bundle for all, is there any way to disable encryption for specific env?
Halite seems to be applied when config is null or unknown

Doing something like that ?

ambta_doctrine_encrypt:
    encryptor_class: null
    secret_directory_path: '%kernel.project_dir%'

Question about DoctrineEncryptSubscriber events

Hi,
Not sure if this is an issue or not because I'm not using your bundle. Actually we're doing our encryption almost the same way as your bundle does and I was curious about why you're encrypting/decrypting on preUpdate/postUpdate events. It looks like preFlush/postFlush already does that for changed entities as well, so it would mean double encryption/decryption IMO, am I right?

Issue with Custom Encryptor

Currently, the key mapping process is considered using Halite and Defuse only if I give a custom call path for my Encrypter class then it expected the key to be at that path.
E.g.:
at line 37 in src/DependencyInjection/DoctrineEncryptExtension.php
$config['encryptor_class_full'] = $config['encryptor_class'];
and for mapping the key path the code below is used
$config['secret_directory_path'].'/.'.$config['encryptor_class'].'.key'
The issue is if I give my Encryptor calls Path as App\Encryptors\CustomEncryption
and my secret_directory_path path as /opt/application/keypath/

the formation of the key will be expected /opt/application/keypath/App\Encryptors\CustomEncryption
which is not the case.

My proposed solution is to add a new config param as "secret_key_name"; if set then it will make the encryption key path accordingly.

PR: #55

Question: todo and difference with forked bundle

Hello, I was wondering, what's the difference between your bundle version and the one you forked? I'm not sure I saw it or that there is one.

And do you have any feature additions planned for this one or are you just updating the security?

Thanks for your reply!

Support for Symfony 4

I've tried to get this working on a Symfony 4 project and it doesn't register the bundle; the commands are not available. I have managed to get other Symfony 3 bundles to work in Symfony 4, but with this one, it's just not working.

Any help or assistance would be welcomed. If there are similar bundles that do work in symfony 4 I'd be interested to know, but after spending a while searching Google, nothing really seems to be developed for symfony 4 and data encryption.

Update Configuration for Symfony 4.3 and next

A tree builder without a root node is deprecated since Symfony 4.2 and will not be supported anymore in 5.0.

The "Symfony\Component\Config\Definition\Builder\TreeBuilder::root()" method called for the "ambta_doctrine_encrypt" configuration is deprecated since Symfony 4.3, pass the root name to the constructor instead.
.......vendor/michaeldegroot/doctrine-encrypt-bundle/Ambta/DoctrineEncryptBundle/DependencyInjection/Configuration.php:26

Is it possible to merge this pull?
#21

Create multiple keys

Is there a way to create multiple keys? The following allows us to generate a single key file (called .Halite.key):

ambta_doctrine_encrypt:
  encryptor_class: Halite
  secret_directory_path: '%kernel.project_dir%/data/keys'   # Path where to store the keyfiles

However, our project requires multiple keys, something like .key1.Halite.key, .key2.Halite.key, etc.

Is there a way to do this via the config file?

console commands not working

Hi
I wanted to try a decrypt/encrypt over the console but none of the commands exists under Symfony 4
Is that a normal behaviour?

Allow encryption keys as strings

When using Docker deployments we cannot save files/keys into the machine: is it possible to feed directly the key string into the bundle instead of using key files?

ambta_doctrine_encrypt:
    secret_key_path: '%encryption_key%'   # 32 byte hexadecimal string

Exception when encrypting JSON Field

Bundle-Version:

4.0

Description:

When I try to encrypt a json column, the following error occurs:

  [ErrorException]                                                 
  Warning: substr() expects parameter 1 to be string, array given 

The warning is similar to the #8 Bug. Is there a workaround or fix? Because of this error, the encryption process cannot be completed and the bundle doesn't work!

thanks

No Encryption on partial load with QueryBuilder

Hi,

I've built a DQL query where I want to select only a partial from my entity and this partial is not encrypted.

$query = $em->createQueryBuilder()
    ->from(Offer::class, 'o')
    ->select('PARTIAL o.{id}')
    ->leftJoin('o.assocEntity', 'ae')
    ->addSelect('PARTIAL ae.{id, encryptedField}')
    ->setMaxResults(1);

$result = $query->getQuery()->getArrayResult();

I'm getting the ids and the assoc entity with the fields but the encrypted field is not decrypted.

[0] => [
    ['id'] => 1
    ['assocEntity'] => [
        ['id'] => 100,
        ['encryptedField'] => "b1B2WTVtZzJZRkRsOGJBSHlXc21BcE5nb ....",
    ]
]

How can I fix this or could this be fixed in this bundle pls?

Prod/Dev/Test Environment configs

For local dev, it'd be nice to not have the entity properties encrypted. Right now I have all my attributes commented (using an # vs @) to note which fields I'm going to encrypt later when we're production ready.

Issue with doctrine:decrypt:database command

When I use the doctrine:decrypt:database command, I get the following error :
In DoctrineDecryptDatabaseCommand.php line 102: Cannot use object of type App\Entity\User as array

The bug fix is quite easy, I believe. You just have to modify line 102 in DoctrineDecryptDatabaseCommand.php:

Actual code :
$entity = $row[0];

Fixed code :
$entity = (is_array($row) ? $row[0] : $row);

Sorry I did not make a pull request, but I'm not sure how to do that...

Symfony 6 compatibility

I get the following error:
Compile Error: Declaration of Ambta\DoctrineEncryptBundle\AmbtaDoctrineEncryptBundle::getContainerExtension() must be compatible with Symfony\Component\HttpKernel\Bundle\Bundle::getContainerExtension(): ?Symfony\Component\DependencyInjection\Extension\ExtensionInterface

michaeldegroot/doctrine-encrypt-bundle 3.0.3, Symfony 6.0

V5.1.0 : problem in doctrine:decrypt:database command

Hello, I use the 5.1.0 version of your excellent bundle, it is very easy to use.

But I have found an error in doctrine:decrypt:database 'src/Command/DoctrineDecryptDatabaseCommand.php' on line 102: you can replace '$entity = $row[0];' by '$entity = $row;'. Otherwise the error 'Cannot use object of type App\Entity\Demande as array' appears when you decrypt fields.

Thank you for the correction

Invalid message authentication code

I get this error on decrypt using 5.1

The encryption happens on a different project using paragonie/halite 4.6 which matches the version that this bundle uses

I can echo out the value of $data on line 44 of vendor/michaeldegroot/doctrine-encrypt-bundle/src/Encryptors/HaliteEncryptor.php and it shows the decrypted value without a problem

Something happens after that which generates the error "Invalid message authentication code" In Crypto.php line 193

After further investigation, the error is triggered from this check - if ($config->MAC_ALGO === 'BLAKE2b')

Console command to decrypt without asking

Hi,

Thanks for this great bundle, I'm trying to launch the command without asking using the -n or -q parameter but nothing happened.

It is like the automatic response "n" to the question.

Does there exist any way to launch the encryption command automatically?

Thanks in advance
Best regards

ORM\Embedded attribute not working (formerly: attributes instead of annotations)

Annotations are being removed in favor of PHP 8 attributes.

Could we get an #[Encrypted] attribute, just like the current @Encrypted annotation?

This will likely result in the need of adjusting the subscriber as well, as it currently uses the Doctrine\Common\Annotations\Reader.

It is currently possible to combine Doctrine attributes and the Encrypted annotation. However, when using the #[ORM\Embeddable] attribute, the subscriber does not decrypt embeddables as it only scans for annotations: https://github.com/absolute-quantum/DoctrineEncryptBundle/blob/master/src/Subscribers/DoctrineEncryptSubscriber.php#L246.

Access to undeclared static property

When I tried to run ./app/console doctrine:decrypt:database I got this

In DoctrineDecryptDatabaseCommand.php line 43:
Access to undeclared static property: Ambta\DoctrineEncryptBundle\DependencyInjection\DoctrineEncryptExtension::$supportedEncryptorClasses 

Secure key in 2 part ?

Hi for security reasons (not have only one key to access data). If I understand well now, the system can be corrupt if you can have access to this key. If we have to in different localisation it will increase secure data,
it's possible to share the key and put into different server localisation. maybe access by restApi

// Config.yml
ambta_doctrine_encrypt:
    secret_directory_path-1:   # Default value
    secret_directory_path-2:   # Default value

maybe not possible ?

Thanks

@UniqueEntity

It might not be an issue, but it's something I'm struggling with.

I'm working on a project based on Symfony 4. I'm trying to make the @UniqueEntity work on an @Encrypted field, and I can't figure out how.

Without the @Encrypted annotation, the @UniqueEntity annotation prevents the duplication
With the @Encrypted annotation, the @UniqueEntity annotation allows the duplication
I feel like I'm missing something obvious here :)

/**
 * @ORM\Entity(repositoryClass="App\Repository\DemoRepository")
 * @ORM\HasLifecycleCallbacks()
 * @UniqueEntity(
 *      fields={"example"},
 *      ignoreNull=true,
 * )
 *
 */
class Demo implements LoggableEntityInterface
{
    /**
     * @ORM\Column(type="text", nullable=true)
     * @Encrypted
     */
    private $example;

Any idea ?

Maybe I'm not doing this right. But I want to encrypt stuff in my db and still avoid duplication. How else could I tackle this ?
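
An added example (not from the issue or the bundle): why an equality lookup against an encrypted column cannot find duplicates, and one common way to keep uniqueness, a keyed blind-index column stored beside the ciphertext. It assumes an encryptor that uses a fresh random nonce per value (libsodium's secretbox stands in for the bundle's encryptor here); the function names, the `DemoTable` class and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration; not DoctrineEncryptBundle code. Requires PHP 8 with ext-sodium.

/** Randomised authenticated encryption: fresh nonce per call (stand-in encryptor). */
function encryptField(string $plaintext, string $encKey): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $encKey));
}

function decryptField(string $stored, string $encKey): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $body  = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($body, $nonce, $encKey);
    if ($plain === false) {
        throw new RuntimeException('Authentication failed');
    }
    return $plain;
}

/** Deterministic keyed digest of the normalised value (ASCII case folding only). */
function blindIndex(string $plaintext, string $indexKey): string
{
    return hash_hmac('sha256', strtolower(trim($plaintext)), $indexKey);
}

/** Hypothetical table: rows keyed by blind index, mimicking a UNIQUE(bidx) constraint. */
final class DemoTable
{
    /** @var array<string, string> blind index => stored ciphertext */
    private array $rows = [];

    public function __construct(private string $encKey, private string $indexKey)
    {
    }

    /** Returns false when the value already exists; no row is decrypted to decide. */
    public function insert(string $example): bool
    {
        $bidx = blindIndex($example, $this->indexKey);
        if (isset($this->rows[$bidx])) {
            return false;
        }
        $this->rows[$bidx] = encryptField($example, $this->encKey);
        return true;
    }

    /** Exact-match lookup through the blind index, then decrypt the hit. */
    public function find(string $example): ?string
    {
        $bidx = blindIndex($example, $this->indexKey);
        return isset($this->rows[$bidx]) ? decryptField($this->rows[$bidx], $this->encKey) : null;
    }
}

// Constructed demo keys; real keys come from a secret store, and the index key
// must be different from the encryption key.
$encKey   = sodium_crypto_secretbox_keygen();
$indexKey = random_bytes(32);

// The same plaintext encrypted twice: comparing the stored column values cannot match.
var_dump(encryptField('alice@example.test', $encKey) === encryptField('alice@example.test', $encKey));

$table = new DemoTable($encKey, $indexKey);
var_dump($table->insert('alice@example.test'));   // first insert
var_dump($table->insert(' Alice@Example.test ')); // same value after normalisation
var_dump($table->find('alice@example.test'));     // lookup via the blind index
```

A blind index reveals which rows hold the same value and supports exact matches only, so it is a deliberate trade-off per field rather than a default.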

Deprecated: autowiring services based on the types

Symfony (3.4 in my case) is throwing deprecation warnings.

Autowiring services based on the types they implement is deprecated since Symfony 3.3 and won't be supported in version 4.0. You should rename (or alias) the "ambta_doctrine_encrypt.encryptor" service to "Ambta\DoctrineEncryptBundle\Encryptors\EncryptorInterface" instead.

[SF 5 / Command] Encrypt command is not working

The encrypt command is missing the persist call.

$this->subscriber->processFields($row[0]); .. this should be changed to:

$entity = $row[0];

$this->subscriber->processFields($entity);

$this->entityManager->persist($entity);

Package sensio/framework-extra-bundle is abandoned.

It is not possible to install the library if the abandoned sensio/framework-extra-bundle library is not installed.
DoctrineEncryptBundle should use Symfony if it is installed.

The service "ambta_doctrine_annotation_reader" has a dependency on a non-existent service "annotations.reader". Did you mean this: "translation.reader"?

[2024-01-05T16:31:32.291870+00:00] deprecation.INFO: User Deprecated: Since symfony/doctrine-bridge 6.3: Registering "Ambta\DoctrineEncryptBundle\Subscribers\DoctrineEncryptSubscriber" as a Doctrine subscriber is deprecated. Register it as a listener instead, using e.g. the #[AsDoctrineListener] or #[AsDocumentListener] attribute. {"exception":"[object] (ErrorException(code: 0): User Deprecated: Since symfony/doctrine-bridge 6.3: Registering \"Ambta\\DoctrineEncryptBundle\\Subscribers\\DoctrineEncryptSubscriber\" as a Doctrine subscriber is deprecated. Register it as a listener instead, using e.g. the #[AsDoctrineListener] or #[AsDocumentListener] attribute. at vendor/symfony/doctrine-bridge/ContainerAwareEventManager.php:211)"} {"tenant":1}

Entity always updated

Is there a reason why every encrypted property is updated all the time even if the value did not change? This causes a lot of traffic on my database server and sometimes causes deadlocks. Updating only the changed properties would fix this (I guess).

Thank you,

encryption keys per user

I would love to see a possibility to have one key per user, so each user can encrypt its own data.

The key should be some kind of based on the password of the logged in user, so only the users have the key to their data.

Some things to think about:

  • password forgotten -> access to data lost
  • additional encrypt with a backup/admin key (which the admin only has offline just to recover lost data)?
  • allow the user to set a key not based on the password
  • ?

Error when trying to encrypt a datetime

Warning: substr() expects parameter 1 to be string, object given
in vendor/michaeldegroot/doctrine-encrypt-bundle/Ambta/DoctrineEncryptBundle/Subscribers/DoctrineEncryptSubscriber.php (line 247)

On latest version 4.0

Fix symfony 5.4 deprecation messages

To safely upgrade to SF 6 these two deprecations need to be fixed:
Method "Symfony\Component\Console\Command\Command::execute()" might add "int" as a native return type declaration in the future. Do the same in child class "Ambta\DoctrineEncryptBundle\Command\DoctrineEncryptDatabaseCommand" now to avoid errors or add an explicit @return annotation to suppress this message.
Method "Symfony\Component\Console\Command\Command::execute()" might add "int" as a native return type declaration in the future. Do the same in child class "Ambta\DoctrineEncryptBundle\Command\DoctrineDecryptDatabaseCommand" now to avoid errors or add an explicit @return annotation to suppress this message.
Thank you for making these small fixes!
Already in pull request #41
Could this request be merged?

Upgrading to 5.1 from 5.0.3 huge performance decrease when using annotations

In 5.1 support for PHP attributes was added and the default doctrine annotations reader was replaced. This change slows down our systems by almost 100%, i.e. rendering a page takes almost twice as long.

If we replace in services.yaml the new annotation reader arguments ("@ambta_doctrine_annotation_reader") with the default one from doctrine "@annotation_reader" the system is fast again.

@flavou45 do you have any idea why this is? Could this be an annotation caching issue?

Deprecation issues with symfony 6.3

2023-08-04T20:49:38+02:00 [info] User Deprecated: Since symfony/doctrine-bridge 6.3: Registering "App\EventSubscriber\PurifyPrePersistSubscriber" as a Doctrine subscriber is deprecated. Register it as a listener instead, using e.g. the #[AsDoctrineListener] attribute.
2023-08-04T20:49:38+02:00 [info] User Deprecated: Since symfony/doctrine-bridge 6.3: Registering "Ambta\DoctrineEncryptBundle\Subscribers\DoctrineEncryptSubscriber" as a Doctrine subscriber is deprecated. Register it as a listener instead, using e.g. the #[AsDoctrineListener] attribute.

Method Doctrine\ORM\Event\LifecycleEventArgs::getEntity() is deprecated and will be removed in Doctrine ORM 3.0. Use getObject() instead. (LifecycleEventArgs.php:44 called by DoctrineEncryptSubscriber.php:148, doctrine/orm#9875, package doctrine/orm) in /var/www/html/vendor/doctrine/deprecations/lib/Doctrine/Deprecations/Deprecation.php on line 209

doctrine:encrypt:database fails - trying to decrypt

I'm trying to switch from Defuse to Halite. So I first used bin/sf doctrine:decrypt:database it went OK.
Switched config to Halite and run bin/sf doctrine:encrypt:database and it failed with Invalid message authentication code. I figured out it still tries to decrypt fields on postLoad event.

https://github.com/GiveMeAllYourCats/DoctrineEncryptBundle/blob/b24750061f838e7c9caab6d6effa6b301b709028/src/Subscribers/DoctrineEncryptSubscriber.php#L149

I was expecting it will not decrypt anything when encrypt cli command was called.

Impossible to install on PHP < 7.2

The "constructor not matching the interface bug" from 4.0.0 is preventing any installation on php < 7.2.

That bug was fixed in 4.0.1 but the older version of halite has been disabled in that release, effectively blocking any possible usage on php < 7.2.

Let's say we want to use Defuse, it is not possible because of the Halite requirement.

We are using php 7.1 with libsodium installed.

What's the state of this project?

@absolute-quantum Thank you for maintaining this project!

Looking at the issues and pull requests, there seems to be not much activity. So we would like to know what the state of this project is. We do want to use it (and contribute if required), but are uncertain about its future and like to avoid any technical debt.

If you don't have the time to maintain it, what do you think about moving this project to an organisation where more people could have a look on issues and pull requests?

@Zombaya brought the idea up in this PR (comment) and we think it might be a good one.

@absolute-quantum What do you think?

not decrypting when ->get

In a user entity, I have

/**
 * @ORM\Column(type="string", length=255, nullable=true)
 * @Encrypted
 * @var int
 */
private $privateKey;

When I set a value it gets encrypted, but when I get it, it doesn't get decrypted, and the command php bin/console doctrine:decrypt:database does nothing.

Using symfony 5.

Configuration in Symfony 5

Hello,

Can you please tell us what the configuration in Symfony 5 would be like, I am an inexperienced user. Thank you.

Encryption and search queries

Hello,

I'm using your bundle to encrypt last names in my database. When I want to retrieve some people based on a Doctrine query search like give me people with last names starting with "Che" there is no result.

Is there any way to make queries on encrypted fields ?

Support Symfony 7

When trying to install it in a Symfony 7 project, I received the following message:

Problem 1
- Root composer.json requires michaeldegroot/doctrine-encrypt-bundle ^5.1 -> satisfiable by michaeldegroot/doctrine-encrypt-bundle[v5.1.0].
- michaeldegroot/doctrine-encrypt-bundle v5.1.0 requires symfony/property-access ^4.1|^5.0|^6.0 -> found symfony/property-access[v4.1.0, ..., v4.4.44, v5.0.0, ..., v5.4.26, v6.0.0, ..., v6.4.0] but it conflicts with your root composer.json require (7.0.*).

Upgrading from v3.0.3 to v4.0.1

I'm trying to update the bundle to latest version, since I'm having weird issues (sometimes password decryption takes longer than 30 seconds and makes the server not respond, or right now using form_widget(form.smtpPassword) has weird behavior where it includes another twig file.....I have no idea why).

The problem is it says halite v4.5.1 requires php 7.2 and I'm using php 7.1...Is there a way to use php7.1 ?

I have tried v4.0.0 but, it has the constructor not matching the interface.

Not decrypting in class using UserInterface

I have a class User that implements UserInterface.

When I set a field, it gets encrypted, and php bin/console doctrine:encrypt:database works fine

But when I do a get it doesn't get decrypted and php bin/console doctrine:decrypt:database doesn't decrypt for that table.
On another entity it works fine, so I assume it has to do with the UserInterface

Allow for encryption / decryption based on roles or voter

One really useful feature would be to allow decryption on a per role / voter basis.
Also a user should be able to manipulate and alter an object even if he can't decrypt all the fields.
You can even go the extra mile and configure fields so that they may be:

  • written by certain roles, but read by others
  • getter should return a wrapper object like EncryptedValueWrapper instead of the raw encrypted value. This may throw an exception if the getter is type hinted, but this is a desired behaviour.

Right now it's all or nothing, the encryption / decryption is handled transparently. This has, in my opinion, really little value. If I wanted that a better option would be using encryption at rest on the database level.

Handling encryption at the framework level has the potential to be much more powerful.

Can you add support to Symfony 5?

Too few arguments to function Symfony\Component\Config\Definition\Builder\TreeBuilder::__construct(), 0 passed in /
vendor/michaeldegroot/doctrine-encrypt-bundle/Ambta/DoctrineEncryptBundle/DependencyInjection/Configuration.php on line 25 and at least 1 expected

I cannot install the latest version (4.0.3), because my symfony/yaml does not satisfy the 4.x constraint, currently it is at 5.x.
