laravel-security-model's People

Contributors

erichao22, koshuang

laravel-security-model's Issues

can not execute built-in command

Problem Statement

After integrating this package into another project, we found that all the commands provided by this package cannot be executed.

Requirements

  1. should make sure all commands in this package can be executed properly

support model blind index

Problem Statement

Currently, after a developer integrates this package on an Eloquent model, they are no longer able to search by the value of an encrypted field. However, it might be a common use case that developers need to search certain fields even if they have been encrypted.

Requirements

  1. should make the encrypted field searchable
  2. should provide methods on query builder to search encrypted field
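
A blind index is one common way to meet this requirement: a keyed hash of the plaintext is stored in its own column and queried by equality. The sketch below is an added example, not code from the package; the function names, the `users.email` column and the `email_bidx` field are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration; names are hypothetical, not the package's query-builder API.

/** Derive one index key per column so equal values in different columns do not correlate. */
function index_key_for(string $rootKey, string $column): string
{
    return hash_hmac('sha256', 'blind-index:' . $column, $rootKey, true);
}

/** Deterministic keyed hash of the normalized plaintext, truncated to $bytes. */
function blind_index(string $value, string $columnKey, int $bytes = 16): string
{
    $normalized = mb_strtolower(trim($value), 'UTF-8');
    $mac = hash_hmac('sha256', $normalized, $columnKey, true);
    return bin2hex(substr($mac, 0, $bytes));
}

// Constructed sample data. The root key must differ from the encryption key.
$rootKey = random_bytes(32);
$emailKey = index_key_for($rootKey, 'users.email');

// On write: store the index in its own column next to the ciphertext.
$rows = [];
foreach ([1 => 'Alice@Example.com', 2 => 'bob@example.com'] as $id => $email) {
    $rows[] = ['id' => $id, 'email_bidx' => blind_index($email, $emailKey)];
}

// On read: hash the search term the same way and compare for equality,
// which in SQL becomes: WHERE email_bidx = ?
$needle = blind_index('  alice@example.com ', $emailKey);
$hits = array_filter($rows, fn (array $r): bool => hash_equals($r['email_bidx'], $needle));

echo 'matching ids: ', implode(',', array_column($hits, 'id')), PHP_EOL;
```

This supports exact-match lookups only, and equal plaintexts produce equal index values, so low-entropy fields reveal value frequency to anyone who can read the index column.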

support redaction cache

Problem Statement

Currently, when a developer tries to access a redacted attribute on a model (e.g. $model->email_redacted), the model uses the redactor to redact the original value in real time. However, there might be a chance that the redactor has complicated logic or relies on a third-party service to do the redaction. Thus, we might need to provide a cache feature to lower the load of redaction.

Requirements

  1. provide cache feature for redacted attribute on model

redactor support model attribute

Problem Statement

Currently, when we use a redactor to redact a model attribute, we can only use the field value to do the redaction. However, sometimes we might need some additional information from the model instance for the redaction logic.

Requirements

  1. should pass model instance into redactor

support data redaction

Problem Statement

For security purposes, we should treat PII data carefully to avoid malicious users accessing it. Therefore, we need a way to redact those attributes we think are critical before showing them on the UI or responding to the server.

Requirements

  1. Support defining redactable attributes on a model
  2. Support accessing a redacted attribute via a model
  3. Provide built-in redactor classes

Basic redaction rules

  • 10-digit phone numbers, with or without special characters such as dashes or spaces: keep 1st 3 and last 2 numbers.
  • Credit card number patterns: keep 1st 4 and last 2 numbers.
  • 5-digit zip codes: keep 1st and last digits.
  • Names: keep 1st initial of 1st and last names if the word length is less than 5. Keep 1st initial and last of the word if it’s longer or equal to 5.
    • John → J***
    • Shelly → S****y
  • Email Address: keep 1st initial of the email username if the username length is less than 5. Keep 1st initial and last of the username if it’s longer or equal to 5.
  • Address: Look for format (xxx main st / city, state names, etc.) and redact all.
  • Etc.
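
The digit and word rules above, written out as an added example (not the package's built-in redactor classes). All function names are hypothetical, and two behaviours are assumptions the issue does not define: the email domain is left readable, and a value with too few digits for the rule is masked entirely.

```php
<?php
declare(strict_types=1);

// Added illustration; function names are hypothetical, not the package's redactors.

/** Keep the first $head and last $tail digits, mask the rest, leave separators alone. */
function mask_digits(string $value, int $head, int $tail): string
{
    $total = (int) preg_match_all('/\d/', $value);
    if ($total <= $head + $tail) {
        // Assumption: too few digits to apply the rule, so hide them all.
        return preg_replace('/\d/', '*', $value);
    }
    $seen = 0;
    return preg_replace_callback('/\d/', function (array $m) use (&$seen, $total, $head, $tail): string {
        $seen++;
        return ($seen <= $head || $seen > $total - $tail) ? $m[0] : '*';
    }, $value);
}

/** Under 5 characters keep the first; 5 or more keep the first and the last. */
function mask_word(string $word): string
{
    $len = mb_strlen($word);
    if ($len === 0) {
        return '';
    }
    $first = mb_substr($word, 0, 1);
    return $len < 5
        ? $first . str_repeat('*', $len - 1)
        : $first . str_repeat('*', $len - 2) . mb_substr($word, -1);
}

function redact_phone(string $v): string { return mask_digits($v, 3, 2); }
function redact_card(string $v): string  { return mask_digits($v, 4, 2); }
function redact_zip(string $v): string   { return mask_digits($v, 1, 1); }
function redact_name(string $v): string
{
    return preg_replace_callback('/\p{L}+/u', fn (array $m): string => mask_word($m[0]), $v);
}
function redact_email(string $v): string
{
    $at = strrpos($v, '@'); // Assumption: the domain stays readable.
    return $at === false ? mask_word($v) : mask_word(substr($v, 0, $at)) . substr($v, $at);
}

// Constructed sample values.
foreach ([redact_phone('415-555-0132'), redact_card('4111 1111 1111 1111'), redact_zip('94107'),
          redact_name('John Shelly'), redact_email('shelly@example.com')] as $out) {
    echo $out, PHP_EOL;
}
```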

support conditional encryption

Problem Statement

Currently, when developers use the Securable trait on the model, every model is encrypted no matter what situation occurs. Therefore, we might provide a flexible way to let developers decide whether a model should be encrypted.

Requirements

  1. provide a method on the trait that can be overwritten by the developer to decide if a model should be encrypted

support local key provider

Problem Statement

Currently we only provide an AWS KMS key provider. It is not convenient for developers to integrate in a local development environment and might generate extra cost. Therefore, we hope to provide a key provider powered by a local master key to encrypt/decrypt the data key.

Requirements

  1. Provide a new key provider using local master key to encrypt/decrypt data key
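
A sketch of the envelope pattern this issue asks for, as an added example rather than the package's implementation. The class name, method names and the AES-256-GCM wrapping format (IV, tag, ciphertext, base64-encoded) are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration; hypothetical class, not the package's key provider interface.
final class LocalKeyProvider
{
    public function __construct(private string $masterKey)
    {
        if (strlen($masterKey) !== 32) {
            throw new InvalidArgumentException('master key must be 32 bytes');
        }
    }

    /** Returns [plaintext data key, wrapped data key]; persist only the wrapped one. */
    public function generateDataKey(): array
    {
        $dataKey = random_bytes(32);
        return [$dataKey, $this->wrap($dataKey)];
    }

    public function wrap(string $dataKey): string
    {
        $iv = random_bytes(12); // fresh nonce for every wrap
        $ct = openssl_encrypt($dataKey, 'aes-256-gcm', $this->masterKey, OPENSSL_RAW_DATA, $iv, $tag);
        return base64_encode($iv . $tag . $ct);
    }

    public function unwrap(string $wrapped): string
    {
        $raw = base64_decode($wrapped, true);
        if ($raw === false || strlen($raw) <= 28) {
            throw new RuntimeException('malformed wrapped key');
        }
        $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $this->masterKey,
            OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
        if ($plain === false) {
            // Wrong master key or tampered blob: fail instead of returning garbage.
            throw new RuntimeException('wrapped key failed authentication');
        }
        return $plain;
    }
}

// Constructed sample: a real master key would come from the environment or a secret store.
$provider = new LocalKeyProvider(random_bytes(32));
[$dataKey, $wrapped] = $provider->generateDataKey();
var_dump(hash_equals($dataKey, $provider->unwrap($wrapped)));
```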
