dbu/DoctrineEncryptListener.php

## README.md

      
    Raw
  

              README.md
            
          
    An alternate approach to https://github.com/michaeldegroot/DoctrineEncryptBundle
The bundle is more elegant and "feels" more Doctrine, as you simply add an annotation to the entities.
However, because the property that is tracked by Doctrine is modified by the decryption, Doctrine sees changes when there are none: absolute-quantum/DoctrineEncryptBundle#25
Rather than digging deeper into the Doctrine internals, with the potential of side effects, this approach is very explicit and Doctrine does not really need to know about encryption/decryption at all.

  
## DoctrineEncryptListener.php
<?php

namespace App\EventListener;

use App\Doctrine\Encryption\EncryptingEntityInterface;
use App\Doctrine\Encryption\EncryptorInterface;
use Doctrine\Common\EventSubscriber;
use Doctrine\ORM\Event\LifecycleEventArgs;
use Doctrine\ORM\Event\PreFlushEventArgs;
use Doctrine\ORM\Events;

/**
 * Doctrine event subscriber to encrypt/decrypt entity properties.
 *
 * Inspired from https://github.com/michaeldegroot/DoctrineEncryptBundle
 *
 * Instead of using an annotation, we programmatically encrypted/decrypted field relations.
 */
class DoctrineEncryptListener implements EventSubscriber
{
    /**
     * @var EncryptorInterface
     */
    private $encryptor;

    public function __construct(EncryptorInterface $encryptor)
    {
        $this->encryptor = $encryptor;
    }

    public function getSubscribedEvents(): array
    {
        return [
            Events::postLoad,
            Events::preFlush,
        ];
    }

    /**
     * After loading an entity, populate the decrypted properties by decrypting the encrypted tracked property.
     *
     * Track the entity so that we also update fields in preFlush.
     */
    public function postLoad(LifecycleEventArgs $args): void
    {
        $entity = $args->getEntity();
        if (!$entity instanceof EncryptingEntityInterface) {
            return;
        }

        $entity->decrypt($this->encryptor);
    }

    /**
     * Encrypt properties of entities that are newly inserted into the database or that have previously been loaded from the database.
     */
    public function preFlush(PreFlushEventArgs $preFlushEventArgs): void
    {
        // encrypt entities that we are about to insert
        $unitOfWork = $preFlushEventArgs->getEntityManager()->getUnitOfWork();
        foreach ($unitOfWork->getScheduledEntityInsertions() as $entity) {
            if ($entity instanceof EncryptingEntityInterface) {
                $entity->encrypt($this->encryptor);
            }
        }
    }
}

## EncryptingEntityInterface.php
<?php

namespace App\Doctrine\Encryption;

/**
 * Interface for entities that encrypt/decrypt some of their properties.
 *
 * Recommended implementation:
 *   - field: Decrypted, exposed with getter/setter, NOT mapped to Doctrine.
 *   - encryptedField: Encrypted, not exposed, mapped to Doctrine.
 *
 * Optionally, use `decryptedField` to copy the value of the field on decryption, to decide
 * during encryption whether encryptedField needs to be updated, as the encryption can be resource intensive.
 */
interface EncryptingEntityInterface
{
    public function encrypt(EncryptorInterface $encryptor): void;

    public function decrypt(EncryptorInterface $encryptor): void;
}

## SampleEntity.php
<?php

namespace App\Entity;

use App\Doctrine\Encryption\EncryptingEntityInterface;
use App\Doctrine\Encryption\EncryptorInterface; // https://github.com/michaeldegroot/DoctrineEncryptBundle/blob/master/Encryptors/EncryptorInterface.php
use Doctrine\ORM\Mapping as ORM;

class SampleEntity implements EncryptingEntityInterface
{
    /**
     * The IBAN of this entity.
     *
     * @var string
     */
    private $bankAccountNumber;

    /**
     * The decrypted IBAN value when the entity has been loaded from the database, to know if the IBAN changed.
     *
     * @var string
     */
    private $decryptedBankAccountNumber;

    /**
     * Encrypted field for $bankAccountNumber
     *
     * @var string
     *
     * @ORM\Column(type="string", name="bank_account_number")
     */
    private $encryptedBankAccountNumber;


    public function encrypt(EncryptorInterface $encryptor): void
    {
        if ($this->decryptedBankAccountNumber !== $this->bankAccountNumber) {
            $this->decryptedBankAccountNumber = $this->bankAccountNumber;
            $this->encryptedBankAccountNumber = $encryptor->encrypt($this->decryptedBankAccountNumber);
        }

        // continue if you have more encrypted fields
    }

    public function decrypt(EncryptorInterface $encryptor): void
    {
        $this->bankAccountNumber = $this->decryptedBankAccountNumber = $encryptor->decrypt($this->encryptedBankAccountNumber);

        // continue if you have more encrypted fields
    }
}
	<?php

	namespace App\EventListener;

	use App\Doctrine\Encryption\EncryptingEntityInterface;
	use App\Doctrine\Encryption\EncryptorInterface;
	use Doctrine\Common\EventSubscriber;
	use Doctrine\ORM\Event\LifecycleEventArgs;
	use Doctrine\ORM\Event\PreFlushEventArgs;
	use Doctrine\ORM\Events;

	/**
	* Doctrine event subscriber to encrypt/decrypt entity properties.
	*
	* Inspired from https://github.com/michaeldegroot/DoctrineEncryptBundle
	*
	* Instead of using an annotation, we programmatically encrypted/decrypted field relations.
	*/
	class DoctrineEncryptListener implements EventSubscriber
	{
	/**
	* @var EncryptorInterface
	*/
	private $encryptor;

	public function __construct(EncryptorInterface $encryptor)
	{
	$this->encryptor = $encryptor;
	}

	public function getSubscribedEvents(): array
	{
	return [
	Events::postLoad,
	Events::preFlush,
	];
	}

	/**
	* After loading an entity, populate the decrypted properties by decrypting the encrypted tracked property.
	*
	* Track the entity so that we also update fields in preFlush.
	*/
	public function postLoad(LifecycleEventArgs $args): void
	{
	$entity = $args->getEntity();
	if (!$entity instanceof EncryptingEntityInterface) {
	return;
	}

	$entity->decrypt($this->encryptor);
	}

	/**
	* Encrypt properties of entities that are newly inserted into the database or that have previously been loaded from the database.
	*/
	public function preFlush(PreFlushEventArgs $preFlushEventArgs): void
	{
	// encrypt entities that we are about to insert
	$unitOfWork = $preFlushEventArgs->getEntityManager()->getUnitOfWork();
	foreach ($unitOfWork->getScheduledEntityInsertions() as $entity) {
	if ($entity instanceof EncryptingEntityInterface) {
	$entity->encrypt($this->encryptor);
	}
	}
	}
	}
	<?php

	namespace App\Doctrine\Encryption;

	/**
	* Interface for entities that encrypt/decrypt some of their properties.
	*
	* Recommended implementation:
	* - field: Decrypted, exposed with getter/setter, NOT mapped to Doctrine.
	* - encryptedField: Encrypted, not exposed, mapped to Doctrine.
	*
	* Optionally, use `decryptedField` to copy the value of the field on decryption, to decide
	* during encryption whether encryptedField needs to be updated, as the encryption can be resource intensive.
	*/
	interface EncryptingEntityInterface
	{
	public function encrypt(EncryptorInterface $encryptor): void;

	public function decrypt(EncryptorInterface $encryptor): void;
	}
	<?php

	namespace App\Entity;

	use App\Doctrine\Encryption\EncryptingEntityInterface;
	use App\Doctrine\Encryption\EncryptorInterface; // https://github.com/michaeldegroot/DoctrineEncryptBundle/blob/master/Encryptors/EncryptorInterface.php
	use Doctrine\ORM\Mapping as ORM;

	class SampleEntity implements EncryptingEntityInterface
	{
	/**
	* The IBAN of this entity.
	*
	* @var string
	*/
	private $bankAccountNumber;

	/**
	* The decrypted IBAN value when the entity has been loaded from the database, to know if the IBAN changed.
	*
	* @var string
	*/
	private $decryptedBankAccountNumber;

	/**
	* Encrypted field for $bankAccountNumber
	*
	* @var string
	*
	* @ORM\Column(type="string", name="bank_account_number")
	*/
	private $encryptedBankAccountNumber;


	public function encrypt(EncryptorInterface $encryptor): void
	{
	if ($this->decryptedBankAccountNumber !== $this->bankAccountNumber) {
	$this->decryptedBankAccountNumber = $this->bankAccountNumber;
	$this->encryptedBankAccountNumber = $encryptor->encrypt($this->decryptedBankAccountNumber);
	}

	// continue if you have more encrypted fields
	}

	public function decrypt(EncryptorInterface $encryptor): void
	{
	$this->bankAccountNumber = $this->decryptedBankAccountNumber = $encryptor->decrypt($this->encryptedBankAccountNumber);

	// continue if you have more encrypted fields
	}
	}