added app:rotate:app-secret command

Author: lukasbecvar

.env.dev

@@ -1,4 +1,4 @@
-APP_SECRET=0ec3c0e9ae0961bb9e1d7ae47f458f3f
+APP_SECRET=6514635062ba34f218535f9f106fd20b
 
 # allow access only with https protocol
 SSL_ONLY=false
@@ -7,7 +7,7 @@ SSL_ONLY=false
 MAINTENANCE_MODE=false
 
 # enable paste content encryption
-ENCRYPTION_MODE=false
+ENCRYPTION_MODE=true
 
 # admin contact email
 CONTACT_EMAIL=lukas@becvar.xyz

.env.test

@@ -7,7 +7,7 @@ SSL_ONLY=false
 MAINTENANCE_MODE=false
 
 # enable paste content encryption
-ENCRYPTION_MODE=false
+ENCRYPTION_MODE=true
 
 # admin contact email
 CONTACT_EMAIL=lukas@becvar.xyz

src/Command/RotateAppSecretCommand.php

@@ -0,0 +1,68 @@
+<?php
+
+namespace App\Command;
+
+use Exception;
+use App\Util\AppUtil;
+use App\Manager\PasteManager;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+/**
+ * Class RotateAppSecretCommand
+ *
+ * Command to rotate APP_SECRET key value in environment configuration
+ *
+ * @package App\Command
+ */
+#[AsCommand(name: 'app:rotate:app-secret', description: 'Rotate the APP_SECRET key value in environment configuration')]
+class RotateAppSecretCommand extends Command
+{
+    private AppUtil $appUtil;
+    private PasteManager $pasteManager;
+
+    public function __construct(AppUtil $appUtil, PasteManager $pasteManager)
+    {
+        $this->appUtil = $appUtil;
+        $this->pasteManager = $pasteManager;
+        parent::__construct();
+    }
+
+    /**
+     * Execute rotate APP_SECRET command
+     *
+     * @param InputInterface $input The input interface
+     * @param OutputInterface $output The output interface
+     *
+     * @return int The command exit code
+     */
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        try {
+            // get old APP_SECRET key
+            $oldSecret = $this->appUtil->getEnvValue('APP_SECRET');
+
+            // generate new APP_SECRET key
+            $newSecret = $this->appUtil->generateKey(16);
+
+            // re-encrypt all pastes
+            $this->pasteManager->reEncryptPastes($oldSecret, $newSecret);
+
+            // update value in environment configuration
+            $this->appUtil->updateEnvValue('APP_SECRET', $newSecret);
+
+            // success output
+            $io->success('APP_SECRET has been rotated successfully!');
+            $io->note('Remember: Sessions, remember-me tokens, and encrypted data may become invalid.');
+            return Command::SUCCESS;
+        } catch (Exception $e) {
+            $io->error('Error during rotation: ' . $e->getMessage());
+            return Command::FAILURE;
+        }
+    }
+}

src/Manager/PasteManager.php

@@ -232,4 +232,50 @@ public function getTotalViews(): int
     {
         return $this->pasteRepository->getTotalViews();
     }
+
+    /**
+     * Re-encrypt all pastes
+     *
+     * @param string $oldKey The old encryption key
+     * @param string $newKey The new encryption key
+     *
+     * @return void
+     */
+    public function reEncryptPastes(string $oldKey, string $newKey): void
+    {
+        // check if encryption mode is disabled
+        if (!$this->appUtil->isEncryptionMode()) {
+            return;
+        }
+
+        // get all pastes
+        $pastes = $this->pasteRepository->findAll();
+
+        // re-encrypt pastes
+        foreach ($pastes as $paste) {
+            // get old encrypted content
+            $content = $paste->getContent();
+            if ($content == null) {
+                continue;
+            }
+
+            // decrypt paste content to get original content
+            $content = $this->securityUtil->decryptAes(encryptedData: $content, key: $oldKey);
+            if ($content == null) {
+                $this->errorManager->handleError(
+                    msg: 'error decrypting paste content',
+                    code: Response::HTTP_INTERNAL_SERVER_ERROR
+                );
+            }
+
+            // re-encrypt paste content
+            $paste->setContent($this->securityUtil->encryptAes(plainText: $content, key: $newKey));
+
+            // persist paste to database
+            $this->entityManager->persist($paste);
+        }
+
+        // flush changes to database
+        $this->entityManager->flush();
+    }
 }

src/Util/AppUtil.php

@@ -3,6 +3,7 @@
 namespace App\Util;
 
 use Exception;
+use InvalidArgumentException;
 use Symfony\Component\Yaml\Yaml;
 use Symfony\Component\HttpKernel\KernelInterface;
 
@@ -22,6 +23,23 @@ public function __construct(KernelInterface $kernelInterface)
         $this->kernelInterface = $kernelInterface;
     }
 
+    /**
+     * Generate random key
+     *
+     * @param int $length The key length
+     *
+     * @return string The generated key
+     */
+    public function generateKey(int $length = 16): string
+    {
+        // check if length is valid
+        if ($length < 1) {
+            throw new InvalidArgumentException('Length must be greater than 0.');
+        }
+
+        return bin2hex(random_bytes($length));
+    }
+
     /**
      * Get environment variable value
      *

src/Util/SecurityUtil.php

@@ -40,12 +40,16 @@ public function unescapeString(string $string): string
      *
      * @param string $plainText The plain text to encrypt
      * @param string $method The encryption method (default: AES-128-CBC)
+     * @param string|null $key The encryption key (default: APP_SECRET)
      *
      * @return string The base64-encoded encrypted string
      */
-    public function encryptAes(string $plainText, string $method = 'AES-128-CBC'): string
+    public function encryptAes(string $plainText, string $method = 'AES-128-CBC', ?string $key = null): string
     {
-        $key = $_ENV['APP_SECRET'];
+        // get default encryption key
+        if ($key == null) {
+            $key = $_ENV['APP_SECRET'];
+        }
 
         // derive a fixed-size key using PBKDF2 with SHA-256
         $derivedKey = hash_pbkdf2("sha256", $key, "", 10000, 32);
@@ -67,12 +71,16 @@ public function encryptAes(string $plainText, string $method = 'AES-128-CBC'): s
      *
      * @param string $encryptedData The base64-encoded encrypted string
      * @param string $method The encryption method (default: AES-128-CBC)
+     * @param string|null $key The encryption key (default: APP_SECRET)
      *
      * @return string|null The decrypted string or null on error
      */
-    public function decryptAes(string $encryptedData, string $method = 'AES-128-CBC'): ?string
+    public function decryptAes(string $encryptedData, string $method = 'AES-128-CBC', ?string $key = null): ?string
     {
-        $key = $_ENV['APP_SECRET'];
+        // get default encryption key
+        if ($key == null) {
+            $key = $_ENV['APP_SECRET'];
+        }
 
         // derive a fixed-size key using PBKDF2 with SHA-256
         $derivedKey = hash_pbkdf2("sha256", $key, "", 10000, 32);

tests/Command/RotateAppSecretCommandTest.php

@@ -0,0 +1,83 @@
+<?php
+
+namespace App\Tests\Command;
+
+use Exception;
+use App\Util\AppUtil;
+use App\Manager\PasteManager;
+use PHPUnit\Framework\TestCase;
+use App\Command\RotateAppSecretCommand;
+use PHPUnit\Framework\MockObject\MockObject;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * Class RotateAppSecretCommandTest
+ *
+ * Test cases for execute secret key rotation command
+ *
+ * @package App\Tests\Command
+ */
+class RotateAppSecretCommandTest extends TestCase
+{
+    private CommandTester $commandTester;
+    private AppUtil & MockObject $appUtil;
+    private RotateAppSecretCommand $command;
+    private PasteManager & MockObject $pasteManager;
+
+    protected function setUp(): void
+    {
+        // mock dependencies
+        $this->appUtil = $this->createMock(AppUtil::class);
+        $this->pasteManager = $this->createMock(PasteManager::class);
+
+        // initialize command instance
+        $this->command = new RotateAppSecretCommand($this->appUtil, $this->pasteManager);
+        $this->commandTester = new CommandTester($this->command);
+    }
+
+    /**
+     * Test execute command successfully
+     *
+     * @return void
+     */
+    public function testExecuteSuccess(): void
+    {
+        // mock generateKey
+        $this->appUtil->expects($this->once())->method('generateKey')->with(16)->willReturn('new-secret-value');
+
+        // mock updateEnvValue
+        $this->appUtil->expects($this->once())->method('updateEnvValue')->with('APP_SECRET', 'new-secret-value');
+
+        // execute command
+        $exitCode = $this->commandTester->execute([]);
+
+        // get command output
+        $output = $this->commandTester->getDisplay();
+
+        // assert output
+        $this->assertStringContainsString('APP_SECRET has been rotated successfully', $output);
+        $this->assertEquals(Command::SUCCESS, $exitCode);
+    }
+
+    /**
+     * Test execute command with exception
+     *
+     * @return void
+     */
+    public function testExecuteThrowsException(): void
+    {
+        // mock generateKey to throw exception
+        $this->appUtil->method('generateKey')->willThrowException(new Exception('Something went wrong'));
+
+        // execute command
+        $exitCode = $this->commandTester->execute([]);
+
+        // get command output
+        $output = $this->commandTester->getDisplay();
+
+        // assert output
+        $this->assertStringContainsString('Error during rotation: Something went wrong', $output);
+        $this->assertEquals(Command::FAILURE, $exitCode);
+    }
+}

tests/Manager/PasteManagerTest.php

@@ -152,4 +152,34 @@ public function testGetTotalViews(): void
         // assert result
         $this->assertSame(10, $result);
     }
+
+    /**
+     * Test re-encrypt pastes
+     *
+     * @return void
+     */
+    public function testReEncryptPastes(): void
+    {
+        $oldKey = 'old-key';
+        $newKey = 'new-key';
+
+        // simulate encryption mode
+        $this->appUtilMock->method('isEncryptionMode')->willReturn(true);
+
+        // mock paste repository
+        $pasteMock = $this->createMock(Paste::class);
+        $pasteMock->method('getContent')->willReturn('encrypted-content');
+        $this->pasteRepositoryMock->method('findAll')->willReturn([$pasteMock]);
+
+        // mock encryption methods to return expected values
+        $this->securityUtilMock->method('decryptAes')->willReturn('decrypted-content');
+        $this->securityUtilMock->method('encryptAes')->willReturn('re-encrypted-content');
+
+        // expect entity manager to call persist and flush
+        $this->entityManagerMock->expects($this->once())->method('persist')->with($pasteMock);
+        $this->entityManagerMock->expects($this->once())->method('flush');
+
+        // call tested method
+        $this->pasteManager->reEncryptPastes($oldKey, $newKey);
+    }
 }

tests/Util/AppUtilTest.php

@@ -3,6 +3,7 @@
 namespace App\Tests\Util;
 
 use App\Util\AppUtil;
+use InvalidArgumentException;
 use PHPUnit\Framework\TestCase;
 use PHPUnit\Framework\MockObject\MockObject;
 use Symfony\Component\HttpKernel\KernelInterface;
@@ -28,6 +29,35 @@ protected function setUp(): void
         $this->appUtil = new AppUtil($this->kernelInterface);
     }
 
+    /**
+     * Test generate key with invalid length
+     *
+     * @return void
+     */
+    public function testGenerateKeyWithInvalidLength(): void
+    {
+        // expect exception
+        $this->expectException(InvalidArgumentException::class);
+
+        // call tested method
+        $this->appUtil->generateKey(0);
+    }
+
+    /**
+     * Test generate key with valid length
+     *
+     * @return void
+     */
+    public function testGenerateKeyWithValidLength(): void
+    {
+        // call tested method
+        $result = $this->appUtil->generateKey(16);
+
+        // assert result
+        $this->assertIsString($result);
+        $this->assertEquals(32, strlen($result));
+    }
+
     /**
      * Test get environment variable
      *