<?php
declare(strict_types=1);
/**
* This file is part of CodeIgniter 4 framework.
*
* (c) CodeIgniter Foundation <[email protected]>
*
* For the full copyright and license information, please view
* the LICENSE file that was distributed with this source code.
*/
namespace CodeIgniter\Encryption;
use CodeIgniter\Encryption\Exceptions\EncryptionException;
use SensitiveParameter;
/**
 * Key Rotation Decorator
 *
 * Decorates an EncrypterInterface implementation so that a failed
 * decryption is retried with a list of previous keys. Data written under
 * an older key stays readable without being re-encrypted first.
 *
 * Security note: every key in the previous-key list is still accepted for
 * decryption. Data stays readable only while its key remains listed, and
 * anything the wrapped handler accepts under a listed key is returned as
 * valid. To retire a key, re-encrypt what depends on it and then drop it
 * from the list. A key believed to be exposed should be dropped at once.
 */
class KeyRotationDecorator implements EncrypterInterface
{
    /**
     * @param EncrypterInterface $innerHandler The wrapped encryption handler
     * @param list<string>       $previousKeys Previous encryption keys, tried in list order
     */
    public function __construct(
        private readonly EncrypterInterface $innerHandler,
        private readonly array $previousKeys,
    ) {
    }

    /**
     * {@inheritDoc}
     *
     * Passed straight through to the wrapped handler; the previous keys
     * are never consulted when encrypting.
     */
    public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $params = null)
    {
        $handler = $this->innerHandler;

        return $handler->encrypt($data, $params);
    }

    /**
     * {@inheritDoc}
     *
     * The wrapped handler is called with the caller's $params first. The
     * previous keys are tried, in order, only when that call throws an
     * EncryptionException and the caller did not name a key (a string
     * $params, or an array $params with a 'key' entry).
     *
     * The fallback is silent: the caller cannot tell which key succeeded,
     * and failures of the individual fallback attempts are discarded.
     *
     * @throws EncryptionException The exception raised by the first attempt,
     *                             when no key was able to decrypt the data.
     */
    public function decrypt($data, #[SensitiveParameter] $params = null)
    {
        try {
            return $this->innerHandler->decrypt($data, $params);
        } catch (EncryptionException $firstFailure) {
            $paramsAreArray = is_array($params);
            $keyWasExplicit = is_string($params) || ($paramsAreArray && isset($params['key']));

            // An explicitly requested key must never be swapped silently
            // for another one, so the fallback applies only without it.
            // An empty list simply skips the loop.
            if (! $keyWasExplicit) {
                foreach ($this->previousKeys as $oldKey) {
                    // Keep the caller's other options and override only the key.
                    $fallbackParams = $paramsAreArray
                        ? array_merge($params, ['key' => $oldKey])
                        : $oldKey;

                    try {
                        return $this->innerHandler->decrypt($data, $fallbackParams);
                    } catch (EncryptionException) {
                        // This key did not fit; move on to the next one.
                    }
                }
            }

            // Report the failure of the first attempt, not of a fallback.
            throw $firstFailure;
        }
    }

    /**
     * Delegate property access to the inner handler.
     *
     * Whatever the wrapped handler's __get() exposes is reachable through
     * the decorator as well.
     * NOTE(review): confirm the wrapped handlers do not hand out key
     * material through __get().
     *
     * @return array|bool|int|string|null Null when the inner handler has no __get()
     */
    public function __get(string $key)
    {
        return method_exists($this->innerHandler, '__get')
            ? $this->innerHandler->__get($key)
            : null;
    }

    /**
     * Delegate property existence check to inner handler.
     *
     * Reports false when the inner handler defines no __isset().
     */
    public function __isset(string $key): bool
    {
        return method_exists($this->innerHandler, '__isset')
            ? $this->innerHandler->__isset($key)
            : false;
    }
}