rewrite cryptography

phpstan-baseline.neon

@@ -1,22 +1,22 @@
 parameters:
 	ignoreErrors:
 		-
-			message: '#^Parameter \#1 \$key of class Patchlevel\\Hydrator\\Cryptography\\Cipher\\CipherKey constructor expects non\-empty\-string, string given\.$#'
-			identifier: argument.type
+			message: '#^Method Patchlevel\\Hydrator\\Cryptography\\Cipher\\OpensslCipher\:\:encrypt\(\) should return non\-empty\-string but returns string\.$#'
+			identifier: return.type
 			count: 1
-			path: src/Cryptography/Cipher/OpensslCipherKeyFactory.php
+			path: src/Cryptography/Cipher/OpensslCipher.php
 
 		-
-			message: '#^Parameter \#3 \$iv of class Patchlevel\\Hydrator\\Cryptography\\Cipher\\CipherKey constructor expects non\-empty\-string, string given\.$#'
+			message: '#^Parameter \#1 \$key of class Patchlevel\\Hydrator\\Cryptography\\Cipher\\CipherKey constructor expects non\-empty\-string, string given\.$#'
 			identifier: argument.type
 			count: 1
 			path: src/Cryptography/Cipher/OpensslCipherKeyFactory.php
 
 		-
-			message: '#^Parameter \#2 \$data of method Patchlevel\\Hydrator\\Cryptography\\Cipher\\Cipher\:\:decrypt\(\) expects string, mixed given\.$#'
+			message: '#^Parameter \#3 \$iv of class Patchlevel\\Hydrator\\Cryptography\\Cipher\\CipherKey constructor expects non\-empty\-string, string given\.$#'
 			identifier: argument.type
 			count: 1
-			path: src/Cryptography/SensitiveDataPayloadCryptographer.php
+			path: src/Cryptography/Cipher/OpensslCipherKeyFactory.php
 
 		-
 			message: '#^Method Patchlevel\\Hydrator\\Guesser\\BuiltInGuesser\:\:guess\(\) has parameter \$type with generic class Symfony\\Component\\TypeInfo\\Type\\ObjectType but does not specify its types\: T$#'
@@ -120,12 +120,6 @@ parameters:
 			count: 2
 			path: tests/Unit/Normalizer/ArrayNormalizerTest.php
 
-		-
-			message: '#^Parameter \#1 \$normalizer of class Patchlevel\\Hydrator\\Normalizer\\ArrayNormalizer constructor expects Patchlevel\\Hydrator\\Normalizer\\Normalizer, PHPUnit\\Framework\\MockObject\\MockObject given\.$#'
-			identifier: argument.type
-			count: 1
-			path: tests/Unit/Normalizer/ArrayNormalizerTest.php
-
 		-
 			message: '#^Cannot cast mixed to int\.$#'
 			identifier: cast.int
@@ -137,9 +131,3 @@ parameters:
 			identifier: cast.string
 			count: 2
 			path: tests/Unit/Normalizer/ArrayShapeNormalizerTest.php
-
-		-
-			message: '#^Parameter \#1 \$normalizerMap of class Patchlevel\\Hydrator\\Normalizer\\ArrayShapeNormalizer constructor expects array\<Patchlevel\\Hydrator\\Normalizer\\Normalizer\>, array\<string, PHPUnit\\Framework\\MockObject\\MockObject\> given\.$#'
-			identifier: argument.type
-			count: 1
-			path: tests/Unit/Normalizer/ArrayShapeNormalizerTest.php

phpstan.neon.dist

@@ -15,3 +15,7 @@ services:
 		class: Patchlevel\Hydrator\Tests\Architecture\FinalClassesTest
 		tags:
 			- phpat.test
+	-
+		class: Patchlevel\Hydrator\Tests\Architecture\ExceptionImplementsHydratorExceptionTest
+		tags:
+			- phpat.test

src/Attribute/SensitiveData.php

@@ -10,7 +10,7 @@
 #[Attribute(Attribute::TARGET_PROPERTY)]
 final class SensitiveData
 {
-    /** @var (callable(string, mixed):mixed)|null */
+    /** @var (callable(string):mixed)|null */
     public readonly mixed $fallbackCallable;
 
     public function __construct(

src/Cryptography/BaseCryptographer.php

@@ -0,0 +1,95 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Cryptography;
+
+use Patchlevel\Hydrator\Cryptography\Cipher\Cipher;
+use Patchlevel\Hydrator\Cryptography\Cipher\CipherKey;
+use Patchlevel\Hydrator\Cryptography\Cipher\CipherKeyFactory;
+use Patchlevel\Hydrator\Cryptography\Cipher\DecryptionFailed;
+use Patchlevel\Hydrator\Cryptography\Cipher\EncryptionFailed;
+use Patchlevel\Hydrator\Cryptography\Cipher\OpensslCipher;
+use Patchlevel\Hydrator\Cryptography\Cipher\OpensslCipherKeyFactory;
+use Patchlevel\Hydrator\Cryptography\Store\CipherKeyNotExists;
+use Patchlevel\Hydrator\Cryptography\Store\CipherKeyStore;
+
+use function array_key_exists;
+use function is_array;
+
+/**
+ * @phpstan-type EncryptedDataV1 array{
+ *     __enc: 'v1',
+ *     data: non-empty-string,
+ *     method?: non-empty-string,
+ *     iv?: non-empty-string,
+ * }
+ */
+final class BaseCryptographer implements Cryptographer
+{
+    public function __construct(
+        private readonly Cipher $cipher,
+        private readonly CipherKeyStore $cipherKeyStore,
+        private readonly CipherKeyFactory $cipherKeyFactory,
+    ) {
+    }
+
+    /**
+     * @return EncryptedDataV1
+     *
+     * @throws EncryptionFailed
+     */
+    public function encrypt(string $subjectId, mixed $value): array
+    {
+        try {
+            $cipherKey = $this->cipherKeyStore->get($subjectId);
+        } catch (CipherKeyNotExists) {
+            $cipherKey = ($this->cipherKeyFactory)();
+            $this->cipherKeyStore->store($subjectId, $cipherKey);
+        }
+
+        return [
+            '__enc' => 'v1',
+            'data' => $this->cipher->encrypt($cipherKey, $value),
+            'method' => $cipherKey->method,
+            'iv' => $cipherKey->iv,
+        ];
+    }
+
+    /**
+     * @param EncryptedDataV1 $encryptedData
+     *
+     * @throws CipherKeyNotExists
+     * @throws DecryptionFailed
+     */
+    public function decrypt(string $subjectId, mixed $encryptedData): mixed
+    {
+        $cipherKey = $this->cipherKeyStore->get($subjectId);
+
+        return $this->cipher->decrypt(
+            new CipherKey(
+                $cipherKey->key,
+                $encryptedData['method'] ?? $cipherKey->method,
+                $encryptedData['iv'] ?? $cipherKey->iv,
+            ),
+            $encryptedData['data'],
+        );
+    }
+
+    public function supports(mixed $value): bool
+    {
+        return is_array($value) && array_key_exists('__enc', $value) && $value['__enc'] === 'v1';
+    }
+
+    /** @param non-empty-string $method */
+    public static function createWithOpenssl(
+        CipherKeyStore $cryptoStore,
+        string $method = OpensslCipherKeyFactory::DEFAULT_METHOD,
+    ): static {
+        return new self(
+            new OpensslCipher(),
+            $cryptoStore,
+            new OpensslCipherKeyFactory($method),
+        );
+    }
+}

src/Cryptography/Cipher/Cipher.php

@@ -6,7 +6,11 @@
 
 interface Cipher
 {
-    /** @throws EncryptionFailed */
+    /**
+     * @return non-empty-string
+     *
+     * @throws EncryptionFailed
+     */
     public function encrypt(CipherKey $key, mixed $data): string;
 
     /** @throws DecryptionFailed */

src/Cryptography/Cipher/CreateCipherKeyFailed.php

@@ -4,9 +4,10 @@
 
 namespace Patchlevel\Hydrator\Cryptography\Cipher;
 
+use Patchlevel\Hydrator\HydratorException;
 use RuntimeException;
 
-final class CreateCipherKeyFailed extends RuntimeException
+final class CreateCipherKeyFailed extends RuntimeException implements HydratorException
 {
     public function __construct()
     {

src/Cryptography/Cipher/DecryptionFailed.php

@@ -4,9 +4,10 @@
 
 namespace Patchlevel\Hydrator\Cryptography\Cipher;
 
+use Patchlevel\Hydrator\HydratorException;
 use RuntimeException;
 
-final class DecryptionFailed extends RuntimeException
+final class DecryptionFailed extends RuntimeException implements HydratorException
 {
     public function __construct()
     {

src/Cryptography/Cipher/EncryptionFailed.php

@@ -4,9 +4,10 @@
 
 namespace Patchlevel\Hydrator\Cryptography\Cipher;
 
+use Patchlevel\Hydrator\HydratorException;
 use RuntimeException;
 
-final class EncryptionFailed extends RuntimeException
+final class EncryptionFailed extends RuntimeException implements HydratorException
 {
     public function __construct()
     {

src/Cryptography/Cipher/MethodNotSupported.php

@@ -4,11 +4,12 @@
 
 namespace Patchlevel\Hydrator\Cryptography\Cipher;
 
+use Patchlevel\Hydrator\HydratorException;
 use RuntimeException;
 
 use function sprintf;
 
-final class MethodNotSupported extends RuntimeException
+final class MethodNotSupported extends RuntimeException implements HydratorException
 {
     public function __construct(string $method)
     {

src/Cryptography/Cipher/OpensslCipher.php

@@ -17,6 +17,7 @@
 
 final class OpensslCipher implements Cipher
 {
+    /** @return non-empty-string */
     public function encrypt(CipherKey $key, mixed $data): string
     {
         $encryptedData = @openssl_encrypt(
@@ -62,6 +63,6 @@
 
     private function dataDecode(string $data): mixed
     {
         return json_decode($data, true, 512, JSON_THROW_ON_ERROR);
     }
 }

src/Cryptography/Cryptographer.php

@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Patchlevel\Hydrator\Cryptography;
+
+use Patchlevel\Hydrator\Cryptography\Cipher\DecryptionFailed;
+use Patchlevel\Hydrator\Cryptography\Cipher\EncryptionFailed;
+use Patchlevel\Hydrator\Cryptography\Store\CipherKeyNotExists;
+
+interface Cryptographer
+{
+    /** @throws EncryptionFailed */
+    public function encrypt(string $subjectId, mixed $value): mixed;
+
+    /**
+     * @throws CipherKeyNotExists
+     * @throws DecryptionFailed
+     */
+    public function decrypt(string $subjectId, mixed $encryptedData): mixed;
+
+    public function supports(mixed $value): bool;
+}

src/Cryptography/CryptographyExtension.php

@@ -10,7 +10,7 @@
 final class CryptographyExtension implements Extension
 {
     public function __construct(
-        private readonly PayloadCryptographer $cryptography,
+        private readonly Cryptographer $cryptography,
     ) {
     }