data protection improvements (#645)

* XML support in data protection

* configure message protection when only property is annotated

* handle changing property names with custom converters

* cr changes
- move ext-simplexml into suggested as it is used in XML encryption
- forbid to use `#[Sensitive]` on both class and its properties
- cache classes with annotated properties

Author: unixslayer

composer.json

@@ -177,6 +177,9 @@
         "enqueue/dsn": "^0.10.27",
         "yoast/phpunit-polyfills": "^4.0.0"
     },
+    "suggest": {
+        "ext-simplexml": "Required if application/xml is used as serialization media type"
+    },
     "conflict": {
         "symfony/doctrine-messenger": ">7.0.5 < 7.1.0",
         "enqueue/dbal": "*"

packages/DataProtection/composer.json

@@ -48,6 +48,9 @@
         "phpstan/phpstan": "^2.1",
         "wikimedia/composer-merge-plugin": "^2.1"
     },
+    "suggest": {
+        "ext-simplexml": "Required if application/xml is used as serialization media type"
+    },
     "scripts": {
         "tests:phpstan": "vendor/bin/phpstan",
         "tests:phpunit": [

packages/DataProtection/src/Attribute/Sensitive.php

@@ -9,6 +9,9 @@
 use Attribute;
 
 #[Attribute(Attribute::TARGET_CLASS | Attribute::TARGET_PROPERTY)]
-class Sensitive
+readonly class Sensitive
 {
+    public function __construct(public string $sensitiveName = '')
+    {
+    }
 }

packages/DataProtection/src/Configuration/DataProtectionModule.php

@@ -15,6 +15,8 @@
 use Ecotone\DataProtection\Conversion\DataProtectionConversionServiceDecorator;
 use Ecotone\DataProtection\Conversion\JsonDecryptionConverter;
 use Ecotone\DataProtection\Conversion\JsonEncryptionConverter;
+use Ecotone\DataProtection\Conversion\XMLDecryptionConverter;
+use Ecotone\DataProtection\Conversion\XMLEncryptionConverter;
 use Ecotone\DataProtection\Conversion\XPhpDecryptionConverter;
 use Ecotone\DataProtection\Conversion\XPhpEncryptionConverter;
 use Ecotone\DataProtection\Encryption\Key;
@@ -24,6 +26,7 @@
 use Ecotone\Messaging\Config\Annotation\ModuleConfiguration\ExtensionObjectResolver;
 use Ecotone\Messaging\Config\Annotation\ModuleConfiguration\NoExternalConfigurationModule;
 use Ecotone\Messaging\Config\Configuration;
+use Ecotone\Messaging\Config\ConfigurationException;
 use Ecotone\Messaging\Config\Container\Definition;
 use Ecotone\Messaging\Config\Container\Reference;
 use Ecotone\Messaging\Config\ModulePackageList;
@@ -50,8 +53,11 @@ public function __construct(private array $dataProtectorConfigs)
 
     public static function create(AnnotationFinder $annotationRegistrationService, InterfaceToCallRegistry $interfaceToCallRegistry): static
     {
+        $dataProtectorConfigs = self::resolveProtectorConfigsFromAnnotatedClasses([], $annotationRegistrationService->findAnnotatedClasses(Sensitive::class), $interfaceToCallRegistry);
+        $dataProtectorConfigs = self::resolveProtectorConfigsFromAnnotatedClasses($dataProtectorConfigs, $annotationRegistrationService->findClassesWithAnnotatedProperties(Sensitive::class), $interfaceToCallRegistry);
+
         return new self(
-            dataProtectorConfigs: self::resolveProtectorConfigsFromAnnotatedClasses($annotationRegistrationService->findAnnotatedClasses(Sensitive::class), $interfaceToCallRegistry)
+            dataProtectorConfigs: $dataProtectorConfigs
         );
     }
 
@@ -103,7 +109,7 @@ public function prepare(Configuration $messagingConfiguration, array $extensionO
         }
 
         $converters = [];
-        $encryptionConverters = [JsonEncryptionConverter::class, JsonDecryptionConverter::class, XPhpEncryptionConverter::class, XPhpDecryptionConverter::class];
+        $encryptionConverters = [JsonEncryptionConverter::class, JsonDecryptionConverter::class, XPhpEncryptionConverter::class, XPhpDecryptionConverter::class, XMLEncryptionConverter::class, XMLDecryptionConverter::class];
         foreach ($this->dataProtectorConfigs as $protectorConfig) {
             foreach ($encryptionConverters as $converterClass) {
                 $converters[] = new Definition(
@@ -113,6 +119,7 @@ public function prepare(Configuration $messagingConfiguration, array $extensionO
                         Reference::to(sprintf(self::KEY_SERVICE_ID_FORMAT, $protectorConfig->encryptionKeyName($dataProtectionConfiguration))),
                         $protectorConfig->sensitiveProperties,
                         $protectorConfig->scalarProperties,
+                        $protectorConfig->sensitivePropertyNames,
                     ]
                 );
             }
@@ -152,29 +159,43 @@ public function getModulePackageName(): string
         return ModulePackageList::DATA_PROTECTION_PACKAGE;
     }
 
-    private static function resolveProtectorConfigsFromAnnotatedClasses(array $sensitiveMessages, InterfaceToCallRegistry $interfaceToCallRegistry): array
+    private static function resolveProtectorConfigsFromAnnotatedClasses(array $dataProtectorConfigs, array $sensitiveMessages, InterfaceToCallRegistry $interfaceToCallRegistry): array
     {
-        $dataEncryptorConfigs = [];
         foreach ($sensitiveMessages as $message) {
+            if (array_key_exists($message, $dataProtectorConfigs)) {
+                continue;
+            }
+
             $classDefinition = $interfaceToCallRegistry->getClassDefinitionFor($messageType = Type::create($message));
+            $isClassSensitive = $classDefinition->findSingleClassAnnotation(Type::create(Sensitive::class)) !== null;
             $encryptionKey = $classDefinition->findSingleClassAnnotation(Type::create(WithEncryptionKey::class))?->encryptionKey();
 
-            $sensitiveProperties = $classDefinition->getPropertiesWithAnnotation(Type::create(Sensitive::class));
-            if ($sensitiveProperties === []) {
-                $sensitiveProperties = $classDefinition->getProperties();
+            $propertiesToProtect = $classDefinition->getPropertiesWithAnnotation(Type::create(Sensitive::class));
+            if ($propertiesToProtect !== [] && $isClassSensitive) {
+                throw ConfigurationException::create('#[Sensitive] attribute can be used only on class level, not on property level.');
             }
 
-            $scalarProperties = array_values(array_filter($sensitiveProperties, static fn (ClassPropertyDefinition $property): bool => $property->getType()->isScalar()));
+            if ($propertiesToProtect === []) {
+                $propertiesToProtect = $classDefinition->getProperties();
+            }
+
+            $scalarProperties = array_values(array_filter($propertiesToProtect, static fn (ClassPropertyDefinition $property): bool => $property->getType()->isScalar()));
+
+            $nameMapper = static fn (ClassPropertyDefinition $property): string => $property->getName();
+            $sensitiveNameMapper = static function (ClassPropertyDefinition $property): string {
+                $name = $property->findAnnotation(Type::create(Sensitive::class))?->sensitiveName ?? '';
 
-            $mapper = static fn (ClassPropertyDefinition $property): string => $property->getName();
+                return $name ?: $property->getName();
+            };
 
-            $sensitiveProperties = array_map($mapper, $sensitiveProperties);
-            $scalarProperties = array_map($mapper, $scalarProperties);
+            $sensitiveProperties = array_map($nameMapper, $propertiesToProtect);
+            $scalarProperties = array_map($nameMapper, $scalarProperties);
+            $sensitivePropertyNames = array_combine($sensitiveProperties, array_map($sensitiveNameMapper, $propertiesToProtect));
 
-            $dataEncryptorConfigs[$message] = new DataProtectorConfig(supportedType: $messageType, encryptionKey: $encryptionKey, sensitiveProperties: $sensitiveProperties, scalarProperties: $scalarProperties);
+            $dataProtectorConfigs[$message] = new DataProtectorConfig(supportedType: $messageType, encryptionKey: $encryptionKey, sensitiveProperties: $sensitiveProperties, scalarProperties: $scalarProperties, sensitivePropertyNames: $sensitivePropertyNames);
         }
 
-        return $dataEncryptorConfigs;
+        return $dataProtectorConfigs;
     }
 
     private function verifyLicense(Configuration $messagingConfiguration): void

packages/DataProtection/src/Configuration/DataProtectorConfig.php

@@ -19,9 +19,11 @@ public function __construct(
         public ?string $encryptionKey,
         public array $sensitiveProperties,
         public array $scalarProperties,
+        public array $sensitivePropertyNames,
     ) {
         Assert::allStrings($this->sensitiveProperties, 'Sensitive Properties should be array of strings');
         Assert::allStrings($this->scalarProperties, 'Scalar Properties should be array of strings');
+        Assert::allStrings($this->sensitivePropertyNames, 'Sensitive Properties custom names should be array of strings');
     }
 
     public function encryptionKeyName(DataProtectionConfiguration $dataProtectionConfiguration): string

packages/DataProtection/src/Conversion/AbstractDataProtectionConverter.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Ecotone\DataProtection\Conversion;
+
+use Ecotone\DataProtection\Encryption\Key;
+use Ecotone\Messaging\Conversion\Converter;
+use Ecotone\Messaging\Handler\Type;
+
+/**
+ * licence Enterprise
+ */
+abstract class AbstractDataProtectionConverter implements Converter
+{
+    public function __construct(
+        protected Type $supportedType,
+        protected Key $encryptionKey,
+        protected array $sensitiveProperties,
+        protected array $scalarProperties,
+        protected array $sensitivePropertyNames,
+    ) {
+    }
+}

packages/DataProtection/src/Conversion/AbstractDecryptionConverter.php

@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Ecotone\DataProtection\Conversion;
+
+use Ecotone\DataProtection\Encryption\Crypto;
+
+/**
+ * licence Enterprise
+ */
+abstract class AbstractDecryptionConverter extends AbstractDataProtectionConverter
+{
+    protected function decrypt(array $data): array
+    {
+        foreach ($this->sensitiveProperties as $property) {
+            $propertyKey = $this->sensitivePropertyNames[$property] ?? $property;
+            if (! array_key_exists($propertyKey, $data)) {
+                continue;
+            }
+
+            $data[$propertyKey] = Crypto::decrypt($data[$propertyKey], $this->encryptionKey);
+
+            if (! in_array($propertyKey, $this->scalarProperties, true)) {
+                $data[$propertyKey] = json_decode($data[$propertyKey], true);
+            }
+        }
+
+        return $data;
+    }
+}

packages/DataProtection/src/Conversion/AbstractEncryptionConverter.php

@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Ecotone\DataProtection\Conversion;
+
+use Ecotone\DataProtection\Encryption\Crypto;
+
+/**
+ * licence Enterprise
+ */
+abstract class AbstractEncryptionConverter extends AbstractDataProtectionConverter
+{
+    protected function encrypt(array $data): array
+    {
+        foreach ($this->sensitiveProperties as $property) {
+            $propertyKey = $this->sensitivePropertyNames[$property] ?? $property;
+            if (! array_key_exists($propertyKey, $data)) {
+                continue;
+            }
+
+            if (! in_array($propertyKey, $this->scalarProperties, true)) {
+                $data[$propertyKey] = json_encode($data[$propertyKey]);
+            }
+
+            $data[$propertyKey] = Crypto::encrypt($data[$propertyKey], $this->encryptionKey);
+        }
+
+        return $data;
+    }
+}

packages/DataProtection/src/Conversion/DataProtectionConversionServiceDecorator.php

@@ -27,13 +27,13 @@ public function decorate(ConversionService $conversionService): void
     public function convert($source, Type $sourcePHPType, MediaType $sourceMediaType, Type $targetPHPType, MediaType $targetMediaType)
     {
         if ($this->dataProtectionConversionService->canConvert($sourcePHPType, $encryptedSourceMediaType = $sourceMediaType->addParameter('encrypted', 'true'), $targetPHPType, $targetMediaType)) {
-            $source = $this->dataProtectionConversionService->convert($source, $sourcePHPType, $encryptedSourceMediaType, $targetPHPType, $targetMediaType);
+            $source = $this->dataProtectionConversionService->convert($source, $sourcePHPType, $encryptedSourceMediaType, $targetPHPType, $targetMediaType, $this->innerConversionService);
         }
 
-        $source = $this->innerConversionService->convert($source, $sourcePHPType, $sourceMediaType, $targetPHPType, $targetMediaType);
+        $source = $this->innerConversionService->convert($source, $sourcePHPType, $sourceMediaType, $targetPHPType, $targetMediaType, $this->innerConversionService);
 
         if ($this->dataProtectionConversionService->canConvert($sourcePHPType, $sourceMediaType, $targetPHPType, $encryptedTargetMediaType = $targetMediaType->addParameter('encrypted', 'true'))) {
-            $source = $this->dataProtectionConversionService->convert($source, $sourcePHPType, $sourceMediaType, $targetPHPType, $encryptedTargetMediaType);
+            $source = $this->dataProtectionConversionService->convert($source, $sourcePHPType, $sourceMediaType, $targetPHPType, $encryptedTargetMediaType, $this->innerConversionService);
         }
 
         return $source;

packages/DataProtection/src/Conversion/JsonDecryptionConverter.php

@@ -13,31 +13,12 @@
 /**
  * licence Enterprise
  */
-readonly class JsonDecryptionConverter implements Converter
+class JsonDecryptionConverter extends AbstractDecryptionConverter
 {
-    public function __construct(
-        private Type $supportedType,
-        private Key $encryptionKey,
-        private array $sensitiveProperties,
-        private array $scalarProperties,
-    ) {
-    }
-
     public function convert($source, Type $sourceType, MediaType $sourceMediaType, Type $targetType, MediaType $targetMediaType)
     {
         $data = json_decode($source, true);
-
-        foreach ($this->sensitiveProperties as $property) {
-            if (! array_key_exists($property, $data)) {
-                continue;
-            }
-
-            $data[$property] = Crypto::decrypt($data[$property], $this->encryptionKey);
-
-            if (! in_array($property, $this->scalarProperties, true)) {
-                $data[$property] = json_decode($data[$property], true);
-            }
-        }
+        $data = $this->decrypt($data);
 
         return json_encode($data);
     }