Skip to content
Snippets Groups Projects
Commit 89c8aa5d authored by Dimitris Bozelos's avatar Dimitris Bozelos
Browse files

Issue #3488822 Added service method for validating the copied key

parent e89c5861
No related branches found
No related tags found
No related merge requests found
......@@ -9,3 +9,10 @@ services:
arguments:
- '@entity_type.manager'
- '@encryption'
- '@logger.channel.lockr_to_kms'
logger.channel.lockr_to_kms:
class: Drupal\Core\Logger\LoggerChannel
factory: logger.factory:get
arguments:
- 'lockr_to_kms'
......@@ -13,6 +13,8 @@ use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Config\Entity\ConfigEntityStorageInterface;
use Drupal\Component\Utility\Random;
use Psr\Log\LoggerInterface;
/**
* Service that copies the key from Lockr to the KMS secret.
*/
......@@ -35,10 +37,13 @@ class KeyCopier {
* The entity type manager.
* @param \Drupal\encrypt\EncryptServiceInterface $encryptService
* The encryption service.
* @param \Psr\Log\LoggerInterface $logger
* The logger channel for this module.
*/
public function __construct(
protected EntityTypeManagerInterface $entityTypeManager,
protected EncryptServiceInterface $encryptService,
protected LoggerInterface $logger,
) {
}
......@@ -77,6 +82,67 @@ class KeyCopier {
);
}
/**
* Validates data encryption with the given source/target encryption profiles.
*
* For our use case the source profile would be the Lockr profile, and the
* target profile would be the KMS data encryption profile. This method should
* be run after copying a key from Lockr to the KMS data secret, and it
* validates that test data encrypted with the Lockr profile can be decrypted
* with the KMS data profile.
*
* @param string $source_profile_id
* The ID of the source encryption profile.
* @param string $target_profile_id
* The ID of the target data encryption profile.
*
* @throws \InvalidArgumentException
* When no encryption profile was found with any of the given IDs.
*/
public function test(
string $source_profile_id,
string $target_profile_id,
): void {
$data = (new Random())->string(rand(12, 144));
$encrypted_data = $this->encryptService->encrypt(
$data,
$this->loadProfile($source_profile_id),
);
$success = TRUE;
try {
$decrypted_data = $this->encryptService->decrypt(
$encrypted_data,
$this->loadProfile($target_profile_id),
);
}
catch (EncryptException | CanNotDecryptException $exception) {
$success = FALSE;
}
if ($decrypted_data !== $data) {
$success = FALSE;
}
match($success) {
TRUE => $this->logger->notice(
'Data encrypted with the "@source_profile_id" profile can be successfully decrypted by the "@target_profile_id" profile.',
[
'@source_profile_id' => $source_profile_id,
'@target_profile_id' => $target_profile_id,
],
),
FALSE => $this->logger->error(
'Data encrypted with the "@source_profile_id" profile cannot be decrypted by the "@target_profile_id" profile.',
[
'@source_profile_id' => $source_profile_id,
'@target_profile_id' => $target_profile_id,
],
),
};
}
/**
* Loads the encryption profile with the given ID.
*
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment