Migrate moved to spark command

Test created for new spark command

Author: tswagger

phpunit.xml.dist

@@ -93,7 +93,10 @@
 		<!-- https://getcomposer.org/xdebug -->
 		<env name="COMPOSER_DISABLE_XDEBUG_WARN" value="1"/>
 
-		<!-- Database configuration -->
+        <!-- Default HMAC encryption key -->
+        <env name="authtoken.hmacEncryptionKey" value="hex2bin:178ed94fd0b6d57dd31dd6b22fc601fab8ad191efac165a5f3f30a8ac09d813d"/>
+
+        <!-- Database configuration -->
 		<env name="database.tests.strictOn" value="true"/>
 		<!-- Uncomment to use alternate testing database configuration
 		<env name="database.tests.hostname" value="localhost"/>

src/Commands/Hmac.php

@@ -0,0 +1,133 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CodeIgniter\Shield\Commands;
+
+use CodeIgniter\Shield\Authentication\HMAC\HmacEncrypter;
+use CodeIgniter\Shield\Commands\Exceptions\BadInputException;
+use CodeIgniter\Shield\Models\UserIdentityModel;
+use ReflectionException;
+
+class Hmac extends BaseCommand
+{
+    /**
+     * The Command's name
+     *
+     * @var string
+     */
+    protected $name = 'shield:hmac';
+
+    /**
+     * the Command's short description
+     *
+     * @var string
+     */
+    protected $description = 'Encrypt/Decrypt secretKey for HMAC tokens. The encryption should only be run on existing raw secret keys (extremely rare).';
+
+    /**
+     * the Command's usage
+     *
+     * @var string
+     */
+    protected $usage = <<<'EOL'
+        shield:hmac <action>
+            shield:hmac encrypt
+            shield:hmac decrypt
+        EOL;
+
+    /**
+     * the Command's Arguments
+     *
+     * @var array
+     */
+    protected $arguments = [
+        'action' => <<<'EOL'
+                encrypt: Encrypt all raw HMAC Secret Keys
+                decrypt: Decrypt all encrypted HMAC Secret Keys
+            EOL,
+    ];
+
+    /**
+     * HMAC Encrypter Object
+     */
+    private HmacEncrypter $encrypter;
+
+    /**
+     * the Command's Options
+     *
+     * @var array
+     */
+    protected $options = [];
+
+    /**
+     * Run Encryption Methods
+     */
+    public function run(array $params): int
+    {
+        $action = $params[0] ?? null;
+
+        $this->encrypter = new HmacEncrypter();
+
+        try {
+            switch ($action) {
+                case 'encrypt':
+                    $this->encrypt();
+                    break;
+
+                case 'decrypt':
+                    $this->decrypt();
+                    break;
+
+                default:
+                    throw new BadInputException('Unrecognized Command');
+            }
+        } catch (BadInputException|ReflectionException $e) {
+            $this->write($e->getMessage(), 'red');
+
+            return EXIT_ERROR;
+        }
+
+        return EXIT_SUCCESS;
+    }
+
+    /**
+     * Encrypt all Raw HMAC Secret Keys
+     *
+     * @throws ReflectionException
+     */
+    public function encrypt(): void
+    {
+        $uIdModel  = new UserIdentityModel();
+        $encrypter = $this->encrypter;
+
+        $uIdModel->where('type', 'hmac_sha256')->chunk(
+            100,
+            static function ($identity) use ($uIdModel, $encrypter): void {
+                $identity->secret2 = $encrypter->encrypt($identity->secret2);
+
+                $uIdModel->save($identity);
+            }
+        );
+    }
+
+    /**
+     * Decrypt all encrypted HMAC Secret Keys
+     *
+     * @throws ReflectionException
+     */
+    public function decrypt(): void
+    {
+        $uIdModel  = new UserIdentityModel();
+        $encrypter = $this->encrypter;
+
+        $uIdModel->where('type', 'hmac_sha256')->chunk(
+            100,
+            static function ($identity) use ($uIdModel, $encrypter): void {
+                $identity->secret2 = $encrypter->decrypt($identity->secret2);
+
+                $uIdModel->save($identity);
+            }
+        );
+    }
+}

src/Database/Migrations/2023-10-30-222755_EncryptHmacKeys.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Commands;
+
+use CodeIgniter\Shield\Authentication\HMAC\HmacEncrypter;
+use CodeIgniter\Shield\Entities\User;
+use CodeIgniter\Shield\Models\UserIdentityModel;
+use CodeIgniter\Shield\Models\UserModel;
+use Tests\Support\DatabaseTestCase;
+
+/**
+ * @internal
+ */
+final class HmacTest extends DatabaseTestCase
+{
+    public function testEncrypt(): void
+    {
+        $idModel = new UserIdentityModel();
+
+        /** @var User $user */
+        $user  = fake(UserModel::class);
+        $token = $user->generateHmacToken('foo');
+
+        $rawSecretKey   = $token->rawSecretKey;
+        $token->secret2 = $rawSecretKey;
+
+        $idModel->save($token);
+        $tokenCheck = $idModel->find($token->id);
+
+        $this->assertSame($rawSecretKey, $tokenCheck->secret2);
+
+        $this->assertNotFalse(command('shield:hmac encrypt'));
+
+        $tokenCheck = $idModel->find($token->id);
+
+        $encrypter    = new HmacEncrypter();
+        $decryptedKey = $encrypter->decrypt($tokenCheck->secret2);
+
+        $this->assertSame($rawSecretKey, $decryptedKey);
+    }
+
+    public function testDecrypt(): void
+    {
+        $idModel = new UserIdentityModel();
+
+        /** @var User $user */
+        $user  = fake(UserModel::class);
+        $token = $user->generateHmacToken('foo');
+
+        $rawSecretKey = $token->rawSecretKey;
+
+        $this->assertNotFalse(command('shield:hmac decrypt'));
+
+        $token->secret2 = $rawSecretKey;
+
+        $idModel->save($token);
+        $tokenCheck = $idModel->find($token->id);
+
+        $this->assertSame($rawSecretKey, $tokenCheck->secret2);
+    }
+}

tests/Commands/HmacTest.php

@@ -25,8 +25,6 @@ abstract class TestCase extends CIUnitTestCase
 {
     protected function setUp(): void
     {
-        $_ENV['authtoken.hmacEncryptionKey'] = 'hex2bin:178ed94fd0b6d57dd31dd6b22fc601fab8ad191efac165a5f3f30a8ac09d813d';
-
         $this->resetServices();
 
         parent::setUp();