magento
diff --git a/‎app/code/Magento/Config/Model/Data/ReEncryptorList/CoreConfigDataReEncryptor/Handler.php
Lines changed: 120 additions & 0 deletions b/‎app/code/Magento/Config/Model/Data/ReEncryptorList/CoreConfigDataReEncryptor/Handler.php
Lines changed: 120 additions & 0 deletions
diff --git a/‎app/code/Magento/Config/composer.json
Lines changed: 2 additions & 1 deletion b/‎app/code/Magento/Config/composer.json
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/code/Magento/Config/etc/di.xml
Lines changed: 13 additions & 0 deletions b/‎app/code/Magento/Config/etc/di.xml
Lines changed: 13 additions & 0 deletions
diff --git a/‎app/code/Magento/EncryptionKey/Console/Command/ListReEncryptorsCommand.php
Lines changed: 68 additions & 0 deletions b/‎app/code/Magento/EncryptionKey/Console/Command/ListReEncryptorsCommand.php
Lines changed: 68 additions & 0 deletions
diff --git a/‎app/code/Magento/EncryptionKey/Console/Command/ReEncryptDataCommand.php
Lines changed: 162 additions & 0 deletions b/‎app/code/Magento/EncryptionKey/Console/Command/ReEncryptDataCommand.php
Lines changed: 162 additions & 0 deletions
@@ -0,0 +1,120 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Config\Model\Data\ReEncryptorList\CoreConfigDataReEncryptor;
+
+use Magento\Framework\App\Config\Initial;
+use Magento\Framework\App\ResourceConnection;
+use Magento\Config\Model\Config\Backend\Encrypted;
+use Magento\Framework\Encryption\EncryptorInterface;
+use Magento\EncryptionKey\Model\Data\ReEncryptorList\ReEncryptor\HandlerInterface;
+use Magento\EncryptionKey\Model\Data\ReEncryptorList\ReEncryptor\Handler\ErrorFactory;
+
+/**
+ * Handler for core configuration re-encryption.
+ */
+class Handler implements HandlerInterface
+{
+    /**
+     * @var string
+     */
+    private const TABLE_NAME = "core_config_data";
+
+    /**
+     * @var string
+     */
+    private const BACKEND_MODEL = Encrypted::class;
+
+    /**
+     * @var Initial
+     */
+    private Initial $config;
+
+    /**
+     * @var EncryptorInterface
+     */
+    private EncryptorInterface $encryptor;
+
+    /**
+     * @var ResourceConnection
+     */
+    private ResourceConnection $resourceConnection;
+
+    /**
+     * @var ErrorFactory
+     */
+    private ErrorFactory $errorFactory;
+
+    /**
+     * @param Initial $config
+     * @param EncryptorInterface $encryptor
+     * @param ResourceConnection $resourceConnection
+     * @param ErrorFactory $errorFactory
+     */
+    public function __construct(
+        Initial $config,
+        EncryptorInterface $encryptor,
+        ResourceConnection $resourceConnection,
+        ErrorFactory $errorFactory
+    ) {
+        $this->config = $config;
+        $this->encryptor = $encryptor;
+        $this->resourceConnection = $resourceConnection;
+        $this->errorFactory = $errorFactory;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function reEncrypt(): array
+    {
+        $paths = [];
+        $errors = [];
+
+        foreach ($this->config->getMetadata() as $path => $processor) {
+            if (isset($processor['backendModel']) &&
+                $processor['backendModel'] === self::BACKEND_MODEL
+            ) {
+                $paths[] = $path;
+            }
+        }
+
+        if ($paths) {
+            $tableName = $this->resourceConnection->getTableName(
+                self::TABLE_NAME
+            );
+
+            $connection = $this->resourceConnection->getConnection();
+
+            $select = $connection->select()
+                ->from($tableName, ['config_id', 'value'])
+                ->where('path IN (?)', $paths)
+                ->where('value != ?', '')
+                ->where('value IS NOT NULL');
+
+            foreach ($connection->fetchPairs($select) as $configId => $value) {
+                try {
+                    $connection->update(
+                        $tableName,
+                        ['value' => $this->encryptor->encrypt($this->encryptor->decrypt($value))],
+                        ['config_id = ?' => (int) $configId]
+                    );
+                } catch (\Throwable $e) {
+                    $errors[] = $this->errorFactory->create(
+                        "config_id",
+                        $configId,
+                        $e->getMessage()
+                    );
+
+                    continue;
+                }
+            }
+        }
+
+        return $errors;
+    }
+}
@@ -13,7 +13,8 @@
         "magento/module-directory": "*",
         "magento/module-email": "*",
         "magento/module-media-storage": "*",
-        "magento/module-store": "*"
+        "magento/module-store": "*",
+        "magento/module-encryption-key": "*"
     },
     "type": "magento2-module",
     "license": [
 
@@ -409,4 +409,17 @@
             </argument>
         </arguments>
     </type>
+    <virtualType name="Magento\Config\Model\Data\ReEncryptorList\CoreConfigDataReEncryptor" type="Magento\EncryptionKey\Model\Data\ReEncryptorList\ReEncryptor">
+        <arguments>
+            <argument name="description" xsi:type="string">Re-encrypts 'value' column in the 'core_config_data' DB table.</argument>
+            <argument name="handler" xsi:type="object">Magento\Config\Model\Data\ReEncryptorList\CoreConfigDataReEncryptor\Handler</argument>
+        </arguments>
+    </virtualType>
+    <type name="Magento\EncryptionKey\Model\Data\ReEncryptorList">
+        <arguments>
+            <argument name="reEncryptors" xsi:type="array">
+                <item name="core_config_data" xsi:type="object">Magento\Config\Model\Data\ReEncryptorList\CoreConfigDataReEncryptor</item>
+            </argument>
+        </arguments>
+    </type>
 </config>
@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\EncryptionKey\Console\Command;
+
+use Magento\Framework\Console\Cli;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Magento\EncryptionKey\Model\Data\ReEncryptorList;
+
+/**
+ * Command for displaying a list of available data re-encryptors.
+ */
+class ListReEncryptorsCommand extends Command
+{
+    /**
+     * @var ReEncryptorList
+     */
+    private ReEncryptorList $reEncryptorList;
+
+    /**
+     * @param ReEncryptorList $reEncryptorList
+     */
+    public function __construct(
+        ReEncryptorList $reEncryptorList
+    ) {
+        $this->reEncryptorList = $reEncryptorList;
+
+        parent::__construct();
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function configure()
+    {
+        $this->setName('encryption:data:list-re-encryptors');
+
+        $this->setDescription(
+            'Shows a list of available data re-encryptors.'
+        );
+
+        parent::configure();
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function execute(InputInterface $input, OutputInterface $output)
+    {
+        foreach ($this->reEncryptorList->getReEncryptors() as $name => $reEncryptor) {
+            $output->writeln(
+                sprintf(
+                    '<fg=green>%-40s</> %s',
+                    $name,
+                    $reEncryptor->getDescription()
+                )
+            );
+        }
+
+        return Cli::RETURN_SUCCESS;
+    }
+}
@@ -0,0 +1,162 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\EncryptionKey\Console\Command;
+
+use DateInterval;
+use Magento\Framework\Console\Cli;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Magento\EncryptionKey\Model\Data\ReEncryptorList;
+
+/**
+ * Command for re-encryption of encrypted data using current encryption key.
+ */
+class ReEncryptDataCommand extends Command
+{
+    /**
+     * @var string
+     */
+    private const INPUT_KEY_ENCRYPTORS = 'encryptors';
+
+    /**
+     * @var ReEncryptorList
+     */
+    private ReEncryptorList $reEncryptorList;
+
+    /**
+     * @param ReEncryptorList $reEncryptorList
+     */
+    public function __construct(
+        ReEncryptorList $reEncryptorList
+    ) {
+        $this->reEncryptorList = $reEncryptorList;
+
+        parent::__construct();
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function configure()
+    {
+        $this->setName('encryption:data:re-encrypt');
+
+        $this->setDescription(
+            'Re-encrypts encrypted data using current encryption key.'
+        );
+
+        $this->addArgument(
+            self::INPUT_KEY_ENCRYPTORS,
+            InputArgument::IS_ARRAY,
+            'Space-separated list of re-encryptors to use.'
+        );
+
+        parent::configure();
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function execute(InputInterface $input, OutputInterface $output)
+    {
+        $requestedReEncryptorsNames = $input->getArgument(
+            self::INPUT_KEY_ENCRYPTORS
+        );
+
+        $availableReEncryptors = $this->reEncryptorList->getReEncryptors();
+
+        if (empty($requestedReEncryptorsNames)) {
+            $requestedReEncryptorsNames = array_keys($availableReEncryptors);
+        }
+
+        foreach ($requestedReEncryptorsNames as $name) {
+            if (!isset($availableReEncryptors[$name])) {
+                $output->writeLn(
+                    sprintf("<fg=red>Re-encryptor '%s' could not be found!</>", $name)
+                );
+
+                continue;
+            }
+
+            $reEncryptor = $availableReEncryptors[$name];
+
+            $output->writeLn(
+                sprintf("Executing '%s' re-encryptor...", $name)
+            );
+
+            try {
+                $startTime = new \DateTimeImmutable();
+
+                $errors = $reEncryptor->reEncrypt();
+
+                $endTime = new \DateTimeImmutable();
+
+                $elapsedTime = $this->formatInterval(
+                    $startTime->diff($endTime)
+                );
+            } catch (\Throwable $e) {
+                $output->writeLn("<fg=red>Failed due to the following error:</>");
+
+                $output->writeLn(
+                    sprintf("<fg=white;bg=red>%s</>", $e->getMessage())
+                );
+
+                continue;
+            }
+
+            if (empty($errors)) {
+                $output->writeLn(
+                    sprintf(
+                        "<fg=green>Done successfully in %s.</>",
+                        $elapsedTime
+                    )
+                );
+            } else {
+                $output->writeLn(
+                    sprintf(
+                        "<fg=yellow>Done in %s but with the following errors:</>",
+                        $elapsedTime
+                    )
+                );
+
+                foreach ($errors as $error) {
+                    $output->writeLn(
+                        sprintf(
+                            "<fg=black;bg=yellow>[%s %s]: %s</>",
+                            $error->getRowIdField(),
+                            $error->getRowIdValue(),
+                            $error->getMessage()
+                        )
+                    );
+                }
+            }
+        }
+
+        return Cli::RETURN_SUCCESS;
+    }
+
+    /**
+     * Formats a date interval.
+     *
+     * @param DateInterval $interval
+     *
+     * @return string
+     */
+    private function formatInterval(DateInterval $interval): string
+    {
+        $days = (int) $interval->format('%d');
+
+        $hours = $days * 24 + (int) $interval->format('%H');
+        $minutes = $interval->format('%I');
+        $seconds = $interval->format('%S');
+
+        return sprintf("%s:%s:%s", $hours, $minutes, $seconds);
+    }
+}