Add CLI Command for Updating CC Number Encryption

Updates the encryption of any values in `sales_order_payment.cc_number_enc`
with a cipher version below the latest. The command executes in batches of 1000

Author: pmclain

app/code/Magento/EncryptionKey/Setup/Patch/Data/SodiumChachaPatch.php

@@ -83,10 +83,15 @@ private function reEncryptSystemConfigurationValues()
 
         $this->scope->setCurrentScope(\Magento\Framework\App\Area::AREA_ADMINHTML);
 
-        $paths = $this->structure->getFieldPathsByAttribute(
-            'backend_model',
-            \Magento\Config\Model\Config\Backend\Encrypted::class
-        );
+        try {
+            $paths = $this->structure->getFieldPathsByAttribute(
+                'backend_model',
+                \Magento\Config\Model\Config\Backend\Encrypted::class
+            );
+        } catch (\Exception $e) {
+            // This is thrown during initial application installation
+            return;
+        }
 
         $this->scope->setCurrentScope($currentScope);
 

app/code/Magento/Sales/Console/Command/EncryptionPaymentDataUpdateCommand.php

@@ -0,0 +1,66 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Sales\Console\Command;
+
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Command\Command;
+use Magento\Framework\Console\Cli;
+
+/**
+ * Command for updating encrypted credit card data to the latest cipher
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
+class EncryptionPaymentDataUpdateCommand extends Command
+{
+    /** Command name */
+    const NAME = 'encryption:payment-data:update';
+
+    /**
+     * @var \Magento\Sales\Model\ResourceModel\Order\Payment\EncryptionUpdate
+     */
+    private $paymentResource;
+
+    /**
+     * @param \Magento\Sales\Model\ResourceModel\Order\Payment\EncryptionUpdate $paymentResource
+     */
+    public function __construct(
+        \Magento\Sales\Model\ResourceModel\Order\Payment\EncryptionUpdate $paymentResource
+    ) {
+        $this->paymentResource = $paymentResource;
+        parent::__construct();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function configure()
+    {
+        $this->setName(self::NAME)
+            ->setDescription(
+                'Re-encrypts encrypted credit card data with latest encryption cipher.'
+            );
+        parent::configure();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function execute(InputInterface $input, OutputInterface $output)
+    {
+        try {
+            $this->paymentResource->reEncryptCreditCardNumbers();
+        } catch (\Exception $e) {
+            $output->writeln('<error>' . $e->getMessage() . '</error>');
+            return Cli::RETURN_FAILURE;
+        }
+
+        return Cli::RETURN_SUCCESS;
+    }
+}

app/code/Magento/Sales/Model/ResourceModel/Order/Payment/EncryptionUpdate.php

@@ -0,0 +1,65 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Sales\Model\ResourceModel\Order\Payment;
+
+/**
+ * Resource for updating encrypted credit card data to the latest cipher
+ */
+class EncryptionUpdate
+{
+    const LEGACY_PATTERN = '^[[:digit:]]+:[^%s]:.*$';
+
+    /**
+     * @var \Magento\Sales\Model\ResourceModel\Order\Payment
+     */
+    private $paymentResource;
+
+    /**
+     * @var \Magento\Framework\Encryption\Encryptor
+     */
+    private $encryptor;
+
+    /**
+     * @param \Magento\Sales\Model\ResourceModel\Order\Payment $paymentResource
+     * @param \Magento\Framework\Encryption\Encryptor $encryptor
+     */
+    public function __construct(
+        \Magento\Sales\Model\ResourceModel\Order\Payment $paymentResource,
+        \Magento\Framework\Encryption\Encryptor $encryptor
+    ) {
+        $this->paymentResource = $paymentResource;
+        $this->encryptor = $encryptor;
+    }
+
+    /**
+     * Fetch encrypted credit card numbers using legacy ciphers and re-encrypt with latest cipher
+     * @throws \Magento\Framework\Exception\LocalizedException
+     */
+    public function reEncryptCreditCardNumbers()
+    {
+        $connection = $this->paymentResource->getConnection();
+        $table = $this->paymentResource->getMainTable();
+        $select = $connection->select()->from($table, ['entity_id', 'cc_number_enc'])
+            ->where(
+                'cc_number_enc REGEXP ?',
+                sprintf(self::LEGACY_PATTERN, \Magento\Framework\Encryption\Encryptor::CIPHER_LATEST)
+            )->limit(1000);
+
+        while ($attributeValues = $connection->fetchPairs($select)) {
+                // save new values
+            foreach ($attributeValues as $valueId => $value) {
+                $connection->update(
+                    $table,
+                    ['cc_number_enc' => $this->encryptor->encrypt($this->encryptor->decrypt($value))],
+                    ['entity_id = ?' => (int)$valueId, 'cc_number_enc = ?' => (string)$value]
+                );
+            }
+        }
+    }
+}

app/code/Magento/Sales/etc/di.xml

@@ -974,6 +974,13 @@
     <type name="Magento\Sales\Model\ResourceModel\Order\Handler\Address">
         <plugin name="addressUpdate" type="Magento\Sales\Model\Order\Invoice\Plugin\AddressUpdate"/>
     </type>
+    <type name="Magento\Framework\Console\CommandListInterface">
+        <arguments>
+            <argument name="commands" xsi:type="array">
+                <item name="encyption_payment_data_update" xsi:type="object">Magento\Sales\Console\Command\EncryptionPaymentDataUpdateCommand</item>
+            </argument>
+        </arguments>
+    </type>
     <type name="Magento\Config\Model\Config\TypePool">
         <arguments>
             <argument name="sensitive" xsi:type="array">