AC-12767: Implement extensible data re-encryption mechanism.

Author: admanesachin

app/code/Magento/Config/Model/Data/ReEncryptorList/CoreConfigDataReEncryptor/Handler.php

@@ -11,6 +11,7 @@
 use Magento\Framework\Encryption\EncryptorInterface;
 use Magento\EncryptionKey\Model\Data\ReEncryptorList\ReEncryptor\HandlerInterface;
 use Magento\EncryptionKey\Model\Data\ReEncryptorList\ReEncryptor\Handler\ErrorFactory;
+use Magento\Framework\DB\Query\Generator;
 
 /**
  * Handler for core configuration re-encryption.
@@ -30,7 +31,12 @@ class Handler implements HandlerInterface
     /**
      * @var int
      */
-    private const QUERY_SIZE = 1000;
+    private const BATCH_SIZE = 1000;
+
+    /**
+     * @var string
+     */
+    private const IDENTIFIER = "config_id";
 
     /**
      * @var EncryptorInterface
@@ -47,19 +53,27 @@ class Handler implements HandlerInterface
      */
     private ErrorFactory $errorFactory;
 
+    /**
+     * @var Generator
+     */
+    private Generator $queryGenerator;
+
     /**
      * @param EncryptorInterface $encryptor
      * @param ResourceConnection $resourceConnection
      * @param ErrorFactory $errorFactory
+     * @param Generator $queryGenerator
      */
     public function __construct(
         EncryptorInterface $encryptor,
         ResourceConnection $resourceConnection,
-        ErrorFactory $errorFactory
+        ErrorFactory $errorFactory,
+        Generator $queryGenerator
     ) {
         $this->encryptor = $encryptor;
         $this->resourceConnection = $resourceConnection;
         $this->errorFactory = $errorFactory;
+        $this->queryGenerator = $queryGenerator;
     }
 
     /**
@@ -77,24 +91,31 @@ public function reEncrypt(): array
             ->from($tableName, ['config_id', 'value'])
             ->where('value != ?', '')
             ->where('value IS NOT NULL')
-            ->where('value REGEXP ?', self::PATTERN)
-            ->limit(self::QUERY_SIZE);
-
-        foreach ($connection->fetchPairs($select) as $configId => $value) {
-            try {
-                $connection->update(
-                    $tableName,
-                    ['value' => $this->encryptor->encrypt($this->encryptor->decrypt($value))],
-                    ['config_id = ?' => (int)$configId]
-                );
-            } catch (\Throwable $e) {
-                $errors[] = $this->errorFactory->create(
-                    "config_id",
-                    $configId,
-                    $e->getMessage()
-                );
-
-                continue;
+            ->where('value REGEXP ?', self::PATTERN);
+
+        $iterator = $this->queryGenerator->generate(
+            self::IDENTIFIER,
+            $select,
+            self::BATCH_SIZE
+        );
+
+        foreach ($iterator as $batch) {
+            foreach ($connection->fetchAll($batch) as $row) {
+                try {
+                    $connection->update(
+                        $tableName,
+                        ['value' => $this->encryptor->encrypt($this->encryptor->decrypt($row['value']))],
+                        ['config_id = ?' => $row['config_id']]
+                    );
+                } catch (\Throwable $e) {
+                    $errors[] = $this->errorFactory->create(
+                        self::IDENTIFIER,
+                        $row['config_id'],
+                        $e->getMessage()
+                    );
+
+                    continue;
+                }
             }
         }
 

app/code/Magento/EncryptionKey/Model/Data/ReEncryptorList/ReEncryptor/Handler/Error.php

@@ -22,9 +22,9 @@ class Error
     /**
      * Value of the identifier field of a DB row an error relates to.
      *
-     * @var int
+     * @var int|string
      */
-    private int $rowIdValue;
+    private int|string $rowIdValue;
 
     /**
      * Error message.
@@ -35,12 +35,12 @@ class Error
 
     /**
      * @param string $rowIdField
-     * @param int $rowIdValue
+     * @param int|string $rowIdValue
      * @param string $message
      */
     public function __construct(
         string $rowIdField,
-        int $rowIdValue,
+        int|string $rowIdValue,
         string $message
     ) {
         $this->rowIdField = $rowIdField;
@@ -61,9 +61,9 @@ public function getRowIdField(): string
     /**
      * Returns row ID field value.
      *
-     * @return int
+     * @return int|string
      */
-    public function getRowIdValue(): int
+    public function getRowIdValue(): int|string
     {
         return $this->rowIdValue;
     }

app/code/Magento/EncryptionKey/Model/Data/ReEncryptorList/ReEncryptor/Handler/ErrorFactory.php

@@ -32,12 +32,12 @@ public function __construct(
      * Creates an error object.
      *
      * @param string $rowIdField
-     * @param int $rowIdValue
+     * @param int|string $rowIdValue
      * @param string $message
      *
      * @return Error
      */
-    public function create(string $rowIdField, int $rowIdValue, string $message): Error
+    public function create(string $rowIdField, int|string $rowIdValue, string $message): Error
     {
         return $this->objectManager->create(
             Error::class,

dev/tests/integration/testsuite/Magento/Config/Model/Data/ReEncryptorList/CoreConfigDataReEncryptor/HandlerTest.php

@@ -35,6 +35,11 @@ class HandlerTest extends TestCase
      */
     private ?EncryptorInterface $encryptor;
 
+    /**
+     * Initialize dependencies
+     *
+     * @return void
+     */
     protected function setUp(): void
     {
         $this->config = Bootstrap::getObjectManager()->get(
@@ -51,30 +56,17 @@ protected function setUp(): void
     }
 
     /**
+     * Test ReEncryption for core config data
+     *
      * @magentoDbIsolation enabled
+     * @return void
      */
-    public function testReEncrypt()
+    public function testReEncrypt():void
     {
         $testConfigPath1 = "test/correct_enc_value";
         $testConfigPath2 = "test/incorrect_enc_value";
         $testConfigPath3 = "test/empty_enc_value";
 
-        $initialMock = $this->createMock(Initial::class);
-
-        $initialMock->expects($this->any())
-            ->method('getMetadata')
-            ->willReturn([
-                $testConfigPath1 => [
-                    "backendModel" => Encrypted::class
-                ],
-                $testConfigPath2 => [
-                    "backendModel" => Encrypted::class
-                ],
-                $testConfigPath3 => [
-                    "backendModel" => Encrypted::class
-                ]
-            ]);
-
         $this->configResource->saveConfig(
             $testConfigPath1,
             $this->encryptor->encrypt("Encrypted Config Value")
@@ -97,10 +89,7 @@ public function testReEncrypt()
 
         /** @var Handler $coreConfigDataReEncryptionHandler */
         $coreConfigDataReEncryptionHandler = Bootstrap::getObjectManager()->create(
-            Handler::class,
-            [
-                "config" => $initialMock
-            ]
+            Handler::class
         );
 
         try {