AC-8017 system settings improvement

Author: sreenia806

app/code/Magento/EncryptionKey/Model/ResourceModel/Key/Change.php

@@ -5,10 +5,22 @@
  */
 namespace Magento\EncryptionKey\Model\ResourceModel\Key;
 
+use \Exception;
+use Magento\Config\Model\Config\Backend\Encrypted;
+use Magento\Config\Model\Config\Structure;
+use Magento\Framework\App\DeploymentConfig\Writer;
 use Magento\Framework\App\Filesystem\DirectoryList;
 use Magento\Framework\Config\ConfigOptionsListConstants;
 use Magento\Framework\Config\Data\ConfigData;
 use Magento\Framework\Config\File\ConfigFilePool;
+use Magento\Framework\Encryption\EncryptorInterface;
+use Magento\Framework\Exception\FileSystemException;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Filesystem;
+use Magento\Framework\Filesystem\Directory\WriteInterface;
+use Magento\Framework\Math\Random;
+use Magento\Framework\Model\ResourceModel\Db\AbstractDb;
+use Magento\Framework\Model\ResourceModel\Db\Context;
 
 /**
  * Encryption key changer resource model
@@ -19,60 +31,60 @@
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  * @since 100.0.2
  */
-class Change extends \Magento\Framework\Model\ResourceModel\Db\AbstractDb
+class Change extends AbstractDb
 {
     /**
      * Encryptor interface
      *
-     * @var \Magento\Framework\Encryption\EncryptorInterface
+     * @var EncryptorInterface
      */
     protected $encryptor;
 
     /**
      * Filesystem directory write interface
      *
-     * @var \Magento\Framework\Filesystem\Directory\WriteInterface
+     * @var WriteInterface
      */
     protected $directory;
 
     /**
      * System configuration structure
      *
-     * @var \Magento\Config\Model\Config\Structure
+     * @var Structure
      */
     protected $structure;
 
     /**
      * Configuration writer
      *
-     * @var \Magento\Framework\App\DeploymentConfig\Writer
+     * @var Writer
      */
     protected $writer;
 
     /**
-     * Random
+     * Random string generator
      *
-     * @var \Magento\Framework\Math\Random
+     * @var Random
      * @since 100.0.4
      */
     protected $random;
 
     /**
-     * @param \Magento\Framework\Model\ResourceModel\Db\Context $context
-     * @param \Magento\Framework\Filesystem $filesystem
-     * @param \Magento\Config\Model\Config\Structure $structure
-     * @param \Magento\Framework\Encryption\EncryptorInterface $encryptor
-     * @param \Magento\Framework\App\DeploymentConfig\Writer $writer
-     * @param \Magento\Framework\Math\Random $random
+     * @param Context $context
+     * @param Filesystem $filesystem
+     * @param Structure $structure
+     * @param EncryptorInterface $encryptor
+     * @param Writer $writer
+     * @param Random $random
      * @param string $connectionName
      */
     public function __construct(
-        \Magento\Framework\Model\ResourceModel\Db\Context $context,
-        \Magento\Framework\Filesystem $filesystem,
-        \Magento\Config\Model\Config\Structure $structure,
-        \Magento\Framework\Encryption\EncryptorInterface $encryptor,
-        \Magento\Framework\App\DeploymentConfig\Writer $writer,
-        \Magento\Framework\Math\Random $random,
+        Context $context,
+        Filesystem $filesystem,
+        Structure $structure,
+        EncryptorInterface $encryptor,
+        Writer $writer,
+        Random $random,
         $connectionName = null
     ) {
         $this->encryptor = clone $encryptor;
@@ -98,20 +110,20 @@ protected function _construct()
      *
      * @param string|null $key
      * @return null|string
-     * @throws \Exception
+     * @throws FileSystemException|LocalizedException|Exception
      */
     public function changeEncryptionKey($key = null)
     {
         // prepare new key, encryptor and new configuration segment
         if (!$this->writer->checkIfWritable()) {
-            throw new \Exception(__('Deployment configuration file is not writable.'));
+            throw new FileSystemException(__('Deployment configuration file is not writable.'));
         }
 
         if (null === $key) {
-            // md5() here is not for cryptographic use. It used for generate encryption key itself
-            // and do not encrypt any passwords
-            // phpcs:ignore Magento2.Security.InsecureFunction
-            $key = md5($this->random->getRandomString(ConfigOptionsListConstants::STORE_KEY_RANDOM_STRING_SIZE));
+            $key = $this->random->getRandomBytes(
+                ConfigOptionsListConstants::STORE_KEY_RANDOM_STRING_SIZE,
+                ConfigOptionsListConstants::STORE_KEY_ENCODED_RANDOM_STRING_PREFIX
+            );
         }
         $this->encryptor->setNewKey($key);
 
@@ -128,7 +140,7 @@ public function changeEncryptionKey($key = null)
             $this->writer->saveConfig($configData);
             $this->commit();
             return $key;
-        } catch (\Exception $e) {
+        } catch (LocalizedException $e) {
             $this->rollBack();
             throw $e;
         }
@@ -142,11 +154,11 @@ public function changeEncryptionKey($key = null)
     protected function _reEncryptSystemConfigurationValues()
     {
         // look for encrypted node entries in all system.xml files
-        /** @var \Magento\Config\Model\Config\Structure $configStructure  */
+        /** @var Structure $configStructure  */
         $configStructure = $this->structure;
         $paths = $configStructure->getFieldPathsByAttribute(
             'backend_model',
-            \Magento\Config\Model\Config\Backend\Encrypted::class
+            Encrypted::class
         );
 
         // walk through found data and re-encrypt it

app/code/Magento/EncryptionKey/Test/Unit/Model/ResourceModel/Key/ChangeTest.php

@@ -148,16 +148,16 @@ private function setUpChangeEncryptionKey()
     public function testChangeEncryptionKey()
     {
         $this->setUpChangeEncryptionKey();
-        $this->randomMock->expects($this->never())->method('getRandomString');
+        $this->randomMock->expects($this->never())->method('getRandomBytes');
         $key = 'key';
         $this->assertEquals($key, $this->model->changeEncryptionKey($key));
     }
 
     public function testChangeEncryptionKeyAutogenerate()
     {
         $this->setUpChangeEncryptionKey();
-        $this->randomMock->expects($this->once())->method('getRandomString')->willReturn('abc');
-        $this->assertEquals(hash('md5', 'abc'), $this->model->changeEncryptionKey());
+        $this->randomMock->expects($this->once())->method('getRandomBytes')->willReturn('abc');
+        $this->assertEquals('abc', $this->model->changeEncryptionKey());
     }
 
     public function testChangeEncryptionKeyThrowsException()

lib/internal/Magento/Framework/Config/ConfigOptionsListConstants.php

@@ -167,4 +167,9 @@ class ConfigOptionsListConstants
      */
     public const STORE_KEY_RANDOM_STRING_SIZE = SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_KEYBYTES;
     //phpcs:enable
+
+    /**
+     * Prefix of encoded random string
+     */
+    public const STORE_KEY_ENCODED_RANDOM_STRING_PREFIX = 'base64';
 }

lib/internal/Magento/Framework/Encryption/Encryptor.php

@@ -10,6 +10,7 @@
 
 use Magento\Framework\App\DeploymentConfig;
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Config\ConfigOptionsListConstants;
 use Magento\Framework\Encryption\Adapter\EncryptionAdapterInterface;
 use Magento\Framework\Encryption\Adapter\Mcrypt;
 use Magento\Framework\Encryption\Adapter\SodiumChachaIetf;
@@ -265,7 +266,12 @@ public function hash($data, $version = self::HASH_VERSION_SHA256)
             throw new \InvalidArgumentException('Unknown hashing algorithm');
         }
 
-        return hash_hmac($this->hashVersionMap[$version], (string)$data, $this->keys[$this->keyVersion], false);
+        return hash_hmac(
+            $this->hashVersionMap[$version],
+            (string)$data,
+            $this->decodeKey($this->keys[$this->keyVersion]),
+            false
+        );
     }
 
     /**
@@ -375,7 +381,7 @@ private function explodePasswordHash($hash)
      */
     public function encrypt($data)
     {
-        $crypt = new SodiumChachaIetf($this->keys[$this->keyVersion]);
+        $crypt = new SodiumChachaIetf($this->decodeKey($this->keys[$this->keyVersion]));
 
         return $this->keyVersion .
             ':' . self::CIPHER_AEAD_CHACHA20POLY1305 .
@@ -445,7 +451,7 @@ public function decrypt($data)
             if (!isset($this->keys[$keyVersion])) {
                 return '';
             }
-            $crypt = $this->getCrypt($this->keys[$keyVersion], $cryptVersion, $initVector);
+            $crypt = $this->getCrypt($this->decodeKey($this->keys[$keyVersion]), $cryptVersion, $initVector);
             if (null === $crypt) {
                 return '';
             }
@@ -520,7 +526,7 @@ private function getCrypt(
         }
 
         if (null === $key) {
-            $key = $this->keys[$this->keyVersion];
+            $key = $this->decodeKey($this->keys[$this->keyVersion]);
         }
 
         if (!$key) {
@@ -596,4 +602,17 @@ private function getArgonHash(
             )
         );
     }
+
+    /**
+     * Find out actual decode key
+     *
+     * @param string $key
+     * @return false|string
+     */
+    private function decodeKey(string $key)
+    {
+        return (strpos($key, ConfigOptionsListConstants::STORE_KEY_ENCODED_RANDOM_STRING_PREFIX) === 0) ?
+            base64_decode(substr($key, strlen(ConfigOptionsListConstants::STORE_KEY_ENCODED_RANDOM_STRING_PREFIX))) :
+            $key;
+    }
 }

lib/internal/Magento/Framework/Encryption/KeyValidator.php

@@ -25,7 +25,12 @@ class KeyValidator
      */
     public function isValid($value) : bool
     {
-        return $value && strlen($value) === ConfigOptionsListConstants::STORE_KEY_RANDOM_STRING_SIZE
-            && preg_match('/^\S+$/', $value);
+        if (strpos($value, ConfigOptionsListConstants::STORE_KEY_ENCODED_RANDOM_STRING_PREFIX) === 0) {
+            return (bool)$value;
+        } else {
+            return $value
+                && strlen($value) === ConfigOptionsListConstants::STORE_KEY_RANDOM_STRING_SIZE
+                && preg_match('/^\S+$/', $value);
+        }
     }
 }

lib/internal/Magento/Framework/Math/Random.php

@@ -5,6 +5,7 @@
  */
 namespace Magento\Framework\Math;
 
+use \Exception;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Phrase;
 
@@ -19,11 +20,11 @@ class Random
     /**#@+
      * Frequently used character classes
      */
-    const CHARS_LOWERS = 'abcdefghijklmnopqrstuvwxyz';
+    public const CHARS_LOWERS = 'abcdefghijklmnopqrstuvwxyz';
 
-    const CHARS_UPPERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
+    public const CHARS_UPPERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
 
-    const CHARS_DIGITS = '0123456789';
+    public const CHARS_DIGITS = '0123456789';
 
     /**#@-*/
 
@@ -83,4 +84,17 @@ public function getUniqueHash($prefix = '')
     {
         return $prefix . $this->getRandomString(32);
     }
+
+    /**
+     * Generate a base64 encoded binary string.
+     *
+     * @param int $length
+     * @param string $prefix
+     * @return string
+     * @throws Exception
+     */
+    public function getRandomBytes($length, $prefix = '')
+    {
+        return $prefix . base64_encode(random_bytes($length));
+    }
 }

setup/src/Magento/Setup/Model/CryptKeyGenerator.php

@@ -37,10 +37,7 @@ public function __construct(Random $random)
      */
     public function generate()
     {
-        // md5() here is not for cryptographic use. It used for generate encryption key itself
-        // and do not encrypt any passwords
-        // phpcs:ignore Magento2.Security.InsecureFunction
-        return md5($this->getRandomString());
+        return $this->getRandomString();
     }
 
     /**

setup/src/Magento/Setup/Test/Unit/Model/CryptKeyGeneratorTest.php

@@ -45,17 +45,4 @@ public function testStringForHashingIsReadFromRandom()
 
         $this->cryptKeyGenerator->generate();
     }
-
-    public function testReturnsMd5OfRandomString()
-    {
-        $expected = 'fdb7594e77f1ad5fbb8e6c917b6012ce'; // == 'magento2'
-
-        $this->randomMock
-            ->method('getRandomString')
-            ->willReturn('magento2');
-
-        $actual = $this->cryptKeyGenerator->generate();
-
-        $this->assertEquals($expected, $actual);
-    }
 }

setup/src/Magento/Setup/Test/Unit/Module/ConfigGeneratorTest.php

@@ -78,7 +78,7 @@ public function testCreateCryptConfigWithoutInput()
         $returnValue = $this->configGeneratorObject->createCryptConfig([]);
         $this->assertEquals(ConfigFilePool::APP_ENV, $returnValue->getFileKey());
         // phpcs:ignore Magento2.Security.InsecureFunction
-        $this->assertEquals(['crypt' => ['key' => md5('key')]], $returnValue->getData());
+        $this->assertEquals(['crypt' => ['key' => 'key']], $returnValue->getData());
     }
 
     public function testCreateSessionConfigWithInput()