Fix for Symmetric encryption key handling

.phan/config.php

@@ -54,7 +54,8 @@ return [
 	// Note that the **only** effect of choosing `'5.6'` is to infer that functions removed in php 7.0 exist.
 	// (See `backward_compatibility_checks` for additional options)
 	// Automatically inferred from composer.json requirement for "php" of ">=8.2"
-	'target_php_version' => '8.1',
+	'target_php_version' => '8.2',
+	"minimum_target_php_version" => "8.2",
 
 	// If enabled, missing properties will be created when
 	// they are first seen. If false, we'll report an

composer.json

@@ -3,6 +3,7 @@
     "description": "CoreLibs in a composer package",
     "type": "library",
     "license": "MIT",
+	"keywords": ["corelib", "logging", "database", "templating", "tools"],
     "autoload": {
         "psr-4": {
             "CoreLibs\\": "src/"

publish/last.published

@@ -1 +1 @@
-9.23.0
+9.23.2

src/DB/Support/ConvertPlaceholder.php

@@ -14,10 +14,24 @@ namespace CoreLibs\DB\Support;
 
 class ConvertPlaceholder
 {
-	/** @var string split regex */
+	// NOTE for missing: range */+ are not iplemented in the regex below, but - is for now
-	private const PATTERN_QUERY_SPLIT = '[(<>=,?-]|->|->>|#>|#>>|@>|<@|\?\|\?\&|\|\||#-';
+	// NOTE some combinations are allowed, but the query will fail before this
+	/** @var string split regex, entries before $ group */
+	private const PATTERN_QUERY_SPLIT =
+		'\?\?|' // UNKNOWN: double ??, is this to avoid something?
+		. '[\(,]|' // for ',' and '(' mostly in INSERT or ANY()
+		. '[<>=]|' // general set for <, >, = in any query with any combination
+		. '\^@|' // text search for start from text with ^@
+		. '\|\||' // concats two elements
+		. '&&|' // array overlap
+		. '\-\|\-|' // range overlap for array
+		. '[^-]-{1}|' // single -, used in JSON too
+		. '->|->>|#>|#>>|@>|<@|@@|@\?|\?{1}|\?\||\?&|#-'; //JSON searches, Array searchs, etc
 	/** @var string the main regex including  the pattern query split */
-	private const PATTERN_ELEMENT = '(?:\'.*?\')?\s*(?:\?\?|' . self::PATTERN_QUERY_SPLIT . ')\s*';
+	private const PATTERN_ELEMENT = '(?:\'.*?\')?\s*(?:' . self::PATTERN_QUERY_SPLIT . ')\s*';
+	/** @var string comment regex
+	 * anything that starts with -- and ends with a line break but any character that is not line break inbetween */
+	private const PATTERN_COMMENT = '(?:\-\-[^\r\n]*?\r?\n)*\s*';
 	/** @var string parts to ignore in the SQL */
 	private const PATTERN_IGNORE =
 		// digit -> ignore
@@ -34,6 +48,7 @@ class ConvertPlaceholder
 	/** @var string replace regex for named (:...) entries */
 	public const REGEX_REPLACE_NAMED = '/'
 		. '(' . self::PATTERN_ELEMENT . ')'
+		. self::PATTERN_COMMENT
 		. '('
 		. self::PATTERN_IGNORE
 		. self::PATTERN_NAMED
@@ -42,6 +57,7 @@ class ConvertPlaceholder
 	/** @var string replace regex for question mark (?) entries */
 	public const REGEX_REPLACE_QUESTION_MARK = '/'
 		. '(' . self::PATTERN_ELEMENT . ')'
+		. self::PATTERN_COMMENT
 		. '('
 		. self::PATTERN_IGNORE
 		. self::PATTERN_QUESTION_MARK
@@ -50,6 +66,7 @@ class ConvertPlaceholder
 	/** @var string replace regex for numbered ($n) entries */
 	public const REGEX_REPLACE_NUMBERED = '/'
 		. '(' . self::PATTERN_ELEMENT . ')'
+		. self::PATTERN_COMMENT
 		. '('
 		. self::PATTERN_IGNORE
 		. self::PATTERN_NUMBERED
@@ -60,6 +77,7 @@ class ConvertPlaceholder
 		// prefix string part, must match towards
 		// seperator for ( = , ? - [and json/jsonb in pg doc section 9.15]
 		. self::PATTERN_ELEMENT
+		. self::PATTERN_COMMENT
 		// match for replace part
 		. '(?:'
 		// ignore parts

src/Security/SymmetricEncryption.php

@@ -49,7 +49,11 @@ class SymmetricEncryption
 	 */
 	public static function getInstance(string|null $key = null): self
 	{
-		if (empty(self::$instance)) {
+		// new if no instsance or key is different
+		if (
+			empty(self::$instance) ||
+			self::$instance->key != $key
+		) {
 			self::$instance = new self($key);
 		}
 		return self::$instance;
@@ -130,7 +134,7 @@ class SymmetricEncryption
 	 */
 	private function encryptData(string $message, ?string $key): string
 	{
-		if (empty($this->key) || $key === null) {
+		if ($key === null) {
 			throw new \UnexpectedValueException('Key not set');
 		}
 		$key = $this->createKey($key);

test/phpunit/ACL/database/CoreLibsACLLogin_database_create_data.sql

@@ -321,7 +321,7 @@ CREATE TABLE edit_generic (
 
 -- DROP TABLE edit_visible_group;
 CREATE TABLE edit_visible_group (
-    edit_visible_group_id SERIAL PRIMARY KEY,
+    edit_visible_group_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     name VARCHAR,
     flag VARCHAR
 ) INHERITS (edit_generic) WITHOUT OIDS;
@@ -336,7 +336,7 @@ CREATE TABLE edit_visible_group (
 
 -- DROP TABLE edit_menu_group;
 CREATE TABLE edit_menu_group (
-    edit_menu_group_id SERIAL PRIMARY KEY,
+    edit_menu_group_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     name VARCHAR,
     flag VARCHAR,
     order_number INT NOT NULL
@@ -354,7 +354,7 @@ CREATE TABLE edit_menu_group (
 
 -- DROP TABLE edit_page;
 CREATE TABLE edit_page (
-    edit_page_id SERIAL PRIMARY KEY,
+    edit_page_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     content_alias_edit_page_id	INT, -- alias for page content, if the page content is defined on a different page, ege for ajax backend pages
     FOREIGN KEY (content_alias_edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE RESTRICT ON UPDATE CASCADE,
     filename VARCHAR,
@@ -378,7 +378,7 @@ CREATE TABLE edit_page (
 
 -- DROP TABLE edit_query_string;
 CREATE TABLE edit_query_string (
-    edit_query_string_id SERIAL PRIMARY KEY,
+    edit_query_string_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     edit_page_id INT NOT NULL,
     FOREIGN KEY (edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
     enabled SMALLINT NOT NULL DEFAULT 0,
@@ -430,7 +430,7 @@ CREATE TABLE edit_page_menu_group (
 
 -- DROP TABLE edit_access_right;
 CREATE TABLE edit_access_right (
-    edit_access_right_id SERIAL PRIMARY KEY,
+    edit_access_right_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     name VARCHAR,
     level SMALLINT,
     type VARCHAR,
@@ -447,7 +447,7 @@ CREATE TABLE edit_access_right (
 
 -- DROP TABLE edit_scheme;
 CREATE TABLE edit_scheme (
-    edit_scheme_id SERIAL PRIMARY KEY,
+    edit_scheme_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     enabled SMALLINT NOT NULL DEFAULT 0,
     name VARCHAR,
     header_color VARCHAR,
@@ -466,7 +466,7 @@ CREATE TABLE edit_scheme (
 
 -- DROP TABLE edit_language;
 CREATE TABLE edit_language (
-    edit_language_id SERIAL PRIMARY KEY,
+    edit_language_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     enabled SMALLINT NOT NULL DEFAULT 0,
     lang_default SMALLINT NOT NULL DEFAULT 0,
     long_name VARCHAR,
@@ -485,7 +485,7 @@ CREATE TABLE edit_language (
 
 -- DROP TABLE edit_group;
 CREATE TABLE edit_group (
-    edit_group_id SERIAL PRIMARY KEY,
+    edit_group_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     edit_scheme_id INT,
     FOREIGN KEY (edit_scheme_id) REFERENCES edit_scheme (edit_scheme_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
     edit_access_right_id INT NOT NULL,
@@ -507,7 +507,7 @@ CREATE TABLE edit_group (
 
 -- DROP TABLE edit_page_access;
 CREATE TABLE edit_page_access (
-    edit_page_access_id SERIAL PRIMARY KEY,
+    edit_page_access_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     edit_group_id INT NOT NULL,
     FOREIGN KEY (edit_group_id) REFERENCES edit_group (edit_group_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
     edit_page_id INT NOT NULL,
@@ -530,7 +530,7 @@ CREATE TABLE edit_page_access (
 
 -- DROP TABLE edit_page_content;
 CREATE TABLE edit_page_content (
-    edit_page_content_id SERIAL PRIMARY KEY,
+    edit_page_content_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     edit_page_id INT NOT NULL,
     FOREIGN KEY (edit_page_id) REFERENCES edit_page (edit_page_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
     edit_access_right_id INT NOT NULL,
@@ -551,7 +551,7 @@ CREATE TABLE edit_page_content (
 
 -- DROP TABLE edit_user;
 CREATE TABLE edit_user (
-    edit_user_id SERIAL PRIMARY KEY,
+    edit_user_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     connect_edit_user_id INT, -- possible reference to other user
     FOREIGN KEY (connect_edit_user_id) REFERENCES edit_user (edit_user_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
     edit_language_id INT NOT NULL,
@@ -652,11 +652,11 @@ COMMENT ON COLUMN edit_user.additional_acl IS 'Additional Access Control List st
 
 -- DROP TABLE edit_log;
 CREATE TABLE edit_log (
-    edit_log_id SERIAL PRIMARY KEY,
+    edit_log_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     euid INT, -- this is a foreign key, but I don't nedd to reference to it
+    FOREIGN KEY (euid) REFERENCES edit_user (edit_user_id) MATCH FULL ON UPDATE CASCADE ON DELETE SET NULL,
     ecuid VARCHAR,
     ecuuid UUID,
-    FOREIGN KEY (euid) REFERENCES edit_user (edit_user_id) MATCH FULL ON UPDATE CASCADE ON DELETE SET NULL,
     username VARCHAR,
     password VARCHAR,
     event_date TIMESTAMP WITHOUT TIME ZONE DEFAULT CURRENT_TIMESTAMP,
@@ -712,7 +712,7 @@ ALTER TABLE edit_log_overflow ADD CONSTRAINT edit_log_overflow_euid_fkey FOREIGN
 
 -- DROP TABLE edit_access;
 CREATE TABLE edit_access (
-    edit_access_id SERIAL PRIMARY KEY,
+    edit_access_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     enabled SMALLINT NOT NULL DEFAULT 0,
     protected SMALLINT DEFAULT 0,
     deleted SMALLINT DEFAULT 0,
@@ -733,7 +733,7 @@ CREATE TABLE edit_access (
 
 -- DROP TABLE edit_access_user;
 CREATE TABLE edit_access_user (
-    edit_access_user_id SERIAL PRIMARY KEY,
+    edit_access_user_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     edit_access_id INT NOT NULL,
     FOREIGN KEY (edit_access_id) REFERENCES edit_access (edit_access_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
     edit_user_id INT NOT NULL,
@@ -754,7 +754,7 @@ CREATE TABLE edit_access_user (
 
 -- DROP TABLE edit_access_data;
 CREATE TABLE edit_access_data (
-    edit_access_data_id SERIAL PRIMARY KEY,
+    edit_access_data_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
     edit_access_id INT NOT NULL,
     FOREIGN KEY (edit_access_id) REFERENCES edit_access (edit_access_id) MATCH FULL ON DELETE CASCADE ON UPDATE CASCADE,
     enabled SMALLINT NOT NULL DEFAULT 0,

test/phpunit/DB/CoreLibsDBIOTest.php

@@ -17,7 +17,7 @@ Table with Primary Key: table_with_primary_key
 Table without Primary Key: table_without_primary_key
 
 Table with primary key has additional row:
-row_primary_key	SERIAL PRIMARY KEY,
+row_primary_key	INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
 Each table has the following rows
 row_int INT,
 row_numeric NUMERIC,
@@ -160,7 +160,6 @@ final class CoreLibsDBIOTest extends TestCase
 		// create the tables
 		$db->dbExec(
 			// primary key name is table + '_id'
-				// table_with_primary_key_id SERIAL PRIMARY KEY,
 			<<<SQL
 			CREATE TABLE table_with_primary_key (
 				table_with_primary_key_id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
@@ -5136,6 +5135,67 @@ final class CoreLibsDBIOTest extends TestCase
 				SQL,
 				'count' => 6,
 				'convert' => false,
+			],
+			'comments in insert' => [
+				'query' => <<<SQL
+				INSERT INTO table_with_primary_key (
+					row_int, row_numeric, row_varchar, row_varchar_literal
+				) VALUES (
+					-- comment 1 かな
+					$1, $2,
+					-- comment 2 -
+					$3
+					-- comment 3
+					, $4
+				)
+				SQL,
+				'count' => 4,
+				'convert' => false
+			],
+			'comment in update' => [
+				'query' => <<<SQL
+				UPDATE table_with_primary_key SET
+					row_int =
+					-- COMMENT 1
+					$1,
+					row_numeric =
+					$2 -- COMMENT 2
+					,
+					row_varchar -- COMMENT 3
+					= $3
+				WHERE
+					row_varchar = $4
+				SQL,
+				'count' => 4,
+				'convert' => false,
+			],
+			// Note some are not set
+			'a complete set of possible' => [
+				'query' => <<<SQL
+				UPDATE table_with_primary_key SET
+				-- ROW
+				row_varchar = $1
+				WHERE
+				row_varchar = ANY($2) AND row_varchar <> $3
+				AND row_varchar > $4 AND row_varchar < $5
+				AND row_varchar >= $6 AND row_varchar <=$7
+				AND row_jsonb->'a' = $8 AND row_jsonb->>$9 = 'a'
+				AND row_jsonb<@$10 AND row_jsonb@>$11
+				AND row_varchar ^@ $12
+				SQL,
+				'count' => 12,
+				'convert' => false,
+			],
+			// all the same
+			'all the same numbered' => [
+				'query' => <<<SQL
+				UPDATE table_with_primary_key SET
+					row_int = $1::INT, row_numeric = $1::NUMERIC, row_varchar = $1
+				WHERE
+					row_varchar = $1
+				SQL,
+				'count' => 1,
+				'convert' => false,
 			]
 		];
 	}

test/phpunit/Language/locale_other/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

test/phpunit/Security/CoreLibsSecuritySymmetricEncryptionTest.php

@@ -56,7 +56,24 @@ final class CoreLibsSecuritySymmetricEncryptionTest extends TestCase
 			$decrypted,
 			'Class call',
 		);
+	}
 
+	/**
+	 * test encrypt/decrypt produce correct output
+	 *
+	 * @covers ::generateRandomKey
+	 * @covers ::encrypt
+	 * @covers ::decrypt
+	 * @dataProvider providerEncryptDecryptSuccess
+	 * @testdox encrypt/decrypt indirect $input must be $expected [$_dataName]
+	 *
+	 * @param  string $input
+	 * @param  string $expected
+	 * @return void
+	 */
+	public function testEncryptDecryptSuccessIndirect(string $input, string $expected): void
+	{
+		$key = CreateKey::generateRandomKey();
 		// test indirect
 		$encrypted = SymmetricEncryption::getInstance($key)->encrypt($input);
 		$decrypted = SymmetricEncryption::getInstance($key)->decrypt($encrypted);
@@ -65,7 +82,24 @@ final class CoreLibsSecuritySymmetricEncryptionTest extends TestCase
 			$decrypted,
 			'Class Instance call',
 		);
+	}
 
+	/**
+	 * test encrypt/decrypt produce correct output
+	 *
+	 * @covers ::generateRandomKey
+	 * @covers ::encrypt
+	 * @covers ::decrypt
+	 * @dataProvider providerEncryptDecryptSuccess
+	 * @testdox encrypt/decrypt static $input must be $expected [$_dataName]
+	 *
+	 * @param  string $input
+	 * @param  string $expected
+	 * @return void
+	 */
+	public function testEncryptDecryptSuccessStatic(string $input, string $expected): void
+	{
+		$key = CreateKey::generateRandomKey();
 		// test static
 		$encrypted = SymmetricEncryption::encryptKey($input, $key);
 		$decrypted = SymmetricEncryption::decryptKey($encrypted, $key);
@@ -114,13 +148,51 @@ final class CoreLibsSecuritySymmetricEncryptionTest extends TestCase
 		$crypt = new SymmetricEncryption($key);
 		$encrypted = $crypt->encrypt($input);
 		$this->expectExceptionMessage($exception_message);
-		$crypt->setKey($key);
+		$crypt->setKey($wrong_key);
 		$crypt->decrypt($encrypted);
+	}
+
+	/**
+	 * Test decryption with wrong key
+	 *
+	 * @covers ::generateRandomKey
+	 * @covers ::encrypt
+	 * @covers ::decrypt
+	 * @dataProvider providerEncryptFailed
+	 * @testdox decrypt indirect with wrong key $input throws $exception_message [$_dataName]
+	 *
+	 * @param  string $input
+	 * @param  string $exception_message
+	 * @return void
+	 */
+	public function testEncryptFailedIndirect(string $input, string $exception_message): void
+	{
+		$key = CreateKey::generateRandomKey();
+		$wrong_key = CreateKey::generateRandomKey();
 
 		// class instance
 		$encrypted = SymmetricEncryption::getInstance($key)->encrypt($input);
 		$this->expectExceptionMessage($exception_message);
 		SymmetricEncryption::getInstance($wrong_key)->decrypt($encrypted);
+	}
+
+	/**
+	 * Test decryption with wrong key
+	 *
+	 * @covers ::generateRandomKey
+	 * @covers ::encrypt
+	 * @covers ::decrypt
+	 * @dataProvider providerEncryptFailed
+	 * @testdox decrypt static with wrong key $input throws $exception_message [$_dataName]
+	 *
+	 * @param  string $input
+	 * @param  string $exception_message
+	 * @return void
+	 */
+	public function testEncryptFailedStatic(string $input, string $exception_message): void
+	{
+		$key = CreateKey::generateRandomKey();
+		$wrong_key = CreateKey::generateRandomKey();
 
 		// class static
 		$encrypted = SymmetricEncryption::encryptKey($input, $key);
@@ -190,6 +262,56 @@ final class CoreLibsSecuritySymmetricEncryptionTest extends TestCase
 		SymmetricEncryption::decryptKey($encrypted, $key);
 	}
 
+	/**
+	 * test invalid key provided to decrypt or encrypt
+	 *
+	 * @covers ::encrypt
+	 * @covers ::decrypt
+	 * @dataProvider providerWrongKey
+	 * @testdox wrong key indirect $key throws $exception_message [$_dataName]
+	 *
+	 * @param  string $key
+	 * @param  string $exception_message
+	 * @return void
+	 */
+	public function testWrongKeyIndirect(string $key, string $exception_message): void
+	{
+		$enc_key = CreateKey::generateRandomKey();
+
+		// class instance
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::getInstance($key)->encrypt('test');
+		// we must encrypt valid thing first so we can fail with the wrong key
+		$encrypted = SymmetricEncryption::getInstance($enc_key)->encrypt('test');
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::getInstance($key)->decrypt($encrypted);
+	}
+
+		/**
+	 * test invalid key provided to decrypt or encrypt
+	 *
+	 * @covers ::encrypt
+	 * @covers ::decrypt
+	 * @dataProvider providerWrongKey
+	 * @testdox wrong key static $key throws $exception_message [$_dataName]
+	 *
+	 * @param  string $key
+	 * @param  string $exception_message
+	 * @return void
+	 */
+	public function testWrongKeyStatic(string $key, string $exception_message): void
+	{
+		$enc_key = CreateKey::generateRandomKey();
+
+		// class static
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::encryptKey('test', $key);
+		// we must encrypt valid thing first so we can fail with the wrong key
+		$encrypted = SymmetricEncryption::encryptKey('test', $enc_key);
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::decryptKey($encrypted, $key);
+	}
+
 	/**
 	 * Undocumented function
 	 *
@@ -232,6 +354,49 @@ final class CoreLibsSecuritySymmetricEncryptionTest extends TestCase
 		$this->expectExceptionMessage($exception_message);
 		SymmetricEncryption::decryptKey($input, $key);
 	}
+
+	/**
+	 * Undocumented function
+	 *
+	 * @covers ::decrypt
+	 * @dataProvider providerWrongCiphertext
+	 * @testdox too short ciphertext indirect $input throws $exception_message [$_dataName]
+	 *
+	 * @param  string $input
+	 * @param  string $exception_message
+	 * @return void
+	 */
+	public function testWrongCiphertextIndirect(string $input, string $exception_message): void
+	{
+		$key = CreateKey::generateRandomKey();
+
+		// class instance
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::getInstance($key)->decrypt($input);
+
+		// class static
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::decryptKey($input, $key);
+	}
+
+		/**
+	 * Undocumented function
+	 *
+	 * @covers ::decrypt
+	 * @dataProvider providerWrongCiphertext
+	 * @testdox too short ciphertext static $input throws $exception_message [$_dataName]
+	 *
+	 * @param  string $input
+	 * @param  string $exception_message
+	 * @return void
+	 */
+	public function testWrongCiphertextStatic(string $input, string $exception_message): void
+	{
+		$key = CreateKey::generateRandomKey();
+		// class static
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::decryptKey($input, $key);
+	}
 }
 
 // __END__