| 1 | <?php |
| 2 | |
| 3 | namespace WPStaging\Framework\Security; |
| 4 | |
| 5 | /** |
| 6 | * Renders the stale-encryption admin notice. |
| 7 | * |
| 8 | * A credential is "stale" when it was encrypted with a key that is no longer |
| 9 | * available: it looks encrypted but decryption silently returns it unchanged. |
| 10 | */ |
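class EncryptionNoticeService
{
    /** @var DataEncryption */
    private $dataEncryption;

    /**
     * @param DataEncryption $dataEncryption Used to recognise encrypted values and to attempt decryption.
     */
    public function __construct(DataEncryption $dataEncryption)
    {
        $this->dataEncryption = $dataEncryption;
    }

    /**
     * Renders the notice if any credential field in the option is stale.
     *
     * The partial is pulled in with `require`, so the method's local variables
     * ($optionName, $credentialKeys, $label) are visible inside the view. The
     * included path is built only from the WPSTG_VIEWS_DIR constant, never from
     * caller-supplied input.
     *
     * @param string          $optionName     wp_options key to read
     * @param string|string[] $credentialKeys Field(s) inside the option to check
     * @param string          $label          Name displayed in the notice (e.g. "Amazon S3"); it is read by
     *                                        the view, so keep it even though this method does not use it
     * @return void
     */
    public function renderEncryptedNotice(string $optionName, $credentialKeys, string $label)
    {
        if (!$this->hasStaleCredential($optionName, $credentialKeys)) {
            return;
        }

        // $label is output by the partial; escaping for HTML context is the view's job
        // NOTE(review): confirm the partial escapes it — not visible from here.
        require WPSTG_VIEWS_DIR . '_main/partials/encrypted-notice.php';
    }

    /**
     * Returns true if any of the given credential fields in the option cannot be decrypted.
     *
     * Fields that are absent, or whose value is not a string (e.g. a nested
     * settings array), are treated as "not stale" rather than passed to
     * isStale(), which would raise a TypeError for non-string input.
     *
     * @param string          $optionName
     * @param string|string[] $credentialKeys
     * @return bool
     */
    private function hasStaleCredential(string $optionName, $credentialKeys): bool
    {
        $option = get_option($optionName, []);

        // A missing, empty or non-array option has no credential fields to inspect.
        if (empty($option) || !is_array($option)) {
            return false;
        }

        foreach ((array)$credentialKeys as $key) {
            $value = $option[$key] ?? '';

            // Only string payloads can be encrypted credentials; skip anything else
            // instead of letting the string type hint on isStale() throw.
            if (!is_string($value)) {
                continue;
            }

            if ($this->isStale($value)) {
                return true;
            }
        }

        return false;
    }

    /**
     * Returns true if the value is encrypted but can no longer be decrypted.
     *
     * @param string $value
     * @return bool
     */
    private function isStale(string $value): bool
    {
        // Nothing to check
        if (empty($value)) {
            return false;
        }

        // Plain-text values are never stale
        if (!$this->dataEncryption->isEncrypted($value)) {
            return false;
        }

        // Both sslDecrypt and base64Decrypt return the input unchanged on failure,
        // so equality means the key is gone/changed and the credential can't be recovered
        return $this->dataEncryption->decrypt($value) === $value;
    }
}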