Merge pull request #119 from OS2Forms/develop

jekuaitk · web-flow · commit 119b31ea24d4 · 2024-07-08T16:48:32.000+02:00
Release 3.15.4
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,13 @@ before starting to add changes. Use example [placed in the end of the page](#exa
 
 ## [Unreleased]
 
+## [3.15.4] 2024-07-08
+
+- [#117](https://github.com/OS2Forms/os2forms/pull/117)
+  Encrypts all elements if encryption enabled.
+- [#114](https://github.com/OS2Forms/os2forms/pull/114)
+  Encrypted computed elements.
+
 ## [3.15.3] 2024-06-25
 
 - [OS-74] Replacing DAWA matrikula select with Datafordeler select
@@ -234,7 +241,9 @@ before starting to add changes. Use example [placed in the end of the page](#exa
 - Security in case of vulnerabilities.
 ```
 
-[Unreleased]: https://github.com/OS2Forms/os2forms/compare/3.15.2...HEAD
+[Unreleased]: https://github.com/OS2Forms/os2forms/compare/3.15.4...HEAD
+[3.15.4]: https://github.com/OS2Forms/os2forms/compare/3.15.3...3.15.4
+[3.15.3]: https://github.com/OS2Forms/os2forms/compare/3.15.2...3.15.3
 [3.15.2]: https://github.com/OS2Forms/os2forms/compare/3.15.1...3.15.2
 [3.15.1]: https://github.com/OS2Forms/os2forms/compare/3.15.0...3.15.1
 [3.15.0]: https://github.com/OS2Forms/os2forms/compare/3.14.1...3.15.0
diff --git a/composer.json b/composer.json
@@ -104,7 +104,8 @@
                 "2733781 - Add Export to Word Support": "https://www.drupal.org/files/issues/2019-11-22/2733781-47.patch"
             },
             "drupal/webform": {
-                "Unlock possibility of using Entity print module export to Word": "https://www.drupal.org/files/issues/2020-02-29/3096552-6.patch"
+                "Unlock possibility of using Entity print module export to Word": "https://www.drupal.org/files/issues/2020-02-29/3096552-6.patch",
+                "Webform computed element post save alter": "https://www.drupal.org/files/issues/2024-06-25/webform_computed_post_save_field_alter.patch"
             },
             "drupal/user_default_page": {
                 "Warning: in_array() expects parameter 2 to be array, null given in user_default_page_user_logout() (https://www.drupal.org/node/3246986)": "https://www.drupal.org/files/issues/2021-11-01/user_default_page-3246986-2.patch"
diff --git a/modules/os2forms_encrypt/README.md b/modules/os2forms_encrypt/README.md
@@ -0,0 +1,33 @@
+# OS2Forms Encrypt module
+
+This module extends and modifies upon [Webform Encrypt](https://www.drupal.org/project/webform_encrypt)
+to provide encryption of webform element values in the database.
+
+## Modifications from the base Webform Encrypt module
+
+### Encryption time
+
+Any computed elements, e.g. Computed Twig, may cause issues as
+their values are attempted computed after encryption. If any calculations
+are done this could result in runtime TypeErrors.
+
+This is handled by modifying the time at which decryption is made, in
+`WebformOs2FormsEncryptSubmissionStorage`.
+
+### Permissions
+
+The Webform Encrypt module introduces a `view encrypted values` permission.
+This permission should be granted to roles that need to view encrypted values.
+
+**Note**, that in Drupal 9 and newer drush commands are ran as an
+anonymous user. This means the anonymous user needs this permission, if
+at any point they need values from submissions to do their job.
+
+### Configurable per element
+
+The Webform Encrypt module allows configuration on element level. That is,
+webform builders can actively enable and disable for each element.
+
+We want all elements to be encrypted whenever encryption is enabled.
+This is done by `os2forms_encrypt_webform_presave` and `os2forms_encrypt_form_alter` in
+`os2forms_encrypt.module`.
diff --git a/modules/os2forms_encrypt/os2forms_encrypt.module b/modules/os2forms_encrypt/os2forms_encrypt.module
@@ -5,22 +5,8 @@
  * This module enabled webform submission encryption as a default option.
  */
 
-/**
- * Implements hook_webform_element_info_alter().
- *
- * Add extra processing function to "force" enabled encryption on webform
- * elements when they are being saved in the UI.
- */
-function os2forms_encrypt_element_info_alter(array &$definitions): void {
-  foreach ($definitions as $element_id => &$definition) {
-    if ($element_id === 'webform_element_encrypt') {
-      $definition['#process'][] = [
-        'Drupal\os2forms_encrypt\Element\WebformElementEncrypt',
-        'processWebformElementEncrypt',
-      ];
-    }
-  }
-}
+use Drupal\Core\Form\FormStateInterface;
+use Drupal\webform\WebformInterface;
 
 /**
  * Implements hook_entity_type_alter().
@@ -33,3 +19,42 @@ function os2forms_encrypt_entity_type_alter(array &$entity_types): void {
     $entity_types['webform_submission']->setStorageClass('Drupal\os2forms_encrypt\WebformOs2FormsEncryptSubmissionStorage');
   }
 }
+
+/**
+ * Implements hook_webform_computed_post_save_field_alter().
+ *
+ * Ensure encryption of computed element values.
+ */
+function os2forms_encrypt_webform_computed_post_save_field_alter(array &$fields): void {
+  /** @var \Drupal\os2forms_encrypt\Helper\Os2FormsEncryptor $os2formsEncryptor */
+  $os2formsEncryptor = \Drupal::service('os2forms_encrypt.encryptor');
+
+  $fields['value'] = $os2formsEncryptor->encryptValue($fields['value'], $fields['name'], $fields['webform_id']);
+}
+
+/**
+ * Implements hook_webform_presave().
+ *
+ * Enable encryption on all webform elements, whenever saved.
+ */
+function os2forms_encrypt_webform_presave(WebformInterface $entity): void {
+  /** @var \Drupal\os2forms_encrypt\Helper\Os2FormsEncryptor $os2formsEncryptor */
+  $os2formsEncryptor = Drupal::service('os2forms_encrypt.encryptor');
+
+  $os2formsEncryptor->enableEncryption($entity);
+}
+
+/**
+ * Implements hook_form_alter().
+ *
+ * Removes 'element_encrypt' element from element forms.
+ *
+ * The hook_webform_presave method ensures all elements are
+ * configured to be encrypted, making this element redundant.
+ */
+function os2forms_encrypt_form_alter(array &$form, FormStateInterface $form_state, string $form_id) {
+  /** @var \Drupal\os2forms_encrypt\Helper\FormHelper $formHelper */
+  $formHelper = Drupal::service('os2forms_encrypt.form_helper');
+
+  $formHelper->formAlter($form, $form_state, $form_id);
+}
diff --git a/modules/os2forms_encrypt/os2forms_encrypt.services.yml b/modules/os2forms_encrypt/os2forms_encrypt.services.yml
@@ -0,0 +1,11 @@
+services:
+  os2forms_encrypt.encryptor:
+    class: Drupal\os2forms_encrypt\Helper\Os2FormsEncryptor
+    arguments: ['@encryption', '@entity_type.manager', '@config.factory']
+
+  os2forms_encrypt.form_helper:
+    class: Drupal\os2forms_encrypt\Helper\FormHelper
+
+  os2forms_encrypt.settings_form:
+    class: Drupal\os2forms_encrypt\Form\SettingsForm
+    arguments: ['@config.factory', '@encrypt.encryption_profile.manager']
diff --git a/modules/os2forms_encrypt/src/Commands/Os2FormsEncryptCommands.php b/modules/os2forms_encrypt/src/Commands/Os2FormsEncryptCommands.php
@@ -56,6 +56,8 @@ public function enabledEncrypt(): void {
       return;
     }
 
+    $defaultEncryptionProfile = $config->get('default_encryption_profile');
+
     // Get the storage for Webform entity type.
     $webformStorage = $this->entityTypeManager->getStorage('webform');
 
@@ -72,7 +74,7 @@ public function enabledEncrypt(): void {
         if (!isset($config['element'][$key])) {
           $config['element'][$key] = [
             'encrypt' => TRUE,
-            'encrypt_profile' => 'webform',
+            'encrypt_profile' => $defaultEncryptionProfile,
           ];
           $changed = TRUE;
         }
diff --git a/modules/os2forms_encrypt/src/Form/SettingsForm.php b/modules/os2forms_encrypt/src/Form/SettingsForm.php
@@ -2,9 +2,12 @@
 
 namespace Drupal\os2forms_encrypt\Form;
 
+use Drupal\Core\Config\ConfigFactoryInterface;
 use Drupal\Core\Form\ConfigFormBase;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Link;
+use Drupal\encrypt\EncryptionProfileManager;
+use Symfony\Component\DependencyInjection\ContainerInterface;
 
 /**
  * Class SettingsForm.
@@ -20,6 +23,28 @@ class SettingsForm extends ConfigFormBase {
    */
   public static string $configName = 'os2forms_encrypt.settings';
 
+  /**
+   * The config factory.
+   *
+   * @var \Drupal\encrypt\EncryptionProfileManager
+   */
+  private EncryptionProfileManager $encryptionProfileManager;
+
+  public function __construct(ConfigFactoryInterface $config_factory, EncryptionProfileManager $encryptionProfileManager) {
+    parent::__construct($config_factory);
+    $this->encryptionProfileManager = $encryptionProfileManager;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function create(ContainerInterface $container) {
+    return new static(
+      $container->get('config.factory'),
+      $container->get('encrypt.encryption_profile.manager')
+    );
+  }
+
   /**
    * {@inheritdoc}
    */
@@ -58,6 +83,21 @@ public function buildForm(array $form, FormStateInterface $form_state): array {
       '#default_value' => $config->get('enabled'),
     ];
 
+    $encryptionOptions = $this->encryptionProfileManager->getEncryptionProfileNamesAsOptions();
+
+    $form['default_encryption_profile'] = [
+      '#type' => 'select',
+      '#title' => $this->t('Default encryption profile'),
+      '#description' => $this->t('Upon saving webforms, elements that are not configured to be encrypted will be configured to encrypted with the selected encryption profile. The os2forms-encrypt:enable command will also use the default encryption profile.'),
+      '#options' => $encryptionOptions,
+      '#default_value' => $config->get('default_encryption_profile'),
+      '#states' => [
+        'visible' => [
+          ':input[name="enabled"]' => ['checked' => TRUE],
+        ],
+      ],
+    ];
+
     return parent::buildForm($form, $form_state);
   }
 
@@ -69,6 +109,7 @@ public function submitForm(array &$form, FormStateInterface $form_state): void {
 
     $this->config(self::$configName)
       ->set('enabled', $form_state->getValue('enabled'))
+      ->set('default_encryption_profile', $form_state->getValue('default_encryption_profile'))
       ->save();
   }
 
diff --git a/modules/os2forms_encrypt/src/Helper/FormHelper.php b/modules/os2forms_encrypt/src/Helper/FormHelper.php
@@ -0,0 +1,30 @@
+<?php
+
+namespace Drupal\os2forms_encrypt\Helper;
+
+use Drupal\Core\Form\FormStateInterface;
+
+/**
+ * Form helper class.
+ */
+class FormHelper {
+
+  /**
+   * Removes 'element_encrypt' element from element forms.
+   *
+   * @param array $form
+   *   The form.
+   * @param \Drupal\Core\Form\FormStateInterface $form_state
+   *   The form state.
+   * @param string $form_id
+   *   The form id.
+   */
+  public function formAlter(array &$form, FormStateInterface $form_state, string $form_id) {
+    if ('webform_ui_element_form' === $form_id) {
+      if (isset($form['element_encrypt'])) {
+        $form['element_encrypt']['#access'] = FALSE;
+      }
+    }
+  }
+
+}
diff --git a/modules/os2forms_encrypt/src/Helper/Os2FormsEncryptor.php b/modules/os2forms_encrypt/src/Helper/Os2FormsEncryptor.php
@@ -0,0 +1,106 @@
+<?php
+
+namespace Drupal\os2forms_encrypt\Helper;
+
+use Drupal\Core\Config\ConfigFactoryInterface;
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\encrypt\EncryptServiceInterface;
+use Drupal\encrypt\Entity\EncryptionProfile;
+use Drupal\os2forms_encrypt\Form\SettingsForm;
+use Drupal\webform\Entity\Webform;
+use Drupal\webform\WebformInterface;
+
+/**
+ * The Os2FormsEncryptor class.
+ */
+class Os2FormsEncryptor {
+
+  /**
+   * The encryption Service.
+   *
+   * @var \Drupal\encrypt\EncryptServiceInterface
+   */
+  private EncryptServiceInterface $encryptionService;
+
+  /**
+   * The entity type manager.
+   *
+   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
+   */
+  private EntityTypeManagerInterface $entityTypeManager;
+
+  /**
+   * The config factory.
+   *
+   * @var \Drupal\Core\Config\ConfigFactoryInterface
+   */
+  private ConfigFactoryInterface $configFactory;
+
+  public function __construct(EncryptServiceInterface $encryptService, EntityTypeManagerInterface $entityTypeManager, ConfigFactoryInterface $configFactory) {
+    $this->encryptionService = $encryptService;
+    $this->entityTypeManager = $entityTypeManager;
+    $this->configFactory = $configFactory;
+  }
+
+  /**
+   * Encrypts value if element is configured to be encrypted.
+   *
+   * @param string $value
+   *   The value that should be encrypted.
+   * @param string $element
+   *   The element.
+   * @param string $webformId
+   *   The webform id.
+   *
+   * @return string
+   *   The resulting value.
+   */
+  public function encryptValue(string $value, string $element, string $webformId): string {
+    /** @var \Drupal\webform\WebformInterface $webform */
+    $webform = $this->entityTypeManager->getStorage('webform')->load($webformId);
+
+    $config = $webform->getThirdPartySetting('webform_encrypt', 'element');
+    $encryption_profile = isset($config[$element]) ? EncryptionProfile::load($config[$element]['encrypt_profile']) : FALSE;
+
+    if (!$encryption_profile) {
+      return $value;
+    }
+
+    $encrypted_data = [
+      'data' => base64_encode($this->encryptionService->encrypt($value, $encryption_profile)),
+      'encrypt_profile' => $encryption_profile->id(),
+    ];
+
+    return serialize($encrypted_data);
+  }
+
+  /**
+   * Enables encrypt on all elements of webform.
+   *
+   * @param \Drupal\webform\WebformInterface $webform
+   *   The webform.
+   */
+  public function enableEncryption(WebformInterface $webform): void {
+
+    // Check that encryption is enabled.
+    $config = $this->configFactory->get(SettingsForm::$configName);
+    if (!$config->get('enabled') || !$webform instanceof Webform) {
+      return;
+    }
+
+    // Check that there are any elements to enable encryption on.
+    $elements = $webform->getElementsDecoded();
+
+    if (empty($elements)) {
+      return;
+    }
+
+    $encryptedElements = array_map(static fn () => [
+      'encrypt' => TRUE,
+      'encrypt_profile' => $config->get('default_encryption_profile'),
+    ], $elements);
+
+    $webform->setThirdPartySetting('webform_encrypt', 'element', $encryptedElements);
+  }
+
+}
diff --git a/modules/os2forms_encrypt/src/WebformOs2FormsEncryptSubmissionStorage.php b/modules/os2forms_encrypt/src/WebformOs2FormsEncryptSubmissionStorage.php
