Create encryption field map

GromNaN · GromNaN · commit 4f34c7048f91 · 2025-04-28T22:08:48.000+02:00
diff --git a/lib/Doctrine/ODM/MongoDB/Mapping/Annotations/Encrypt.php b/lib/Doctrine/ODM/MongoDB/Mapping/Annotations/Encrypt.php
@@ -6,29 +6,34 @@
 
 use Attribute;
 use Doctrine\Common\Annotations\Annotation\NamedArgumentConstructor;
+use InvalidArgumentException;
 use MongoDB\BSON\Type;
 use MongoDB\Driver\ClientEncryption;
 
+use function in_array;
+
 /**
- * Defines an index on a field
+ * Defines an encrypted field mapping.
+ *
+ * @see https://www.mongodb.com/docs/manual/core/queryable-encryption/fundamentals/encrypt-and-query/#configure-encrypted-fields-for-optimal-search-and-storage
  *
  * @Annotation
  * @NamedArgumentConstructor
  */
 #[Attribute(Attribute::TARGET_PROPERTY)]
-final class Encrypt
+final class Encrypt implements Annotation
 {
+    public const QUERY_TYPE_EQUALITY = ClientEncryption::QUERY_TYPE_EQUALITY;
+    public const QUERY_TYPE_RANGE    = ClientEncryption::QUERY_TYPE_RANGE;
+
     /**
-     * @link https://www.mongodb.com/docs/manual/core/queryable-encryption/fundamentals/encrypt-and-query/#configure-encrypted-fields-for-optimal-search-and-storage
-     *
-     * @param ClientEncryption::QUERY_TYPE_* $queryType
-     * @param int<1, 4>|null                 $sparsity
-     * @param positive-int|null              $prevision
-     * @param positive-int|null              $trimFactor
-     * @param positive-int|null              $contention
+     * @param self::QUERY_TYPE_*|null $queryType  Set the query type for the field, null if not queryable.
+     * @param int<1, 4>|null          $sparsity
+     * @param positive-int|null       $prevision
+     * @param positive-int|null       $trimFactor
+     * @param positive-int|null       $contention
      */
     public function __construct(
-        public ?string $bsonType = null, // Should be extracted from the field type
         public ?string $queryType = null,
         public string|int|Type|null $min = null,
         public string|int|Type|null $max = null,
@@ -37,5 +42,8 @@ public function __construct(
         public ?int $trimFactor = null,
         public ?int $contention = null,
     ) {
+        if ($this->queryType && ! in_array($this->queryType, [self::QUERY_TYPE_EQUALITY, self::QUERY_TYPE_RANGE], true)) {
+            throw new InvalidArgumentException('Invalid query type');
+        }
     }
 }
diff --git a/lib/Doctrine/ODM/MongoDB/Mapping/ClassMetadata.php b/lib/Doctrine/ODM/MongoDB/Mapping/ClassMetadata.php
@@ -107,6 +107,7 @@
  *      order?: int|string,
  *      background?: bool,
  *      enumType?: class-string<BackedEnum>,
+ *      encrypt?: array{queryType?: ?string, min?: mixed, max?: mixed, sparsity?: int<1, 4>, prevision?: int, trimFactor?: int, contention?: int}
  * }
  * @phpstan-type FieldMapping array{
  *      type: string,
@@ -153,6 +154,7 @@
  *      alsoLoadFields?: list<string>,
  *      enumType?: class-string<BackedEnum>,
  *      storeEmptyArray?: bool,
+ *      encrypt?: array{queryType?: ?string, min?: mixed, max?: mixed, sparsity?: int<1, 4>, prevision?: int, trimFactor?: int, contention?: int},
  * }
  * @phpstan-type AssociationFieldMapping array{
  *      type?: string,
diff --git a/lib/Doctrine/ODM/MongoDB/Mapping/Driver/AttributeDriver.php b/lib/Doctrine/ODM/MongoDB/Mapping/Driver/AttributeDriver.php
@@ -32,7 +32,7 @@
 use function trigger_deprecation;
 
 /**
- * The AtttributeDriver reads the mapping metadata from attributes.
+ * The AttributeDriver reads the mapping metadata from attributes.
  */
 class AttributeDriver implements MappingDriver
 {
@@ -264,6 +264,8 @@ public function loadMetadataForClass($className, PersistenceClassMetadata $metad
                     $mapping['version'] = true;
                 } elseif ($propertyAttribute instanceof ODM\Lock) {
                     $mapping['lock'] = true;
+                } elseif ($propertyAttribute instanceof ODM\Encrypt) {
+                    $mapping['encrypt'] = (array) $propertyAttribute;
                 }
             }
 
diff --git a/lib/Doctrine/ODM/MongoDB/Utility/EncryptionFieldMap.php b/lib/Doctrine/ODM/MongoDB/Utility/EncryptionFieldMap.php
@@ -0,0 +1,61 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Doctrine\ODM\MongoDB\Utility;
+
+use Doctrine\ODM\MongoDB\Mapping\ClassMetadataFactoryInterface;
+use Generator;
+
+use function array_filter;
+use function iterator_to_array;
+
+final class EncryptionFieldMap
+{
+    public function __construct(private ClassMetadataFactoryInterface $classMetadataFactory)
+    {
+    }
+
+    /**
+     * Generate the encryption field map from the class metadata.
+     *
+     * @param class-string $className
+     */
+    public function getEncryptionFieldMap(string $className): array
+    {
+        return iterator_to_array($this->createEncryptionFieldMap($className));
+    }
+
+    private function createEncryptionFieldMap(string $className, string $path = ''): Generator
+    {
+        $classMetadata = $this->classMetadataFactory->getMetadataFor($className);
+        foreach ($classMetadata->fieldMappings as $mapping) {
+            // Add fields recursively
+            if ($mapping['embedded'] ?? false) {
+                yield from $this->createEncryptionFieldMap($mapping['targetDocument'], $path . $mapping['name'] . '.');
+            }
+
+            if (! isset($mapping['encrypt'])) {
+                continue;
+            }
+
+            $field = [
+                'name' => $path . $mapping['name'],
+                'type' => match ($mapping['type']) {
+                    'one' => 'object',
+                    'many' => 'array',
+                    default => $mapping['type'],
+                },
+                // @todo allow setting a keyId in #[Encrypt] attribute
+                'keyId' => null, // Generate the key automatically
+            ];
+
+            // When queryType is null, the field is not queryable
+            if (isset($mapping['encrypt']['queryType'])) {
+                $field['queries'] = array_filter($mapping['encrypt'], static fn ($v) => $v !== null);
+            }
+
+            yield $field;
+        }
+    }
+}
diff --git a/tests/Doctrine/ODM/MongoDB/Tests/EncryptionTest.php b/tests/Doctrine/ODM/MongoDB/Tests/EncryptionTest.php
@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Doctrine\ODM\MongoDB\Tests;
+
+use Doctrine\ODM\MongoDB\Utility\EncryptionFieldMap;
+use Documents\Encryption\Patient;
+
+class EncryptionTest extends BaseTestCase
+{
+    public function testMetadataIsEncrypted(): void
+    {
+        $factory            = new EncryptionFieldMap($this->dm->getMetadataFactory());
+        $encryptedFieldsMap = $factory->getEncryptionFieldMap(Patient::class);
+
+        $expected = [
+            [
+                'name' => 'patientRecord.ssn',
+                'type' => 'string',
+                'keyId' => null,
+                'queries' => ['queryType' => 'equality'],
+            ],
+            [
+                'name' => 'patientRecord.billing',
+                'type' => 'object',
+                'keyId' => null,
+            ],
+            [
+                'name' => 'patientRecord.billingAmount',
+                'type' => 'int',
+                'keyId' => null,
+                'queries' => ['queryType' => 'range', 'min' => 100, 'max' => 2000, 'sparsity' => 1, 'trimFactor' => 4],
+            ],
+        ];
+
+        self::assertSame($expected, $encryptedFieldsMap);
+    }
+}
diff --git a/tests/Documents/Encryption/Patient.php b/tests/Documents/Encryption/Patient.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace Documents\Encrypted;
+namespace Documents\Encryption;
 
 use Doctrine\ODM\MongoDB\Mapping\Annotations as ODM;
 
diff --git a/tests/Documents/Encryption/PatientBilling.php b/tests/Documents/Encryption/PatientBilling.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace Documents\Encrypted;
+namespace Documents\Encryption;
 
 use Doctrine\ODM\MongoDB\Mapping\Annotations as ODM;
 use Doctrine\ODM\MongoDB\Mapping\Annotations\EmbeddedDocument;
diff --git a/tests/Documents/Encryption/PatientRecord.php b/tests/Documents/Encryption/PatientRecord.php
@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-namespace Documents\Encrypted;
+namespace Documents\Encryption;
 
 use Doctrine\ODM\MongoDB\Mapping\Annotations as ODM;
 use Doctrine\ODM\MongoDB\Mapping\Annotations\EmbeddedDocument;
@@ -14,13 +14,14 @@ class PatientRecord
     public ?string $id;
 
     #[ODM\Field]
-    #[ODM\Encrypt]
+    #[ODM\Encrypt(queryType: ODM\Encrypt::QUERY_TYPE_EQUALITY)]
     public string $ssn;
 
     #[ODM\EmbedOne(targetDocument: PatientBilling::class)]
     #[ODM\Encrypt]
     public PatientBilling $billing;
 
     #[ODM\Field]
+    #[ODM\Encrypt(queryType: ODM\Encrypt::QUERY_TYPE_RANGE, sparsity: 1, trimFactor: 4, min: 100, max: 2000)]
     public int $billingAmount;
 }

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@`
`32`	`32`	`use function trigger_deprecation;`
`33`	`33`
`34`	`34`	`/**`
`35`		`- * The AtttributeDriver reads the mapping metadata from attributes.`
	`35`	`+ * The AttributeDriver reads the mapping metadata from attributes.`
`36`	`36`	`*/`
`37`	`37`	`class AttributeDriver implements MappingDriver`
`38`	`38`	`{`
`@@ -264,6 +264,8 @@ public function loadMetadataForClass($className, PersistenceClassMetadata $metad`
`264`	`264`	`$mapping['version'] = true;`
`265`	`265`	`} elseif ($propertyAttribute instanceof ODM\Lock) {`
`266`	`266`	`$mapping['lock'] = true;`
	`267`	`+ } elseif ($propertyAttribute instanceof ODM\Encrypt) {`
	`268`	`+ $mapping['encrypt'] = (array) $propertyAttribute;`
`267`	`269`	`}`
`268`	`270`	`}`
`269`	`271`