feat[internal-api-php-client]: Unify JobObjectEncryptor with the one in docker-bundle

pepamartinec · pepamartinec · commit 84e9acada7ed · 2025-03-10T11:14:20.000+01:00
diff --git a/src/JobFactory/JobObjectEncryptor.php b/src/JobFactory/JobObjectEncryptor.php
@@ -4,27 +4,40 @@
 
 namespace Keboola\JobQueueInternalClient\JobFactory;
 
+use InvalidArgumentException;
 use Keboola\ObjectEncryptor\ObjectEncryptor;
 use Keboola\PermissionChecker\BranchType;
 use stdClass;
 
 class JobObjectEncryptor
 {
-    private ObjectEncryptor $objectEncryptor;
+    private const PROTECTED_DEFAULT_BRANCH_FEATURE = 'protected-default-branch';
 
-    public function __construct(ObjectEncryptor $objectEncryptor)
-    {
-        $this->objectEncryptor = $objectEncryptor;
+    public function __construct(
+        private readonly ObjectEncryptor $objectEncryptor,
+    ) {
     }
 
     /**
      * @template T of string|array|stdClass
      * @param T $data
      * @return T
      */
-    public function encrypt($data, string $componentId, string $projectId, ?BranchType $branchType)
-    {
-        if ($branchType !== null) {
+    public function encrypt(
+        string|array|stdClass $data,
+        string $componentId,
+        string $projectId,
+        ?BranchType $branchType,
+        array $projectFeatures,
+    ): string|array|stdClass {
+        $hasProtectedDefaultBranch = in_array(self::PROTECTED_DEFAULT_BRANCH_FEATURE, $projectFeatures, true);
+        if ($hasProtectedDefaultBranch && $branchType === null) {
+            throw new InvalidArgumentException(
+                'Protected default branch feature is enabled, but branch type is not set.',
+            );
+        }
+
+        if ($hasProtectedDefaultBranch) {
             return $this->objectEncryptor->encryptForBranchType(
                 $data,
                 $componentId,
@@ -45,8 +58,13 @@ public function encrypt($data, string $componentId, string $projectId, ?BranchTy
      * @param T $data
      * @return T
      */
-    public function decrypt($data, string $componentId, string $projectId, ?string $configId, BranchType $branchType)
-    {
+    public function decrypt(
+        string|array|stdClass $data,
+        string $componentId,
+        string $projectId,
+        ?string $configId,
+        BranchType $branchType,
+    ): string|array|stdClass {
         /* When configId is null, the decryptForBranchType has to be used, because configId is required parameter.
             This is what drives the logic here, not the contents of the cipher! The contents of any cipher can be
             decrypted with decryptForBranchTypeConfiguration which encapsulates all wrappers that might come in use
diff --git a/src/NewJobFactory.php b/src/NewJobFactory.php
@@ -91,21 +91,13 @@ public function createNewJob(array $data): JobInterface
         ];
         $jobData = $this->jobRuntimeResolver->resolveJobData($jobData, $tokenInfo);
 
-        if (in_array(self::PROTECTED_DEFAULT_BRANCH_FEATURE, $tokenInfo['owner']['features'])) {
-            $data = $this->objectEncryptor->encrypt(
-                $jobData,
-                (string) $data['componentId'],
-                (string) $tokenInfo['owner']['id'],
-                BranchType::from($jobData['branchType']),
-            );
-        } else {
-            $data = $this->objectEncryptor->encrypt(
-                $jobData,
-                (string) $data['componentId'],
-                (string) $tokenInfo['owner']['id'],
-                null,
-            );
-        }
+        $data = $this->objectEncryptor->encrypt(
+            $jobData,
+            (string) $data['componentId'],
+            (string) $tokenInfo['owner']['id'],
+            BranchType::from($jobData['branchType']),
+            $tokenInfo['owner']['features'],
+        );
 
         $data = $this->validateJobData($data, FullJobDefinition::class);
         return new Job($this->objectEncryptor, $this->storageClientFactory, $data);
diff --git a/tests/ObjectEncryptor/JobObjectEncryptorTest.php b/tests/ObjectEncryptor/JobObjectEncryptorTest.php
@@ -4,14 +4,15 @@
 
 namespace Keboola\JobQueueInternalClient\Tests\ObjectEncryptor;
 
+use InvalidArgumentException;
 use Keboola\JobQueueInternalClient\JobFactory\JobObjectEncryptor;
 use Keboola\ObjectEncryptor\ObjectEncryptor;
 use Keboola\PermissionChecker\BranchType;
 use PHPUnit\Framework\TestCase;
 
 class JobObjectEncryptorTest extends TestCase
 {
-    public function testEncryptWithoutBranch(): void
+    public function testEncryptWithoutBranchAndNoProtectedFeature(): void
     {
         $internalEncryptor = $this->createMock(ObjectEncryptor::class);
         $internalEncryptor->expects(self::once())
@@ -21,12 +22,45 @@ public function testEncryptWithoutBranch(): void
         ;
 
         $encryptor = new JobObjectEncryptor($internalEncryptor);
-        $result = $encryptor->encrypt('data', 'componentId', 'projectId', null);
+        $result = $encryptor->encrypt('data', 'componentId', 'projectId', null, []);
 
         self::assertSame('encryptedData', $result);
     }
 
-    public function testEncryptWithBranch(): void
+    public function testEncryptWithBranchAndNoProtectedFeature(): void
+    {
+        $internalEncryptor = $this->createMock(ObjectEncryptor::class);
+        $internalEncryptor->expects(self::once())
+            ->method('encryptForProject')
+            ->with('data', 'componentId', 'projectId')
+            ->willReturn('encryptedData')
+        ;
+
+        $encryptor = new JobObjectEncryptor($internalEncryptor);
+        $result = $encryptor->encrypt('data', 'componentId', 'projectId', BranchType::DEFAULT, []);
+
+        self::assertSame('encryptedData', $result);
+    }
+
+    public function testEncryptWithProtectedDefaultBranchFeatureAndNoBranch(): void
+    {
+        $internalEncryptor = $this->createMock(ObjectEncryptor::class);
+        $internalEncryptor->expects(self::never())
+            ->method('encryptForProject')
+        ;
+        $internalEncryptor->expects(self::never())
+            ->method('encryptForBranchType')
+        ;
+
+        $encryptor = new JobObjectEncryptor($internalEncryptor);
+
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('Protected default branch feature is enabled, but branch type is not set.');
+
+        $encryptor->encrypt('data', 'componentId', 'projectId', null, ['protected-default-branch']);
+    }
+
+    public function testEncryptWithProtectedDefaultBranchFeatureAndBranch(): void
     {
         $internalEncryptor = $this->createMock(ObjectEncryptor::class);
         $internalEncryptor->expects(self::once())
@@ -36,7 +70,13 @@ public function testEncryptWithBranch(): void
         ;
 
         $encryptor = new JobObjectEncryptor($internalEncryptor);
-        $result = $encryptor->encrypt('data', 'componentId', 'projectId', BranchType::DEFAULT);
+        $result = $encryptor->encrypt(
+            'data',
+            'componentId',
+            'projectId',
+            BranchType::DEFAULT,
+            ['protected-default-branch'],
+        );
 
         self::assertSame('encryptedData', $result);
     }
