Allow wrapping job data serialization

[francislavoie]

• Laravel Version: 5.5-5.6
• PHP Version: 7.2
• Database Driver & Version: Redis

Description:

See: https://github.com/laravel/framework/blob/5.6/src/Illuminate/Queue/Queue.php#L128 https://github.com/laravel/framework/blob/5.6/src/Illuminate/Queue/Queue.php#L175 https://github.com/laravel/framework/blob/5.6/src/Illuminate/Queue/CallQueuedHandler.php#L42 https://github.com/laravel/framework/blob/5.6/src/Illuminate/Queue/CallQueuedHandler.php#L146

Because my Redis instances are hosted on less-secure servers than my application boxes, I need to be able to encrypt all the sensitive data that might be put into Redis. Currently there's no clear or easy way to extend this functionality transparently. I want to be able to plug in my own transformations at these points so I can control the data.

Any suggestions for doing this that I'm missing, or am I basically forced to fork Illuminate\Queue to do this?

[sisve]

There was once builtin functionality to, somewhat, encrypt the payload in the queue. That's why there's still a protected $encrypter; in the Queue class. This functionality has since been removed for unknown reasons.

Send a PR that adds encryption in an opt-in kind of way. It would probably just be done at the bottom of the createPayload method.

[francislavoie]

So that's the thing, I'd rather the implementation be more general than using Encrypter because I'm not using the built-in encryption, I'm using an HSM which has a different contract.

Thanks for pointing that out though, I might do that... but that might take too long for the PR to get into a build I can use (I rather stick with 5.5 because it's LTS) 🤷‍♂️

[francislavoie]

Huh, did a quick blame, and it seems that $encrypter was only ever used to encrypt closure jobs... that's weird. https://github.com/laravel/framework/blob/a32f8dadf2b36b3ee7549e0166d14cd465e89896/src/Illuminate/Queue/Queue.php#L157

[francislavoie]

I just realized something after doing some more digging on serialization in PHP. Apparently classes can implement the Serializable interface to override how serialization works for a particular model. I think that means I can add a trait to my jobs/events that will have them be encrypted/decrypted before serialization/deserialization. I'll try it out and report back on this issue. I think this could be something added to the queue documentation to note for anyone else who wants to protect their job data