Encrypt and decrypt password using PHP sodium

Encrypt password

<?php
/**
 * encrypt.php
 */
$masterKey = "canyouguess";
$passwordToEncrypt = "top-secret";

//ecncypt password
$code = encrypt($masterKey, $passwordToEncrypt);
echo "code: ", $code, "\n";

/**
 * @param $masterKey
 * @param $password
 * @return string
 * @throws SodiumException
 */
function encrypt($masterKey, $password)
{
    // Derive a subkey of the correct length for secretbox
    $key = sodium_crypto_generichash($masterKey, '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES
    );

    // Generate a random nonce
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

    // Encrypt
    $ciphertext = sodium_crypto_secretbox($password, $nonce, $key);

    // Prepend nonce for later decryption, and base64-encode the lot
    return base64_encode($nonce . $ciphertext);
}

In the directory of encrypt.php, run:

docker run -it --rm -v "$PWD":/usr/src -w /usr/src php:8.2-cli php encrypt.php

Output:

code: qKUilnBOnSPIOmKnwIoJAdOaC+9lhud/0eiTekLPokmuImFiRpuHvKG6AoUs7eT7fBY=

Decrypt code to get password

If do not have master key, there is no way to decrypt the code

<?php
/**
 * decrypt.php
 */

$masterKey = "canyouguess";
$code = "qKUilnBOnSPIOmKnwIoJAdOaC+9lhud/0eiTekLPokmuImFiRpuHvKG6AoUs7eT7fBY=";

//decrypt password using master key
$password = decrypt($masterKey, $code);
echo "password: ", $password, "\n";

/**
 * @param $masterKey
 * @param $code
 * @return string
 * @throws SodiumException
 */
function decrypt($masterKey, $code)
{
    $raw = base64_decode($code, true);
    if ($raw === false) {
        throw new RuntimeException('Invalid base64');
    }

    // same derived subkey
    $key = sodium_crypto_generichash($masterKey, '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES
    );

    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) < $nonceLen) {
        throw new RuntimeException('Ciphertext too short');
    }

    // extract nonce and ciphertext
    $nonce = mb_substr($raw, 0, $nonceLen, '8bit');
    $ciphertext = mb_substr($raw, $nonceLen, null, '8bit');

    // decrypt & verify
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        throw new RuntimeException('Decryption failed or message forged');
    }

    return $plaintext;
}

In the same directory of decrypt.php, run:

docker run -it --rm -v "$PWD":/usr/src -w /usr/src php:8.2-cli php decrypt.php

Output:

password: top-secret

Import and export in AWS CloudFormation

 
- ContainerName: !Sub "${AWS::StackName}"
  ContainerPort: 80
  TargetGroupArn: { "Fn::ImportValue" : { "Fn::Join" : [ "-", [ { "Ref" : "EnvironmentType" }, "leo-elb-elb-target-group"]] }}

If EnvironmentType is sandbox, we are importing sandbox-leo-elb-elb-target-group as TargetGroupArn

# part of codes from stack sandbox-leo-elb
# export a resource called leo-elb-elb-target-group
# click Outputs tab in AWS console for this stack. Also see Export Name: leo-elb-elb-target-group
Outputs:
  ELBTargetGroupHTTP:
    Description: The target group
    Value: !Ref ELBTargetGroup
    Export:
      Name: !Sub "${AWS::StackName}-elb-target-group"

Git cherry pick

how to cherry pick codes from development to staging

1. need to find commit hash using git log
2. git checkout release/1-staging
3. git checkout -b feature/SMP-7777
4. git cherry-pick hash
5. git push --set-upstream origin feature/SMP-7777
6. create code review

If pick mutiple commits, start cherry pick from old one.

//example
git checkout master

git checkout -b feature/my-4247-hot-fix

git cherry-pick cd5861fb4c098855fe99b1eb74790874c6be4570 22dfcc0dd6064029da786637e3ceb3b5b5d00719

git push -u origin feature/my-4247-hot-fix

If deploy process stuck because of AWS stack update

If AWS stack update is stuck, and deploy process will not be completed.

• cancel Jenkin release process
• go to AWS cloudformation. go to Stack Action. click Cancel update stack from drop down.
• wait for update_rollback_complete state

AWS Lambda

To access AWS Cloudwatch Logs for Lambda function

1. Click Monitor tab
2. Click view CloudWatch Logs link

Use environment variable in node.js

//here SHARED_MS_BUCKET is env variable name
Bucket: process.env.SHARED_MS_BUCKET

Edit host file for Window 11 WSL (Windows Subsystem for Linux)

You need to edit the following file using notepad and run as admin

 C:\Windows\System32\drivers\etc\hosts

If you edit subsystem linux's /etc/hosts, it will not affect browser such as Google Chrome

Access two github accounts in one linux machine

Assume you already can access your person github repositories using public key id_rsa.pub

1. Create another ssh private / public key pair

   # file name: ~/.ssh/id_rsa2
    ssh-keygen

2. upload public key to your company's github
3. create a ssh config at .ssh/config

   Host github.com
     HostName github.com
     User git
     IdentityFile ~/.ssh/id_rsa
     AddKeysToAgent yes
     ServerAliveInterval 60
     ServerAliveCountMax 30
   
   # Work GitHub account
   Host github-work
     HostName github.com
     User git
     IdentityFile ~/.ssh/id_rsa2
     AddKeysToAgent yes
     ServerAliveInterval 60
     ServerAliveCountMax 30

4. clone work repository

   git clone git@github-work:mycompany/jackt.git

5. clone your person repository as normal because it will use the default ssh config

Access Mysql Database hosted on AWS EC2

To access the database, need to set up two things.

Step 1: add rule to the security group attached to the instance

1. Edit inbound rule of the security group
2. add a rule. Type: MYSQL/Aurora Soure: custom such as 137.229.127.0/24

Step 2: update privilidge of Mysql database

1. log into the database as root or admin

2. #works for mysql 5.7.8 and up. To change a user's ip
     RENAME USER 'teau'@'51.27.292.63' TO 'teau'@'125.256.111.%';
     # for new user, need to grant permission

3. FLUSH PRIVILEGES;

Trouble shooting

If do not do the step one, most likely will see a connection timeout

If do not do the second step, will see something like

[MySQL][ODBC 8.0(w) Driver]Host '*.*.***.**' is not allowed to connect to this MySQL server
Unable to connect to the MySQL server "***.***.**.**". Check that the server is running and that you have
access privileges to the requested database.

Some useful Mysql commands

select version();

select user, host from mysql.user;

SHOW GRANTS FOR 'leo'@'52.30.111.16';

Schedule post to an end point using Amazon EventBridge Rules

1. set up a SNS topic
2. Create a subscription for this SNS topic. Choose protocol https and enter end point such as

   https://paysomething.sandbox.mysite.io/v1/tasks/process

3. Go to Amazon EventBridge to create a rule
4. Make the above SNS topic as target of the rule, and type is Schedule

Work with AWS SQS

• create a rule to put content into sqs
• The above end point to read that sqs. That end point does different jobs according to subject of sqs

AWS WAF

Bock ips to elb

1. • Click IP set tab
   • Click Create IP set button
   • Given name, description and IP addresses
   • Click Create IP set button to save the IP set
2. • Click Web ACLs tab
   • Click Create Web ACL button
   • Follow steps to create web ACL. Add the above ip set rule and action is block
   • For Default web ACL action for requests that don't match any rules, choose allow
3. • Click Web ACLs tab agin. The newly created ACL should show up in the list
   • Click that ACL
   • Click Associate AWS resources tab
   • Click Add AWS resource button
   • Select the ebl and assoicate it to this Web ACL
4. Test it using your own ip
5. Go back to that Web ACL home page to check traffic log

Add Custom Http Header

Using curl

curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'cookiename: blue',
    'X-Apple-Store-Front: 143444,12'
]);

Google Chrome

Use ModHeader extension

Postman

Click Headers tab to add custom header

PHP Propel

fake option for migration

docker-compose run --rm -w /var/src/Propel api ./../vendor/bin/propel migrate --fake

it doesn't actually run the migrations, but it marks them as having been completed. It will add versions in propel_migration table.

Public key and private key

Mainly there are two use cases.

1. encrypte message using public key. Then decrypt message using private key
2. digitally sign message using private key. Then verify signature using public key

Here is example for use case 2. Use SSH public key and private key to do authentication for github after you upload your public key onto github server

1. You initiate an SSH connection to the server
2. The server chooses a random challenge (a nonce or session identifier) and sends it to you
3. Your SSH client uses your private key to compute a digital signature over that challenge
4. You send the signature back to the server
5. The server uses your stored public key to verify the signature
6. If verification succeeds, only someone with the private key could have produced it
7. You’re granted access; if it fails, you’re rejected

Another example for use case 2 is bitcoin transaction

1. Ower uses private key to sign the transaction
2. The signature is verfied by others using public key (the btc address comes from public key)

AWS policy to restrict ips to AWS Gateway API

Here is a sample policy. Only ips in the list will allow to call that API

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "223.333.923.28/32",
                        "162.222.229.139/32"
                    ]
                }
            },
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:us-west-1:112334444444:1wertttt/*/POST/v1/bill",
                "arn:aws:execute-api:us-west-1:112334444444:1wertttt/*/GET/vi/bill/*"
            ],
            "Effect": "Allow"
        }
    ]
}

docker container run breakdown

Here is a command to run php 8 in a host machine which only has php 7 installed

docker run --rm --volume `pwd`:/var/src/ -w /var/src php:8.0.26-cli-alpine3.16  php ./bin/swagger_gen.php ./rest/swagger/v1/

Breakdown

• --rm Automatically remove the container and its associated anonymous volumes when it exits

• --volume `pwd`:/var/src/ Bind mount a volume (docker run --volume host-path:container-path

• pwd present working directory of your host machine

• -w Working directory inside the container

Indirect modification of overloaded property has no effect

<?php
error_reporting(E_ALL);

class PropertyTest
{
    /**  Location for overloaded data.  */
    private $data = array();


    public function __set($name, $value)
    {
        $this->data[$name] = $value;
    }

    public function __get($name)
    {
        if (array_key_exists($name, $this->data)) {
            return $this->data[$name];
        } else {
            throw new Exception($name . " not found");
        }
    }
}

$obj = new PropertyTest();
$obj->goods = ["a", "b"];

//the line below will throw notice
//Indirect modification of overloaded property PropertyTest::$goods has no effect
$obj->goods[] = "c";

//still got ["a", "b"]
var_dump($obj->goods);

To fix the error, replace the last two lines of codes with the below.

$obj->goods= array_merge($obj->goods, ['c']);

//got ["a", "b", "c"]
var_dump($obj->goods);

Here is another example

$obj = new PropertyTest();
$obj->test=["a"=>2];
var_dump($obj->test);
//will throw the notice and will not change value
$obj->test['a'] =3;
//the result is the same as what we get from the last dump
var_dump($obj->test);

To make it work as expected

$obj = new PropertyTest();
$obj->test=["a"=>2];
var_dump($obj->test);

$ans = $obj->test;
$ans['a'] = 3;
$obj->test = $ans;
var_dump($obj->test)

How to release PHP package from github

Create tag and release the tag.

How to list and create a tag

Steps to make a release

Assume release version 2.0.1

1. Check out the desired branch and create a tag v2.0.1 in local.

   git tag -a v2.0.1 -m "create tag message"

2. push tag.

   git push origin V2.0.1

3. go to github and view all tags
4. in the row of tag v2.0.1, click three dots
5. choose make a release, and give title v2.0.1
6. push release
7. Go to Packagist to confirm the release

PHP error report

find current error report level

Use error_reporting() with no parameters. It will return the current error level.

 //get current error level
if(!defined('STDOUT')) define('STDOUT', fopen('php://stdout', 'wb'));
fwrite(STDOUT, "\nerror level:" . var_export(error_reporting(), true) . "\n");

error level:30711 (the number 30711 is the magic number for the E_ALL error code.)

Settin error level for different env

//show all errors except e_notice and e_strict. It will show deprecated error
//this can be used in sandbox or local
error_reporting(E_ALL & ~E_STRICT & ~E_NOTICE);

//the following will not show depecated warning. This fits to production
error_reporting(E_ERROR | E_WARNING | E_PARSE);

Ethereum Blockchain Development

IDE

remix

Deploy a smart contract on Linea Sepolia testnet

• When compile, choose EVM to be london
• When deploy, choose envirnment to be "Injected Provider - MetaMask"
• One deployed contract

PHP Laravel

Using MySQL

#choose MySql and do not run migration when ask
laravel new example-app
   
# change .env with mysql user name and password

# run migration
php artisan migrate

Create a new table

To create new table and new model. Here we use task model as example.

# create a migration and a model class. migration script is in 
# this folder database/migrations
# model class is in this folder app/Models
php artisan make:model Task -m

The next step is to edit the migration script to add new columns

public function up(): void
    {
        Schema::create('tasks', function (Blueprint $table) {
            $table->id();
            $table->timestamps();
            $table->string("title");
            $table->text("description");
            $table->text("long_description")->nullable();
            $table->boolean("completed")->default(false);
        });
    }

The last step is run migration to create table tasks.

php artisan migrate

(optional) seed the table

To make seed work, need to HasFactory trait in model class

use Illuminate\Database\Eloquent\Factories\HasFactory;
class Payment extends Model
{
    use HasFactory;

    //
}

# create a factory
php artisan make:factory TaskFactory --model=Task

# seed database
php artisan db:seed

Start local server

# after run, go to http://localhost:8000
php artisan serve

Show route

 php artisan route:list

Start command line

php artisan tinker