def handle(self, *args, **options):
"""
handle method for command class.
"""
LOGGER.info('[Transcript credentials re-encryption] Process started.')
# Invalidate cached properties so that we get the latest keys
invalidate_fernet_cached_properties(TranscriptCredentials,
['api_key', 'api_secret'])
try:
with transaction.atomic():
# Call save on each credentials record so that re-encryption can be be performed on fernet fields.
for transcript_credential in TranscriptCredentials.objects.all(
):
transcript_credential.save()
LOGGER.info(
'[Transcript credentials re-encryption] Process completed.')
except InvalidToken:
LOGGER.exception(
'[Transcript credentials re-encryption] No valid fernet key present to decrypt. Process halted.'
)
def tearDown(self):
"""
Test teardown.
"""
# Invalidate here so that every new test would have FERNET KEYS from tests.py initially.
invalidate_fernet_cached_properties(TranscriptCredentials,
['api_key', 'api_secret'])
def test_invalidate_fernet_cached_properties(self):
"""
Tests that fernet field properties are properly invalidated.
"""
def verify_model_field_keys(model, field_name, expected_keys_list):
"""
Verifies cached property keys has expected keys list.
"""
field = model._meta.get_field(field_name)
# Verify keys are properly set and fetched.
self.assertEqual(field.keys, expected_keys_list)
self.assertEqual(settings.FERNET_KEYS, OLD_FERNET_KEYS_LIST)
verify_model_field_keys(TranscriptCredentials, 'api_key',
OLD_FERNET_KEYS_LIST)
# Invalidate cached properties.
utils.invalidate_fernet_cached_properties(TranscriptCredentials,
['api_key'])
# Prepend a new key.
new_keys_set = ['new-fernet-key'] + settings.FERNET_KEYS
with override_settings(FERNET_KEYS=new_keys_set):
self.assertEqual(settings.FERNET_KEYS, new_keys_set)
verify_model_field_keys(TranscriptCredentials, 'api_key',
new_keys_set)
def test_decrypt_different_key_set(self):
"""
Tests decryption with different fernet key set. Note that now we don't have the old fernet key with which
value was encrypted so we would not be able to decrypt it and we should get an Invalid Token.
"""
old_keys_set = ['test-ferent-key']
self.assertEqual(settings.FERNET_KEYS, old_keys_set)
new_keys_set = ['new-fernet-key']
# Invalidate cached properties so that we get the latest keys
invalidate_fernet_cached_properties(TranscriptCredentials,
['api_key', 'api_secret'])
with override_settings(FERNET_KEYS=new_keys_set):
self.assertEqual(settings.FERNET_KEYS, new_keys_set)
with self.assertRaises(InvalidToken):
TranscriptCredentials.objects.get(
org=self.credentials_data['org'],
provider=self.credentials_data['provider'])
def test_decrypt_different_key(self):
"""
Tests decryption with one more key pre-pended. Note that we still have the old key with which value was
encrypted so we should be able to decrypt it again.
"""
old_keys_set = ['test-ferent-key']
self.assertEqual(settings.FERNET_KEYS, old_keys_set)
new_keys_set = ['new-fernet-key'] + settings.FERNET_KEYS
# Invalidate cached properties so that we get the latest keys
invalidate_fernet_cached_properties(TranscriptCredentials,
['api_key', 'api_secret'])
with override_settings(FERNET_KEYS=new_keys_set):
self.assertEqual(settings.FERNET_KEYS, new_keys_set)
transcript_credentials = TranscriptCredentials.objects.get(
org=self.credentials_data['org'],
provider=self.credentials_data['provider'])
self.assertEqual(transcript_credentials.api_key,
self.credentials_data['api_key'])
self.assertEqual(transcript_credentials.api_secret,
self.credentials_data['api_secret'])
