示例#1
def test_secret(db, config, encrypt):
    """
    Round-trip a Secret through the database with ENCRYPT_SECRETS set to
    the value of the ``encrypt`` fixture.

    Checks that:
    * the stored ``_secret`` value differs from the plaintext when
      encryption is on, and equals it when encryption is off;
    * the ``secret`` property returns the original bytes after reload;
    * a unicode value assigned to ``secret`` reads back UTF-8 encoded.
    """
    config["ENCRYPT_SECRETS"] = encrypt
    plaintext = b"\xff\x00\xf1"
    text_value = u"foo\u00a0"

    record = Secret()
    record.type = "password"
    record.secret = plaintext

    db.session.add(record)
    db.session.commit()

    reloaded = db.session.query(Secret).get(record.id)

    # NOTE(review): "differs from the plaintext" only shows the stored
    # value was transformed; it does not prove which cipher or key was used.
    if not encrypt:
        assert reloaded._secret == plaintext
    else:
        assert reloaded._secret != plaintext, "secret is not encrypted"
    assert reloaded.secret == plaintext, "secret not decrypted correctly"

    # Text input is expected to come back as its UTF-8 byte encoding.
    reloaded.secret = text_value
    assert reloaded.secret == text_value.encode("utf8")
示例#2
def test_secret(db, config, encrypt):
    """
    Round-trip a Secret through the database with ENCRYPT_SECRETS set to
    the value of the ``encrypt`` fixture.

    Checks that:
    * the stored ``_secret`` value differs from the plaintext when
      encryption is on, and equals it when encryption is off;
    * the ``secret`` property returns the original bytes after reload;
    * assigning a unicode value to ``secret`` raises TypeError.
    """
    config['ENCRYPT_SECRETS'] = encrypt
    plaintext = b'\xff\x00\xf1'
    text_value = u'foo\u00a0'

    record = Secret()
    record.type = 'password'
    record.secret = plaintext

    db.session.add(record)
    db.session.commit()

    reloaded = db.session.query(Secret).get(record.id)

    # NOTE(review): "differs from the plaintext" only shows the stored
    # value was transformed; it does not prove which cipher or key was used.
    if not encrypt:
        assert reloaded._secret == plaintext
    else:
        assert reloaded._secret != plaintext, 'secret is not encrypted'
    assert reloaded.secret == plaintext, 'secret not decrypted correctly'

    # Only bytes are accepted; text must be rejected rather than encoded.
    with pytest.raises(TypeError) as excinfo:
        reloaded.secret = text_value

    assert excinfo.typename == 'TypeError', 'secret cannot be unicode'
def test_secret(db, config, encrypt):
    """
    Store a Secret, reload it, and verify how it is kept at rest.

    ``encrypt`` is written to ``config['ENCRYPT_SECRETS']`` before the
    Secret is created. With it on, the raw ``_secret`` value must not equal
    the plaintext; with it off, it must. In both cases the ``secret``
    property must return the original bytes, and assigning unicode to it
    must raise TypeError.
    """
    config['ENCRYPT_SECRETS'] = encrypt
    raw_bytes = b'\xff\x00\xf1'
    raw_text = u'foo\u00a0'

    created = Secret()
    created.type = 'password'
    created.secret = raw_bytes

    db.session.add(created)
    db.session.commit()

    fetched = db.session.query(Secret).get(created.id)

    # NOTE(review): inequality with the plaintext is a weak proxy for
    # "encrypted"; any transformation of the bytes would pass this check.
    if not encrypt:
        assert fetched._secret == raw_bytes
    else:
        assert fetched._secret != raw_bytes, 'secret is not encrypted'
    assert fetched.secret == raw_bytes, 'secret not decrypted correctly'

    # Text values must be refused, not silently encoded.
    with pytest.raises(TypeError) as raised:
        fetched.secret = raw_text

    assert raised.typename == 'TypeError', 'secret cannot be unicode'
示例#4
def test_secret(db, config):
    """
    Store a Secret, reload it, and verify how it is kept at rest.

    Checks that:
    * the raw ``_secret`` value differs from the plaintext;
    * the ``secret`` property returns the original bytes after reload;
    * assigning a unicode value to ``secret`` raises TypeError.
    """
    plaintext = b'\xff\x00\xf1'
    text_value = u'foo\u00a0'

    record = Secret()
    record.type = 'password'
    record.secret = plaintext

    db.session.add(record)
    db.session.commit()

    reloaded = db.session.query(Secret).get(record.id)

    # NOTE(review): inequality with the plaintext is a weak proxy for
    # "encrypted"; any transformation of the bytes would pass this check.
    assert reloaded._secret != plaintext, 'secret is not encrypted'
    assert reloaded.secret == plaintext, 'secret not decrypted correctly'

    # Only bytes are accepted; text must be rejected rather than encoded.
    with pytest.raises(TypeError) as excinfo:
        reloaded.secret = text_value

    assert excinfo.typename == 'TypeError', 'secret cannot be unicode'
示例#5
    def set_secret(self, secret_type, secret_value):
        # type: (SecretType, bytes) -> None
        """
        Store ``secret_value`` on this object's Secret.

        A new Secret is attached first when ``self.secret`` is falsy. The
        Secret's ``type`` is set from ``secret_type.value`` before the
        value itself is assigned.
        """
        if not self.secret:
            self.secret = Secret()

        holder = self.secret
        holder.type = secret_type.value
        holder.secret = secret_value
示例#6
 def imap_password(self, value):
     # type: (Union[str, bytes]) -> None
     """
     Validate ``value`` and store it as the IMAP password Secret.

     The value returned by ``self.valid_password`` is what gets stored. A
     new Secret is attached first when ``self.imap_secret`` is falsy.
     """
     validated = self.valid_password(value)  # type: bytes
     if not self.imap_secret:
         self.imap_secret = Secret()
     target = self.imap_secret
     target.secret = validated
     target.type = "password"
示例#7
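def upgrade():
    """
    Move EAS account passwords out of the ``easaccount.password`` column
    into ``Secret`` rows, then drop the ``password`` column.

    Does nothing when there is no ``easaccount`` table. Accounts whose
    password contains a NULL byte are skipped (only the account id is
    printed, never the password), so their password is lost when the
    column is dropped.
    """
    from inbox.ignition import main_engine
    engine = main_engine(pool_size=1, max_overflow=0)
    Base = sa.ext.declarative.declarative_base()
    Base.metadata.reflect(engine)
    from inbox.models.session import session_scope
    from inbox.models.secret import Secret

    if 'easaccount' in Base.metadata.tables:
        op.add_column('easaccount', sa.Column('password_id', sa.Integer()))

        # Reflect again now that the column exists. The first reflection
        # ran before add_column, so a class mapped to that table would not
        # map password_id and the assignment below would never be written.
        Base = sa.ext.declarative.declarative_base()
        Base.metadata.reflect(engine)

        class EASAccount(Base):
            __table__ = Base.metadata.tables['easaccount']

        with session_scope(ignore_soft_deletes=False, versioned=False) as \
                db_session:
            accounts = db_session.query(EASAccount).all()
            print '# EAS accounts: ', len(accounts)

            for a in accounts:
                value = a.password

                if isinstance(value, unicode):
                    value = value.encode('utf-8')

                if b'\x00' in value:
                    print 'Invalid password for account_id: {0}, skipping'.\
                        format(a.id)
                    continue

                secret = Secret()
                secret.secret = value
                secret.type = 'password'

                # Flush before reading secret.id: a database-generated key
                # is only available once the row has been inserted. Reading
                # it earlier would store None, and the column drop below
                # would then discard the only copy of the password.
                db_session.add(secret)
                db_session.flush()

                a.password_id = secret.id
                db_session.add(a)

                # NOTE(review): if a.password is unicode with non-ASCII
                # characters, comparing it to the encoded bytes is False on
                # Python 2 and this aborts the migration - confirm the
                # column type.
                assert a.password == value

            # Commit while the session is still in scope, and before the
            # source column is dropped.
            db_session.commit()

        op.drop_column('easaccount', 'password')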
示例#8
文件: oauth.py 项目: dlitz/inbox
    def refresh_token(self, value):
        """
        Validate ``value`` and persist it as a new Secret of type 'token',
        recording the new row's id in ``self.refresh_token_id``.

        Unicode input is encoded to UTF-8 first. Raises ValueError when the
        bytes are not valid UTF-8 or contain a NULL byte; the error message
        does not include the token.
        """
        token = value.encode('utf-8') if isinstance(value, unicode) else value

        # Decoding is done only to prove the bytes are well-formed UTF-8;
        # the decoded result is discarded.
        try:
            unicode(token, 'utf-8')
        except UnicodeDecodeError:
            raise ValueError('Invalid refresh_token')

        if b'\x00' in token:
            raise ValueError('Invalid refresh_token')

        #TODO[k]: Session should not be grabbed here
        with session_scope() as db_session:
            new_secret = Secret()
            new_secret.secret = token
            new_secret.type = 'token'

            db_session.add(new_secret)
            db_session.commit()

            # Read the id after the commit, inside the session scope.
            self.refresh_token_id = new_secret.id
示例#9
    def refresh_token(self, value):
        """
        Validate ``value`` and store it on ``self.refresh_token_secret`` as
        a Secret of type 'token', creating the Secret if none is attached.

        Unicode input is encoded to UTF-8 first. Raises ValueError when the
        bytes are not valid UTF-8 or contain a NULL byte; the error message
        does not include the token.
        """
        token = value.encode('utf-8') if isinstance(value, unicode) else value

        # Decoding is done only to prove the bytes are well-formed UTF-8;
        # the decoded result is discarded.
        try:
            unicode(token, 'utf-8')
        except UnicodeDecodeError:
            raise ValueError('Invalid refresh_token')

        if b'\x00' in token:
            raise ValueError('Invalid refresh_token')

        if not self.refresh_token_secret:
            self.refresh_token_secret = Secret()

        holder = self.refresh_token_secret
        holder.secret = token
        holder.type = 'token'
示例#10
    def set_secret(self, secret_type, secret_value):
        """
        Store ``secret_value`` on this object's Secret.

        A new Secret is attached first when ``self.secret`` is falsy. The
        Secret's ``type`` is set from ``secret_type.value`` before the
        value itself is assigned.
        """
        if not self.secret:
            self.secret = Secret()

        holder = self.secret
        holder.type = secret_type.value
        holder.secret = secret_value
示例#11
 def smtp_password(self, value):
     """
     Validate ``value`` and store it as the SMTP password Secret.

     The value returned by ``self.valid_password`` is what gets stored. A
     new Secret is attached first when ``self.smtp_secret`` is falsy.
     """
     validated = self.valid_password(value)
     if not self.smtp_secret:
         self.smtp_secret = Secret()
     target = self.smtp_secret
     target.secret = validated
     target.type = "password"
示例#12
 def imap_password(self, value):
     """
     Validate ``value`` and store it as the IMAP password Secret.

     The value returned by ``self.valid_password`` is what gets stored. A
     new Secret is attached first when ``self.imap_secret`` is falsy.
     """
     validated = self.valid_password(value)
     if not self.imap_secret:
         self.imap_secret = Secret()
     target = self.imap_secret
     target.secret = validated
     target.type = 'password'
示例#13
文件: vault.py 项目: rbs-pli/inbox
 def put(self, value, type=0, acl=0):
     """
     Persist ``value`` as a new Secret and return the new row's id.

     ``type`` is stored as the Secret's type and ``acl`` as its ``acl_id``;
     both default to 0. The row is committed before the id is returned.
     """
     with session_scope() as db_session:
         record = Secret(secret=value, type=type, acl_id=acl)
         db_session.add(record)
         db_session.commit()
         # Read the id inside the session scope, after the commit.
         return record.id