2021-09-30 14:27:19 +00:00
|
|
|
import base64
|
2023-07-18 04:55:25 +00:00
|
|
|
import json
|
|
|
|
|
from typing import Optional, Type
|
2022-05-06 13:38:10 +00:00
|
|
|
|
2022-05-06 13:55:52 +00:00
|
|
|
from cryptography.fernet import Fernet, MultiFernet, InvalidToken
|
2021-09-30 14:27:19 +00:00
|
|
|
from cryptography.hazmat.backends import default_backend
|
|
|
|
|
from cryptography.hazmat.primitives import hashes
|
|
|
|
|
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
|
2022-05-06 13:38:10 +00:00
|
|
|
from django.conf import settings
|
2022-05-06 23:23:24 +00:00
|
|
|
from django.core import validators
|
2023-07-18 04:55:25 +00:00
|
|
|
from django.core.serializers.json import DjangoJSONEncoder
|
2021-09-30 14:27:19 +00:00
|
|
|
from django.db import models
|
2022-05-06 23:23:24 +00:00
|
|
|
from django.db.backends.base.operations import BaseDatabaseOperations
|
2021-12-08 11:12:44 +00:00
|
|
|
from django.utils.functional import cached_property
|
2021-09-30 14:27:19 +00:00
|
|
|
|
|
|
|
|
class EncryptedFieldMixin(object):
|
2021-12-08 11:12:44 +00:00
|
|
|
@cached_property
|
|
|
|
|
def keys(self):
|
|
|
|
|
keys = []
|
2022-04-21 12:15:59 +00:00
|
|
|
salt_keys = (
|
|
|
|
|
settings.SALT_KEY
|
|
|
|
|
if isinstance(settings.SALT_KEY, list)
|
|
|
|
|
else [settings.SALT_KEY]
|
|
|
|
|
)
|
2021-12-08 11:12:44 +00:00
|
|
|
for salt_key in salt_keys:
|
2022-04-21 12:15:59 +00:00
|
|
|
salt = bytes(salt_key, "utf-8")
|
|
|
|
|
kdf = PBKDF2HMAC(
|
|
|
|
|
algorithm=hashes.SHA256(),
|
|
|
|
|
length=32,
|
|
|
|
|
salt=salt,
|
|
|
|
|
iterations=100000,
|
|
|
|
|
backend=default_backend(),
|
|
|
|
|
)
|
|
|
|
|
keys.append(
|
|
|
|
|
base64.urlsafe_b64encode(
|
|
|
|
|
kdf.derive(settings.SECRET_KEY.encode("utf-8"))
|
|
|
|
|
)
|
|
|
|
|
)
|
2021-12-08 11:12:44 +00:00
|
|
|
return keys
|
2021-09-30 14:27:19 +00:00
|
|
|
|
2021-12-08 11:12:44 +00:00
|
|
|
@cached_property
|
|
|
|
|
def f(self):
|
|
|
|
|
if len(self.keys) == 1:
|
|
|
|
|
return Fernet(self.keys[0])
|
|
|
|
|
return MultiFernet([Fernet(k) for k in self.keys])
|
2021-09-30 14:27:19 +00:00
|
|
|
|
|
|
|
|
def get_internal_type(self):
|
|
|
|
|
"""
|
|
|
|
|
To treat everything as text
|
|
|
|
|
"""
|
2022-04-21 12:15:59 +00:00
|
|
|
return "TextField"
|
2021-09-30 14:27:19 +00:00
|
|
|
|
|
|
|
|
def get_prep_value(self, value):
|
2022-05-06 13:55:52 +00:00
|
|
|
value = super().get_prep_value(value)
|
2021-09-30 14:27:19 +00:00
|
|
|
if value:
|
|
|
|
|
if not isinstance(value, str):
|
|
|
|
|
value = str(value)
|
2022-04-21 12:15:59 +00:00
|
|
|
return self.f.encrypt(bytes(value, "utf-8")).decode("utf-8")
|
2021-09-30 14:27:19 +00:00
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
def get_db_prep_value(self, value, connection, prepared=False):
|
|
|
|
|
if not prepared:
|
|
|
|
|
value = self.get_prep_value(value)
|
|
|
|
|
return value
|
|
|
|
|
|
|
|
|
|
def from_db_value(self, value, expression, connection):
|
|
|
|
|
return self.to_python(value)
|
|
|
|
|
|
|
|
|
|
def to_python(self, value):
|
2022-04-21 12:15:59 +00:00
|
|
|
if (
|
|
|
|
|
value is None
|
|
|
|
|
or not isinstance(value, str)
|
|
|
|
|
or hasattr(self, "_already_decrypted")
|
|
|
|
|
):
|
2021-09-30 14:27:19 +00:00
|
|
|
return value
|
2022-05-06 13:55:52 +00:00
|
|
|
try:
|
|
|
|
|
value = self.f.decrypt(bytes(value, "utf-8")).decode("utf-8")
|
|
|
|
|
except InvalidToken:
|
|
|
|
|
pass
|
|
|
|
|
except UnicodeEncodeError:
|
|
|
|
|
pass
|
2021-09-30 14:27:19 +00:00
|
|
|
return super(EncryptedFieldMixin, self).to_python(value)
|
|
|
|
|
|
2021-12-17 17:29:10 +00:00
|
|
|
def clean(self, value, model_instance):
|
|
|
|
|
"""
|
2022-04-21 12:15:59 +00:00
|
|
|
Create and assign a semaphore so that to_python method will not try to decrypt an already decrypted value
|
2021-12-17 17:29:10 +00:00
|
|
|
during cleaning of a form
|
|
|
|
|
"""
|
|
|
|
|
self._already_decrypted = True
|
|
|
|
|
ret = super().clean(value, model_instance)
|
|
|
|
|
del self._already_decrypted
|
|
|
|
|
return ret
|
|
|
|
|
|
2021-09-30 14:27:19 +00:00
|
|
|
|
|
|
|
|
class EncryptedCharField(EncryptedFieldMixin, models.CharField):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class EncryptedTextField(EncryptedFieldMixin, models.TextField):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class EncryptedDateTimeField(EncryptedFieldMixin, models.DateTimeField):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class EncryptedIntegerField(EncryptedFieldMixin, models.IntegerField):
|
2022-05-06 00:38:20 +00:00
|
|
|
@cached_property
|
|
|
|
|
def validators(self):
|
2022-05-06 23:23:24 +00:00
|
|
|
# These validators can't be added at field initialization time since
|
|
|
|
|
# they're based on values retrieved from `connection`.
|
|
|
|
|
validators_ = [*self.default_validators, *self._validators]
|
|
|
|
|
internal_type = models.IntegerField().get_internal_type()
|
|
|
|
|
min_value, max_value = BaseDatabaseOperations.integer_field_ranges[internal_type]
|
|
|
|
|
if min_value is not None and not any(
|
|
|
|
|
(
|
|
|
|
|
isinstance(validator, validators.MinValueValidator)
|
|
|
|
|
and (
|
|
|
|
|
validator.limit_value()
|
|
|
|
|
if callable(validator.limit_value)
|
|
|
|
|
else validator.limit_value
|
|
|
|
|
)
|
|
|
|
|
>= min_value
|
|
|
|
|
)
|
|
|
|
|
for validator in validators_
|
|
|
|
|
):
|
|
|
|
|
validators_.append(validators.MinValueValidator(min_value))
|
|
|
|
|
if max_value is not None and not any(
|
|
|
|
|
(
|
|
|
|
|
isinstance(validator, validators.MaxValueValidator)
|
|
|
|
|
and (
|
|
|
|
|
validator.limit_value()
|
|
|
|
|
if callable(validator.limit_value)
|
|
|
|
|
else validator.limit_value
|
|
|
|
|
)
|
|
|
|
|
<= max_value
|
|
|
|
|
)
|
|
|
|
|
for validator in validators_
|
|
|
|
|
):
|
|
|
|
|
validators_.append(validators.MaxValueValidator(max_value))
|
|
|
|
|
return validators_
|
2021-09-30 14:27:19 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class EncryptedDateField(EncryptedFieldMixin, models.DateField):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class EncryptedFloatField(EncryptedFieldMixin, models.FloatField):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class EncryptedEmailField(EncryptedFieldMixin, models.EmailField):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class EncryptedBooleanField(EncryptedFieldMixin, models.BooleanField):
|
|
|
|
|
pass
|
2023-07-18 04:55:25 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class EncryptedJSONField(EncryptedFieldMixin, models.JSONField):
|
|
|
|
|
def _encrypt_values(self, value):
|
|
|
|
|
if isinstance(value, dict):
|
|
|
|
|
return {key: self._encrypt_values(data) for key, data in value.items()}
|
|
|
|
|
elif isinstance(value, list):
|
|
|
|
|
return [self._encrypt_values(data) for data in value]
|
|
|
|
|
else:
|
|
|
|
|
value = str(value)
|
|
|
|
|
return self.f.encrypt(bytes(value, "utf-8")).decode("utf-8")
|
|
|
|
|
|
|
|
|
|
def _decrypt_values(self, value):
|
|
|
|
|
if value is None:
|
|
|
|
|
return value
|
|
|
|
|
if isinstance(value, dict):
|
|
|
|
|
return {key: self._decrypt_values(data) for key, data in value.items()}
|
|
|
|
|
elif isinstance(value, list):
|
|
|
|
|
return [self._decrypt_values(data) for data in value]
|
|
|
|
|
else:
|
|
|
|
|
value = str(value)
|
|
|
|
|
return self.f.decrypt(bytes(value, "utf-8")).decode("utf-8")
|
|
|
|
|
|
|
|
|
|
def get_prep_value(self, value):
|
|
|
|
|
return json.dumps(self._encrypt_values(value=value), cls=self.encoder)
|
|
|
|
|
|
|
|
|
|
def get_internal_type(self):
|
|
|
|
|
return "JSONField"
|
|
|
|
|
|
|
|
|
|
def to_python(self, value):
|
|
|
|
|
if (
|
|
|
|
|
value is None
|
|
|
|
|
or not isinstance(value, str)
|
|
|
|
|
or hasattr(self, "_already_decrypted")
|
|
|
|
|
):
|
|
|
|
|
return value
|
|
|
|
|
try:
|
|
|
|
|
value = self._decrypt_values(value=json.loads(value))
|
|
|
|
|
except InvalidToken:
|
|
|
|
|
pass
|
|
|
|
|
except UnicodeEncodeError:
|
|
|
|
|
pass
|
|
|
|
|
return super(EncryptedFieldMixin, self).to_python(value)
|
