rhodecode-enterprise-ce Files · rhodecode/lib/encrypt2.py

templates: use better variables names in loading ajax data

super-admin - - Load All Authors

File last commit:

r4995:676da06b default


                r5039:5cad06d1

default

Download file

             encrypt2.py
        
                    84 lines
            
             | 2.7 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / rhodecode / lib / encrypt2.py
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
encryption: added new backend using cryptography + Fernet encryption....

              r3522
            
      import os

      import base64

      from cryptography.fernet import Fernet, InvalidToken

      from cryptography.hazmat.backends import default_backend

      from cryptography.hazmat.primitives import hashes

      from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

        super-admin
    
encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....

              r4995
            
      from rhodecode.lib.str_utils import safe_str

      from rhodecode.lib.exceptions import signature_verification_error

      class InvalidDecryptedValue(str):

          def __new__(cls, content):

              """

              This will generate something like this::

                  <InvalidDecryptedValue(QkWusFgLJXR6m42v...)>

              And represent a safe indicator that encryption key is broken

              """

              content = '<{}({}...)>'.format(cls.__name__, content[:16])

              return str.__new__(cls, content)

        marcink
    
encryption: added new backend using cryptography + Fernet encryption....

              r3522
            
      class Encryptor(object):

        super-admin
    
encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....

              r4995
            
          key_format = b'enc2$salt:{1}$data:{2}'

        marcink
    
encryption: added new backend using cryptography + Fernet encryption....

              r3522
            
          pref_len = 5  # salt:, data:

        super-admin
    
encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....

              r4995
            
          def __init__(self, enc_key: bytes):

        marcink
    
encryption: added new backend using cryptography + Fernet encryption....

              r3522
            
              self.enc_key = enc_key

          def b64_encode(self, data):

              return base64.urlsafe_b64encode(data)

          def b64_decode(self, data):

              return base64.urlsafe_b64decode(data)

          def get_encryptor(self, salt):

              """

              Uses Fernet as encryptor with HMAC signature

              :param salt: random salt used for encrypting the data

              """

              kdf = PBKDF2HMAC(

                  algorithm=hashes.SHA512(),

                  length=32,

                  salt=salt,

                  iterations=100000,

                  backend=default_backend()

              )

              key = self.b64_encode(kdf.derive(self.enc_key))

              return Fernet(key)

          def _get_parts(self, enc_data):

        super-admin
    
encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....

              r4995
            
              parts = enc_data.split(b'$', 3)

        marcink
    
encryption: added new backend using cryptography + Fernet encryption....

              r3522
            
              if len(parts) != 3:

        super-admin
    
encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....

              r4995
            
                  raise ValueError(f'Encrypted Data has invalid format, expected {self.key_format}, got {parts}')

        marcink
    
encryption: added new backend using cryptography + Fernet encryption....

              r3522
            
              prefix, salt, enc_data = parts

              try:

                  salt = self.b64_decode(salt[self.pref_len:])

              except TypeError:

                  # bad base64

                  raise ValueError('Encrypted Data salt invalid format, expected base64 format')

              enc_data = enc_data[self.pref_len:]

              return prefix, salt, enc_data

        super-admin
    
encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....

              r4995
            
          def encrypt(self, data) -> bytes:

        marcink
    
encryption: added new backend using cryptography + Fernet encryption....

              r3522
            
              salt = os.urandom(64)

              encryptor = self.get_encryptor(salt)

              enc_data = encryptor.encrypt(data)

        super-admin
    
encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....

              r4995
            
              return self.key_format.replace(b'{1}', self.b64_encode(salt)).replace(b'{2}', enc_data)

        marcink
    
encryption: added new backend using cryptography + Fernet encryption....

              r3522
            
        super-admin
    
encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....

              r4995
            
          def decrypt(self, data, safe=True) -> bytes | InvalidDecryptedValue:

        marcink
    
encryption: added new backend using cryptography + Fernet encryption....

              r3522
            
              parts = self._get_parts(data)

              salt = parts[1]

              enc_data = parts[2]

              encryptor = self.get_encryptor(salt)

              try:

                  return encryptor.decrypt(enc_data)

              except (InvalidToken,):

        super-admin
    
encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....

              r4995
            
                  decrypt_fail = InvalidDecryptedValue(safe_str(data))

        marcink
    
encryption: added new backend using cryptography + Fernet encryption....

              r3522
            
                  if safe:

        super-admin
    
encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....

              r4995
            
                      return decrypt_fail

                  raise signature_verification_error(decrypt_fail)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink encryption: added new backend using cryptography + Fernet encryption....	r3522	import os
		import base64
		from cryptography.fernet import Fernet, InvalidToken
		from cryptography.hazmat.backends import default_backend
		from cryptography.hazmat.primitives import hashes
		from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

super-admin encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....	r4995	from rhodecode.lib.str_utils import safe_str
		from rhodecode.lib.exceptions import signature_verification_error


		class InvalidDecryptedValue(str):

		def __new__(cls, content):
		"""
		This will generate something like this::
		<InvalidDecryptedValue(QkWusFgLJXR6m42v...)>
		And represent a safe indicator that encryption key is broken
		"""
		content = '<{}({}...)>'.format(cls.__name__, content[:16])
		return str.__new__(cls, content)

marcink encryption: added new backend using cryptography + Fernet encryption....	r3522
		class Encryptor(object):
super-admin encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....	r4995	key_format = b'enc2$salt:{1}$data:{2}'
marcink encryption: added new backend using cryptography + Fernet encryption....	r3522	pref_len = 5 # salt:, data:

super-admin encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....	r4995	def __init__(self, enc_key: bytes):
marcink encryption: added new backend using cryptography + Fernet encryption....	r3522	self.enc_key = enc_key

		def b64_encode(self, data):
		return base64.urlsafe_b64encode(data)

		def b64_decode(self, data):
		return base64.urlsafe_b64decode(data)

		def get_encryptor(self, salt):
		"""
		Uses Fernet as encryptor with HMAC signature
		:param salt: random salt used for encrypting the data
		"""
		kdf = PBKDF2HMAC(
		algorithm=hashes.SHA512(),
		length=32,
		salt=salt,
		iterations=100000,
		backend=default_backend()
		)
		key = self.b64_encode(kdf.derive(self.enc_key))
		return Fernet(key)

		def _get_parts(self, enc_data):
super-admin encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....	r4995	parts = enc_data.split(b'$', 3)
marcink encryption: added new backend using cryptography + Fernet encryption....	r3522	if len(parts) != 3:
super-admin encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....	r4995	raise ValueError(f'Encrypted Data has invalid format, expected {self.key_format}, got {parts}')
marcink encryption: added new backend using cryptography + Fernet encryption....	r3522	prefix, salt, enc_data = parts

		try:
		salt = self.b64_decode(salt[self.pref_len:])
		except TypeError:
		# bad base64
		raise ValueError('Encrypted Data salt invalid format, expected base64 format')

		enc_data = enc_data[self.pref_len:]
		return prefix, salt, enc_data

super-admin encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....	r4995	def encrypt(self, data) -> bytes:
marcink encryption: added new backend using cryptography + Fernet encryption....	r3522	salt = os.urandom(64)
		encryptor = self.get_encryptor(salt)
		enc_data = encryptor.encrypt(data)
super-admin encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....	r4995	return self.key_format.replace(b'{1}', self.b64_encode(salt)).replace(b'{2}', enc_data)
marcink encryption: added new backend using cryptography + Fernet encryption....	r3522
super-admin encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....	r4995	def decrypt(self, data, safe=True) -> bytes \| InvalidDecryptedValue:
marcink encryption: added new backend using cryptography + Fernet encryption....	r3522	parts = self._get_parts(data)
		salt = parts[1]
		enc_data = parts[2]
		encryptor = self.get_encryptor(salt)
		try:
		return encryptor.decrypt(enc_data)
		except (InvalidToken,):
super-admin encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....	r4995	decrypt_fail = InvalidDecryptedValue(safe_str(data))
marcink encryption: added new backend using cryptography + Fernet encryption....	r3522	if safe:
super-admin encryption: unified and rewrote encryption modules to be consistent no matter what algo is used....	r4995	return decrypt_fail
		raise signature_verification_error(decrypt_fail)