# HG changeset patch
# User RhodeCode Admin
# Date 2024-04-25 08:56:23
# Node ID 63f7e8c63640dd9c3ce75937bea6504dfdade6e6
# Parent 7ec0fbd3cc241111db8af9d2c6d74516c57e77a9
fix(encryption): rely on default config based strict mode if not explicitly given into function params
diff --git a/rhodecode/lib/enc_utils.py b/rhodecode/lib/enc_utils.py
--- a/rhodecode/lib/enc_utils.py
+++ b/rhodecode/lib/enc_utils.py
@@ -1,3 +1,21 @@
+# Copyright (C) 2011-2023 RhodeCode GmbH
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License, version 3
+# (only), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+#
+# This program is dual-licensed. If you wish to learn more about the
+# RhodeCode Enterprise Edition, including its added features, Support services,
+# and proprietary license terms, please see https://rhodecode.com/licenses/
+
 from rhodecode.lib.str_utils import safe_bytes
 from rhodecode.lib.encrypt import encrypt_data, validate_and_decrypt_data
 from rhodecode.lib.encrypt2 import Encryptor
@@ -9,6 +27,10 @@ def get_default_algo():
 import rhodecode
 return rhodecode.CONFIG.get('rhodecode.encrypted_values.algorithm') or 'aes'
+def get_strict_mode():
+ import rhodecode
+ return rhodecode.ConfigGet().get_bool('rhodecode.encrypted_values.strict') or False
+
 def encrypt_value(value: bytes, enc_key: bytes, algo: str = ''):
 if not algo:
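Review bot: `get_strict_mode()` in enc_utils.py reads `rhodecode.encrypted_values.strict` without the `missing=True` default that the three call sites removed from rhodecode/model/db.py passed, and the trailing `or False` turns any falsy or absent result into non-strict. If `get_bool` does not itself default to true for a missing key (its definition is not on this page), an instance without that setting moves from strict to non-strict decryption for `EncryptedTextValue` columns, 2FA secrets and 2FA recovery codes. Keeping the earlier default would be `return rhodecode.ConfigGet().get_bool('rhodecode.encrypted_values.strict', missing=True)`, which also makes the `or False` unnecessary. A one-line docstring naming the config key and the default applied when it is absent would help the next reader.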
@@ -29,7 +51,12 @@ def encrypt_value(value: bytes, enc_key:
 return value
-def decrypt_value(value: bytes, enc_key: bytes, algo: str = '', strict_mode: bool = False):
+def decrypt_value(value: bytes, enc_key: bytes, algo: str = '', strict_mode: bool | None = None):
+
+ if strict_mode is None:
+ # we use config value rather then explicit True/False
+ strict_mode = get_strict_mode()
+
 enc_key = safe_bytes(enc_key)
 value = safe_bytes(value)
diff --git a/rhodecode/model/db.py b/rhodecode/model/db.py
--- a/rhodecode/model/db.py
+++ b/rhodecode/model/db.py
@@ -199,9 +199,7 @@ class EncryptedTextValue(TypeDecorator):
 if not value:
 return value
- enc_strict_mode = rhodecode.ConfigGet().get_bool('rhodecode.encrypted_values.strict', missing=True)
-
- bytes_val = enc_utils.decrypt_value(value, enc_key=ENCRYPTION_KEY, strict_mode=enc_strict_mode)
+ bytes_val = enc_utils.decrypt_value(value, enc_key=ENCRYPTION_KEY)
 return safe_str(bytes_val)
@@ -897,14 +895,12 @@ class User(Base, BaseModel):
 def get_2fa_recovery_codes(self):
 encrypted_recovery_codes = self.user_data.get('recovery_codes_2fa', [])
- strict_mode = ConfigGet().get_bool('rhodecode.encrypted_values.strict', missing=True)
 recovery_codes = list(map(
 lambda val: safe_str(
 enc_utils.decrypt_value(
 val,
- enc_key=ENCRYPTION_KEY,
- strict_mode=strict_mode
+ enc_key=ENCRYPTION_KEY
 )), encrypted_recovery_codes))
 return recovery_codes
@@ -925,9 +921,8 @@ class User(Base, BaseModel):
 """
 secret_2fa = self.user_data.get('secret_2fa')
 if secret_2fa:
- strict_mode = ConfigGet().get_bool('rhodecode.encrypted_values.strict', missing=True)
 return safe_str(
- enc_utils.decrypt_value(secret_2fa, enc_key=ENCRYPTION_KEY, strict_mode=strict_mode))
+ enc_utils.decrypt_value(secret_2fa, enc_key=ENCRYPTION_KEY))
 return ''
 @secret_2fa.setter
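Review bot: In the `decrypt_value` hunk of enc_utils.py, `strict_mode` now has three states (`None`, `True`, `False`), but the function has no docstring saying so; the rest of its body lies outside the hunk. An explicit `strict_mode=False` from a caller still overrides a strict configuration, so any remaining callers that pass the argument deserve a look. A suitable docstring would be `"""Decrypt value; strict_mode=None reads rhodecode.encrypted_values.strict from config, an explicit True/False overrides it."""`. The inline comment would read better as `# use the config value unless the caller passed an explicit True/False`.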