Show More
| @@ -41,6 +41,7 b' from beaker.cache import cache_region, r' | |||
|
|
41 | 41 | from webob.exc import HTTPNotFound |
|
|
42 | 42 | from zope.cachedescriptors.property import Lazy as LazyProperty |
|
|
43 | 43 | |
|
|
44 | from rhodecode.lib import enc_utils | |
|
|
44 | 45 | from rhodecode.translation import _ |
|
|
45 | 46 | |
|
|
46 | 47 | from rhodecode.lib.vcs import get_backend |
| @@ -69,7 +70,7 b' log = logging.getLogger(__name__)' | |||
|
|
69 | 70 | |
|
|
70 | 71 | # this is propagated from .ini file beaker.session.secret |
|
|
71 | 72 | # and initialized at environment.py |
|
|
72 |
ENCRYPTION_KEY = |
|
|
|
73 | ENCRYPTION_KEY: bytes = b'' | |
|
|
73 | 74 | |
|
|
74 | 75 | # used to sort permissions by types, '#' used here is not allowed to be in |
|
|
75 | 76 | # usernames, and it's very early in sorted string.printable table. |
| @@ -106,30 +107,38 b' class EncryptedValue(TypeDecorator):' | |||
|
|
106 | 107 | impl = String |
|
|
107 | 108 | |
|
|
108 | 109 | def process_bind_param(self, value, dialect): |
|
|
109 | if not value: | |
|
|
110 |
|
|
|
|
111 | if value.startswith('enc$aes$'): | |
|
|
112 | # protect against double encrypting if someone manually starts doing | |
|
|
113 | raise ValueError('value needs to be in unencrypted format, ie. ' | |
|
|
114 | 'not starting with enc$aes$') | |
|
|
115 | return 'enc$aes$%s' % AESCipher(ENCRYPTION_KEY).encrypt(value) | |
|
|
116 | ||
|
|
117 | def process_result_value(self, value, dialect): | |
|
|
110 | """ | |
|
|
111 | Setter for storing value | |
|
|
112 | """ | |
|
|
113 | import rhodecode | |
|
|
118 | 114 | if not value: |
|
|
119 | 115 | return value |
|
|
120 | 116 | |
|
|
121 | parts = value.split('$', 3) | |
|
|
122 | if not len(parts) == 3: | |
|
|
123 | # probably not encrypted values | |
|
|
124 | return value | |
|
|
125 | else: | |
|
|
126 | if parts[0] != 'enc': | |
|
|
127 | # parts ok but without our header ? | |
|
|
117 | # protect against double encrypting if values is already encrypted | |
|
|
118 | if value.startswith('enc$aes$') \ | |
|
|
119 | or value.startswith('enc$aes_hmac$') \ | |
|
|
120 | or value.startswith('enc2$'): | |
|
|
121 | raise ValueError('value needs to be in unencrypted format, ' | |
|
|
122 | 'ie. not starting with enc$ or enc2$') | |
|
|
123 | ||
|
|
124 | algo = rhodecode.CONFIG.get('rhodecode.encrypted_values.algorithm') or 'aes' | |
|
|
125 | bytes_val = enc_utils.encrypt_value(value, enc_key=ENCRYPTION_KEY, algo=algo) | |
|
|
126 | return safe_str(bytes_val) | |
|
|
127 | ||
|
|
128 | def process_result_value(self, value, dialect): | |
|
|
129 | """ | |
|
|
130 | Getter for retrieving value | |
|
|
131 | """ | |
|
|
132 | ||
|
|
133 | import rhodecode | |
|
|
134 | if not value: | |
|
|
128 | 135 |
|
|
|
129 | 136 | |
|
|
130 | # at that stage we know it's our encryption | |
|
|
131 | decrypted_data = AESCipher(ENCRYPTION_KEY).decrypt(parts[2]) | |
|
|
132 | return decrypted_data | |
|
|
137 | enc_strict_mode = rhodecode.ConfigGet().get_bool('rhodecode.encrypted_values.strict', missing=True) | |
|
|
138 | ||
|
|
139 | bytes_val = enc_utils.decrypt_value(value, enc_key=ENCRYPTION_KEY, strict_mode=enc_strict_mode) | |
|
|
140 | ||
|
|
141 | return safe_str(bytes_val) | |
|
|
133 | 142 | |
|
|
134 | 143 | |
|
|
135 | 144 | class BaseModel(object): |
| @@ -35,7 +35,7 b' def upgrade(migrate_engine):' | |||
|
|
35 | 35 | username.create(table=tbl) |
|
|
36 | 36 | |
|
|
37 | 37 | _Session = meta.Session() |
|
|
38 |
|
|
|
|
38 | # after adding that column fix all usernames | |
|
|
39 | 39 | users_log = _Session.query(db_1_5_0.UserLog)\ |
|
|
40 | 40 | .options(joinedload(db_1_5_0.UserLog.user))\ |
|
|
41 | 41 | .options(joinedload(db_1_5_0.UserLog.repository)).all() |
| @@ -74,7 +74,7 b' def get_by_name(cls, key):' | |||
|
|
74 | 74 | |
|
|
75 | 75 | def fixups(models, _SESSION): |
|
|
76 | 76 | # ** create default permissions ** # |
|
|
77 | #===================================== | |
|
|
77 | ||
|
|
78 | 78 | for p in models.Permission.PERMS: |
|
|
79 | 79 | if not get_by_key(models.Permission, p[0]): |
|
|
80 | 80 | new_perm = models.Permission() |
| @@ -86,7 +86,6 b' def fixups(models, _SESSION):' | |||
|
|
86 | 86 | _SESSION().commit() |
|
|
87 | 87 | |
|
|
88 | 88 | # ** populate default permissions ** # |
|
|
89 | #===================================== | |
|
|
90 | 89 | |
|
|
91 | 90 | user = models.User.query().filter(models.User.username == 'default').scalar() |
|
|
92 | 91 | |
| @@ -100,9 +99,10 b' def fixups(models, _SESSION):' | |||
|
|
100 | 99 | return '.'.join(perm_name.split('.')[:1]) |
|
|
101 | 100 | |
|
|
102 | 101 | perms = models.UserToPerm.query().filter(models.UserToPerm.user == user).all() |
|
|
103 | defined_perms_groups = map( | |
|
|
104 | _get_group, (x.permission.permission_name for x in perms)) | |
|
|
105 | log.debug('GOT ALREADY DEFINED:%s', perms) | |
|
|
102 | defined_perms_groups = list(map( | |
|
|
103 | _get_group, (x.permission.permission_name for x in perms))) | |
|
|
104 | perms_show = [p.__dict__ for p in perms] | |
|
|
105 | log.debug('GOT ALREADY DEFINED:%s', perms_show) | |
|
|
106 | 106 | DEFAULT_PERMS = models.Permission.DEFAULT_USER_PERMISSIONS |
|
|
107 | 107 | |
|
|
108 | 108 | # for every default permission that needs to be created, we check if |
| @@ -70,11 +70,15 b' def downgrade(migrate_engine):' | |||
|
|
70 | 70 | meta.bind = migrate_engine |
|
|
71 | 71 | |
|
|
72 | 72 | |
|
|
73 | def get_by_key(cls, key): | |
|
|
74 | return cls.query().filter(cls.permission_name == key).scalar() | |
|
|
75 | ||
|
|
76 | ||
|
|
73 | 77 | def fixups(models, _SESSION): |
|
|
74 | 78 | # ** create default permissions ** # |
|
|
75 | 79 | #===================================== |
|
|
76 | 80 | for p in models.Permission.PERMS: |
|
|
77 |
if not models.Permission |
|
|
|
81 | if not get_by_key(models.Permission, p[0]): | |
|
|
78 | 82 | new_perm = models.Permission() |
|
|
79 | 83 | new_perm.permission_name = p[0] |
|
|
80 | 84 | new_perm.permission_longname = p[0] #translation err with p[1] |
| @@ -97,8 +101,7 b' def fixups(models, _SESSION):' | |||
|
|
97 | 101 | return '.'.join(perm_name.split('.')[:1]) |
|
|
98 | 102 | |
|
|
99 | 103 | perms = models.UserToPerm.query().filter(models.UserToPerm.user == user).all() |
|
|
100 | defined_perms_groups = map(_get_group, | |
|
|
101 | (x.permission.permission_name for x in perms)) | |
|
|
104 | defined_perms_groups = list(map(_get_group, (x.permission.permission_name for x in perms))) | |
|
|
102 | 105 | log.debug('GOT ALREADY DEFINED:%s', perms) |
|
|
103 | 106 | DEFAULT_PERMS = models.Permission.DEFAULT_USER_PERMISSIONS |
|
|
104 | 107 | |
| @@ -10,6 +10,7 b' from sqlalchemy.engine import reflection' | |||
|
|
10 | 10 | from sqlalchemy.sql import text |
|
|
11 | 11 | |
|
|
12 | 12 | from rhodecode.lib.dbmigrate.versions import _reset_base |
|
|
13 | from rhodecode.lib.hash_utils import sha1_safe | |
|
|
13 | 14 | from rhodecode.lib.utils2 import safe_str |
|
|
14 | 15 | from rhodecode.model import meta, init_model_encryption |
|
|
15 | 16 | |
| @@ -69,11 +70,9 b' def downgrade(migrate_engine):' | |||
|
|
69 | 70 | def _generate_repo_name_hashes(models, op, session): |
|
|
70 | 71 | repositories = models.Repository.get_all() |
|
|
71 | 72 | for repository in repositories: |
|
|
72 |
hash_ = |
|
|
|
73 | hash_ = sha1_safe(repository.repo_name) | |
|
|
73 | 74 | params = {'hash': hash_, 'id': repository.repo_id} |
|
|
74 | query = text( | |
|
|
75 | 'UPDATE repositories SET repo_name_hash = :hash' | |
|
|
76 | ' WHERE repo_id = :id').bindparams(**params) | |
|
|
75 | query = text('UPDATE repositories SET repo_name_hash = :hash WHERE repo_id = :id').bindparams(**params) | |
|
|
77 | 76 | op.execute(query) |
|
|
78 | 77 | session().commit() |
|
|
79 | 78 | |
| @@ -117,9 +117,13 b' class AESCipher(object):' | |||
|
|
117 | 117 | def validate_and_decrypt_data(enc_data, enc_key, enc_strict_mode=False, safe=True): |
|
|
118 | 118 | enc_data = safe_str(enc_data) |
|
|
119 | 119 | |
|
|
120 | if '$' not in enc_data: | |
|
|
121 | # probably not encrypted values | |
|
|
122 | return enc_data | |
|
|
123 | ||
|
|
120 | 124 | parts = enc_data.split('$', 3) |
|
|
121 | 125 | if len(parts) != 3: |
|
|
122 | raise ValueError(f'Encrypted Data has invalid format, expected {KEY_FORMAT}, got {parts}') | |
|
|
126 | raise ValueError(f'Encrypted Data has invalid format, expected {KEY_FORMAT}, got {parts}, org value: {enc_data}') | |
|
|
123 | 127 | |
|
|
124 | 128 | enc_type = parts[1] |
|
|
125 | 129 | enc_data_part = parts[2] |
General Comments 0
You need to be logged in to leave comments.
Login now