Added encrypted credentials column in sap configuration

CHANGELOG.rst

@@ -17,6 +17,10 @@ Unreleased
 ----------
 * nothing unreleased
 
+[4.23.10]
+----------
+* feat: added encrypted columns for user credentials for SAP config
+
 [4.23.9]
 ----------
 * feat: Add option to show soft deleted group memberships in django admin

enterprise/__init__.py

@@ -2,4 +2,4 @@
 Your project description goes here.
 """
 
-__version__ = "4.23.9"
+__version__ = "4.23.10"

enterprise/signals.py

@@ -464,3 +464,14 @@ def generate_default_orchestration_record_display_name(sender, instance, **kwarg
 
 if COURSE_ENROLLMENT_CHANGED is not None:
     COURSE_ENROLLMENT_CHANGED.connect(course_enrollment_changed_receiver)
+
+
+@receiver(pre_save, sender=SAPSuccessFactorsEnterpriseCustomerConfiguration)
+def update_decrypted_credentials(sender, instance, **kwargs):     # pylint: disable=unused-argument
+    """
+    Ensure that the decrypted credentials have same values as unencrypted credentials.
+    """
+    if instance.key != instance.decrypted_key:
+        instance.encrypted_key = instance.key
+    if instance.secret != instance.decrypted_secret:
+        instance.encrypted_secret = instance.secret

integrated_channels/api/v1/sap_success_factors/serializers.py

@@ -1,6 +1,8 @@
 """
     Serializer for Success Factors configuration.
 """
+from rest_framework import serializers
+
 from integrated_channels.api.serializers import EnterpriseCustomerPluginConfigSerializer
 from integrated_channels.sap_success_factors.models import SAPSuccessFactorsEnterpriseCustomerConfiguration
 
@@ -10,14 +12,19 @@ class Meta:
         model = SAPSuccessFactorsEnterpriseCustomerConfiguration
         extra_fields = (
             'key',
+            'encrypted_key',
             'sapsf_base_url',
             'sapsf_company_id',
             'sapsf_user_id',
             'secret',
+            'encrypted_secret',
             'user_type',
             'additional_locales',
             'show_course_price',
             'transmit_total_hours',
             'prevent_self_submit_grades',
         )
         fields = EnterpriseCustomerPluginConfigSerializer.Meta.fields + extra_fields
+
+    encrypted_key = serializers.CharField(required=False, allow_blank=False, read_only=False)
+    encrypted_secret = serializers.CharField(required=False, allow_blank=False, read_only=False)

integrated_channels/sap_success_factors/admin/__init__.py

@@ -49,7 +49,9 @@ class SAPSuccessFactorsEnterpriseCustomerConfigurationAdmin(DjangoObjectActions,
         "sapsf_base_url",
         "sapsf_company_id",
         "key",
+        "decrypted_key",
         "secret",
+        "decrypted_secret",
         "sapsf_user_id",
         "user_type",
         "has_access_token",

integrated_channels/sap_success_factors/migrations/0017_auto_20240823_0936.py

@@ -0,0 +1,24 @@
+# Generated by Django 3.2.23 on 2024-08-23 09:36
+
+from django.db import migrations, models
+import fernet_fields.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('sap_success_factors', '0016_sapsuccessfactorslearnerdatatransmissionaudit_is_transmitted'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='sapsuccessfactorsenterprisecustomerconfiguration',
+            name='decrypted_key',
+            field=fernet_fields.fields.EncryptedCharField(blank=True, default='', help_text='The encrypted OAuth client identifier. It will be encrypted when stored in the database.', max_length=255, null=True, verbose_name='Encrypted Client ID'),
+        ),
+        migrations.AddField(
+            model_name='sapsuccessfactorsenterprisecustomerconfiguration',
+            name='decrypted_secret',
+            field=models.CharField(blank=True, default='', help_text='The encrypted OAuth client secret. It will be encrypted when stored in the database.', max_length=255, null=True, verbose_name='Encrypted Client Secret'),
+        ),
+    ]

integrated_channels/sap_success_factors/models.py

@@ -6,8 +6,10 @@
 from logging import getLogger
 
 from config_models.models import ConfigurationModel
+from fernet_fields import EncryptedCharField
 
 from django.db import models
+from django.utils.encoding import force_bytes, force_str
 from django.utils.translation import gettext_lazy as _
 
 from integrated_channels.exceptions import ClientError
@@ -80,6 +82,41 @@ class SAPSuccessFactorsEnterpriseCustomerConfiguration(EnterpriseCustomerPluginC
         verbose_name="Client ID",
         help_text=_("OAuth client identifier.")
     )
+
+    decrypted_key = EncryptedCharField(
+        max_length=255,
+        verbose_name="Encrypted Client ID",
+        blank=True,
+        default='',
+        help_text=_(
+            "The encrypted OAuth client identifier."
+            " It will be encrypted when stored in the database."
+        ),
+        null=True
+    )
+
+    @property
+    def encrypted_key(self):
+        """
+        Return encrypted key as a string.
+        The data is encrypted in the DB at rest, but is unencrypted in the app when retrieved through the
+        decrypted_key field. This method will encrypt the key again before sending.
+        """
+        if self.decrypted_key:
+            return force_str(
+                self._meta.get_field('decrypted_key').fernet.encrypt(
+                    force_bytes(self.decrypted_key)
+                )
+            )
+        return self.decrypted_key
+
+    @encrypted_key.setter
+    def encrypted_key(self, value):
+        """
+        Set the encrypted key.
+        """
+        self.decrypted_key = value
+
     sapsf_base_url = models.CharField(
         max_length=255,
         blank=True,
@@ -108,6 +145,41 @@ class SAPSuccessFactorsEnterpriseCustomerConfiguration(EnterpriseCustomerPluginC
         verbose_name="Client Secret",
         help_text=_("OAuth client secret.")
     )
+
+    decrypted_secret = models.CharField(
+        max_length=255,
+        blank=True,
+        default='',
+        verbose_name="Encrypted Client Secret",
+        help_text=_(
+            "The encrypted OAuth client secret."
+            " It will be encrypted when stored in the database."
+        ),
+        null=True
+    )
+
+    @property
+    def encrypted_secret(self):
+        """
+        Return encrypted secret as a string.
+        The data is encrypted in the DB at rest, but is unencrypted in the app when retrieved through the
+        decrypted_secret field. This method will encrypt the secret again before sending.
+        """
+        if self.decrypted_secret:
+            return force_str(
+                self._meta.get_field('decrypted_secret').fernet.encrypt(
+                    force_bytes(self.decrypted_secret)
+                )
+            )
+        return self.decrypted_secret
+
+    @encrypted_secret.setter
+    def encrypted_secret(self, value):
+        """
+        Set the encrypted secret.
+        """
+        self.decrypted_secret = value
+
     user_type = models.CharField(
         max_length=20,
         choices=USER_TYPE_CHOICES,

tests/test_integrated_channels/test_api/test_sap_success_factors/test_views.py

@@ -91,16 +91,16 @@ def test_update(self, mock_current_request):
             'sapsf_company_id': 'test',
             'enterprise_customer': ENTERPRISE_ID,
             'sapsf_user_id': 893489,
-            'key': 'testing',
-            'secret': 'secret',
+            'key': '',
+            'secret': '',
             'user_type': 'user',
         }
         response = self.client.put(url, payload)
         self.sap_config.refresh_from_db()
         self.assertEqual(self.sap_config.sapsf_base_url, 'http://testing2')
         self.assertEqual(self.sap_config.sapsf_company_id, 'test')
-        self.assertEqual(self.sap_config.key, 'testing')
-        self.assertEqual(self.sap_config.secret, 'secret')
+        self.assertEqual(self.sap_config.key, '')
+        self.assertEqual(self.sap_config.secret, '')
         self.assertEqual(self.sap_config.user_type, 'user')
         self.assertEqual(self.sap_config.sapsf_user_id, '893489')
         self.assertEqual(response.status_code, 200)

tests/test_integrated_channels/test_sap_success_factors/test_client.py

@@ -71,10 +71,12 @@ def setUp(self):
         self.expected_token_response_body = {"expires_in": self.expires_in, "access_token": self.access_token}
         self.enterprise_config = SAPSuccessFactorsEnterpriseCustomerConfiguration(
             key=self.client_id,
+            encrypted_key=self.client_id,
             sapsf_base_url=self.url_base,
             sapsf_company_id=self.company_id,
             sapsf_user_id=self.user_id,
-            secret=self.client_secret
+            secret=self.client_secret,
+            encrypted_secret=self.client_secret
         )
         self.enterprise_config.enterprise_customer = EnterpriseCustomerFactory()
         self.completion_payload = {