Remove unencrypted sap client credentials

CHANGELOG.rst

@@ -17,6 +17,23 @@ Unreleased
 ----------
 * nothing unreleased
 
+[4.23.17]
+----------
+* feat: added migration for removing unencrypted client credentials
+
+[4.23.16]
+----------
+* refactor: removed unencrypted credentials from sap config model
+
+[4.23.15]
+----------
+* feat: replaced references from unencrypted to encrypted columns
+* feat: added data migration to populate encrypted columns
+
+[4.23.14]
+----------
+* feat: altered decrypted_secret to be encrypted and made credentials nullable
+
 [4.23.13]
 ----------
 * feat: added encrypted columns for user credentials for SAP config

enterprise/__init__.py

@@ -2,4 +2,4 @@
 Your project description goes here.
 """
 
-__version__ = "4.23.13"
+__version__ = "4.23.17"

enterprise/signals.py

@@ -475,14 +475,3 @@ def mirror_id_and_secret_to_decrypted_fields(sender, instance, **kwargs):   # py
 
 if COURSE_ENROLLMENT_CHANGED is not None:
     COURSE_ENROLLMENT_CHANGED.connect(course_enrollment_changed_receiver)
-
-
-@receiver(pre_save, sender=SAPSuccessFactorsEnterpriseCustomerConfiguration)
-def update_decrypted_credentials(sender, instance, **kwargs):     # pylint: disable=unused-argument
-    """
-    Ensure that the decrypted credentials have same values as unencrypted credentials.
-    """
-    if instance.key != instance.decrypted_key:
-        instance.decrypted_key = instance.key
-    if instance.secret != instance.decrypted_secret:
-        instance.decrypted_secret = instance.secret

integrated_channels/api/v1/sap_success_factors/serializers.py

@@ -1,6 +1,8 @@
 """
     Serializer for Success Factors configuration.
 """
+from rest_framework import serializers
+
 from integrated_channels.api.serializers import EnterpriseCustomerPluginConfigSerializer
 from integrated_channels.sap_success_factors.models import SAPSuccessFactorsEnterpriseCustomerConfiguration
 
@@ -9,15 +11,18 @@ class SAPSuccessFactorsConfigSerializer(EnterpriseCustomerPluginConfigSerializer
     class Meta:
         model = SAPSuccessFactorsEnterpriseCustomerConfiguration
         extra_fields = (
-            'key',
+            'encrypted_key',
             'sapsf_base_url',
             'sapsf_company_id',
             'sapsf_user_id',
-            'secret',
+            'encrypted_secret',
             'user_type',
             'additional_locales',
             'show_course_price',
             'transmit_total_hours',
             'prevent_self_submit_grades',
         )
         fields = EnterpriseCustomerPluginConfigSerializer.Meta.fields + extra_fields
+
+    encrypted_key = serializers.CharField(required=False, allow_blank=False, read_only=False)
+    encrypted_secret = serializers.CharField(required=False, allow_blank=False, read_only=False)

integrated_channels/sap_success_factors/admin/__init__.py

@@ -48,9 +48,7 @@ class SAPSuccessFactorsEnterpriseCustomerConfigurationAdmin(DjangoObjectActions,
         "active",
         "sapsf_base_url",
         "sapsf_company_id",
-        "key",
         "decrypted_key",
-        "secret",
         "decrypted_secret",
         "sapsf_user_id",
         "user_type",
@@ -111,8 +109,8 @@ def has_access_token(self, obj):
         try:
             access_token, expires_at = SAPSuccessFactorsAPIClient.get_oauth_access_token(
                 obj.sapsf_base_url,
-                obj.key,
-                obj.secret,
+                obj.decrypted_key,
+                obj.decrypted_secret,
                 obj.sapsf_company_id,
                 obj.sapsf_user_id,
                 obj.user_type,

integrated_channels/sap_success_factors/client.py

@@ -137,8 +137,8 @@ def _create_session(self):
                 self.session.close()
 
             oauth_access_token, expires_at = self.get_oauth_access_token(
-                self.enterprise_configuration.key,
-                self.enterprise_configuration.secret,
+                self.enterprise_configuration.decrypted_key,
+                self.enterprise_configuration.decrypted_secret,
                 self.enterprise_configuration.sapsf_company_id,
                 self.enterprise_configuration.sapsf_user_id,
                 self.enterprise_configuration.user_type,
@@ -301,8 +301,8 @@ def _call_post_with_user_override(self, sap_user_id, url, payload):
             'SAPSuccessFactorsEnterpriseCustomerConfiguration'
         )
         oauth_access_token, _ = self.get_oauth_access_token(
-            self.enterprise_configuration.key,
-            self.enterprise_configuration.secret,
+            self.enterprise_configuration.decrypted_key,
+            self.enterprise_configuration.decrypted_secret,
             self.enterprise_configuration.sapsf_company_id,
             sap_user_id,
             SAPSuccessFactorsEnterpriseCustomerConfiguration.USER_TYPE_USER,

integrated_channels/sap_success_factors/migrations/0018_auto_20240829_0910.py

@@ -0,0 +1,29 @@
+# Generated by Django 3.2.23 on 2024-08-29 09:10
+
+from django.db import migrations, models
+import fernet_fields.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('sap_success_factors', '0017_auto_20240823_0936'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='sapsuccessfactorsenterprisecustomerconfiguration',
+            name='decrypted_secret',
+            field=fernet_fields.fields.EncryptedCharField(blank=True, default='', help_text='The encrypted OAuth client secret. It will be encrypted when stored in the database.', max_length=255, null=True, verbose_name='Encrypted Client Secret'),
+        ),
+        migrations.AlterField(
+            model_name='sapsuccessfactorsenterprisecustomerconfiguration',
+            name='key',
+            field=models.CharField(blank=True, default='', help_text='OAuth client identifier.', max_length=255, null=True, verbose_name='Client ID'),
+        ),
+        migrations.AlterField(
+            model_name='sapsuccessfactorsenterprisecustomerconfiguration',
+            name='secret',
+            field=models.CharField(blank=True, default='', help_text='OAuth client secret.', max_length=255, null=True, verbose_name='Client Secret'),
+        ),
+    ]

integrated_channels/sap_success_factors/migrations/0019_auto_20240829_1044.py

@@ -0,0 +1,15 @@
+# Generated by Django 3.2.23 on 2024-08-26 09:54
+
+from django.db import migrations
+from integrated_channels.sap_success_factors.utils import populate_decrypted_fields_sap_success_factors
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('sap_success_factors', '0018_auto_20240829_0910'),
+    ]
+
+    operations = [
+        migrations.RunPython(populate_decrypted_fields_sap_success_factors, reverse_code=migrations.RunPython.noop),
+    ]

integrated_channels/sap_success_factors/migrations/0020_auto_20240827_1238.py

@@ -0,0 +1,21 @@
+# Generated by Django 3.2.23 on 2024-08-27 12:38
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('sap_success_factors', '0019_auto_20240829_1044'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='sapsuccessfactorsenterprisecustomerconfiguration',
+            name='key',
+        ),
+        migrations.RemoveField(
+            model_name='sapsuccessfactorsenterprisecustomerconfiguration',
+            name='secret',
+        ),
+    ]

integrated_channels/sap_success_factors/models.py

@@ -9,6 +9,7 @@
 from fernet_fields import EncryptedCharField
 
 from django.db import models
+from django.utils.encoding import force_bytes, force_str
 from django.utils.translation import gettext_lazy as _
 
 from integrated_channels.exceptions import ClientError
@@ -74,14 +75,6 @@ class SAPSuccessFactorsEnterpriseCustomerConfiguration(EnterpriseCustomerPluginC
         (USER_TYPE_ADMIN, 'Admin'),
     )
 
-    key = models.CharField(
-        max_length=255,
-        blank=True,
-        default='',
-        verbose_name="Client ID",
-        help_text=_("OAuth client identifier.")
-    )
-
     decrypted_key = EncryptedCharField(
         max_length=255,
         verbose_name="Encrypted Client ID",
@@ -94,6 +87,28 @@ class SAPSuccessFactorsEnterpriseCustomerConfiguration(EnterpriseCustomerPluginC
         null=True
     )
 
+    @property
+    def encrypted_key(self):
+        """
+        Return encrypted key as a string.
+        The data is encrypted in the DB at rest, but is unencrypted in the app when retrieved through the
+        decrypted_key field. This method will encrypt the key again before sending.
+        """
+        if self.decrypted_key:
+            return force_str(
+                self._meta.get_field('decrypted_key').fernet.encrypt(
+                    force_bytes(self.decrypted_key)
+                )
+            )
+        return self.decrypted_key
+
+    @encrypted_key.setter
+    def encrypted_key(self, value):
+        """
+        Set the encrypted key.
+        """
+        self.decrypted_key = value
+
     sapsf_base_url = models.CharField(
         max_length=255,
         blank=True,
@@ -115,15 +130,8 @@ class SAPSuccessFactorsEnterpriseCustomerConfiguration(EnterpriseCustomerPluginC
         verbose_name="SAP User ID",
         help_text=_("Success factors user identifier.")
     )
-    secret = models.CharField(
-        max_length=255,
-        blank=True,
-        default='',
-        verbose_name="Client Secret",
-        help_text=_("OAuth client secret.")
-    )
 
-    decrypted_secret = models.CharField(
+    decrypted_secret = EncryptedCharField(
         max_length=255,
         blank=True,
         default='',
@@ -135,6 +143,28 @@ class SAPSuccessFactorsEnterpriseCustomerConfiguration(EnterpriseCustomerPluginC
         null=True
     )
 
+    @property
+    def encrypted_secret(self):
+        """
+        Return encrypted secret as a string.
+        The data is encrypted in the DB at rest, but is unencrypted in the app when retrieved through the
+        decrypted_secret field. This method will encrypt the secret again before sending.
+        """
+        if self.decrypted_secret:
+            return force_str(
+                self._meta.get_field('decrypted_secret').fernet.encrypt(
+                    force_bytes(self.decrypted_secret)
+                )
+            )
+        return self.decrypted_secret
+
+    @encrypted_secret.setter
+    def encrypted_secret(self, value):
+        """
+        Set the encrypted secret.
+        """
+        self.decrypted_secret = value
+
     user_type = models.CharField(
         max_length=20,
         choices=USER_TYPE_CHOICES,
@@ -205,15 +235,15 @@ def is_valid(self):
         """
         missing_items = {'missing': []}
         incorrect_items = {'incorrect': []}
-        if not self.key:
+        if not self.decrypted_key:
             missing_items.get('missing').append('key')
         if not self.sapsf_base_url:
             missing_items.get('missing').append('sapsf_base_url')
         if not self.sapsf_company_id:
             missing_items.get('missing').append('sapsf_company_id')
         if not self.sapsf_user_id:
             missing_items.get('missing').append('sapsf_user_id')
-        if not self.secret:
+        if not self.decrypted_secret:
             missing_items.get('missing').append('secret')
         if not is_valid_url(self.sapsf_base_url):
             incorrect_items.get('incorrect').append('sapsf_base_url')

integrated_channels/sap_success_factors/utils.py

@@ -0,0 +1,19 @@
+"""
+Utilities for SAP Success Factors integrated channel.
+"""
+
+
+def populate_decrypted_fields_sap_success_factors(apps, schema_editor=None):  # pylint: disable=unused-argument
+    """
+    Populates the encryption fields in SAP Success Factors config with the data previously stored in database.
+    """
+    SAPSuccessFactorsEnterpriseCustomerConfiguration = apps.get_model(
+        'sap_success_factors', 'SAPSuccessFactorsEnterpriseCustomerConfiguration'
+    )
+
+    for sap_success_factors_enterprise_configuration in SAPSuccessFactorsEnterpriseCustomerConfiguration.objects.all():
+        sap_success_factors_enterprise_configuration.decrypted_key = getattr(
+            sap_success_factors_enterprise_configuration, 'key', '')
+        sap_success_factors_enterprise_configuration.decrypted_secret = getattr(
+            sap_success_factors_enterprise_configuration, 'secret', '')
+        sap_success_factors_enterprise_configuration.save()