Verified Commit 3e67788d authored by Huste, Tobias (FWCC) - 111645's avatar Huste, Tobias (FWCC) - 111645

utils: add function to regenerate encrypted PKey

When the SECRET_KEY value changes, the encrypted private keys are no
longer readable. Add a function that rebuilds the private keys after
SECRET_KEY has changed.
parent 7ed75d64
Pipeline #5274 failed with stages
in 5 minutes and 16 seconds
......@@ -28,6 +28,7 @@ from flask import current_app, flash
from flask_login import current_user
from invenio_accounts.models import User
from invenio_db import db
from invenio_db.utils import rebuild_encrypted_properties
from werkzeug.local import LocalProxy
from werkzeug.utils import import_string
......@@ -235,3 +236,14 @@ def make_object(value, default=None):
else:
return value
return default
def rebuild_private_keys(old_key):
"""
Rebuild the private keys when SECRET_KEY is changed.
Args:
old_key(str): The old SECRET_KEY value.
"""
current_app.logger.info('Rebuilding SSHKey.private_key...')
rebuild_encrypted_properties(old_key, SSHKey, ['private_key'])
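Review bot: The docstring of `rebuild_private_keys` states neither its precondition nor the sensitivity of its argument; the function only hands `old_key` to `rebuild_encrypted_properties`, so it presumably relies on the application already running with the new SECRET_KEY. I would add to the docstring: `Must be called after the application is configured with the new SECRET_KEY; old_key is a secret and must not be logged or persisted.` The existing log line carries no key material, which is right, but nothing is logged on completion, so an operator cannot tell from the log whether the SSHKey rows were re-encrypted; a closing `current_app.logger.info('Rebuilt SSHKey.private_key.')` would help. Whether `SSHKey` is imported in this module is not visible in the hunks and is worth checking, since the added import line only brings in `rebuild_encrypted_properties`.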
......@@ -30,7 +30,7 @@ from invenio_uploadbyurl.config import UPLOADBYURL_COMMENT
from invenio_uploadbyurl.models import RemoteServer, SSHKey
from invenio_uploadbyurl.utils import connect_user_and_server, \
delete_ssh_key, deploy_ssh_key, generate_public_keystr, generate_rsa_key, \
notification_mail
notification_mail, rebuild_private_keys
def test_deploy_key(app):
......@@ -120,3 +120,25 @@ def test_notification_mail(app, user):
assert outbox[2].body == app.config[
'UPLOADBYURL_EMAIL_BODY_FAILED_URL'].format(
url='https://www.test.de/test.zip')
def test_rebuilding_privatekeys(app, db, remote):
"""Test rebuilding of private keys with random new SECRET_KEY."""
old_key = app.secret_key
# Get the secret key
key = SSHKey.get(user_id=1, remote_server_id=1)
app.secret_key = 'NEW_KEY_VALUE'
db.session.expunge_all()
# Assert that existing key cannot be read anymore
with pytest.raises(ValueError):
SSHKey.get(user_id=1, remote_server_id=1)
rebuild_private_keys(old_key)
key = SSHKey.query.first()
# make sure the SSHKey is still the same
assert SSHKey.get(user_id=1, remote_server_id=1) == key
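Review bot: The final assertion does not show that the key material survived re-encryption, because `key` is reassigned from `SSHKey.query.first()` after the rebuild and `SSHKey.get(...) == key` then compares two post-rebuild lookups of what is likely the same row. Capture the plaintext before changing the secret with `original = key.private_key`, and finish with `assert SSHKey.get(user_id=1, remote_server_id=1).private_key == original`. The test also leaves `app.secret_key` set to 'NEW_KEY_VALUE', which may carry over into later tests if the `app` fixture is shared, so restoring it in a `try`/`finally` would be safer. The visible import hunk does not show `pytest` being imported, which `pytest.raises` needs.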