encription from a env key and password admin

2024-01-03 17:52:46 +01:00 · 2024-01-03 17:52:46 +01:00 · d2f7e5395d
parent 20f40b43d0
commit d2f7e5395d
6 changed files with 41 additions and 29 deletions
--- a/idhub/admin/views.py
+++ b/idhub/admin/views.py
@ -645,7 +645,7 @@ class DidRegisterView(Credentials, CreateView):

    def form_valid(self, form):
        form.instance.user = self.request.user
-        form.instance.set_did(self.request.session)
+        form.instance.set_did()
        form.save()
        messages.success(self.request, _('DID created successfully'))
        Event.set_EV_ORG_DID_CREATED_BY_ADMIN(form.instance)
--- a/idhub/models.py
+++ b/idhub/models.py
@ -421,16 +421,16 @@ class DID(models.Model):
        null=True,
    )

-    def get_key_material(self, session):
-        if "sensitive_data_encryption_key" not in session:
-            raise Exception("Ojo! Se intenta acceder a datos cifrados sin tener la clave de usuario.")
-        sb = secret.SecretBox(session["sensitive_data_encryption_key"])
+    def get_key_material(self):
+        if not settings.KEY_CREDENTIALS_CLEAN:
+            raise Exception("Ojo! Se intenta acceder a datos cifrados sin tener la clave.")
+        sb = secret.SecretBox(settings.KEY_CREDENTIALS_CLEAN)
        return sb.decrypt(self._key_material)

-    def set_key_material(self, value, session):
-        if "sensitive_data_encryption_key" not in session:
-            raise Exception("Ojo! Se intenta acceder a datos cifrados sin tener la clave de usuario.")
-        sb = secret.SecretBox(session["sensitive_data_encryption_key"])
+    def set_key_material(self, value):
+        if not settings.KEY_CREDENTIALS_CLEAN:
+            raise Exception("Ojo! Se intenta acceder a datos cifrados sin tener la clave.")
+        sb = secret.SecretBox(settings.KEY_CREDENTIALS_CLEAN)
        self._key_material = sb.encrypt(value)

    @property
@ -439,7 +439,7 @@ class DID(models.Model):
            return True
        return False

-    def set_did(self, session):
+    def set_did(self):
        """
        Generates a new DID Controller Key and derives a DID from it.
        Because DID Controller Keys are stored encrypted using a User's Sensitive Data Encryption Key,
@ -447,7 +447,7 @@ class DID(models.Model):
        """
        new_key_material = generate_did_controller_key()
        self.did = keydid_from_controller_key(new_key_material)
-        self.set_key_material(new_key_material, session)
+        self.set_key_material(new_key_material)


    # TODO: darmengo: esta funcion solo se llama desde un fichero que sube cosas a s3 (??) Preguntar a ver que hace.
@ -513,16 +513,16 @@ class VerificableCredential(models.Model):
        related_name='vcredentials',
    )

-    def get_data(self, session):
-        if "sensitive_data_encryption_key" not in session:
-            raise Exception("Ojo! Se intenta acceder a datos cifrados sin tener la clave de usuario.")
-        sb = secret.SecretBox(session["sensitive_data_encryption_key"])
+    def get_data(self):
+        if not settings.KEY_CREDENTIALS_CLEAN:
+            raise Exception("Ojo! Se intenta acceder a datos cifrados sin tener la clave.")
+        sb = secret.SecretBox(settings.KEY_CREDENTIALS_CLEAN)
        return sb.decrypt(self._data)

-    def set_data(self, value, session):
-        if "sensitive_data_encryption_key" not in session:
-            raise Exception("Ojo! Se intenta acceder a datos cifrados sin tener la clave de usuario.")
-        sb = secret.SecretBox(session["sensitive_data_encryption_key"])
+    def set_data(self, value):
+        if not settings.KEY_CREDENTIALS_CLEAN:
+            raise Exception("Ojo! Se intenta acceder a datos cifrados sin tener la clave.")
+        sb = secret.SecretBox(settings.KEY_CREDENTIALS_CLEAN)
        self._data = sb.encrypt(value)

    @property
@ -553,7 +553,7 @@ class VerificableCredential(models.Model):
        data = json.loads(self.csv_data).items()
        return data

-    def issue(self, did, session):
+    def issue(self, did):
        if self.status == self.Status.ISSUED:
            return

@ -562,7 +562,7 @@ class VerificableCredential(models.Model):
        self.issued_on = datetime.datetime.now().astimezone(pytz.utc)
        self.data = sign_credential(
            self.render(),
-            self.issuer_did.get_key_material(session)
+            self.issuer_did.get_key_material()
        )

    def get_context(self):
--- a/idhub/user/forms.py
+++ b/idhub/user/forms.py
@ -18,7 +18,6 @@ class RequestCredentialForm(forms.Form):

    def __init__(self, *args, **kwargs):
        self.user = kwargs.pop('user', None)
-        self.session = kwargs.pop('session', None)
        super().__init__(*args, **kwargs)
        self.fields['did'].choices = [
            (x.did, x.label) for x in DID.objects.filter(user=self.user)
@ -46,7 +45,7 @@ class RequestCredentialForm(forms.Form):
        did = did[0].did
        cred = cred[0]
        try:
-            cred.issue(did, self.session)
+            cred.issue(did)
        except Exception:
            return

--- a/idhub/user/views.py
+++ b/idhub/user/views.py
@ -128,7 +128,6 @@ class CredentialsRequestView(MyWallet, FormView):
    def get_form_kwargs(self):
        kwargs = super().get_form_kwargs()
        kwargs['user'] = self.request.user
-        kwargs['session'] = self.request.session
        return kwargs
    
    def form_valid(self, form):
@ -190,7 +189,7 @@ class DidRegisterView(MyWallet, CreateView):

    def form_valid(self, form):
        form.instance.user = self.request.user
-        form.instance.set_did(self.request.session)
+        form.instance.set_did()
        form.save()
        messages.success(self.request, _('DID created successfully'))

--- a/idhub/views.py
+++ b/idhub/views.py
@ -1,8 +1,10 @@
 from django.urls import reverse_lazy
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from django.contrib.auth import views as auth_views
 from django.contrib.auth import login as auth_login
 from django.http import HttpResponseRedirect
+from nacl import secret


 class LoginView(auth_views.LoginView):
@ -24,9 +26,19 @@ class LoginView(auth_views.LoginView):
            admin_dashboard = reverse_lazy('idhub:admin_dashboard')
            if self.extra_context['success_url'] == user_dashboard:
                self.extra_context['success_url'] = admin_dashboard
-        auth_login(self.request, user)
+            password = form.cleaned_data.get("password")
            # Decrypt the user's sensitive data encryption key and store it in the session.
-        password = form.cleaned_data.get("password")  # TODO: Is this right????????
-        sensitive_data_encryption_key = user.decrypt_sensitive_data_encryption_key(password)
-        self.request.session["sensitive_data_encryption_key"] = sensitive_data_encryption_key
+            self.decript_key(user, password)
+
+        auth_login(self.request, user)
        return HttpResponseRedirect(self.extra_context['success_url'])
+
+    def decript_key(self, user, password):
+        if not settings.KEY_CREDENTIALS:
+            return
+
+        sb_key = user.derive_key_from_password(password)
+        sb = secret.SecretBox(sb_key)
+        data_decript = sb.decrypt(settings.KEY_CREDENTIALS)
+        settings.KEY_CREDENTIALS_CLEAN = data_decript
+
--- a/trustchain_idhub/settings.py
+++ b/trustchain_idhub/settings.py
@ -184,3 +184,5 @@ USE_I18N = True
 USE_L10N = True

 AUTH_USER_MODEL = 'idhub_auth.User'
+KEY_CREDENTIALS = config("KEY_CREDENTIALS")
+KEY_CREDENTIALS_CLEAN = ""