Merge pull request #6541 from wwitzel3/issue-826

Re-Encrypt all of our existing encrypted fields.
2026-05-14 15:58:38 -05:00 · 2017-06-13 09:42:56 -04:00
parent 18dc5c1ba9 8989c95b93
commit 12982d6ef6
22 changed files with 493 additions and 204 deletions
@@ -9,6 +9,7 @@ from psycopg2.extensions import AsIs
 from django.db import migrations, models

 # AWX
+from awx.main.migrations import _reencrypt as reencrypt
 import awx.main.fields
 from awx.main.models import Host

@@ -260,7 +261,7 @@ class Migration(migrations.Migration):
            name='Permission',
        ),

-	# Insights
+        # Insights
        migrations.AddField(
            model_name='host',
            name='insights_system_id',
@@ -276,4 +277,5 @@ class Migration(migrations.Migration):
            name='kind',
            field=models.CharField(default=b'', help_text='Kind of inventory being represented.', max_length=32, blank=True, choices=[(b'', 'Hosts have a direct link to this inventory.'), (b'smart', 'Hosts for inventory generated using the host_filter property.')]),
        ),
+        migrations.RunPython(reencrypt.replace_aesecb_fernet),
    ]
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations
+from awx.main.migrations import _reencrypt
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0043_v320_instancegroups'),
+    ]
+
+    operations = [
+        migrations.RunPython(_reencrypt.replace_aesecb_fernet),
+    ]
@@ -1,6 +1,6 @@
 from awx.main import utils
 from awx.main.models import CredentialType
-from awx.main.utils.common import encrypt_field, decrypt_field
+from awx.main.utils import encrypt_field, decrypt_field
 from django.db.models import Q


@@ -0,0 +1,46 @@
+from awx.conf.migrations._reencrypt import decrypt_field
+
+
+__all__ = ['replace_aesecb_fernet']
+
+
+def replace_aesecb_fernet(apps, schema_editor):
+    _notification_templates(apps)
+    _credentials(apps)
+    _unified_jobs(apps)
+
+
+def _notification_templates(apps):
+    NotificationTemplate = apps.get_model('main', 'NotificationTemplate')
+    for nt in NotificationTemplate.objects.all():
+        for field in filter(lambda x: nt.notification_class.init_parameters[x]['type'] == "password",
+                            nt.notification_class.init_parameters):
+            if nt.notification_configuration[field].startswith('$encrypted$AESCBC$'):
+                continue
+            value = decrypt_field(nt, 'notification_configuration', subfield=field)
+            nt.notification_configuration[field] = value
+        nt.save()
+
+
+def _credentials(apps):
+    Credential = apps.get_model('main', 'Credential')
+    for credential in Credential.objects.all():
+        for field_name, value in credential.inputs.items():
+            if field_name in credential.credential_type.secret_fields:
+                value = getattr(credential, field_name)
+                if value.startswith('$encrypted$AESCBC$'):
+                    continue
+                value = decrypt_field(credential, field_name)
+                credential.inputs[field_name] = value
+        credential.save()
+
+
+def _unified_jobs(apps):
+    UnifiedJob = apps.get_model('main', 'UnifiedJob')
+    for uj in UnifiedJob.objects.all():
+        if uj.start_args is not None:
+            if uj.start_args.startswith('$encrypted$AESCBC$'):
+                continue
+            start_args = decrypt_field(uj, 'start_args')
+            uj.start_args = start_args
+            uj.save()