feat(security): encrypt sensitive settings at rest (Fernet)
Secrets (smtp.password, oidc.client_secret, ldap.bind_password, ansible ssh_private_key/become_password/vault_password) were stored plaintext in app_settings. Add transparent encryption-at-rest: - steward/core/crypto.py: Fernet keyed off the app secret (/data/secret.key), enc:v1: prefix marks ciphertext; passthrough for plaintext/empty/no-key, never reveals plaintext on a wrong key. - settings.py: SECRET_KEYS registry; set_setting encrypts on write; all read paths (get_setting / get_all_settings / load_settings_sync) decrypt transparently; migrate_plaintext_secrets() converts legacy rows in place. - app.py startup: init_crypto(SECRET_KEY) + one-time legacy-secret migration before settings load. - Add cryptography dependency. UI masking is unchanged (it checks decrypted truthiness). Key-loss caveat documented: secrets are unrecoverable if the app secret key is lost. Unit tests cover round-trip, empty/plaintext passthrough, and wrong-key safety. Task #580. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,93 @@
|
||||
# steward/core/crypto.py
|
||||
"""Encryption-at-rest for sensitive settings (smtp/oidc/ldap/ansible secrets).
|
||||
|
||||
Values are encrypted with Fernet (AES-128-CBC + HMAC) using a key derived from
|
||||
the app secret key (the same /data/secret.key used for sessions). Encrypted
|
||||
values are stored with an ``enc:v1:`` prefix so reads can transparently tell
|
||||
ciphertext from legacy plaintext during/after migration.
|
||||
|
||||
Key-loss caveat: if the app secret key is lost or changed, encrypted secrets
|
||||
become unrecoverable — they must be re-entered. This ties secret recovery to
|
||||
the same key the rest of the app already depends on; back it up with the data.
|
||||
"""
|
||||
from __future__ import annotations
|
||||
|
||||
import base64
|
||||
import hashlib
|
||||
import logging
|
||||
import os
|
||||
from pathlib import Path
|
||||
|
||||
from cryptography.fernet import Fernet, InvalidToken
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
ENC_PREFIX = "enc:v1:"
|
||||
_SECRET_KEY_FILE = Path("/data/secret.key")
|
||||
_fernet: Fernet | None = None
|
||||
|
||||
|
||||
def _make_fernet(secret_key: str) -> Fernet:
|
||||
# Derive a stable 32-byte Fernet key from the app secret (any length string).
|
||||
digest = hashlib.sha256(secret_key.encode("utf-8")).digest()
|
||||
return Fernet(base64.urlsafe_b64encode(digest))
|
||||
|
||||
|
||||
def init_crypto(secret_key: str) -> None:
|
||||
"""Bind the encryptor to the app's secret key (called once at startup)."""
|
||||
global _fernet
|
||||
if secret_key:
|
||||
_fernet = _make_fernet(secret_key)
|
||||
|
||||
|
||||
def _resolve_secret_key() -> str | None:
|
||||
"""Fallback key resolution mirroring config (env → /data/secret.key)."""
|
||||
k = os.environ.get("STEWARD_SECRET_KEY")
|
||||
if k:
|
||||
return k
|
||||
try:
|
||||
if _SECRET_KEY_FILE.exists():
|
||||
v = _SECRET_KEY_FILE.read_text().strip()
|
||||
if v:
|
||||
return v
|
||||
except OSError:
|
||||
pass
|
||||
return None
|
||||
|
||||
|
||||
def _get() -> Fernet | None:
|
||||
global _fernet
|
||||
if _fernet is None:
|
||||
k = _resolve_secret_key()
|
||||
if k:
|
||||
_fernet = _make_fernet(k)
|
||||
return _fernet
|
||||
|
||||
|
||||
def is_encrypted(value) -> bool:
|
||||
return isinstance(value, str) and value.startswith(ENC_PREFIX)
|
||||
|
||||
|
||||
def encrypt_secret(plaintext: str) -> str:
|
||||
"""Return an ``enc:v1:`` token, or the input unchanged if empty / no key."""
|
||||
if not plaintext:
|
||||
return plaintext
|
||||
f = _get()
|
||||
if f is None:
|
||||
logger.warning("No secret key available — storing a secret in PLAINTEXT")
|
||||
return plaintext
|
||||
return ENC_PREFIX + f.encrypt(plaintext.encode("utf-8")).decode("ascii")
|
||||
|
||||
|
||||
def decrypt_secret(value: str) -> str:
|
||||
"""Decrypt an ``enc:v1:`` token; pass through plaintext / undecryptable values."""
|
||||
if not is_encrypted(value):
|
||||
return value
|
||||
f = _get()
|
||||
if f is None:
|
||||
return value
|
||||
try:
|
||||
return f.decrypt(value[len(ENC_PREFIX):].encode("ascii")).decode("utf-8")
|
||||
except InvalidToken:
|
||||
logger.error("Could not decrypt a stored secret (wrong/rotated key?)")
|
||||
return value
|
||||
Reference in New Issue
Block a user