feat(security): encrypt sensitive settings at rest (Fernet)
Secrets (smtp.password, oidc.client_secret, ldap.bind_password, ansible ssh_private_key/become_password/vault_password) were stored plaintext in app_settings. Add transparent encryption-at-rest: - steward/core/crypto.py: Fernet keyed off the app secret (/data/secret.key), enc:v1: prefix marks ciphertext; passthrough for plaintext/empty/no-key, never reveals plaintext on a wrong key. - settings.py: SECRET_KEYS registry; set_setting encrypts on write; all read paths (get_setting / get_all_settings / load_settings_sync) decrypt transparently; migrate_plaintext_secrets() converts legacy rows in place. - app.py startup: init_crypto(SECRET_KEY) + one-time legacy-secret migration before settings load. - Add cryptography dependency. UI masking is unchanged (it checks decrypted truthiness). Key-loss caveat documented: secrets are unrecoverable if the app secret key is lost. Unit tests cover round-trip, empty/plaintext passthrough, and wrong-key safety. Task #580. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -104,6 +104,24 @@ DEFAULTS: dict[str, Any] = {
|
||||
"reports.last_sent_at": "",
|
||||
}
|
||||
|
||||
# Settings encrypted at rest (transparent encrypt-on-write / decrypt-on-read).
|
||||
# Adding a key here makes new writes ciphertext; run migrate_plaintext_secrets
|
||||
# to convert any existing plaintext rows.
|
||||
SECRET_KEYS: set[str] = {
|
||||
"smtp.password",
|
||||
"oidc.client_secret",
|
||||
"ldap.bind_password",
|
||||
"ansible.ssh_private_key",
|
||||
"ansible.become_password",
|
||||
"ansible.vault_password",
|
||||
}
|
||||
|
||||
|
||||
def _decode(value: Any) -> Any:
|
||||
"""Decrypt a stored value if it's an encrypted token; else pass through."""
|
||||
from steward.core.crypto import decrypt_secret, is_encrypted
|
||||
return decrypt_secret(value) if is_encrypted(value) else value
|
||||
|
||||
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
# Async helpers (use inside request handlers / scheduled tasks)
|
||||
@@ -117,27 +135,31 @@ async def get_setting(session: AsyncSession, key: str) -> Any:
|
||||
row = result.scalar_one_or_none()
|
||||
if row is None:
|
||||
return DEFAULTS.get(key)
|
||||
return json.loads(row.value_json)
|
||||
return _decode(json.loads(row.value_json))
|
||||
|
||||
|
||||
async def set_setting(session: AsyncSession, key: str, value: Any) -> None:
|
||||
"""Upsert a setting. Call inside an active transaction."""
|
||||
"""Upsert a setting (encrypting secret keys at rest). Call in a transaction."""
|
||||
to_store = value
|
||||
if key in SECRET_KEYS and isinstance(value, str) and value:
|
||||
from steward.core.crypto import encrypt_secret
|
||||
to_store = encrypt_secret(value)
|
||||
result = await session.execute(
|
||||
select(AppSetting).where(AppSetting.key == key)
|
||||
)
|
||||
row = result.scalar_one_or_none()
|
||||
now = datetime.now(timezone.utc)
|
||||
if row is None:
|
||||
session.add(AppSetting(key=key, value_json=json.dumps(value), updated_at=now))
|
||||
session.add(AppSetting(key=key, value_json=json.dumps(to_store), updated_at=now))
|
||||
else:
|
||||
row.value_json = json.dumps(value)
|
||||
row.value_json = json.dumps(to_store)
|
||||
row.updated_at = now
|
||||
|
||||
|
||||
async def get_all_settings(session: AsyncSession) -> dict[str, Any]:
|
||||
"""Return flat key→value dict with defaults filled in for missing keys."""
|
||||
result = await session.execute(select(AppSetting))
|
||||
stored = {row.key: json.loads(row.value_json) for row in result.scalars()}
|
||||
stored = {row.key: _decode(json.loads(row.value_json)) for row in result.scalars()}
|
||||
out: dict[str, Any] = {}
|
||||
for key, default in DEFAULTS.items():
|
||||
out[key] = stored.get(key, default)
|
||||
@@ -216,7 +238,7 @@ def load_settings_sync(db_url: str) -> dict[str, Any]:
|
||||
try:
|
||||
async with factory() as session:
|
||||
result = await session.execute(select(AppSetting))
|
||||
return {row.key: json.loads(row.value_json) for row in result.scalars()}
|
||||
return {row.key: _decode(json.loads(row.value_json)) for row in result.scalars()}
|
||||
finally:
|
||||
await engine.dispose()
|
||||
|
||||
@@ -230,6 +252,37 @@ def load_settings_sync(db_url: str) -> dict[str, Any]:
|
||||
return out
|
||||
|
||||
|
||||
def migrate_plaintext_secrets(db_url: str) -> int:
|
||||
"""Encrypt any existing plaintext secret rows in place. Idempotent.
|
||||
|
||||
Returns the number of values converted. Run once at startup after the
|
||||
encryptor is initialised (already-encrypted rows are skipped).
|
||||
"""
|
||||
from steward.core.crypto import encrypt_secret, is_encrypted
|
||||
|
||||
async def _run() -> int:
|
||||
from sqlalchemy.ext.asyncio import create_async_engine, async_sessionmaker
|
||||
engine = create_async_engine(db_url, echo=False)
|
||||
factory = async_sessionmaker(engine, expire_on_commit=False)
|
||||
converted = 0
|
||||
try:
|
||||
async with factory() as session:
|
||||
async with session.begin():
|
||||
result = await session.execute(
|
||||
select(AppSetting).where(AppSetting.key.in_(SECRET_KEYS))
|
||||
)
|
||||
for row in result.scalars():
|
||||
val = json.loads(row.value_json)
|
||||
if isinstance(val, str) and val and not is_encrypted(val):
|
||||
row.value_json = json.dumps(encrypt_secret(val))
|
||||
converted += 1
|
||||
finally:
|
||||
await engine.dispose()
|
||||
return converted
|
||||
|
||||
return asyncio.run(_run())
|
||||
|
||||
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
# External URL helper
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
Reference in New Issue
Block a user