Files
FabledSteward/tests/core/test_crypto.py
T
bvandeusen 6e91bdc82b
CI / lint (push) Successful in 2s
CI / unit (push) Successful in 7s
CI / integration (push) Successful in 2m17s
CI / publish (push) Successful in 45s
feat(security): encrypt sensitive settings at rest (Fernet)
Secrets (smtp.password, oidc.client_secret, ldap.bind_password, ansible
ssh_private_key/become_password/vault_password) were stored plaintext in
app_settings. Add transparent encryption-at-rest:

- steward/core/crypto.py: Fernet keyed off the app secret (/data/secret.key),
  enc:v1: prefix marks ciphertext; passthrough for plaintext/empty/no-key,
  never reveals plaintext on a wrong key.
- settings.py: SECRET_KEYS registry; set_setting encrypts on write; all read
  paths (get_setting / get_all_settings / load_settings_sync) decrypt
  transparently; migrate_plaintext_secrets() converts legacy rows in place.
- app.py startup: init_crypto(SECRET_KEY) + one-time legacy-secret migration
  before settings load.
- Add cryptography dependency.

UI masking is unchanged (it checks decrypted truthiness). Key-loss caveat
documented: secrets are unrecoverable if the app secret key is lost. Unit
tests cover round-trip, empty/plaintext passthrough, and wrong-key safety.

Task #580.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 15:22:43 -04:00

47 lines
1.2 KiB
Python

"""Unit tests for settings encryption-at-rest (Fernet)."""
from steward.core.crypto import (
ENC_PREFIX,
decrypt_secret,
encrypt_secret,
init_crypto,
is_encrypted,
)
def setup_function():
init_crypto("unit-test-secret-key")
def test_roundtrip():
tok = encrypt_secret("hunter2")
assert tok.startswith(ENC_PREFIX)
assert tok != "hunter2"
assert is_encrypted(tok)
assert decrypt_secret(tok) == "hunter2"
def test_empty_passes_through():
assert encrypt_secret("") == ""
assert is_encrypted("") is False
def test_plaintext_decrypt_passthrough():
assert decrypt_secret("not-encrypted") == "not-encrypted"
def test_is_encrypted_type_guard():
assert is_encrypted(encrypt_secret("x")) is True
assert is_encrypted("plain") is False
assert is_encrypted(None) is False
assert is_encrypted(123) is False
def test_wrong_key_does_not_reveal_plaintext():
init_crypto("key-A")
tok = encrypt_secret("secret")
init_crypto("key-B")
# Wrong key -> InvalidToken -> token returned unchanged, never the plaintext.
assert decrypt_secret(tok) != "secret"
init_crypto("key-A")
assert decrypt_secret(tok) == "secret"