Removing unencrypted user credentials data (#1966)

* feat: replacing non encrypted fields of moodle config model with encrypted ones (ENT 5613)

CHANGELOG.rst

@@ -16,6 +16,11 @@ Change Log
 Unreleased
 ----------
 
+[4.9.5]
+--------
+
+feat: replacing non encrypted fields of moodle config model with encrypted ones
+
 [4.9.4]
 --------
 

enterprise/__init__.py

@@ -2,4 +2,4 @@
 Your project description goes here.
 """
 
-__version__ = "4.9.4"
+__version__ = "4.9.5"

integrated_channels/api/v1/moodle/serializers.py

@@ -1,6 +1,8 @@
 """
     Serializer for Moodle configuration.
 """
+from rest_framework import serializers
+
 from integrated_channels.api.serializers import EnterpriseCustomerPluginConfigSerializer
 from integrated_channels.moodle.models import MoodleEnterpriseCustomerConfiguration
 
@@ -12,8 +14,12 @@ class Meta:
             'moodle_base_url',
             'service_short_name',
             'category_id',
-            'username',
-            'password',
-            'token',
+            'encrypted_username',
+            'encrypted_password',
+            'encrypted_token',
         )
         fields = EnterpriseCustomerPluginConfigSerializer.Meta.fields + extra_fields
+
+    encrypted_password = serializers.CharField(required=False, allow_blank=False, read_only=False)
+    encrypted_username = serializers.CharField(required=False, allow_blank=False, read_only=False)
+    encrypted_token = serializers.CharField(required=False, allow_blank=False, read_only=False)

integrated_channels/moodle/admin/__init__.py

@@ -24,9 +24,9 @@ class Meta:
 
     def clean(self):
         cleaned_data = super().clean()
-        cleaned_username = cleaned_data.get('username')
-        cleaned_password = cleaned_data.get('password')
-        cleaned_token = cleaned_data.get('token')
+        cleaned_username = cleaned_data.get('decrypted_username')
+        cleaned_password = cleaned_data.get('decrypted_password')
+        cleaned_token = cleaned_data.get('decrypted_token')
         if cleaned_token and (cleaned_username or cleaned_password):
             raise ValidationError(_('Cannot set both a Username/Password and Token'))
         if (cleaned_username and not cleaned_password) or (cleaned_password and not cleaned_username):

integrated_channels/moodle/client.py

@@ -184,6 +184,7 @@ def _get_access_token(self):
         username = self.enterprise_configuration.username
         decrypted_password = self.enterprise_configuration.decrypted_password
         password = self.enterprise_configuration.password
+        use_encrypted_user_data = getattr(settings, 'FEATURES', {}).get('USE_ENCRYPTED_USER_DATA', False)
 
         response = requests.post(
             urljoin(
@@ -195,8 +196,8 @@ def _get_access_token(self):
                 'Content-Type': 'application/x-www-form-urlencoded',
             },
             data={
-                "username": decrypted_username if settings.FEATURES.get('USE_ENCRYPTED_USER_DATA', False) else username,
-                "password": decrypted_password if settings.FEATURES.get('USE_ENCRYPTED_USER_DATA', False) else password,
+                "username": decrypted_username if use_encrypted_user_data else username,
+                "password": decrypted_password if use_encrypted_user_data else password,
             },
         )
 

integrated_channels/moodle/models.py

@@ -230,7 +230,7 @@ def is_valid(self):
         incorrect_items = {'incorrect': []}
         if not self.moodle_base_url:
             missing_items.get('missing').append('moodle_base_url')
-        if not self.token and not (self.username and self.password):
+        if not self.decrypted_token and not (self.decrypted_username and self.decrypted_password):
             missing_items.get('missing').append('token OR username and password')
         if not self.service_short_name:
             missing_items.get('missing').append('service_short_name')

tests/test_integrated_channels/test_api/test_moodle/test_views.py

@@ -82,13 +82,13 @@ def test_update(self, mock_current_request):
             'moodle_base_url': 'http://testing2',
             'service_short_name': 'test',
             'enterprise_customer': ENTERPRISE_ID,
-            'token': 'testing'
+            'encrypted_token': 'testing'
         }
         response = self.client.put(url, payload)
         self.moodle_config.refresh_from_db()
         self.assertEqual(self.moodle_config.moodle_base_url, 'http://testing2')
         self.assertEqual(self.moodle_config.service_short_name, 'test')
-        self.assertEqual(self.moodle_config.token, 'testing')
+        self.assertEqual(self.moodle_config.decrypted_token, 'testing')
         self.assertEqual(response.status_code, 200)
 
     @mock.patch('enterprise.rules.crum.get_current_request')
@@ -139,6 +139,9 @@ def test_is_valid_field(self, mock_current_request):
         _, incorrect = data[0].get('is_valid')
         assert incorrect.get('incorrect') == ['moodle_base_url', 'display_name']
 
+        self.moodle_config.decrypted_token = ''
+        self.moodle_config.decrypted_username = ''
+        self.moodle_config.decrypted_password = ''
         self.moodle_config.token = ''
         self.moodle_config.username = ''
         self.moodle_config.password = ''
@@ -152,6 +155,9 @@ def test_is_valid_field(self, mock_current_request):
         assert missing.get('missing') == ['moodle_base_url', 'token OR username and password', 'service_short_name']
 
         self.moodle_config.category_id = 10
+        self.moodle_config.decrypted_username = 'lmao'
+        self.moodle_config.decrypted_password = 'foobar'
+        self.moodle_config.decrypted_token = 'baa'
         self.moodle_config.username = 'lmao'
         self.moodle_config.password = 'foobar'
         self.moodle_config.token = 'baa'