Encryption fields added to moodle config

CHANGELOG.rst

@@ -15,6 +15,11 @@ Change Log
 
 Unreleased
 ----------
+[4.6.9]
+-------
+refactor: removing "null=true" constraint from encrypted fields
+feat: added fields for holding encrypted data in database (ENT 5613)
+
 [4.6.8]
 -------
 feat: truncate API Response before writing to the APIResponseRecord

enterprise/__init__.py

@@ -2,4 +2,4 @@
 Your project description goes here.
 """
 
-__version__ = "4.6.8"
+__version__ = "4.6.9"

integrated_channels/moodle/migrations/0028_auto_20230928_1530.py

@@ -0,0 +1,59 @@
+# Generated by Django 3.2.20 on 2023-09-28 15:30
+
+from django.db import migrations
+from integrated_channels.utils import dummy_reverse
+import fernet_fields.fields
+
+
+def populate_decrypted_fields(apps, schema_editor):
+    """
+    Populates the encryption fields with the data previously stored in database.
+    """
+    MoodleEnterpriseCustomerConfiguration = apps.get_model('moodle', 'MoodleEnterpriseCustomerConfiguration')
+
+    for moodle_enterprise_configuration in MoodleEnterpriseCustomerConfiguration.objects.all():
+        moodle_enterprise_configuration.decrypted_username = moodle_enterprise_configuration.username
+        moodle_enterprise_configuration.decrypted_password = moodle_enterprise_configuration.password
+        moodle_enterprise_configuration.decrypted_token = moodle_enterprise_configuration.token
+        moodle_enterprise_configuration.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('moodle', '0027_alter_historicalmoodleenterprisecustomerconfiguration_options'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='historicalmoodleenterprisecustomerconfiguration',
+            name='decrypted_password',
+            field=fernet_fields.fields.EncryptedCharField(blank=True, help_text="The encrypted API user's password used to obtain new tokens.", max_length=255, default="", verbose_name='Encrypted Webservice Password'),
+        ),
+        migrations.AddField(
+            model_name='historicalmoodleenterprisecustomerconfiguration',
+            name='decrypted_token',
+            field=fernet_fields.fields.EncryptedCharField(blank=True, help_text="The encrypted API user's token used to obtain new tokens.", max_length=255, default="", verbose_name='Encrypted Webservice Token'),
+        ),
+        migrations.AddField(
+            model_name='historicalmoodleenterprisecustomerconfiguration',
+            name='decrypted_username',
+            field=fernet_fields.fields.EncryptedCharField(blank=True, help_text="The encrypted API user's username used to obtain new tokens.", max_length=255, default="", verbose_name='Encrypted Webservice Username'),
+        ),
+        migrations.AddField(
+            model_name='moodleenterprisecustomerconfiguration',
+            name='decrypted_password',
+            field=fernet_fields.fields.EncryptedCharField(blank=True, help_text="The encrypted API user's password used to obtain new tokens.", max_length=255, default="", verbose_name='Encrypted Webservice Password'),
+        ),
+        migrations.AddField(
+            model_name='moodleenterprisecustomerconfiguration',
+            name='decrypted_token',
+            field=fernet_fields.fields.EncryptedCharField(blank=True, help_text="The encrypted API user's token used to obtain new tokens.", max_length=255, default="", verbose_name='Encrypted Webservice Token'),
+        ),
+        migrations.AddField(
+            model_name='moodleenterprisecustomerconfiguration',
+            name='decrypted_username',
+            field=fernet_fields.fields.EncryptedCharField(blank=True, help_text="The encrypted API user's username used to obtain new tokens.", max_length=255, default="", verbose_name='Encrypted Webservice Username'),
+        ),
+        migrations.RunPython(populate_decrypted_fields, dummy_reverse),
+    ]

integrated_channels/moodle/models.py

@@ -5,9 +5,11 @@
 import json
 from logging import getLogger
 
+from fernet_fields import EncryptedCharField
 from simple_history.models import HistoricalRecords
 
 from django.db import models
+from django.utils.encoding import force_bytes, force_str
 from django.utils.translation import gettext_lazy as _
 
 from integrated_channels.integrated_channel.models import (
@@ -64,6 +66,38 @@ class MoodleEnterpriseCustomerConfiguration(EnterpriseCustomerPluginConfiguratio
         )
     )
 
+    decrypted_username = EncryptedCharField(
+        max_length=255,
+        verbose_name="Encrypted Webservice Username",
+        blank=True,
+        help_text=_(
+            "The encrypted API user's username used to obtain new tokens."),
+        default="",
+    )
+
+    @property
+    def encrypted_username(self):
+        """
+        Return encrypted username as a string.
+
+        The data is encrypted in the DB at rest, but is unencrypted in the app when retrieved through the
+        decrypted_username field. This method will encrypt the username again before sending.
+        """
+        if self.decrypted_username:
+            return force_str(
+                self._meta.get_field('decrypted_username').fernet.encrypt(
+                    force_bytes(self.decrypted_username)
+                )
+            )
+        return self.decrypted_username
+
+    @encrypted_username.setter
+    def encrypted_username(self, value):
+        """
+        Set the encrypted username.
+        """
+        self.decrypted_username = value
+
     password = models.CharField(
         max_length=255,
         blank=True,
@@ -73,6 +107,38 @@ class MoodleEnterpriseCustomerConfiguration(EnterpriseCustomerPluginConfiguratio
         )
     )
 
+    decrypted_password = EncryptedCharField(
+        max_length=255,
+        verbose_name="Encrypted Webservice Password",
+        blank=True,
+        help_text=_(
+            "The encrypted API user's password used to obtain new tokens."),
+        default="",
+    )
+
+    @property
+    def encrypted_password(self):
+        """
+        Return encrypted password as a string.
+
+        The data is encrypted in the DB at rest, but is unencrypted in the app when retrieved through the
+        decrypted_password field. This method will encrypt the password again before sending.
+        """
+        if self.decrypted_password:
+            return force_str(
+                self._meta.get_field('decrypted_password').fernet.encrypt(
+                    force_bytes(self.decrypted_password)
+                )
+            )
+        return self.decrypted_password
+
+    @encrypted_password.setter
+    def encrypted_password(self, value):
+        """
+        Set the encrypted password.
+        """
+        self.decrypted_password = value
+
     token = models.CharField(
         max_length=255,
         blank=True,
@@ -82,6 +148,38 @@ class MoodleEnterpriseCustomerConfiguration(EnterpriseCustomerPluginConfiguratio
         )
     )
 
+    decrypted_token = EncryptedCharField(
+        max_length=255,
+        verbose_name="Encrypted Webservice Token",
+        blank=True,
+        help_text=_(
+            "The encrypted API user's token used to obtain new tokens."),
+        default="",
+    )
+
+    @property
+    def encrypted_token(self):
+        """
+        Return encrypted token as a string.
+
+        The data is encrypted in the DB at rest, but is unencrypted in the app when retrieved through the
+        decrypted_token field. This method will encrypt the token again before sending.
+        """
+        if self.decrypted_token:
+            return force_str(
+                self._meta.get_field('decrypted_token').fernet.encrypt(
+                    force_bytes(self.decrypted_token)
+                )
+            )
+        return self.decrypted_token
+
+    @encrypted_token.setter
+    def encrypted_token(self, value):
+        """
+        Set the encrypted token.
+        """
+        self.decrypted_token = value
+
     transmission_chunk_size = models.IntegerField(
         default=1,
         help_text=_("The maximum number of data items to transmit to the integrated channel with each request.")

integrated_channels/utils.py

@@ -501,3 +501,13 @@ def get_enterprise_client_by_channel_code(channel_code):
         'canvas': CanvasAPIClient,
     }
     return _enterprise_client_model_by_channel_code[channel_code]
+
+
+def dummy_reverse(_apps, _schema_editor):
+    """
+    Reverse a data migration but do nothing.
+
+    :param _apps:
+    :param _schema_editor:
+    :return:
+    """