nucliadb-utils 5.0.0.post641__py3-none-any.whl → 5.0.0.post642__py3-none-any.whl

nucliadb_utils/encryption/__init__.py

@@ -0,0 +1,81 @@
+# Copyright (C) 2021 Bosutech XXI S.L.
+#
+# nucliadb is offered under the AGPL v3.0 and as commercial software.
+# For commercial licensing, contact us at info@nuclia.com.
+#
+# AGPL:
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import base64
+import binascii
+
+import nacl.exceptions
+import nacl.secret
+import nacl.utils
+
+from nucliadb_telemetry.metrics import Observer
+
+
+class DecryptionError(Exception): ...
+
+
+class DecryptionDataError(DecryptionError): ...
+
+
+endecryptor_observer = Observer(
+    "endecryptor",
+    error_mappings={
+        "DecryptionError": DecryptionError,
+        "DecryptionDataError": DecryptionDataError,
+    },
+    labels={"operation": ""},
+)
+
+
+class EndecryptorUtility:
+    """
+    Utility class for encryption and decryption of sensitive data using the nacl library.
+    """
+
+    def __init__(self, secret_key: bytes):
+        try:
+            self.box = nacl.secret.SecretBox(secret_key)
+        except nacl.exceptions.TypeError as ex:
+            raise ValueError("Invalid secret key") from ex
+
+    @classmethod
+    def from_b64_encoded_secret_key(cls, encoded_secret_key: str):
+        try:
+            secret_key = base64.b64decode(encoded_secret_key)
+        except binascii.Error as ex:
+            raise ValueError("Invalid base64 encoding") from ex
+        return cls(secret_key=secret_key)
+
+    @endecryptor_observer.wrap({"operation": "encrypt"})
+    def encrypt(self, text: str) -> str:
+        text_bytes = text.encode()
+        encrypted = self.box.encrypt(text_bytes)
+        return encrypted.hex()
+
+    @endecryptor_observer.wrap({"operation": "decrypt"})
+    def decrypt(self, encrypted_text: str) -> str:
+        try:
+            encrypted = nacl.utils.EncryptedMessage.fromhex(encrypted_text)
+        except ValueError as ex:
+            raise DecryptionDataError("Error decrypting the message") from ex
+        try:
+            decrypted_bytes = self.box.decrypt(encrypted)
+        except nacl.exceptions.CryptoError as ex:
+            raise DecryptionError("Error decrypting the message") from ex
+        return decrypted_bytes.decode()

nucliadb_utils/encryption/settings.py

@@ -0,0 +1,39 @@
+# Copyright (C) 2021 Bosutech XXI S.L.
+#
+# nucliadb is offered under the AGPL v3.0 and as commercial software.
+# For commercial licensing, contact us at info@nuclia.com.
+#
+# AGPL:
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+from typing import Optional
+
+from pydantic import Field
+from pydantic_settings import BaseSettings
+
+
+class EncryptionSettings(BaseSettings):
+    encryption_secret_key: Optional[str] = Field(
+        default=None,
+        title="Encryption Secret Key",
+        description="""Secret key used for encryption and decryption of sensitive data in the database.
+The key must be a 32-byte string, base64 encoded. You can generate a new key with the following unix command:
+head -c 32 /dev/urandom | base64
+""",
+        examples=[
+            "6TGjSkvX6qkFOo/BJKl5OY1fwJoWnMaSVI7VOJjU07Y=",
+        ],
+    )
+
+
+settings = EncryptionSettings()

nucliadb_utils/utilities.py

@@ -34,6 +34,8 @@ from nucliadb_utils.audit.stream import StreamAuditStorage
 from nucliadb_utils.cache.nats import NatsPubsub
 from nucliadb_utils.cache.pubsub import PubSubDriver
 from nucliadb_utils.cache.settings import settings as cache_settings
+from nucliadb_utils.encryption import EndecryptorUtility
+from nucliadb_utils.encryption.settings import settings as encryption_settings
 from nucliadb_utils.exceptions import ConfigurationError
 from nucliadb_utils.indexing import IndexingUtility
 from nucliadb_utils.nats import NatsConnectionManager
@@ -78,6 +80,7 @@ class Utility(str, Enum):
     LOCAL_STORAGE = "local_storage"
     NUCLIA_STORAGE = "nuclia_storage"
     MAINDB_DRIVER = "driver"
+    ENDECRYPTOR = "endecryptor"
 
 
 def get_utility(ident: Union[Utility, str]):
@@ -406,3 +409,19 @@ def has_feature(
         if X_ACCOUNT_TYPE_HEADER in headers:
             context["account_type"] = headers[X_ACCOUNT_TYPE_HEADER]
     return get_feature_flags().enabled(name, default=default, context=context)
+
+
+def get_endecryptor() -> EndecryptorUtility:
+    util = get_utility(Utility.ENDECRYPTOR)
+    if util is not None:
+        return util
+    if encryption_settings.encryption_secret_key is None:
+        raise ConfigurationError("Encryption secret key not configured")
+    try:
+        util = EndecryptorUtility.from_b64_encoded_secret_key(encryption_settings.encryption_secret_key)
+    except ValueError as ex:
+        raise ConfigurationError(
+            "Invalid encryption key. Must be a base64 encoded 32-byte string"
+        ) from ex
+    set_utility(Utility.ENDECRYPTOR, util)
+    return util

{nucliadb_utils-5.0.0.post641.dist-info → nucliadb_utils-5.0.0.post642.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: nucliadb_utils
-Version: 5.0.0.post641
+Version: 5.0.0.post642
 Home-page: https://nuclia.com
 License: BSD
 Classifier: Development Status :: 4 - Beta
@@ -23,8 +23,8 @@ Requires-Dist: PyNaCl
 Requires-Dist: pyjwt >=2.4.0
 Requires-Dist: memorylru >=1.1.2
 Requires-Dist: mrflagly
-Requires-Dist: nucliadb-protos >=5.0.0.post641
-Requires-Dist: nucliadb-telemetry >=5.0.0.post641
+Requires-Dist: nucliadb-protos >=5.0.0.post642
+Requires-Dist: nucliadb-telemetry >=5.0.0.post642
 Provides-Extra: cache
 Requires-Dist: redis >=4.3.4 ; extra == 'cache'
 Requires-Dist: orjson >=3.6.7 ; extra == 'cache'

{nucliadb_utils-5.0.0.post641.dist-info → nucliadb_utils-5.0.0.post642.dist-info}/RECORD

@@ -16,7 +16,7 @@ nucliadb_utils/settings.py,sha256=AaOtQZVRqRcMnUyN1l1MpR10lANaDT2uPrbhmTyn6uk,76
 nucliadb_utils/signals.py,sha256=JRNv2y9zLtBjOANBf7krGfDGfOc9qcoXZ6N1nKWS2FE,2674
 nucliadb_utils/store.py,sha256=kQ35HemE0v4_Qg6xVqNIJi8vSFAYQtwI3rDtMsNy62Y,890
 nucliadb_utils/transaction.py,sha256=mwcI3aIHAvU5KOGqd_Uz_d1XQzXhk_-NWY8NqU1lfb0,7307
-nucliadb_utils/utilities.py,sha256=puBRsquZEM3gnXNI8wPwXzG1gN8Gg86B7g-oJFlrXQQ,14188
+nucliadb_utils/utilities.py,sha256=ABcv4PwRYlrFOFOJF-1TU8PVbmW548g7scs-dsEJDp0,14955
 nucliadb_utils/audit/__init__.py,sha256=cp15ZcFnHvpcu_5-aK2A4uUyvuZVV_MJn4bIXMa20ks,835
 nucliadb_utils/audit/audit.py,sha256=dn5ZnCVQUlCcvdjzaORghbrjk9QgVGrtkfIftq30Bp8,2819
 nucliadb_utils/audit/basic.py,sha256=NViey6mKbCXqRTLDBX2xNTcCg9I-2e4oB2xkekuhDvM,3392
@@ -26,6 +26,8 @@ nucliadb_utils/cache/exceptions.py,sha256=Zu-O_-0-yctOEgoDGI92gPzWfBMRrpiAyESA62
 nucliadb_utils/cache/nats.py,sha256=-AjCfkFgKVdJUlGR0hT9JDSNkPVFg4S6w9eW-ZIcXPM,7037
 nucliadb_utils/cache/pubsub.py,sha256=l8i_RwRf7OPzfmPy-gyn66xgYFs5aHidCIjEaU9VOHE,1654
 nucliadb_utils/cache/settings.py,sha256=WVeHOE6Re5i4k2hUHdFKfkoL4n83v_Z6UPBK6GHYb8g,1059
+nucliadb_utils/encryption/__init__.py,sha256=oav6jFOTGgmIen88sdmy-bCK-uj1tyDt2hr7lB2YKik,2690
+nucliadb_utils/encryption/settings.py,sha256=yF2AW6c_mu0yWbBn1grAERDAqDvKIpXqQnwD0OFmROI,1467
 nucliadb_utils/fastapi/__init__.py,sha256=itSI7dtTwFP55YMX4iK7JzdMHS5CQVUiB1XzQu4UBh8,833
 nucliadb_utils/fastapi/openapi.py,sha256=b0pLuri0QuzQd0elDyOVXM42YYmES_cmT-jEfsQ1G6Y,1737
 nucliadb_utils/fastapi/run.py,sha256=n6vOX64QqF1I5n4UlKnpm_ZJ24rmwfRGi-J9YMGpZzA,3631
@@ -58,8 +60,8 @@ nucliadb_utils/tests/indexing.py,sha256=YW2QhkhO9Q_8A4kKWJaWSvXvyQ_AiAwY1VylcfVQ
 nucliadb_utils/tests/local.py,sha256=c3gZJJWmvOftruJkIQIwB3q_hh3uxEhqGIAVWim1Bbk,1343
 nucliadb_utils/tests/nats.py,sha256=Tosonm9A9cusImyji80G4pgdXEHNVPaCLT5TbFK_ra0,7543
 nucliadb_utils/tests/s3.py,sha256=YB8QqDaBXxyhHonEHmeBbRRDmvB7sTOaKBSi8KBGokg,2330
-nucliadb_utils-5.0.0.post641.dist-info/METADATA,sha256=twt2gRVvpXGQKCeR-x2zhLnb9vDehms3s9Qf0AWLxkM,2078
-nucliadb_utils-5.0.0.post641.dist-info/WHEEL,sha256=y4mX-SOX4fYIkonsAGA5N0Oy-8_gI4FXw5HNI1xqvWg,91
-nucliadb_utils-5.0.0.post641.dist-info/top_level.txt,sha256=fE3vJtALTfgh7bcAWcNhcfXkNPp_eVVpbKK-2IYua3E,15
-nucliadb_utils-5.0.0.post641.dist-info/zip-safe,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
-nucliadb_utils-5.0.0.post641.dist-info/RECORD,,
+nucliadb_utils-5.0.0.post642.dist-info/METADATA,sha256=Pvc_Ts0moq5GdYijN-wBnOI7u5to8ZqGAdl4Vqwve1g,2078
+nucliadb_utils-5.0.0.post642.dist-info/WHEEL,sha256=y4mX-SOX4fYIkonsAGA5N0Oy-8_gI4FXw5HNI1xqvWg,91
+nucliadb_utils-5.0.0.post642.dist-info/top_level.txt,sha256=fE3vJtALTfgh7bcAWcNhcfXkNPp_eVVpbKK-2IYua3E,15
+nucliadb_utils-5.0.0.post642.dist-info/zip-safe,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
+nucliadb_utils-5.0.0.post642.dist-info/RECORD,,