Key derivation #889

Merged
merged 9 commits into from
Feb 17, 2022
@worukan worukan commented Feb 15, 2022

- Change the way an invite token is verified and transferred to a user
- Make it possible to get hold of the current encrypted token and its contents at the endpoints and the key operations
- Introduce new errors for exceptional situations regarding token and keys
- Remove temporary_key from user model
- Derive user key from user's password
- Generate user key pair using the derived user key
- Include sensitive content in the encrypted token
- Update development and test db setup accordingly
- Update some existing tests accordingly
- Clean up some unused imports
- Fix minor syntax issues encountered

Closes #738

@worukan worukan self-assigned this Feb 15, 2022
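
An added example of the pattern the description above names: no stored temporary key, a user key derived from the password, and a key pair protected by that derived key. It is not code from this pull request. The choice of scrypt, AES-GCM and X25519, the reading of "using the derived user key" as wrapping the private key, and all names (`UserRecord`, `derive_user_key`, `public_key_of`, `register`, `unlock_private_key`, `KeyUnlockError`) are assumptions.

```python
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
from cryptography.hazmat.primitives.serialization import (
    Encoding, NoEncryption, PrivateFormat, PublicFormat,
)


class KeyUnlockError(ValueError):
    """Hypothetical error: wrong password or a modified user record."""


@dataclass
class UserRecord:
    """Hypothetical server-side row: nothing here decrypts without the password."""
    kd_salt: bytes
    public_key: bytes
    nonce: bytes
    wrapped_private_key: bytes


def derive_user_key(password: str, salt: bytes) -> bytes:
    # Assumed KDF and cost parameters; the page does not name the ones it uses.
    kdf = Scrypt(salt=salt, length=32, n=2**14, r=8, p=1)
    return kdf.derive(password.encode("utf-8"))


def public_key_of(raw_private: bytes) -> bytes:
    key = X25519PrivateKey.from_private_bytes(raw_private)
    return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)


def register(password: str) -> UserRecord:
    salt = os.urandom(16)                       # per-user, stored in the clear
    user_key = derive_user_key(password, salt)  # never stored
    raw_private = X25519PrivateKey.generate().private_bytes(
        Encoding.Raw, PrivateFormat.Raw, NoEncryption()
    )
    public = public_key_of(raw_private)
    nonce = os.urandom(12)
    # The public key is passed as associated data, so the wrapped private key
    # cannot be paired with a different public key without detection.
    wrapped = AESGCM(user_key).encrypt(nonce, raw_private, public)
    return UserRecord(salt, public, nonce, wrapped)


def unlock_private_key(record: UserRecord, password: str) -> bytes:
    user_key = derive_user_key(password, record.kd_salt)
    try:
        return AESGCM(user_key).decrypt(
            record.nonce, record.wrapped_private_key, record.public_key
        )
    except InvalidTag:
        raise KeyUnlockError("wrong password or modified record") from None
```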
worukan commented Feb 16, 2022

The work is completed and ready to review.

codecov bot commented Feb 16, 2022

Codecov Report

Merging #889 (9c19c30) into dev (b573bec) will increase coverage by 0.87%.
The diff coverage is 91.79%.

@@            Coverage Diff             @@
##              dev     #889      +/-   ##
==========================================
+ Coverage   75.42%   76.29%   +0.87%     
==========================================
  Files          29       29              
  Lines        2856     2915      +59     
==========================================
+ Hits         2154     2224      +70     
+ Misses        702      691      -11     

| Impacted Files | Coverage Δ | |
|---|---|---|
| dds_web/api/project.py | 83.76% <ø> (+1.28%) | ⬆️ |
| dds_web/development/db_init.py | 0.00% <0.00%> (ø) | |
| dds_web/forms.py | 94.73% <ø> (-0.39%) | ⬇️ |
| dds_web/security/tokens.py | 100.00% <ø> (ø) | |
| dds_web/web/user.py | 65.89% <50.00%> (-0.31%) | ⬇️ |
| dds_web/api/user.py | 89.90% <60.00%> (ø) | |
| dds_web/security/project_user_keys.py | 97.36% <94.73%> (+5.77%) | ⬆️ |
| dds_web/api/schemas/user_schemas.py | 82.47% <100.00%> (-0.36%) | ⬇️ |
| dds_web/config.py | 100.00% <100.00%> (ø) | |
| dds_web/database/models.py | 91.84% <100.00%> (-0.03%) | ⬇️ |

... and 6 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@worukan worukan marked this pull request as ready for review February 16, 2022 08:46
@i-oden i-oden left a comment

Looks good. Some variable names and docstrings etc needed but also not super vital and as with the last PR I can add it at some point.

I think you should make a note in the comment section that we need to do dds auth logout and then login again for this to work.

Also:

dds_backend   | [2022-02-17 10:43:06,633] project [DEBUG] Getting the private key.
dds_backend   | 172.19.0.1 - - [17/Feb/2022 10:43:06] "GET /api/v1/proj/private?project=someunit00004 HTTP/1.1" 500 -
dds_backend   | Traceback (most recent call last):
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2091, in __call__
dds_backend   |     return self.wsgi_app(environ, start_response)
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2076, in wsgi_app
dds_backend   |     response = self.handle_exception(e)
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 271, in error_router
dds_backend   |     return original_handler(e)
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 2073, in wsgi_app
dds_backend   |     response = self.full_dispatch_request()
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1518, in full_dispatch_request
dds_backend   |     rv = self.handle_user_exception(e)
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 271, in error_router
dds_backend   |     return original_handler(e)
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1516, in full_dispatch_request
dds_backend   |     rv = self.dispatch_request()
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask/app.py", line 1502, in dispatch_request
dds_backend   |     return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 467, in wrapper
dds_backend   |     resp = resource(*args, **kwargs)
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask/views.py", line 84, in view
dds_backend   |     return current_app.ensure_sync(self.dispatch_request)(*args, **kwargs)
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask_restful/__init__.py", line 582, in dispatch_request
dds_backend   |     resp = meth(*args, **kwargs)
dds_backend   |   File "/usr/local/lib/python3.10/site-packages/flask_httpauth.py", line 172, in decorated
dds_backend   |     return self.ensure_sync(f)(*args, **kwargs)
dds_backend   |   File "/code/dds_web/api/dds_decorators.py", line 107, in wrapper_logging_bind_request
dds_backend   |     value = func(*args, **kwargs)
dds_backend   |   File "/code/dds_web/api/project.py", line 243, in get
dds_backend   |     {"private": obtain_project_private_key(auth.current_user(), project).hex().upper()}
dds_backend   | TypeError: obtain_project_private_key() missing 1 required positional argument: 'project'

worukan commented Feb 17, 2022

I didn't understand this. Could you please clarify?

i-oden commented Feb 17, 2022

I try to download so the private key is needed and then I get this traceback.
> > dds_backend | TypeError: obtain_project_private_key() missing 1 required positional argument: 'project'

worukan commented Feb 17, 2022

This seems like a bug for ProjectRequiredSchema. I will investigate...

worukan commented Feb 17, 2022

Problem found! It's because of the additional required token. Fixing it and writing more tests...

…ns with token, Add tests for it, Rearrange and clarify some key related parameters, Clean up some unused imports
@worukan worukan requested a review from i-oden February 17, 2022 14:24
@alneberg alneberg left a comment

Looks good and I think it works as it should now!

@i-oden i-oden left a comment

Looks good and the bug is fixed!

@i-oden i-oden merged commit 7430bd6 into dev Feb 17, 2022
@i-oden i-oden deleted the key-derivation branch February 19, 2022 10:02
Successfully merging this pull request may close these issues.

Key derivation from password