From 3ef5ff86ea4ab460d81f5bdafde6cd64d370a859 Mon Sep 17 00:00:00 2001
From: Jonathan Tang
Date: Mon, 9 Dec 2024 09:51:00 -0800
Subject: [PATCH 1/2] don't do migration yet as the the migrated data is dependent on code changes to support decrypting a cbc encrypted password
---
 .../0003_emailsettings_password_cbc.py | 51 -------------------
 migrations.lock | 1 -
 2 files changed, 52 deletions(-)
 delete mode 100644 corehq/apps/email/migrations/0003_emailsettings_password_cbc.py
diff --git a/corehq/apps/email/migrations/0003_emailsettings_password_cbc.py b/corehq/apps/email/migrations/0003_emailsettings_password_cbc.py
deleted file mode 100644
index acf8d28b3a31..000000000000
--- a/corehq/apps/email/migrations/0003_emailsettings_password_cbc.py
+++ /dev/null
@@ -1,51 +0,0 @@
-# Generated by Django 4.2.16 on 2024-11-19 20:16
-
-from django.db import migrations
-
-from corehq.motech.const import ALGO_AES, ALGO_AES_CBC
-from corehq.util.django_migrations import skip_on_fresh_install
-from corehq.motech.utils import reencrypt_ecb_to_cbc_mode, reencrypt_cbc_to_ecb_mode
-
-
-@skip_on_fresh_install
-def copy_and_reencrypt_password_to_password_cbc(apps, schema_editor):
- EmailSettings = apps.get_model('email', 'EmailSettings')
-
- email_settings_to_update = EmailSettings.objects.exclude(
- password__startswith=f'${ALGO_AES_CBC}$'
- )
-
- for email_settings in email_settings_to_update:
- if email_settings.password.startswith(f'${ALGO_AES}$'):
- prefix = f'${ALGO_AES}$'
- else:
- prefix = None
- email_settings.password = reencrypt_ecb_to_cbc_mode(email_settings.password, prefix)
- email_settings.save()
-
-
-def revert_password_cbc_to_password(apps, schema_editor):
- EmailSettings = apps.get_model('email', 'EmailSettings')
-
- email_settings_to_update = EmailSettings.objects.exclude(
- password__startswith=f'${ALGO_AES}$'
- )
-
- for email_settings in email_settings_to_update:
- if email_settings.password.startswith(f'${ALGO_AES_CBC}$'):
- prefix = f'${ALGO_AES_CBC}$'
- else:
- prefix = None
- email_settings.password = reencrypt_cbc_to_ecb_mode(email_settings.password, prefix)
- email_settings.save()
-
-
-class Migration(migrations.Migration):
-
- dependencies = [
- ('email', '0002_emailsettings_return_path_email'),
- ]
-
- operations = [
- migrations.RunPython(copy_and_reencrypt_password_to_password_cbc, revert_password_cbc_to_password),
- ]
diff --git a/migrations.lock b/migrations.lock
index 9ea061a70985..515762313673 100644
--- a/migrations.lock
+++ b/migrations.lock
@@ -416,7 +416,6 @@ dropbox
 email
 0001_initial
 0002_emailsettings_return_path_email
- 0003_emailsettings_password_cbc
 enterprise
 0001_initial
 0002_enterprisepermissions_account_unique
From 0a94aa1c056876043b8f492e822b7f7404d4ee2a Mon Sep 17 00:00:00 2001
From: Jonathan Tang
Date: Mon, 9 Dec 2024 10:44:06 -0800
Subject: [PATCH 2/2] correct function name typo
---
 corehq/motech/tests/test_reencryption_migration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/corehq/motech/tests/test_reencryption_migration.py b/corehq/motech/tests/test_reencryption_migration.py
index 731a703dc74f..5218b6627ad5 100644
--- a/corehq/motech/tests/test_reencryption_migration.py
+++ b/corehq/motech/tests/test_reencryption_migration.py
@@ -40,7 +40,7 @@ def test_reencrypt_ecb_to_cbc_mode_match_plaintext_without_prefix(self):
 self.assertEqual(plaintext_password, self.email_settings.plaintext_password)
- def test_empty_password_reencrypt_cbc_to_ecb_mode_match_plaintext(self):
+ def test_empty_password_reencrypt_ecb_to_cbc_mode_match_plaintext(self):
 plaintext_password = ''
 self.email_settings.password = plaintext_password
 reencrypted_password = reencrypt_ecb_to_cbc_mode(self.email_settings.password, f'${ALGO_AES}$')