FossilRepo
|
1
|
"""Custom model fields — encrypted storage using Fernet symmetric encryption.""" |
|
2
|
|
|
3
|
import base64 |
|
4
|
import hashlib |
|
5
|
|
|
6
|
from cryptography.fernet import Fernet, InvalidToken |
|
7
|
from django.conf import settings |
|
8
|
from django.db import models |
|
9
|
|
|
10
|
|
|
11
|
def _get_fernet(): |
|
12
|
"""Derive a Fernet key from Django's SECRET_KEY.""" |
|
13
|
key_bytes = hashlib.sha256(settings.SECRET_KEY.encode()).digest() |
|
14
|
return Fernet(base64.urlsafe_b64encode(key_bytes)) |
|
15
|
|
|
16
|
|
|
17
|
class EncryptedTextField(models.TextField): |
|
18
|
"""TextField that encrypts data at rest using Fernet (AES-128-CBC + HMAC). |
|
19
|
|
|
20
|
Values are transparently encrypted on save and decrypted on read. |
|
21
|
Stored as base64-encoded ciphertext in the database. |
|
22
|
""" |
|
23
|
|
|
24
|
def get_prep_value(self, value): |
|
25
|
if value is None or value == "": |
|
26
|
return value |
|
27
|
f = _get_fernet() |
|
28
|
return f.encrypt(value.encode("utf-8")).decode("utf-8") |
|
29
|
|
|
30
|
def from_db_value(self, value, expression, connection): |
|
31
|
if value is None or value == "": |
|
32
|
return value |
|
33
|
f = _get_fernet() |
|
34
|
try: |
|
35
|
return f.decrypt(value.encode("utf-8")).decode("utf-8") |
|
36
|
except InvalidToken: |
|
37
|
# Value may not be encrypted (e.g. pre-existing data). |
|
38
|
return value |
|
39
|
|
|
40
|
def deconstruct(self): |
|
41
|
name, path, args, kwargs = super().deconstruct() |
|
42
|
return name, path, args, kwargs |
|
43
|
|