ADD crypto-fields

[kamil1marczak]

Hi I have added package of encrypted fields,

[codecov-commenter]

Codecov Report

Merging #160 (714ecae) into master (252e681) will increase coverage by 0.01%.
The diff coverage is 93.16%.

@@            Coverage Diff             @@
##           master     #160      +/-   ##
==========================================
+ Coverage   93.02%   93.04%   +0.01%     
==========================================
  Files           9       11       +2     
  Lines         789      949     +160     
==========================================
+ Hits          734      883     +149     
- Misses         55       66      +11     

Impacted Files	Coverage Δ
drf_extra_fields/crypto_fields.py	88.40% <88.40%> (ø)
tests/test_crypto_fields.py	96.70% <96.70%> (ø)
drf_extra_fields/runtests/settings.py	86.66% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 252e681...714ecae. Read the comment docs.

[yigitguler]

Hi @kamil1marczak, thank you for this detailed PR.

We will review it and get back to you.

[alicertel]

salt_settings_env sounds like an environment variable but it's not actually. Why not this is directly provided like password? Why there is an inconsistency?

I suggest to have DEFAULT_CRYPTOGRAPHY_SALT and DEFAULT_CRYPTOGRAPHY_PASSWORD variables in settings.py. These must be defined to be able to use crypto fields. If salt or password is not provided along with field definition these will be used. What do you think?

[kamil1marczak]

in an updated version, I use Django SECRET_KEY as salt but I kept the password as an optional parameter to make it more dynamic (the whole idea is to have something static - salt and dynamic - password as encryption ingredients)

[omerfarukabaci]

Thank you for your PR, we much appreciate it! However, I guess there is a misunderstanding here (and yes, I have realized it now, after reviewing your PR... 😓). This package includes extra fields for DRF (Django Rest Framework) Serializer fields, not for Django model fields (at least until now). I don't know what can/should we do about it. Any thoughts @alicertel?

[omerfarukabaci]

Suggested change

	## CryptoField Package
	A set of generic common Djano Fields that automatically encrypt data for database amd encrypt for the purpose of usage in Django.
	* *CryptoFieldMixin* - Mixin that implement encrypt/decrypt methods.
	Example of how to use to create custom CryptoTextField
	## CryptoField Package
	A set of generic common Django Fields that automatically encrypts data for the database and for the purpose of usage in Django.
	* *CryptoFieldMixin* - A mixin that implements encrypt/decrypt methods.
	Example of how to use it to create the CustomCryptoTextField

[omerfarukabaci]

Suggested change

	**Settings.**
	each CryptoField has 2 kwargs *salt_settings_env* and *password*.
	* *salt_settings_env* - name of variable stored in settings.py file, which will be used as cryptographic salt. default: salt_settings_env = 'SECRET_KEY' if settings not set or no SECRET_KEY in setting default: salt = "Salt123!!!"
	* *password* - password to be used in encryption process of given field (together with salt set globally) default = 'password'
	### Settings
	Each CryptoField has 2 kwargs: `salt_settings_env` and `password`.
	* `salt_settings_env`: Name of the variable stored in the settings.py file, which will be used as cryptographic salt.
	**Default**: `"SECRET_KEY"`
	**Note**: If `salt_settings_env` does not exist in `settings.py` then `salt` will be `Salt123!!!`
	* `password`: Password to be used in the encryption process of the given field (together with salt set globally).
	**Default**: `"password"`

[omerfarukabaci]

Suggested change

	**Example.**
	```python
	# models.py
	from django.db import models
	from drf_extra_fields.crypto_field import *
	class TestCryptoEmail(models.Model):
	value = CryptoEmailField(salt_settings_env='NEW_SECRET_KEY', password='new_password')
	## Example
	```python
	# models.py
	from django.db import models
	from drf_extra_fields.crypto_field import CryptoEmailField
	class User(models.Model):
	encrypted_email = CryptoEmailField(salt_settings_env='NEW_SECRET_KEY', password='new_password')

[omerfarukabaci]

1. This method doesn't work as expected for bytearray:

to_bytes(bytearray([1, 2, 3, 4, 5]))
# b"bytearray(b'\\x01\\x02\\x03\\x04\\x05')"

because force_bytes casts bytearray to str and then convert it to bytes. Here we don't need to use force_bytes, we can cast the object to bytes directly for bytearray and memoryview.

2. What about calling this method _to_bytes(), since this is a specific method for crypto_field?

3. What is the purpose of the underscore in _obj here? I guess using _to_bytes(obj) is fine.

[kamil1marczak]

In the new version, I use validators rather than force casting types

[omerfarukabaci]

Suggested change

	try:
	from functools import cached_property as property_decorator
	except ImportError:
	from builtins import property as property_decorator
	import base64
	import pickle
	from django.utils.translation import gettext_lazy as _
	from cryptography.fernet import Fernet
	from cryptography.hazmat.primitives import hashes
	from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
	from django.conf import settings
	from django.core.checks import Error
	from django.core.exceptions import ImproperlyConfigured
	from django.db import models
	from django.utils.encoding import force_bytes
	try:
	from functools import cached_property as property_decorator
	except ImportError:
	from builtins import property as property_decorator
	import base64
	import pickle
	from cryptography.fernet import Fernet
	from cryptography.hazmat.primitives import hashes
	from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
	from django.conf import settings
	from django.core.checks import Error
	from django.core.exceptions import ImproperlyConfigured
	from django.db import models
	from django.utils.encoding import force_bytes
	from django.utils.translation import gettext_lazy as _

[omerfarukabaci]

What about something like that?

Suggested change

	def get_db_prep_save(self, value, connection, prepared=False):
	if self.empty_strings_allowed and value == bytes():
	value = ""
	value = super().get_db_prep_value(value, connection, prepared=False)
	if value is not None:
	encrypted_value = self.encrypt(value)
	return encrypted_value
	# return connection.Database.Binary(encrypted_value)
	def get_db_prep_save(self, value, connection, prepared=False):
	if value:
	value = self.encrypt(value)
	return super().get_db_prep_value(value, connection, prepared)

[omerfarukabaci]

Could you please pin the version?

[kamil1marczak]

version 3.2.1 is the last with python 3.5 support therefore I have pined that one

[omerfarukabaci]

Suggested change

	class PersonTest(TestCase):
	class CryptoFieldsTests(TestCase):

[omerfarukabaci]

Also what about creating a model consisting of all crypto fields and making some insert & update & delete operations to make sure that the whole integration is working?

[kamil1marczak]

I have tested in that matter in updated version

[omerfarukabaci]

Could you please rename this file to test_crypto_fields.py?

[omerfarukabaci]

Could you please rename this file to crypto_fields.py? It makes more sense while importing:

from drf_extra_fields.crypto_fields import CryptoTextField

[alicertel]

Thank you for your PR, we much appreciate it! However, I guess there is a misunderstanding here (and yes, I have realized it now, after reviewing your PR... 😓). This package includes extra fields for DRF (Django Rest Framework) Serializer fields, not for Django model fields (at least until now). I don't know what can/should we do about it. Any thoughts @alicertel?

Good catch @omerfarukabaci . I didn't realize that. You are right our package includes only DRF fields. I believe this pr is more suitable to https://django-extensions.readthedocs.io/en/latest/field_extensions.html

[kamil1marczak]

I am really sorry for the obvious mistake, I will rewrite it to operate as serialization and include all of your comments from the review. I have few ideas in that matter Can I write you directly in case of seeking consultation on how to get the most utility out of it? Kamil wt., 11 maj 2021 o 18:15 alicertel ***@***.***> napisał(a):

…

Thank you for your PR, we much appreciate it! However, I guess there is a misunderstanding here (and yes, I have realized it now, after reviewing your PR... 😓). This package includes extra fields for DRF (Django Rest Framework) Serializer fields, not for Django model fields (at least until now). I don't know what can/should we do about it. Any thoughts @alicertel <https://github.com/alicertel>? Good catch @omerfarukabaci <https://github.com/omerfarukabaci> . I didn't realize that. You are right our package includes only DRF fields. I believe this pr is more suitable to https://django-extensions.readthedocs.io/en/latest/field_extensions.html — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#160 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANBYAGQUJPPUJFYADSVB7LDTNFJ2TANCNFSM43QRZHIA> .

[kamil1marczak]

@omerfarukabaci @alicertel everything has been rewritten to drf fields. I will be grateful for another review

[alicertel]

Thanks @kamil1marczak I will review this within this week.

[kamil1marczak]

Thanks @kamil1marczak I will review this within this week.

@alicertel hey any progress?

[alicertel]

Thanks @kamil1marczak I will review this within this week.

@alicertel hey any progress?

Apologies for the late review. I've been reviewing your PR but it's not finished. I will send it anyway and continue reviewing this week.

@omerfarukabaci Could you please help me review this PR?

[alicertel]

How about we make cryptography an optional dependency? Please see https://github.com/Hipo/drf-extra-fields/blob/master/setup.py#L19

Pillow is an optional dependency and it's only required if Base64ImageField is used.

We can raise an error if the cryptography is not installed when the one of the crypto fields are initialized. How that sounds?

[alicertel]

Why this is failing silently? There is something wrong here and this code block is hiding it. I think we should raise the error. What do you think?

[alicertel]

It's possible value to be None https://github.com/Hipo/drf-extra-fields/pull/160/files#diff-d6824db8ef32e9fad7a3e9a7ba84738d5a9c233da178e29aea2479e13e40f8fbR92

It will fail in that case but it shouldn't

[alicertel]

I am not sure why there are bunch of changes in the README file. Could you please revert them back and only have the documentation of the newly added fields.

I assume these changes caused by the IDE/Editor you are using.

[omerfarukabaci]

Agreed, it might be because of auto formatting or something.

[alicertel]

Could you please tell me your use case for this field? I am curious about why you want to store binary data in DB (judging by your previous PR I am assuming these data will go to db)?

[omerfarukabaci]

Thank you for the changes! 🚀 I have made some change requests.

[omerfarukabaci]

Agreed, it might be because of auto formatting or something.

[omerfarukabaci]

Let's call this BaseCryptoSerializer and create other serializers in the test methods using this:

def test_serialization_with_salt(self):
    class CryptoSerializer(BaseCryptoSerializer):
        message = CryptoBinaryField(password=..., salt=...)

[omerfarukabaci]

We cannot use time.sleep in tests, we should mock time.time.

[omerfarukabaci]

Let's make sure that every AssertionErrror and ValidationError is tested.