Merge branch 'master' into new-apify-storage-clients

Author: vdusek

CHANGELOG.md

@@ -8,6 +8,11 @@ All notable changes to this project will be documented in this file.
 ### 🚀 Features
 
 - Expose `logger` argument on `Actor.call` to control log redirection from started Actor run ([#487](https://github.com/apify/apify-sdk-python/pull/487)) ([aa6fa47](https://github.com/apify/apify-sdk-python/commit/aa6fa4750ea1bc7909be1191c0d276a2046930c2)) by [@Pijukatel](https://github.com/Pijukatel)
+- **crypto:** Decrypt secret objects ([#482](https://github.com/apify/apify-sdk-python/pull/482)) ([ce9daf7](https://github.com/apify/apify-sdk-python/commit/ce9daf7381212b8dc194e8a643e5ca0dedbc0078)) by [@MFori](https://github.com/MFori)
+
+### 🐛 Bug Fixes
+
+- Sync `@docusaurus` theme version [internal] ([#500](https://github.com/apify/apify-sdk-python/pull/500)) ([a7485e7](https://github.com/apify/apify-sdk-python/commit/a7485e7d2276fde464ce862573d5b95e7d4d836a)) by [@katzino](https://github.com/katzino)
 
 
 <!-- git-cliff-unreleased-end -->

src/apify/_consts.py

@@ -6,5 +6,8 @@
 EVENT_LISTENERS_TIMEOUT = timedelta(seconds=5)
 
 BASE64_REGEXP = '[-A-Za-z0-9+/]*={0,3}'
-ENCRYPTED_INPUT_VALUE_PREFIX = 'ENCRYPTED_VALUE'
-ENCRYPTED_INPUT_VALUE_REGEXP = re.compile(f'^{ENCRYPTED_INPUT_VALUE_PREFIX}:({BASE64_REGEXP}):({BASE64_REGEXP})$')
+ENCRYPTED_STRING_VALUE_PREFIX = 'ENCRYPTED_VALUE'
+ENCRYPTED_JSON_VALUE_PREFIX = 'ENCRYPTED_JSON'
+ENCRYPTED_INPUT_VALUE_REGEXP = re.compile(
+    f'^({ENCRYPTED_STRING_VALUE_PREFIX}|{ENCRYPTED_JSON_VALUE_PREFIX}):(?:({BASE64_REGEXP}):)?({BASE64_REGEXP}):({BASE64_REGEXP})$'
+)

src/apify/_crypto.py

@@ -3,6 +3,7 @@
 import base64
 import hashlib
 import hmac
+import json
 import string
 from typing import Any
 
@@ -14,7 +15,7 @@
 from apify_shared.utils import ignore_docs
 from crawlee._utils.crypto import crypto_random_object_id
 
-from apify._consts import ENCRYPTED_INPUT_VALUE_REGEXP
+from apify._consts import ENCRYPTED_INPUT_VALUE_REGEXP, ENCRYPTED_JSON_VALUE_PREFIX, ENCRYPTED_STRING_VALUE_PREFIX
 
 ENCRYPTION_KEY_LENGTH = 32
 ENCRYPTION_IV_LENGTH = 16
@@ -147,14 +148,20 @@ def decrypt_input_secrets(private_key: rsa.RSAPrivateKey, input_data: Any) -> An
         if isinstance(value, str):
             match = ENCRYPTED_INPUT_VALUE_REGEXP.fullmatch(value)
             if match:
-                encrypted_password = match.group(1)
-                encrypted_value = match.group(2)
-                input_data[key] = private_decrypt(
+                prefix = match.group(1)
+                encrypted_password = match.group(3)
+                encrypted_value = match.group(4)
+                decrypted_value = private_decrypt(
                     encrypted_password,
                     encrypted_value,
                     private_key=private_key,
                 )
 
+                if prefix == ENCRYPTED_STRING_VALUE_PREFIX:
+                    input_data[key] = decrypted_value
+                elif prefix == ENCRYPTED_JSON_VALUE_PREFIX:
+                    input_data[key] = json.loads(decrypted_value)
+
     return input_data
 
 

tests/unit/actor/test_actor_key_value_store.py

@@ -6,7 +6,7 @@
 
 from ..test_crypto import PRIVATE_KEY_PASSWORD, PRIVATE_KEY_PEM_BASE64, PUBLIC_KEY
 from apify import Actor
-from apify._consts import ENCRYPTED_INPUT_VALUE_PREFIX
+from apify._consts import ENCRYPTED_JSON_VALUE_PREFIX, ENCRYPTED_STRING_VALUE_PREFIX
 from apify._crypto import public_encrypt
 
 
@@ -59,15 +59,49 @@ async def test_get_input_with_encrypted_secrets(monkeypatch: pytest.MonkeyPatch)
     monkeypatch.setenv(ApifyEnvVars.INPUT_SECRETS_PRIVATE_KEY_PASSPHRASE, PRIVATE_KEY_PASSWORD)
 
     input_key = 'INPUT'
+    secret_string_legacy = 'secret-string'
     secret_string = 'secret-string'
-    encrypted_secret = public_encrypt(secret_string, public_key=PUBLIC_KEY)
+    secret_object = {'foo': 'bar', 'baz': 'qux'}
+    secret_array = ['foo', 'bar', 'baz']
+
+    # The legacy encryption format uses ENCRYPTED_STRING_VALUE_PREFIX prefix, value in raw string and does
+    # not include schemahash. The new format uses ENCRYPTED_JSON_VALUE_PREFIX prefix, value in JSON format
+    # and includes schemahash. We are testing both formats to ensure backward compatibility.
+
+    encrypted_string_legacy = public_encrypt(secret_string_legacy, public_key=PUBLIC_KEY)
+    encrypted_string = public_encrypt(json_dumps(secret_string), public_key=PUBLIC_KEY)
+    encrypted_object = public_encrypt(json_dumps(secret_object), public_key=PUBLIC_KEY)
+    encrypted_array = public_encrypt(json_dumps(secret_array), public_key=PUBLIC_KEY)
+
     input_with_secret = {
         'foo': 'bar',
-        'secret': f'{ENCRYPTED_INPUT_VALUE_PREFIX}:{encrypted_secret["encrypted_password"]}:{encrypted_secret["encrypted_value"]}',  # noqa: E501
+        'secret_string_legacy': (
+            f'{ENCRYPTED_STRING_VALUE_PREFIX}:'
+            f'{encrypted_string_legacy["encrypted_password"]}:'
+            f'{encrypted_string_legacy["encrypted_value"]}'
+        ),
+        'secret_string': (
+            f'{ENCRYPTED_JSON_VALUE_PREFIX}:schemahash:'
+            f'{encrypted_string["encrypted_password"]}:'
+            f'{encrypted_string["encrypted_value"]}'
+        ),
+        'secret_object': (
+            f'{ENCRYPTED_JSON_VALUE_PREFIX}:schemahash:'
+            f'{encrypted_object["encrypted_password"]}:'
+            f'{encrypted_object["encrypted_value"]}'
+        ),
+        'secret_array': (
+            f'{ENCRYPTED_JSON_VALUE_PREFIX}:schemahash:'
+            f'{encrypted_array["encrypted_password"]}:'
+            f'{encrypted_array["encrypted_value"]}'
+        ),
     }
 
     async with Actor as actor:
-        await actor.set_value(key=input_key, value=input_with_secret)
+        await actor.set_value(key=input_key, value=input_with_secret, content_type='application/json')
         actor_input = await actor.get_input()
         assert actor_input['foo'] == input_with_secret['foo']
-        assert actor_input['secret'] == secret_string
+        assert actor_input['secret_string_legacy'] == secret_string_legacy
+        assert actor_input['secret_string'] == secret_string
+        assert actor_input['secret_object'] == secret_object
+        assert actor_input['secret_array'] == secret_array