Merge pull request #2895 from fractal-analytics-platform/2891-remove-email-password-encryption

Remove email-password encryption

Author: tcompa

.github/workflows/oauth.yaml

@@ -74,10 +74,7 @@ jobs:
             FRACTAL_EMAIL_RECIPIENTS: [email protected],[email protected]
             FRACTAL_EMAIL_USE_STARTTLS: false
             FRACTAL_EMAIL_USE_LOGIN: true
-            # FRACTAL_EMAIL_PASSWORD and FRACTAL_EMAIL_PASSWORD_KET are generated with the following command
-            # `printf "fakepassword\n" | poetry run fractalctl encrypt-email-password`
-            FRACTAL_EMAIL_PASSWORD: gAAAAABnoQUGHMsDgLkpDtwUtrKtf9T1so44ahEXExGRceAnf097mVY1EbNuMP5fjvkndvwCwBJM7lHoSgKQkZ4VbvO9t3PJZg==
-            FRACTAL_EMAIL_PASSWORD_KEY: lp3j2FVDkzLd0Rklnzg1pHuV9ClCuDE0aGeJfTNCaW4=
+            FRACTAL_EMAIL_PASSWORD: fakepassword
           run: |
             fractalctl set-db
             fractalctl init-db-data --resource default --profile default --admin-email [email protected] --admin-pwd 1234

CHANGELOG.md

@@ -11,6 +11,8 @@ TBD
 \#2882
 \#2884
 \#2893
+\#2895 (remove email-password encryption)
+
 
 # 2.16.6
 

fractal_server/__main__.py

@@ -90,15 +90,6 @@
     description="Apply data-migration script to an existing database.",
 )
 
-# fractalctl encrypt-email-password
-encrypt_email_password_parser = subparsers.add_parser(
-    "encrypt-email-password",
-    description=(
-        "Generate valid values for environment variables "
-        "FRACTAL_EMAIL_PASSWORD and FRACTAL_EMAIL_PASSWORD_KEY."
-    ),
-)
-
 
 def save_openapi(dest="openapi.json"):
     from fractal_server.main import start_application
@@ -325,17 +316,6 @@ def _slugify_version(raw_version: str) -> str:
     current_update_db_data_module.fix_db()
 
 
-def print_encrypted_password():
-    from cryptography.fernet import Fernet
-
-    password = input("Insert email password: ").encode("utf-8")
-    key = Fernet.generate_key().decode("utf-8")
-    encrypted_password = Fernet(key).encrypt(password).decode("utf-8")
-
-    print(f"\nFRACTAL_EMAIL_PASSWORD={encrypted_password}")
-    print(f"FRACTAL_EMAIL_PASSWORD_KEY={key}")
-
-
 def run():
     args = parser.parse_args(sys.argv[1:])
 
@@ -359,8 +339,6 @@ def run():
             port=args.port,
             reload=args.reload,
         )
-    elif args.cmd == "encrypt-email-password":
-        print_encrypted_password()
     else:
         sys.exit(f"Error: invalid command '{args.cmd}'.")
 

fractal_server/app/security/signup_email.py

@@ -2,8 +2,6 @@
 from email.message import EmailMessage
 from email.utils import formataddr
 
-from cryptography.fernet import Fernet
-
 from fractal_server.config import PublicEmailSettings
 
 
@@ -35,11 +33,7 @@ def mail_new_oauth_signup(msg: str, email_settings: PublicEmailSettings):
             server.starttls()
             server.ehlo()
         if email_settings.use_login:
-            password = (
-                Fernet(email_settings.encryption_key.get_secret_value())
-                .decrypt(email_settings.encrypted_password.get_secret_value())
-                .decode("utf-8")
-            )
+            password = email_settings.password.get_secret_value()
             server.login(user=email_settings.sender, password=password)
         server.sendmail(
             from_addr=email_settings.sender,

fractal_server/config/_email.py

@@ -1,6 +1,5 @@
 from typing import Literal
 
-from cryptography.fernet import Fernet
 from pydantic import BaseModel
 from pydantic import EmailStr
 from pydantic import Field
@@ -31,8 +30,7 @@ class PublicEmailSettings(BaseModel):
     recipients: list[EmailStr] = Field(min_length=1)
     smtp_server: str
     port: int
-    encrypted_password: SecretStr | None = None
-    encryption_key: SecretStr | None = None
+    password: SecretStr | None = None
     instance_name: str
     use_starttls: bool
     use_login: bool
@@ -53,10 +51,6 @@ class EmailSettings(BaseSettings):
     """
     Password for the OAuth-signup email sender.
     """
-    FRACTAL_EMAIL_PASSWORD_KEY: SecretStr | None = None
-    """
-    Key value for `cryptography.fernet` decrypt
-    """
     FRACTAL_EMAIL_SMTP_SERVER: str | None = None
     """
     SMTP server for the OAuth-signup emails.
@@ -81,8 +75,7 @@ class EmailSettings(BaseSettings):
     FRACTAL_EMAIL_USE_LOGIN: Literal["true", "false"] = "true"
     """
     Whether to use login when using the SMTP server.
-    If 'true', FRACTAL_EMAIL_PASSWORD and FRACTAL_EMAIL_PASSWORD_KEY must be
-    provided.
+    If 'true', FRACTAL_EMAIL_PASSWORD  must be provided.
     Accepted values: 'true', 'false'.
     """
 
@@ -119,49 +112,18 @@ def validate_email_settings(self):
             use_starttls = self.FRACTAL_EMAIL_USE_STARTTLS == "true"
             use_login = self.FRACTAL_EMAIL_USE_LOGIN == "true"
 
-            if use_login:
-                if self.FRACTAL_EMAIL_PASSWORD is None:
-                    raise ValueError(
-                        "'FRACTAL_EMAIL_USE_LOGIN' is 'true' but "
-                        "'FRACTAL_EMAIL_PASSWORD' is not provided."
-                    )
-                if self.FRACTAL_EMAIL_PASSWORD_KEY is None:
-                    raise ValueError(
-                        "'FRACTAL_EMAIL_USE_LOGIN' is 'true' but "
-                        "'FRACTAL_EMAIL_PASSWORD_KEY' is not provided."
-                    )
-                try:
-                    (
-                        Fernet(
-                            self.FRACTAL_EMAIL_PASSWORD_KEY.get_secret_value()
-                        )
-                        .decrypt(
-                            self.FRACTAL_EMAIL_PASSWORD.get_secret_value()
-                        )
-                        .decode("utf-8")
-                    )
-                except Exception as e:
-                    raise ValueError(
-                        "Invalid pair (FRACTAL_EMAIL_PASSWORD, "
-                        "FRACTAL_EMAIL_PASSWORD_KEY). "
-                        f"Original error: {str(e)}."
-                    )
-                password = self.FRACTAL_EMAIL_PASSWORD.get_secret_value()
-            else:
-                password = None
-
-            if self.FRACTAL_EMAIL_PASSWORD_KEY is not None:
-                key = self.FRACTAL_EMAIL_PASSWORD_KEY.get_secret_value()
-            else:
-                key = None
+            if use_login and self.FRACTAL_EMAIL_PASSWORD is None:
+                raise ValueError(
+                    "'FRACTAL_EMAIL_USE_LOGIN' is 'true' but "
+                    "'FRACTAL_EMAIL_PASSWORD' is not provided."
+                )
 
             self.public = PublicEmailSettings(
                 sender=self.FRACTAL_EMAIL_SENDER,
                 recipients=self.FRACTAL_EMAIL_RECIPIENTS.split(","),
                 smtp_server=self.FRACTAL_EMAIL_SMTP_SERVER,
                 port=self.FRACTAL_EMAIL_SMTP_PORT,
-                encrypted_password=password,
-                encryption_key=key,
+                password=self.FRACTAL_EMAIL_PASSWORD,
                 instance_name=self.FRACTAL_EMAIL_INSTANCE_NAME,
                 use_starttls=use_starttls,
                 use_login=use_login,

tests/no_version/test_commands.py

@@ -56,16 +56,3 @@ def test_email_settings():
     )
     assert not res.stdout
     assert "usage" in res.stderr
-
-    cmd = (
-        'printf "mypassword\n" | poetry run fractalctl encrypt-email-password'
-    )
-    res = subprocess.run(
-        cmd,
-        encoding="utf-8",
-        capture_output=True,
-        shell=True,
-    )
-    assert "FRACTAL_EMAIL_PASSWORD" in res.stdout
-    assert "FRACTAL_EMAIL_PASSWORD_KEY" in res.stdout
-    assert not res.stderr

tests/no_version/test_unit_config.py

@@ -161,16 +161,6 @@ def test_get_oauth_router(override_oauth_settings_factory):
 
 
 def test_email_settings():
-    from cryptography.fernet import Fernet
-
-    password = "password"
-    FRACTAL_EMAIL_PASSWORD_KEY = Fernet.generate_key().decode("utf-8")
-    FRACTAL_EMAIL_PASSWORD = (
-        Fernet(FRACTAL_EMAIL_PASSWORD_KEY)
-        .encrypt(password.encode("utf-8"))
-        .decode("utf-8")
-    )
-
     required_mail_args = dict(
         FRACTAL_EMAIL_SENDER="[email protected]",
         FRACTAL_EMAIL_SMTP_SERVER="smtp_server",
@@ -186,23 +176,13 @@ def test_email_settings():
         EmailSettings(
             **required_mail_args,
         )
-    # 3a: missing password
-    with pytest.raises(ValidationError):
-        EmailSettings(
-            **required_mail_args,
-            FRACTAL_EMAIL_PASSWORD_KEY=FRACTAL_EMAIL_PASSWORD_KEY,
-        )
-    # 3b missing password key
+    # 3: missing password
     with pytest.raises(ValidationError):
-        EmailSettings(
-            **required_mail_args,
-            FRACTAL_EMAIL_PASSWORD=FRACTAL_EMAIL_PASSWORD,
-        )
+        EmailSettings(**required_mail_args)
     # 4: ok
     email_settings = EmailSettings(
         **required_mail_args,
-        FRACTAL_EMAIL_PASSWORD=FRACTAL_EMAIL_PASSWORD,
-        FRACTAL_EMAIL_PASSWORD_KEY=FRACTAL_EMAIL_PASSWORD_KEY,
+        FRACTAL_EMAIL_PASSWORD="password",
     )
     assert email_settings.public is not None
     assert len(email_settings.public.recipients) == 2
@@ -222,19 +202,6 @@ def test_email_settings():
                 **{k: v for k, v in required_mail_args.items() if k != arg},
                 FRACTAL_EMAIL_USE_LOGIN="false",
             )
-    # 7a: fail with Fernet encryption
-    with pytest.raises(ValidationError, match="FRACTAL_EMAIL_PASSWORD"):
-        EmailSettings(
-            **required_mail_args,
-            FRACTAL_EMAIL_PASSWORD="invalid",
-            FRACTAL_EMAIL_PASSWORD_KEY=FRACTAL_EMAIL_PASSWORD_KEY,
-        )
-    with pytest.raises(ValidationError, match="FRACTAL_EMAIL_PASSWORD"):
-        EmailSettings(
-            **required_mail_args,
-            FRACTAL_EMAIL_PASSWORD=FRACTAL_EMAIL_PASSWORD,
-            FRACTAL_EMAIL_PASSWORD_KEY="invalid",
-        )
     # 8: fail with sender emails
     with pytest.raises(ValidationError):
         EmailSettings(