EmailSettings password encryption improvement

[Jtang-1]

Product Description

Technical Summary

Ticket: https://dimagi.atlassian.net/browse/SAAS-16191

Introduces a solution for these code scan alerts:
https://github.com/dimagi/commcare-hq/security/code-scanning/295
https://github.com/dimagi/commcare-hq/security/code-scanning/296

CodeQL recommends using CBC cipher mode instead of ECB. From the doc:

ECB should not be used as a mode for encryption as it has dangerous weaknesses. Data is encrypted the same way every time, which means that the same plaintext input will always produce the same ciphertext. This behavior makes messages encrypted with ECB more vulnerable to replay attacks.

This PR introduces a encryption and decryption function that uses ECB as well as a helper function to convert existing ECB encrypted strings to a CBC encrypted string.

Many models store either a password, API key, etc. that is encrypted with ECB. Those fields will need to be migrated to be CBC encrypted. This PR begins the migration process for only EmailSettings model.

Feature Flag

Not specific to a feature flag but the model effected is only relevant for this feature flag https://www.commcarehq.org/hq/flags/edit/custom_email_gateway/

Safety Assurance

Safety story

Locally tested

Automated test coverage

Added tests that the encryption and decryption with CBC results in the expected plaintext.
Also tests that the function for reencryption from ECB to CBC on the EmailSettings model existing password field results in password being overwritten with the same plaintext password but cbc encrypted.

QA Plan

no QA

This is the first phase which includes:

• Support read from both CBC and ECB decryption of the password field (depending on the prefix)
• Write to password only with CBC encryption

Following PRs will:
1.

• Re-encrypting password field to CBC mode (and include aes-cbc prefix) and overwriting the ECB encrypted password

• Update: support read from only CBC decryption

Rollback instructions

• This PR can be reverted after deploy with no further considerations

Labels & Review

• Risk label is set correctly
• The set of people pinged as reviewers is appropriate for the level of risk of the change

[sentry-io]

🔍 Existing Issues For Review

Your pull request is modifying functions with the following pre-existing issues:

📄 File: corehq/motech/utils.py

Function	Unhandled Issue
b64_aes_decrypt	UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb1 in position 0: invalid start byte ... Event Count: 1

---

_{Did you find this useful? React with a 👍 or 👎}

[kaapstorm]

Instead of creating a new field, just use a different prefix.

Define a new prefix, say,

# corehq/motech/const.py
ALGO_AES_CBC = 'aes-cbc'

And then, you can use it to encrypt and decrypt:

    @property
    def plaintext_password(self):
        if self.password.startswith(f'${ALGO_AES_CBC}$'):
            ciphertext = self.password.split('$', 2)[2]
            return b64_aes_cbc_decrypt(ciphertext)
        if self.password.startswith(f'${ALGO_AES}$'):
            ciphertext = self.password.split('$', 2)[2]
            return b64_aes_decrypt(ciphertext)
        return self.password

    @plaintext_password.setter
    def plaintext_password(self, plaintext):
        if plaintext != PASSWORD_PLACEHOLDER:
            ciphertext = b64_aes_cbc_encrypt(plaintext)
            self.password = f'${ALGO_AES_CBC}${ciphertext}'

[millerdev]

+1

[Jtang-1]

Thanks for the suggestion - this way is cleaner. ac20dac

Jing and I did consider this but decided to create another field so that we're not overriding existing data just to make the transition a bit safer. But looking at it again, it's pretty straightforward so i'm comfortable doing it this way.

Just curious - is the main benefit of this strategy to reduce overhead of creating a new field and eventually having to delete the original? Or is there anything else additional?

[millerdev]

I think the main benefit is simplicity of implementation and rollout. It's much easier to roll out if there are no database columns to be added/removed.

[millerdev]

This name is confusing to me. Is the return value plaintext or CBC-encrpyted? I think it can be removed if Norman's suggestion of using an aes-cbc prefix is accepted.

[Jtang-1]

fair point, I ended up removing it in favor of Norman's suggestion.

[millerdev]

This filter could be applied to the database query.

[Jtang-1]

That's better 1601646

[millerdev]

This will load all rows into memory at once, and then save each one individually, which has two potential problems:

• May use a lot of memory.
• Will take a long time because many individual updates are much less efficient than bulk updates.

What do you think of reimplementing this to load rows in batches and update each batch with a single batch update query?

Edit: for batch loading look at paginate_query, and for bulk updates look at bulk_update().

[Jtang-1]

That's a good idea but I don't think is necessary in this case. Jing and I checked and (I forgot the exact number) there's around 10 rows in that table.

[Jtang-1]

I actually didn't know bulk_update existed, that's really handy. thanks for sharing.

[millerdev]

Since this is only referenced in the migration, what do you think of moving it into the migration file? (And removing it from this PR since the migration has been removed.)

[Jtang-1]

I'm open to that, but this same function will be needed for migration of other models (in future PRs). Does it make sense to copy this same function into each migration file?

[millerdev]

Yes, I think so. Migration files should avoid importing things from other modules as much as possible because they should be frozen-in-time rather than depending on things that may be refactored and change in other ways over time. Granted, this function is probably unlikely to change over time, but I still think it's safer to include it in each migration file that needs it.

[Jtang-1]

That makes sense, how would you advise i unit test the function in that case? I don't think i can import functions defined within a migration file

[millerdev]

The name of this test says cbc_to_ecb, but it uses the reencrypt_ecb_to_cbc_mode function. Is that intentional?

[Jtang-1]

oops typo, fixed 0a94aa1

[millerdev]

nit: why does this test need to interact with self.email_settings?

[Jtang-1]

it was intended to assert against self.email_settings.plaintext_password, fixed b260ec9