refactor: for reversion, filter only for value that have been migrate…

…d, indicated by the 'aes-cbc' prefix
dimagi · Jan 22, 2025 · 403d6b5 · 403d6b5
1 parent 2294f7f
commit 403d6b5
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 8 deletions.
diff --git a/corehq/apps/geospatial/migrations/0009_geoconfig_api_key_cbc_encryption.py b/corehq/apps/geospatial/migrations/0009_geoconfig_api_key_cbc_encryption.py
@@ -0,0 +1,52 @@
+from django.db import migrations
+from django.db.migrations import RunPython
+
+from corehq.util.django_migrations import skip_on_fresh_install
+from corehq.motech.const import ALGO_AES, ALGO_AES_CBC
+from corehq.motech.utils import (
+    reencrypt_ecb_to_cbc_mode,
+    reencrypt_cbc_to_ecb_mode,
+    b64_aes_cbc_encrypt,
+)
+
+
+@skip_on_fresh_install
+def reencrypt_api_keys(apps, schema_editor):
+    GeoConfig = apps.get_model('geospatial', 'GeoConfig')
+
+    geo_configs_to_update = GeoConfig.objects.exclude(
+        api_token__startswith=f'${ALGO_AES_CBC}$'
+    ).exclude(api_token=None)
+
+    for config in geo_configs_to_update:
+        if config.api_token.startswith(f'${ALGO_AES}$'):
+            config.api_token = reencrypt_ecb_to_cbc_mode(config.api_token,
+                                                         f'${ALGO_AES}$')
+        else:
+            ciphertext = b64_aes_cbc_encrypt(config.api_token)
+            config.api_token = f'${ALGO_AES_CBC}${ciphertext}'
+        config.save()
+
+
+def reversion_api_keys(apps, schema_editor):
+    GeoConfig = apps.get_model('geospatial', 'GeoConfig')
+
+    geo_configs_to_revert = GeoConfig.objects.filter(
+        api_token__startswith=f'${ALGO_AES_CBC}$'
+    )
+
+    for config in geo_configs_to_revert:
+        config.api_token = reencrypt_cbc_to_ecb_mode(config.api_token,
+                                                    f'${ALGO_AES_CBC}$')
+        config.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('geospatial', '0008_geoconfig_flag_assigned_cases'),
+    ]
+
+    operations = [
+        RunPython(reencrypt_api_keys, reverse_code=reversion_api_keys),
+    ]
diff --git a/corehq/apps/reports/migrations/0021_tableauconnectedapp_use_aes_cbc_encryption.py b/corehq/apps/reports/migrations/0021_tableauconnectedapp_use_aes_cbc_encryption.py
@@ -33,16 +33,14 @@ def migrate_tableau_connected_app_secret_value(apps, schema_editor):
 def revert_tableau_connected_app_secret_value(apps, schema_editor):
     TableauConnectedApp = apps.get_model('reports', 'TableauConnectedApp')
 
-    connected_apps_to_revert = TableauConnectedApp.objects.exclude(
-        encrypted_secret_value__startswith=f'${ALGO_AES}$'
-    ).exclude(encrypted_secret_value=None).exclude(encrypted_secret_value='')
+    connected_apps_to_revert = TableauConnectedApp.objects.filter(
+        encrypted_secret_value__startswith=f'${ALGO_AES_CBC}$'
+    )
 
     for connected_app in connected_apps_to_revert:
-        encrypted_secret_value = connected_app.encrypted_secret_value
-        if encrypted_secret_value.startswith(f'${ALGO_AES_CBC}$'):
-            connected_app.encrypted_secret_value = reencrypt_cbc_to_ecb_mode(
-                encrypted_secret_value, f'${ALGO_AES_CBC}$'
-            )
+        connected_app.encrypted_secret_value = reencrypt_cbc_to_ecb_mode(
+            connected_app.encrypted_secret_value, f'${ALGO_AES_CBC}$'
+        )
         connected_app.save()