TableauConnectedApp, TransifexOrganization, and OpenmrsImporter models: AES CBC encryption read and write #35665
+48
−20
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…upport reading both cbc and ecb mode
…stance is created
…support reading both cbc and ecb mode
…t reading both cbc and ecb mode
Jtang-1
changed the title
Jtang-1
requested review from
a team,
AddisonDunn,
minhaminha,
Robert-Costello and
jingcheng16
and removed request for
a team and
AddisonDunn
4 tasks
jingcheng16
reviewed
Jan 23, 2025
|
Can you link the follow up PR in this PR's Migration section for convenience? |
jingcheng16
approved these changes
Jan 23, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Product Description
N/A
Technical Summary
Continuation of the work initiated by this PR
Jira Ticket
Introduces a solution for these code scan alerts:
https://github.com/dimagi/commcare-hq/security/code-scanning/295
https://github.com/dimagi/commcare-hq/security/code-scanning/296
This PR updates
TableauConnectedApp'ssecret_value,TransifexOrganization'sapi_token, andOpenmrsImporter'spassword. The model continues supporting reads for both AES ECB and AES CBC encryption while writes only with CBC encryption.Feature Flag
The
OpenmrsImporterdocument is only relevant to openmrs_integration FFThe TableauConnected model is only relevant to embedded_tableau and tableau_user_syncing FF
Safety Assurance
Safety story
locally tested. This change will not affect any existing data and existing data will be read the same way.
Automated test coverage
There exists tests that the encryption and decryption with CBC results in the expected plaintext. Also test that TableauConnectedApp secret value can be encrypted and decrypted.
QA Plan
no QA
Migrations
There is no migration in this PR. But there is a follow up PR that does a migration related to the changes in this PR.
Rollback instructions
This PR will start writing data with AES CBC encryption while also adding support to read AES CBC encrypted data. If this PR is reverted, the data encrypted with CBC will fail to be decrypted. To rollback this PR, data written with AES CBC encryption will need to be reencrypted with EBC.
Labels & Review