Add CLI command to store legacy plaintext API keys

alephdata · Aug 5, 2024 · 15b52eb · 15b52eb
1 parent 97252b1
commit 15b52eb
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 1 deletion.
diff --git a/aleph/logic/api_keys.py b/aleph/logic/api_keys.py
@@ -112,3 +112,25 @@ def reset_api_key_expiration():
 
     query.update({Role.api_key_expires_at: expires_at})
     db.session.commit()
+
+
+def hash_plaintext_api_keys():
+    query = Role.all_users()
+    query = query.yield_per(250)
+    query = query.where(
+        and_(
+            Role.api_key != None,  # noqa: E711
+            Role.api_key_digest == None,  # noqa: E711
+        )
+    )
+
+    results = db.session.execute(query).scalars()
+
+    for index, partition in enumerate(results.partitions()):
+        for role in partition:
+            role.api_key_digest = hash_api_key(role.api_key)
+            role.api_key = None
+            db.session.add(role)
+            log.info(f"Hashing API key: {role}")
+        log.info(f"Comitting partition {index}")
+        db.session.commit()
diff --git a/aleph/manage.py b/aleph/manage.py
@@ -19,7 +19,10 @@
 from aleph.queues import get_status, cancel_queue
 from aleph.queues import get_active_dataset_status
 from aleph.index.admin import delete_index
-from aleph.logic.api_keys import reset_api_key_expiration as _reset_api_key_expiration
+from aleph.logic.api_keys import (
+    reset_api_key_expiration as _reset_api_key_expiration,
+    hash_plaintext_api_keys as _hash_plaintext_api_keys,
+)
 from aleph.index.entities import iter_proxies
 from aleph.logic.collections import create_collection, update_collection
 from aleph.logic.collections import delete_collection, reindex_collection
@@ -537,3 +540,9 @@ def evilshit():
 def reset_api_key_expiration():
     """Reset the expiration date of all legacy, non-expiring API keys."""
     _reset_api_key_expiration()
+
+
+@cli.command()
+def hash_plaintext_api_keys():
+    """Hash legacy plaintext API keys."""
+    _hash_plaintext_api_keys()
diff --git a/aleph/tests/test_api_keys.py b/aleph/tests/test_api_keys.py
@@ -5,7 +5,9 @@
 from aleph.logic.api_keys import (
     generate_user_api_key,
     send_api_key_expiration_notifications,
+    hash_plaintext_api_keys,
 )
+from aleph.logic.util import hash_api_key
 from aleph.tests.util import TestCase
 
 
@@ -193,3 +195,25 @@ def test_send_api_key_expiration_notifications_regenerate(self):
 
                 assert outbox[4].subject == "[Aleph] Your API key will expire in 7 days"
                 assert outbox[5].subject == "[Aleph] Your API key has expired"
+
+    def test_hash_plaintext_api_keys(self):
+        user_1 = self.create_user(foreign_id="user_1", email="user1@example.org")
+        user_1.api_key = "1234567890"
+        user_1.api_key_digest = None
+
+        user_2 = self.create_user(foreign_id="user_2", email="user2@example.org")
+        user_2.api_key = None
+        user_2.api_key_digest = None
+
+        db.session.add_all([user_1, user_2])
+        db.session.commit()
+
+        hash_plaintext_api_keys()
+
+        db.session.refresh(user_1)
+        assert user_1.api_key is None
+        assert user_1.api_key_digest == hash_api_key("1234567890")
+
+        db.session.refresh(user_2)
+        assert user_2.api_key is None
+        assert user_2.api_key_digest is None