In [None]:
!pip install sqlalchemy_utils==0.36.8 --user
!pip install cryptography==3.3.2 --user
!pip install SQLAlchemy==1.3.22 --user
!pip install pandas==0.25.2 --user
!pip install psycopg2-binary --user

In [1]:
import logging
import requests
import sqlalchemy as db
import os
from uuid import uuid4
import pandas as pd

LOGGER = logging.getLogger("test")



In [2]:
import six
from cryptography.hazmat.backends import default_backend
from sqlalchemy_utils.types.encrypted.encrypted_type import FernetEngine
from cryptography.hazmat.primitives import hashes
from cryptography.fernet import Fernet
import sqlalchemy as db
import pandas as pd

def secret_key(key):
    if isinstance(key, six.string_types):
        key = key.encode()
    digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
    digest.update(key)
    engine_key = digest.finalize()
    f = FernetEngine()
    f._initialize_engine(engine_key)
    
    
    return f.secret_key

def encrypt(message):
    """
    :param message: message To be encrypted
    :return:
    """
    return f.encrypt(bytes(message, "utf-8")).decode("utf-8")


def decrypt(enctypted_message):
    """
    Message to be decrypted
    :param enctypted_message:
    :return:
    """
    return f.decrypt(bytes(enctypted_message, "utf-8")).decode("utf-8")
class VaultEncrypter:
    """
    Class implementing Vault Backend APIs
    """
    def __init__(self, prefix_path):
        """
        :param prefix_path: Prefix path of kv store
        :param base_url: vault url
        :param token:
        """
        self._prefix_path = prefix_path
        self._vault_url = os.environ["VAULT_URL"]
        self._headers = {"X-Vault-Token": os.environ["VAULT_TOKEN"]}

    @property
    def url(self) -> str:
        """
        :return: URL
        """
        return f"{self._vault_url}{self._prefix_path}"

    def retrieve(self, key, key_error="raise"):
        """
        :param key_error: raise or ignore
        :param key:
        :return:
        """
        if key is None:
            return None

        LOGGER.info("Entering retrieve, key %s", key)
        url = f"{self.url}/{key}"
        LOGGER.info("url... %s", url)

        resp = requests.get(url=url, headers=self._headers)
        try:
            resp.raise_for_status()
            resp = resp.json()
            value = resp["data"]["value"]

        except requests.exceptions.HTTPError as ex:
            if resp.status_code != 404 or key_error != "ignore":
                LOGGER.exception(ex)
                raise KeyError("Key Not Present in Vault")
            LOGGER.info("Key Not Present. Return None")
            value = None
        LOGGER.info("Exiting retrieve")
        return value

    def store(self, key=None, value=None):
        """
        :param key:
        :param value:
        :return:
        """
        if value is None:
            return None
        if key is None:
            key = str(uuid4())
        LOGGER.info("Entering store, key %s, value %s", key, value)
        url = f"{self.url}/{key}"
        payload = {"value": value}
        LOGGER.info("url... %s", url)
        LOGGER.info("payload... %s", payload)
        result = requests.post(url=url, json=payload, headers=self._headers)
        result.raise_for_status()
        LOGGER.info("Exiting store")
        return key

    def delete(self, key):
        """
        :param key:
        :param value:
        :return:
        """
        if key is None:
            return
        LOGGER.info("Entering Delete, key %s", key)
        url = f"{self.url}/{key}"
        LOGGER.info("url... %s", url)
        result = requests.delete(url=url, headers=self._headers)
        try:
            result.raise_for_status()
        except Exception as ex: # pylint: disable=broad-except
            LOGGER.exception(ex)
        LOGGER.info("Exiting delete")

In [3]:

ENC_PASSWORD = "NWdUMqomsoRPlROH_qFqb9vLeXlukVrXwwIll_8WhxE=" # same as used in k8 secret
os.environ["VAULT_TOKEN"]="s.qw3fpdglwSkCvSCsIjtMZIEi" # GA
os.environ["VAULT_URL"] = "http://release-name-vault.vault.svc.cluster.local:8200/v1/kv/data/"
# CONN_STRING_QA = "mysql+mysqlconnector://maxiq@mosaic-k8s-qa:QA_mysql_21@mosaic-k8s-qa.mysql.database.azure.com/ai_logistics"
CONN_STRING_GA ="mysql+mysqlconnector://root:password@mosaic-k8s-ga.cqkkwwmb5gtj.us-east-1.rds.amazonaws.com/ai_logistics"
fernet_key = secret_key(ENC_PASSWORD)
f = Fernet(fernet_key)

engine = db.create_engine(CONN_STRING_GA)
# conn = engine.connect()
# conn.close()

In [None]:
conn = engine.connect()

TABLE = "nb_git_repository"
changes = []
errors = []
update_stmts=[]
resp = conn.execute(f"SELECT password, repo_id from {TABLE} where created_on is NULL")
vault = VaultEncrypter(TABLE)
for res in resp:
    old = res[0]
    repo_id = res[1]
    try:
        decrypted = decrypt(old)
        new = vault.store(value=decrypted)
        
        changes.append({"old":old,"decrypted":decrypted,"new":new, "repo_id": repo_id})
        # Uncomment below line once after verifying, dataframe and run again.
#         conn.execute(f"UPDATE nb_git_repository SET password='{new}' where repo_id='{res[1]}'")
        update_stmts.append(f"UPDATE nb_git_repository SET password='{new}' where repo_id='{res[1]}'")
    except Exception:
        print(f"error - {repo_id}")
        errors.append({"repo_id":repo_id})
        

conn.close()
df = pd.DataFrame(changes)
df.to_csv("migration-qa.csv")
df

updates = pd.DataFrame(update_stmts)
updates.to_csv("updates-ga.csv")


In [None]:
updates[0] = updates[0]+";"

In [None]:
updates.to_csv("updates-ga-2.csv", index=False)


In [None]:
updates.shape

In [4]:
decrypt("gAAAAABhKMQGoyhk-Mklbqmlls1hO322Ex2QYABhtoTZBfQsGDJHdjNUMJddcfGjXfivVGn_g5GmwnJ5vMGmFdmNaKcXuaZeu-f9NDuVtgfhCjoiZjF-NDo=")

'Tz38yiz_x2ktN4esbvyp'