
Use key/secret to obfuscate values in the local database #7958

Merged
merged 16 commits into from Oct 29, 2020

Conversation

jgsogo
Contributor

@jgsogo jgsogo commented Oct 28, 2020

Changelog: Feature: Add CONAN_LOGIN_ENCRYPTION_KEY environment variable to obfuscate stored auth token.
Docs: conan-io/docs#1903

This PR implements a level of obfuscation over the data stored in the local database. It uses any value provided (if provided) in the CONAN_LOGIN_ENCRYPTION_KEY envvar to compose the data that will be stored in the database. It cannot be considered an encryption mechanism (this is NOT OK FOR SECURITY), but it can be useful for CI pipelines: the CI job assigns a random, unique value to each build; with this simple implementation, the data stored in the Conan cache is no longer usable by other jobs/builds on the same machine.

#PYVERS: py27

@jgsogo jgsogo changed the title [wip] Use key to encrypt values in the local database [wip] Use key to obfuscate values in the local database Oct 28, 2020
@jgsogo jgsogo marked this pull request as ready for review Oct 28, 2020
@jgsogo jgsogo added this to the 1.31 milestone Oct 28, 2020
@jgsogo jgsogo requested review from danimtb and czoido Oct 28, 2020
@jgsogo jgsogo changed the title [wip] Use key to obfuscate values in the local database Use key/secret to obfuscate values in the local database Oct 28, 2020
@danimtb
Member

danimtb commented Oct 28, 2020

@jgsogo please rebase from develop now that #7957 is merged

@jgsogo
Contributor Author

jgsogo commented Oct 28, 2020

@jgsogo please rebase from develop now that #7957 is merged

It is already rebased 🤔

from base64 import urlsafe_b64decode


def decode(enc, key):
    # Drops the first len(key) bytes of the base64-decoded blob and returns the rest.
    assert isinstance(enc, bytes), "Expected 'bytes', got '{}'".format(type(enc))
    assert isinstance(key, str), "Expected 'str' type, got '{}'".format(type(key))
    return urlsafe_b64decode(enc)[len(key):].decode('utf-8')
Member


This seems a bit weak, as it brings the length of the key only as the thing to "crack". I would say it is worth at least using something like the Vigenère cipher, which would require way more effort to crack, and seems quite straightforward to implement.
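Added example (not code from the PR or the Conan project) illustrating both the PR description's scheme and the reviewer's objection above: the `encode()` here is an assumed inverse of the PR's `decode()`, built from the fact that `decode()` discards `len(key)` leading bytes, and the token and key values are constructed for the demo. The checks show that the round trip works, that any other key of the same length reads the value back unchanged, and that the only isolation the scheme provides comes from key length.

```python
from base64 import urlsafe_b64decode, urlsafe_b64encode


def encode(value, key):
    # Assumed counterpart of the PR's decode(): prepend the key, then base64-encode.
    # (The PR's own encode() is not shown on the page; this is inferred.)
    assert isinstance(value, str) and isinstance(key, str)
    return urlsafe_b64encode((key + value).encode("utf-8"))


def decode(enc, key):
    # Mirrors the PR's decode(): drop len(key) bytes, return the remainder as text.
    assert isinstance(enc, bytes)
    assert isinstance(key, str)
    return urlsafe_b64decode(enc)[len(key):].decode("utf-8")


def round_trip_ok(token, key):
    # The property the PR relies on: encode then decode with the same key.
    return decode(encode(token, key), key) == token


def same_length_keys_interchangeable(token, key_a, key_b):
    # The reviewer's point: the key bytes are never used when decoding, only
    # their count, so a value stored under key_a reads back intact with any
    # key_b of the same length. Returns True when that is the case.
    assert len(key_a) == len(key_b) and key_a != key_b
    return decode(encode(token, key_a), key_b) == token


def different_length_key_hides_token(token, key_a, key_b):
    # The only "isolation" the scheme gives: a key of another length misaligns
    # the slice, so the stored token is not read back verbatim.
    assert len(key_a) != len(key_b)
    try:
        return decode(encode(token, key_a), key_b) != token
    except UnicodeDecodeError:
        # Misaligned slicing can also land inside a multibyte sequence.
        return True


if __name__ == "__main__":
    # Constructed sample values, not real Conan credentials.
    TOKEN = "tok-abc123"
    print(round_trip_ok(TOKEN, "k1"))                             # True
    print(same_length_keys_interchangeable(TOKEN, "k1", "z9"))    # True
    print(different_length_key_hides_token(TOKEN, "k1", "abc"))   # True
```

Note that `decode()` counts key length in characters while it slices bytes, so under Python 3 a non-ASCII key would misalign the slice; the PR targets py27, where `str` is already bytes.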

@jgsogo jgsogo marked this pull request as draft Oct 28, 2020
@jgsogo jgsogo marked this pull request as ready for review Oct 28, 2020
@jgsogo jgsogo requested a review from danimtb Oct 28, 2020
czoido
czoido approved these changes Oct 28, 2020
@memsharded memsharded merged commit 0caff8e into conan-io:develop Oct 29, 2020
2 checks passed
@jgsogo jgsogo deleted the feat/token-encryption-impl branch Oct 29, 2020