feat(crypto): include admin db table name in 'aad' [#411]

scidsg · Jul 27, 2024 · 7799379 · 7799379
1 parent 080ae11
commit 7799379
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/hushline/model.py b/hushline/model.py
@@ -38,15 +38,17 @@ def value(self) -> bytearray:
         vault = current_app.config.get("VAULT", None)
         if self.name == self._APP_ADMIN_SECRET_SALT_NAME:
             return bytearray(self._value)
-        return bytearray(vault.decrypt(self._value, domain=self.name.encode()))
+        aad = deque([self.__tablename__.encode()])
+        return bytearray(vault.decrypt(self._value, domain=self.name.encode(), aad=aad))
 
     @value.setter
     def value(self, secret: bytes | bytearray) -> None:
         vault = current_app.config.get("VAULT", None)
         if self.name == self._APP_ADMIN_SECRET_SALT_NAME:
             self._value = bytes(secret)
         else:
-            self._value = vault.encrypt(bytes(secret), domain=self.name.encode())
+            aad = deque([self.__tablename__.encode()])
+            self._value = vault.encrypt(bytes(secret), domain=self.name.encode(), aad=aad)
 
 
 class User(Model):

diff --git a/tests/test_secrets_manager.py b/tests/test_secrets_manager.py
@@ -41,7 +41,9 @@ def test_admin_db_secrets_are_static_once_created(static_app: Flask, name: str)
             assert db_value != secret
             assert isinstance(db_value, bytes)
             assert len(db_value) > 32
-            assert vault.decrypt(db_value, domain=name.encode()) == secret
+
+            aad = deque([InfrastructureAdmin.__tablename__.encode()])
+            assert vault.decrypt(db_value, domain=name.encode(), aad=aad) == secret
 
 
 @pytest.mark.parametrize("size", list(range(33)))