fix: EncryptField unable to process values that starts with special header (#237)

piglei · web-flow · commit 1c9cbe5f57ed · 2025-08-04T17:51:38.000+08:00
diff --git a/.github/workflows/blue-krill.yml b/.github/workflows/blue-krill.yml
@@ -19,19 +19,19 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v5
         with:
           python-version: 3.11
-      - name: Check with ruff
-        working-directory: sdks/blue-krill
-        run: |
-          pip install ruff==0.9.6
-          ruff check --config ../../pyproject.toml
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v5
+      - name: Install Poetry system-wide
+        # Use uv install to install poetry directly instead github action for simplicity
+        run: uv pip install --system poetry==2.1.3
+      - name: Ruff check
+        run: poetry install && poetry run ruff check ./sdks/blue-krill --config ./pyproject.toml
       - name: Lint with mypy
         working-directory: sdks/blue-krill
-        run: |
-          pip install mypy==0.910 types-requests==2.31.0.2 types-setuptools==57.4.18 types-dataclasses==0.1.7 types-redis==3.5.18 types-PyMySQL==1.1.0.1 types-six==0.1.9 types-toml==0.1.5
-          mypy . --config-file=pyproject.toml
+        run: poetry install && poetry run mypy . --config-file=./pyproject.toml
   test:
     strategy:
       fail-fast: false
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,10 +1,13 @@
 [tool.poetry]
-name = "蓝鲸 PaaS 平台 Python 工具集"
-version = "0.0.1"
-description = "BlueKing PaaS Python SDK"
-authors = ["blueking <blueking@tencent.com>"]
 package-mode = false
 
+[project]
+name = "bkpaas-python-sdk"
+description = "BlueKing PaaS Python SDK"
+version = "0.0.1"
+authors = [{ name = "blueking", email = "blueking@tencent.com" }]
+requires-python = '>=3.8.1,<3.12'
+
 [tool.poetry.dependencies]
 python = ">=3.8.1,<3.12"
 
diff --git a/sdks/blue-krill/blue_krill/encrypt/handler.py b/sdks/blue-krill/blue_krill/encrypt/handler.py
@@ -56,11 +56,6 @@ def encrypt_cipher_type(self):
 
     def encrypt(self, text: str) -> str:
         """根据指定加密算法，加密字段"""
-        # 已加密则不处理
-        for cls in self.cipher_classes.values():
-            if cls.header.contain_header(text):
-                return text
-
         # 根据加密类型配置选择不同的加密算法
         try:
             cipher_class = self.cipher_classes[self.encrypt_cipher_type]
diff --git a/sdks/blue-krill/blue_krill/models/fields.py b/sdks/blue-krill/blue_krill/models/fields.py
@@ -22,6 +22,11 @@
 from blue_krill.encrypt.handler import EncryptHandler
 
 
+class _EncryptedString(str):
+    """A string that is encrypted, this type is used to distinguish between normal
+    strings and encrypted ones."""
+
+
 class EncryptField(models.TextField):
     """a field which will be encrypted via cryptography/fernet"""
 
@@ -34,7 +39,10 @@ def __init__(self, encrypt_cipher_type: Optional[str] = None, secret_key: Option
     def get_prep_value(self, value):
         if value is None:
             return value
-        return self.handler.encrypt(value)
+        # 如果值已经是 _EncryptedString 实例，则直接返回，避免重复触发加密逻辑
+        if isinstance(value, _EncryptedString):
+            return value
+        return _EncryptedString(self.handler.encrypt(value))
 
     def get_db_prep_value(self, value, connection, prepared=False):
         return self.get_prep_value(value)
diff --git a/sdks/blue-krill/pyproject.toml b/sdks/blue-krill/pyproject.toml
@@ -72,3 +72,4 @@ build-backend = "poetry.core.masonry.api"
 ignore_missing_imports = true
 show_error_codes = true
 check_untyped_defs = true
+exclude = ['^tests/models/apps/.*/migrations/.*$']
diff --git a/sdks/blue-krill/tests/conftest.py b/sdks/blue-krill/tests/conftest.py
@@ -17,6 +17,7 @@
 
 
 def pytest_configure():
+    from cryptography.fernet import Fernet
     from django.conf import settings
 
     settings.configure(
@@ -28,12 +29,21 @@ def pytest_configure():
         TIME_ZONE="Asia/Shanghai",
         MIDDLEWARE=[],
         MIDDLEWARE_CLASSES=[],
-        INSTALLED_APPS=(),
+        # If the models of these apps have been updated, remember to remove all migration files so
+        # that the migrations could stay minimal because the test suite will create them from scratch.
+        INSTALLED_APPS=("tests.models.apps.test_encrypt",),
+        # For testing encrypt module
+        BKKRILL_ENCRYPT_SECRET_KEY=Fernet.generate_key(),
     )
 
     try:
         import django
+        from django.core.management import execute_from_command_line
 
         django.setup()
+
+        # Create migrations for test apps
+        execute_from_command_line(["manage.py", "makemigrations"])
+
     except AttributeError:
         pass
diff --git a/sdks/blue-krill/tests/models/__init__.py b/sdks/blue-krill/tests/models/__init__.py
diff --git a/sdks/blue-krill/tests/models/apps/__init__.py b/sdks/blue-krill/tests/models/apps/__init__.py
diff --git a/sdks/blue-krill/tests/models/apps/test_encrypt/__init__.py b/sdks/blue-krill/tests/models/apps/test_encrypt/__init__.py
diff --git a/sdks/blue-krill/tests/models/apps/test_encrypt/apps.py b/sdks/blue-krill/tests/models/apps/test_encrypt/apps.py
@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class TestEncryptConfig(AppConfig):
+    default_auto_field = "django.db.models.BigAutoField"
+    name = "tests.models.apps.test_encrypt"
diff --git a/sdks/blue-krill/tests/models/apps/test_encrypt/migrations/0001_initial.py b/sdks/blue-krill/tests/models/apps/test_encrypt/migrations/0001_initial.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.2.25 on 2025-07-30 09:53
+
+import blue_krill.models.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='TestEncryptFieldModel',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=100)),
+                ('data', blue_krill.models.fields.EncryptField(blank=True, help_text='without any explicit cipher type', null=True)),
+                ('data_fernet', blue_krill.models.fields.EncryptField(blank=True, null=True)),
+                ('data_sm4', blue_krill.models.fields.EncryptField(blank=True, null=True)),
+            ],
+        ),
+    ]
diff --git a/sdks/blue-krill/tests/models/apps/test_encrypt/migrations/__init__.py b/sdks/blue-krill/tests/models/apps/test_encrypt/migrations/__init__.py
diff --git a/sdks/blue-krill/tests/models/apps/test_encrypt/models.py b/sdks/blue-krill/tests/models/apps/test_encrypt/models.py
@@ -0,0 +1,27 @@
+# TencentBlueKing is pleased to support the open source community by making
+# 蓝鲸智云 - PaaS 平台 (BlueKing - PaaS System) available.
+# Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
+# Licensed under the MIT License (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+#     http://opensource.org/licenses/MIT
+#
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+# either express or implied. See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# We undertake not to change the open source license (MIT license) applicable
+# to the current version of the project delivered to anyone in the future.
+from django.db import models
+
+from blue_krill.models.fields import EncryptField
+
+
+class TestEncryptFieldModel(models.Model):
+    """Test model with EncryptField for testing purposes"""
+
+    name = models.CharField(max_length=100)
+    data = EncryptField(help_text="without any explicit cipher type", null=True, blank=True)
+    data_fernet = EncryptField(encrypt_cipher_type="FernetCipher", null=True, blank=True)
+    data_sm4 = EncryptField(encrypt_cipher_type="SM4CTR", null=True, blank=True)
diff --git a/sdks/blue-krill/tests/models/test_fields.py b/sdks/blue-krill/tests/models/test_fields.py
@@ -0,0 +1,99 @@
+# -*- coding: utf-8 -*-
+# TencentBlueKing is pleased to support the open source community by making
+# 蓝鲸智云 - PaaS 平台 (BlueKing - PaaS System) available.
+# Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
+# Licensed under the MIT License (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+#     http://opensource.org/licenses/MIT
+#
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+# either express or implied. See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# We undertake not to change the open source license (MIT license) applicable
+# to the current version of the project delivered to anyone in the future.
+
+import pytest
+
+from blue_krill.models.fields import EncryptField
+from tests.models.apps.test_encrypt.models import TestEncryptFieldModel
+
+pytestmark = pytest.mark.django_db
+
+
+class TestEncryptField:
+    @pytest.fixture(
+        params=[
+            # Test the fields with different ciphers
+            "data",
+            "data_fernet",
+            "data_sm4",
+        ]
+    )
+    def field_name(self, request):
+        return request.param
+
+    def test_basic_encryption_decryption(self, field_name):
+        test_data = "This is sensitive information"
+        obj = TestEncryptFieldModel.objects.create(name="test_object", **{field_name: test_data})
+
+        obj_from_db = TestEncryptFieldModel.objects.get(id=obj.id)
+        assert getattr(obj_from_db, field_name) == test_data
+
+    def test_none_value_handling(self, field_name):
+        obj = TestEncryptFieldModel.objects.create(name="test_none", **{field_name: None})
+
+        obj_from_db = TestEncryptFieldModel.objects.get(id=obj.id)
+        assert getattr(obj_from_db, field_name) is None
+
+    def test_empty_string_handling(self, field_name):
+        obj = TestEncryptFieldModel.objects.create(name="test_empty", **{field_name: ""})
+
+        obj_from_db = TestEncryptFieldModel.objects.get(id=obj.id)
+        assert getattr(obj_from_db, field_name) == ""
+
+    def test_value_with_encrypt_header(self):
+        # Create a value that has the Fernet header but is not a real encrypted value
+        test_data = "bkcrypt$this_looks_like_encrypted_but_is_not"
+        obj = TestEncryptFieldModel.objects.create(name="test_header_fernet", data_fernet=test_data)
+
+        retrieved_obj = TestEncryptFieldModel.objects.get(id=obj.id)
+        assert retrieved_obj.data_fernet == test_data
+
+    def test_data_is_actually_encrypted_in_db(self):
+        """Test that data is actually encrypted when stored in database"""
+        test_data = "This should be encrypted in DB"
+
+        obj = TestEncryptFieldModel.objects.create(
+            name="test_encryption_verification",
+            data_fernet=test_data,
+            data_sm4=test_data,
+        )
+
+        # Query the raw value from database
+        from django.db import connection
+
+        with connection.cursor() as cursor:
+            cursor.execute(
+                "SELECT data_fernet, data_sm4 FROM test_encrypt_testencryptfieldmodel WHERE id = %s",
+                [obj.id],
+            )
+            raw_fernet_value, raw_sm4_value = cursor.fetchone()
+
+        assert raw_fernet_value != test_data, "The value in the database should be encrypted"
+        assert raw_fernet_value.startswith("bkcrypt$")
+        assert raw_sm4_value != test_data, "The value in the database should be encrypted"
+        assert raw_sm4_value.startswith("sm4ctr$")
+
+    def test_get_prep_value_no_repeat_encryption(self):
+        """Test get_prep_value method with string value"""
+        field = EncryptField()
+        test_data = "test string"
+        # Call get_prep_value for multiple times
+        value = field.get_prep_value(test_data)
+        value = field.get_prep_value(value)
+        value = field.get_prep_value(value)
+
+        assert field.from_db_value(value, None, None, None) == test_data, "Value should not be re-encrypted"
