From 3348e0a035fe780a6aaa4f4f0b98ad509a4e5aa7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Trkan?= Date: Wed, 29 Oct 2025 14:17:53 +0100 Subject: [PATCH 1/5] feat(database): encrypt transactions data --- ...29_1326-46b9e702e83f_add_encrypted_type.py | 47 ++++++++++++ 7project/backend/app/models/transaction.py | 10 ++- 7project/backend/requirements.txt | 1 + requirements.txt | 72 ------------------- 4 files changed, 56 insertions(+), 74 deletions(-) create mode 100644 7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py delete mode 100644 requirements.txt diff --git a/7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py b/7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py new file mode 100644 index 0000000..8f9119a --- /dev/null +++ b/7project/backend/alembic/versions/2025_10_29_1326-46b9e702e83f_add_encrypted_type.py @@ -0,0 +1,47 @@ +"""Add encrypted type + +Revision ID: 46b9e702e83f +Revises: 1f2a3c4d5e6f +Create Date: 2025-10-29 13:26:24.568523 + +""" +from typing import Sequence, Union + +import sqlalchemy_utils +from alembic import op +import sqlalchemy as sa +from sqlalchemy.dialects import mysql + +# revision identifiers, used by Alembic. +revision: str = '46b9e702e83f' +down_revision: Union[str, Sequence[str], None] = '1f2a3c4d5e6f' +branch_labels: Union[str, Sequence[str], None] = None +depends_on: Union[str, Sequence[str], None] = None + + +def upgrade() -> None: + """Upgrade schema.""" + # ### commands auto generated by Alembic - please adjust! ### + op.alter_column('transaction', 'amount', + existing_type=mysql.FLOAT(), + type_=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + existing_nullable=False) + op.alter_column('transaction', 'description', + existing_type=mysql.VARCHAR(length=255), + type_=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + existing_nullable=True) + # ### end Alembic commands ### + + +def downgrade() -> None: + """Downgrade schema.""" + # ### commands auto generated by Alembic - please adjust! ### + op.alter_column('transaction', 'description', + existing_type=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + type_=mysql.VARCHAR(length=255), + existing_nullable=True) + op.alter_column('transaction', 'amount', + existing_type=sqlalchemy_utils.types.encrypted.encrypted_type.EncryptedType(), + type_=mysql.FLOAT(), + existing_nullable=False) + # ### end Alembic commands ### diff --git a/7project/backend/app/models/transaction.py b/7project/backend/app/models/transaction.py index 84f3981..d432437 100644 --- a/7project/backend/app/models/transaction.py +++ b/7project/backend/app/models/transaction.py @@ -1,15 +1,21 @@ +import os from fastapi_users_db_sqlalchemy import GUID from sqlalchemy import Column, Integer, String, Float, ForeignKey, Date, func from sqlalchemy.orm import relationship +from sqlalchemy_utils import EncryptedType +from sqlalchemy_utils.types.encrypted.encrypted_type import FernetEngine + from app.core.base import Base from app.models.categories import association_table +SECRET_KEY = os.environ.get("DB_ENCRYPTION_KEY", "localdev") + class Transaction(Base): __tablename__ = "transaction" id = Column(Integer, primary_key=True, autoincrement=True) - amount = Column(Float, nullable=False) - description = Column(String(length=255), nullable=True) + amount = Column(EncryptedType(Float, SECRET_KEY, engine=FernetEngine), nullable=False) + description = Column(EncryptedType(String(length=255), SECRET_KEY, engine=FernetEngine), nullable=True) date = Column(Date, nullable=False, server_default=func.current_date()) user_id = Column(GUID, ForeignKey("user.id"), nullable=False) diff --git a/7project/backend/requirements.txt b/7project/backend/requirements.txt index 34fc377..d0699ef 100644 --- a/7project/backend/requirements.txt +++ b/7project/backend/requirements.txt @@ -54,6 +54,7 @@ sentry-sdk==2.42.0 six==1.17.0 sniffio==1.3.1 SQLAlchemy==2.0.43 +SQLAlchemy-Utils==0.42.0 starlette==0.48.0 tomli==2.2.1 typing-inspection==0.4.1 diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index f97951f..0000000 --- a/requirements.txt +++ /dev/null @@ -1,72 +0,0 @@ -aio-pika==9.5.6 -aiormq==6.8.1 -aiosqlite==0.21.0 -alembic==1.16.5 -amqp==5.3.1 -annotated-types==0.7.0 -anyio==4.11.0 -argon2-cffi==23.1.0 -argon2-cffi-bindings==25.1.0 -asyncmy==0.2.9 -bcrypt==4.3.0 -billiard==4.2.2 -celery==5.5.3 -certifi==2025.10.5 -cffi==2.0.0 -click==8.1.8 -click-didyoumean==0.3.1 -click-plugins==1.1.1.2 -click-repl==0.3.0 -cryptography==46.0.1 -dnspython==2.7.0 -email_validator==2.2.0 -exceptiongroup==1.3.0 -fastapi==0.117.1 -fastapi-users==14.0.1 -fastapi-users-db-sqlalchemy==7.0.0 -greenlet==3.2.4 -h11==0.16.0 -httpcore==1.0.9 -httptools==0.6.4 -httpx==0.28.1 -httpx-oauth==0.16.1 -idna==3.10 -iniconfig==2.3.0 -kombu==5.5.4 -makefun==1.16.0 -Mako==1.3.10 -MarkupSafe==3.0.2 -multidict==6.6.4 -packaging==25.0 -pamqp==3.3.0 -pluggy==1.6.0 -prompt_toolkit==3.0.52 -propcache==0.3.2 -pwdlib==0.2.1 -pycparser==2.23 -pydantic==2.11.9 -pydantic_core==2.33.2 -Pygments==2.19.2 -PyJWT==2.10.1 -PyMySQL==1.1.2 -pytest==8.4.2 -pytest-asyncio==1.2.0 -python-dateutil==2.9.0.post0 -python-dotenv==1.1.1 -python-multipart==0.0.20 -PyYAML==6.0.2 -six==1.17.0 -sniffio==1.3.1 -SQLAlchemy==2.0.43 -starlette==0.48.0 -tomli==2.2.1 -typing-inspection==0.4.1 -typing_extensions==4.15.0 -tzdata==2025.2 -uvicorn==0.37.0 -uvloop==0.21.0 -vine==5.1.0 -watchfiles==1.1.0 -wcwidth==0.2.14 -websockets==15.0.1 -yarl==1.20.1 From 7d2e94e683a33d0b0b31e9987b6e2cb81c017258 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Trkan?= Date: Wed, 29 Oct 2025 14:23:14 +0100 Subject: [PATCH 2/5] feat(database): add encryption key --- .github/workflows/deploy-pr.yaml | 3 ++- .github/workflows/deploy-prod.yaml | 3 ++- 7project/charts/myapp-chart/templates/app-deployment.yaml | 5 +++++ 7project/charts/myapp-chart/templates/prod.yaml | 1 + .../charts/myapp-chart/templates/worker-deployment.yaml | 7 ++++++- 7project/charts/myapp-chart/values.yaml | 1 + 6 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy-pr.yaml b/.github/workflows/deploy-pr.yaml index 56938bd..8a705b2 100644 --- a/.github/workflows/deploy-pr.yaml +++ b/.github/workflows/deploy-pr.yaml @@ -118,7 +118,8 @@ jobs: --set frontend_domain_scheme="$FRONTEND_DOMAIN_SCHEME" \ --set image.digest="$DIGEST" \ --set-string rabbitmq.password="$RABBITMQ_PASSWORD" \ - --set-string database.password="$DB_PASSWORD" + --set-string database.password="$DB_PASSWORD" \ + --set-string database.encryptionSecret="$PR" - name: Post preview URLs as PR comment uses: actions/github-script@v7 diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml index 7f99e56..769ff0c 100644 --- a/.github/workflows/deploy-prod.yaml +++ b/.github/workflows/deploy-prod.yaml @@ -129,4 +129,5 @@ jobs: --set-string oauth.mojeid.clientSecret="$MOJEID_CLIENT_SECRET" \ --set-string oauth.csas.clientId="$CSAS_CLIENT_ID" \ --set-string oauth.csas.clientSecret="$CSAS_CLIENT_SECRET" \ - --set-string sentry_dsn="$SENTRY_DSN" \ \ No newline at end of file + --set-string sentry_dsn="$SENTRY_DSN" \ + --set-string database.encryptionSecret="${{ secrets.PROD_DB_ENCRYPTION_KEY }}" \ No newline at end of file diff --git a/7project/charts/myapp-chart/templates/app-deployment.yaml b/7project/charts/myapp-chart/templates/app-deployment.yaml index dc85dbd..02afbfb 100644 --- a/7project/charts/myapp-chart/templates/app-deployment.yaml +++ b/7project/charts/myapp-chart/templates/app-deployment.yaml @@ -101,6 +101,11 @@ spec: secretKeyRef: name: prod key: SENTRY_DSN + - name: DB_ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: prod + key: DB_ENCRYPTION_KEY livenessProbe: httpGet: path: / diff --git a/7project/charts/myapp-chart/templates/prod.yaml b/7project/charts/myapp-chart/templates/prod.yaml index 0b9442d..abb294a 100644 --- a/7project/charts/myapp-chart/templates/prod.yaml +++ b/7project/charts/myapp-chart/templates/prod.yaml @@ -18,3 +18,4 @@ stringData: RABBITMQ_PASSWORD: {{ .Values.rabbitmq.password | default "" | quote }} RABBITMQ_USERNAME: {{ .Values.rabbitmq.username | quote }} SENTRY_DSN: {{ .Values.sentry_dsn | quote }} + DB_ENCRYPTION_KEY: {{ required "Set .Values.database.encryptionSecret" .Values.database.encryptionSecret | quote }} diff --git a/7project/charts/myapp-chart/templates/worker-deployment.yaml b/7project/charts/myapp-chart/templates/worker-deployment.yaml index 11227d3..fbd5182 100644 --- a/7project/charts/myapp-chart/templates/worker-deployment.yaml +++ b/7project/charts/myapp-chart/templates/worker-deployment.yaml @@ -20,7 +20,7 @@ spec: securityContext: allowPrivilegeEscalation: false capabilities: - drop: ["ALL"] + drop: [ "ALL" ] command: - celery - -A @@ -80,3 +80,8 @@ spec: secretKeyRef: name: prod key: CSAS_CLIENT_SECRET + - name: DB_ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: prod + key: DB_ENCRYPTION_KEY diff --git a/7project/charts/myapp-chart/values.yaml b/7project/charts/myapp-chart/values.yaml index 867728e..d20fa70 100644 --- a/7project/charts/myapp-chart/values.yaml +++ b/7project/charts/myapp-chart/values.yaml @@ -75,3 +75,4 @@ database: userName: app-demo-user secretName: app-demo-database-secret password: "" + encryptionSecret: "" From e916a57e4e72d1c8b0f7e077ca7fde4e16f78508 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Trkan?= Date: Wed, 29 Oct 2025 14:25:18 +0100 Subject: [PATCH 3/5] fix(tests): move requirements.txt --- .github/workflows/run-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index b71a6d1..1fe9501 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -46,7 +46,7 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install -r requirements.txt + pip install -r ./7project/backend/requirements.txt # Step 4: Run your tests! # Executes the pytest command to run your test suite. From 06dcccb321384ab4d97a1ebfa778add59b138820 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Trkan?= Date: Wed, 29 Oct 2025 14:28:25 +0100 Subject: [PATCH 4/5] fix(tests): add missing dependencies --- .github/workflows/run-tests.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml index 1fe9501..ffa130e 100644 --- a/.github/workflows/run-tests.yml +++ b/.github/workflows/run-tests.yml @@ -43,6 +43,11 @@ jobs: # Step 3: Install project dependencies # Runs shell commands to install the libraries listed in your requirements.txt. + - name: Add test dependencies to requirements + run: | + echo "pytest==8.4.2" >> ./7project/backend/requirements.txt + echo "pytest-asyncio==1.2.0" >> ./7project/backend/requirements.txt + - name: Install dependencies run: | python -m pip install --upgrade pip From d8ea25943c84441d764e140988dec08f7687411e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Trkan?= Date: Wed, 29 Oct 2025 14:32:25 +0100 Subject: [PATCH 5/5] feat(code): remove sentry debug endpoint --- 7project/backend/app/app.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/7project/backend/app/app.py b/7project/backend/app/app.py index ae50a62..12b2010 100644 --- a/7project/backend/app/app.py +++ b/7project/backend/app/app.py @@ -105,10 +105,6 @@ async def root(): async def authenticated_route(user: User = Depends(current_active_verified_user)): return {"message": f"Hello {user.email}!"} -@fastApi.get("/sentry-debug") -async def trigger_error(): - division_by_zero = 1 / 0 - @fastApi.get("/debug/scrape/csas/all", tags=["debug"]) async def debug_scrape_csas_all():