Spaces:

DataEyond
/

Agentic-Service-Data-Eyond

Running

App Files Files Community

Rifqi Hafizuddin commited on 4 days ago

Commit

0e07955

1 Parent(s): bb79f64

[NOTICKET][DB] update credential & databaseclient. update settings

Browse files

Files changed (4) hide show

src/config/settings.py +5 -0
src/db/postgres/init_db.py +8 -1
src/db/postgres/models.py +16 -0
src/utils/db_credential_encryption.py +70 -0

src/config/settings.py CHANGED Viewed

@@ -61,6 +61,11 @@ class Settings(BaseSettings):
     # Bcrypt salt (for users - existing)
     emarcal_bcrypt_salt: str = Field(alias="emarcal__bcrypt__salt", default="")
 # Singleton instance
 settings = Settings()

     # Bcrypt salt (for users - existing)
     emarcal_bcrypt_salt: str = Field(alias="emarcal__bcrypt__salt", default="")
+    # DB credential encryption (Fernet key for user-registered database creds)
+    dataeyond_db_credential_key: str = Field(
+        alias="dataeyond__db__credential__key", default=""
+    )
 # Singleton instance
 settings = Settings()

src/db/postgres/init_db.py CHANGED Viewed

@@ -2,7 +2,14 @@
 from sqlalchemy import text
 from src.db.postgres.connection import engine, Base
-from src.db.postgres.models import Document, Room, ChatMessage, User, MessageSource
 async def init_db():

 from sqlalchemy import text
 from src.db.postgres.connection import engine, Base
+from src.db.postgres.models import (
+    ChatMessage,
+    DatabaseClient,
+    Document,
+    MessageSource,
+    Room,
+    User,
+)
 async def init_db():

src/db/postgres/models.py CHANGED Viewed

@@ -4,6 +4,7 @@ from uuid import uuid4
 from sqlalchemy import Column, String, DateTime, Text, Integer, ForeignKey
 from sqlalchemy.orm import relationship
 from sqlalchemy.sql import func
 from src.db.postgres.connection import Base
@@ -81,3 +82,18 @@ class MessageSource(Base):
     created_at = Column(DateTime(timezone=True), server_default=func.now())
     message = relationship("ChatMessage", back_populates="sources")

 from sqlalchemy import Column, String, DateTime, Text, Integer, ForeignKey
 from sqlalchemy.orm import relationship
 from sqlalchemy.sql import func
+from sqlalchemy.dialects.postgresql import JSONB
 from src.db.postgres.connection import Base
     created_at = Column(DateTime(timezone=True), server_default=func.now())
     message = relationship("ChatMessage", back_populates="sources")
+class DatabaseClient(Base):
+    """User-registered external database connections."""
+    __tablename__ = "databases"
+    id = Column(String, primary_key=True, default=lambda: str(uuid4()))
+    user_id = Column(String, nullable=False, index=True)
+    name = Column(String, nullable=False)       # display name, e.g. "Prod DB"
+    db_type = Column(String, nullable=False)    # postgres|mysql|sqlserver|supabase|bigquery|snowflake
+    credentials = Column(JSONB, nullable=False) # per-type JSON; sensitive fields Fernet-encrypted
+    status = Column(String, nullable=False, default="active")  # active | inactive
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(DateTime(timezone=True), onupdate=func.now())

src/utils/db_credential_encryption.py ADDED Viewed

	@@ -0,0 +1,70 @@

+"""Fernet encryption utilities for user-registered database credentials.
+Encryption key is sourced from `dataeyond__db__credential__key` env variable,
+intentionally separate from the user-auth bcrypt salt (`emarcal__bcrypt__salt`).
+Usage:
+    from src.utils.db_credential_encryption import encrypt_credentials_dict, decrypt_credentials_dict
+    # Before INSERT:
+    safe_creds = encrypt_credentials_dict(raw_credentials)
+    # After SELECT:
+    plain_creds = decrypt_credentials_dict(row.credentials)
+"""
+from cryptography.fernet import Fernet
+from src.config.settings import settings
+# Sensitive credential field names that must be encrypted at rest.
+# Covers all supported DB types:
+#   - password      : postgres, mysql, sqlserver, supabase, snowflake
+#   - service_account_json : bigquery
+SENSITIVE_FIELDS: frozenset[str] = frozenset({"password", "service_account_json"})
+def _get_cipher() -> Fernet:
+    key = settings.dataeyond_db_credential_key
+    if not key:
+        raise ValueError(
+            "dataeyond__db__credential__key is not set. "
+            "Generate one with: Fernet.generate_key().decode()"
+        )
+    return Fernet(key.encode())
+def encrypt_credential(value: str) -> str:
+    """Encrypt a single credential string value."""
+    return _get_cipher().encrypt(value.encode()).decode()
+def decrypt_credential(value: str) -> str:
+    """Decrypt a single Fernet-encrypted credential string."""
+    return _get_cipher().decrypt(value.encode()).decode()
+def encrypt_credentials_dict(creds: dict) -> dict:
+    """Return a copy of the credentials dict with sensitive fields encrypted.
+    Call this before inserting a new DatabaseClient record.
+    """
+    cipher = _get_cipher()
+    result = dict(creds)
+    for field in SENSITIVE_FIELDS:
+        if result.get(field):
+            result[field] = cipher.encrypt(result[field].encode()).decode()
+    return result
+def decrypt_credentials_dict(creds: dict) -> dict:
+    """Return a copy of the credentials dict with sensitive fields decrypted.
+    Call this after fetching a DatabaseClient record from DB.
+    """
+    cipher = _get_cipher()
+    result = dict(creds)
+    for field in SENSITIVE_FIELDS:
+        if result.get(field):
+            result[field] = cipher.decrypt(result[field].encode()).decode()
+    return result