diff --git a/alexandria/core/management/commands/encrypt_files.py b/alexandria/core/management/commands/encrypt_files.py
index 8c29f5d5..0abeef9c 100644
--- a/alexandria/core/management/commands/encrypt_files.py
+++ b/alexandria/core/management/commands/encrypt_files.py
@@ -15,7 +15,7 @@ def handle(self, *args, **options):
 if (
 not settings.ALEXANDRIA_ENABLE_AT_REST_ENCRYPTION
 or settings.ALEXANDRIA_ENCRYPTION_METHOD
- == File.EncryptionStatus.NOT_ENCRYPTED
+ == File.EncryptionStatus.NOT_ENCRYPTED.value
 ):
 return self.stdout.write(
 self.style.WARNING(
diff --git a/alexandria/core/tests/test_commands.py b/alexandria/core/tests/test_commands.py
new file mode 100644
index 00000000..ad9d7f26
--- /dev/null
+++ b/alexandria/core/tests/test_commands.py
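Review bot: The guard in `handle` (encrypt_files.py) only catches a disabled flag or the NOT_ENCRYPTED value, so a mistyped `ALEXANDRIA_ENCRYPTION_METHOD` passes it and reaches the rest of the command, which lies outside this hunk. `pre_save` in alexandria/storages/fields.py appears to reject values that are not in `File.EncryptionStatus.values`; unless the same check already exists further down, I would add it here before any stored file is read or re-saved, e.g. `if settings.ALEXANDRIA_ENCRYPTION_METHOD not in File.EncryptionStatus.values: raise CommandError("invalid ALEXANDRIA_ENCRYPTION_METHOD")`. The skip path also returns normally after a warning on stdout, so a scheduled run on a misconfigured host looks successful; consider whether it should exit non-zero.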
@@ -0,0 +1,53 @@
+import pytest
+from django.core.management import call_command
+from io import StringIO
+from alexandria.core.models import File
+from django.core.files import File as DjangoFile
+from alexandria.storages.backends.s3 import SsecGlobalS3Storage
+
+
+def test_encrypt_files(db, settings, mocker, file_factory):
+ file_old = file_factory(encryption_status=File.EncryptionStatus.NOT_ENCRYPTED)
+ file_global = file_factory(encryption_status=File.EncryptionStatus.SSEC_GLOBAL_KEY)
+ file_object = file_factory(encryption_status=File.EncryptionStatus.SSEC_OBJECT_KEY)
+
+ settings.ALEXANDRIA_ENABLE_AT_REST_ENCRYPTION = True
+ settings.ALEXANDRIA_ENCRYPTION_METHOD = File.EncryptionStatus.SSEC_GLOBAL_KEY.value
+ settings.DEFAULT_FILE_STORAGE = "alexandria.storages.backends.s3.S3Storage"
+
+ mocker.patch("storages.backends.s3.S3Storage.save")
+ mocker.patch("storages.backends.s3.S3Storage.open")
+ SsecGlobalS3Storage.save.return_value = "name-of-the-file"
+ SsecGlobalS3Storage.open.return_value = DjangoFile(open("README.md", "rb"))
+ call_command("encrypt_files")
+
+ file_old.refresh_from_db()
+ file_global.refresh_from_db()
+ file_object.refresh_from_db()
+
+ assert SsecGlobalS3Storage.save.called_once()
+ assert SsecGlobalS3Storage.open.called_once()
+ assert file_old.encryption_status == File.EncryptionStatus.SSEC_GLOBAL_KEY
+ assert file_global.encryption_status == File.EncryptionStatus.SSEC_GLOBAL_KEY
+ assert file_object.encryption_status == File.EncryptionStatus.SSEC_OBJECT_KEY
+
+
+@pytest.mark.parametrize(
+ "enable_encryption,encryption_method",
+ [
+ (False, "ssec-global"),
+ (True, File.EncryptionStatus.NOT_ENCRYPTED.value),
+ ],
+)
+def test_encrypt_files_misconfigured(
+ db, settings, file_factory, enable_encryption, encryption_method
+):
+ file_factory(encryption_status=File.EncryptionStatus.NOT_ENCRYPTED)
+
+ settings.ALEXANDRIA_ENABLE_AT_REST_ENCRYPTION = enable_encryption
+ settings.ALEXANDRIA_ENCRYPTION_METHOD = encryption_method
+
+ out = StringIO()
+ call_command("encrypt_files", stdout=out)
+
+ assert "Encryption is not enabled. Skipping encryption of files." in out.getvalue()
diff --git a/alexandria/storages/fields.py b/alexandria/storages/fields.py
index 70111ca5..f139099f 100644
--- a/alexandria/storages/fields.py
+++ b/alexandria/storages/fields.py
@@ -36,7 +36,7 @@ def pre_save(self, instance, add):
 f"{File.EncryptionStatus.values}. {method} is not valid"
 )
 raise ImproperlyConfigured(msg)
- elif method == File.EncryptionStatus.NOT_ENCRYPTED:
+ elif method == File.EncryptionStatus.NOT_ENCRYPTED.value:
 raise ImproperlyConfigured(
 "ALEXANDRIA_ENCRYPTION_METHOD is set to NOT_ENCRYPTED while ALEXANDRIA_ENABLE_AT_REST_ENCRYPTION is enabled."
 )
diff --git a/alexandria/storages/tests/test_dynamic_field.py b/alexandria/storages/tests/test_dynamic_field.py
index 6983b62f..6d058140 100644
--- a/alexandria/storages/tests/test_dynamic_field.py
+++ b/alexandria/storages/tests/test_dynamic_field.py
@@ -38,7 +38,7 @@ def test_dynamic_storage_select_global_ssec(
 "alexandria.storages.backends.s3.S3Storage",
 ),
 (
- "none",
+ File.EncryptionStatus.NOT_ENCRYPTED.value,
 "alexandria.storages.backends.s3.S3Storage",
 ),
 (
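Review bot: In `test_encrypt_files` (alexandria/core/tests/test_commands.py), `assert SsecGlobalS3Storage.save.called_once()` and the matching `open` line verify nothing: `called_once` is not a mock assertion, so on a mock it is an auto-created attribute whose call result is always truthy (recent Python versions raise AttributeError for it instead). As written the test would still pass if the command never wrote through the SSE-C storage, which is the behaviour it is meant to pin down. Use `SsecGlobalS3Storage.save.assert_called_once()` and `SsecGlobalS3Storage.open.assert_called_once()`, assuming the command is expected to touch only the one unencrypted file. Separately, `DjangoFile(open("README.md", "rb"))` depends on the working directory and leaves the handle open; an in-memory `ContentFile(b"...")` would avoid both.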