Encrypt task arguments in db

[noissue]
gerrod3 · Sep 13, 2023 · e585547 · e585547
1 parent 8fe2f6c
commit e585547
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 4 deletions.
diff --git a/CHANGES/+enc_task_args.bugfix b/CHANGES/+enc_task_args.bugfix
@@ -0,0 +1 @@
+Added encryption to task argument fields.
diff --git a/pulpcore/app/migrations/0111_task_enc_args_task_enc_kwargs.py b/pulpcore/app/migrations/0111_task_enc_args_task_enc_kwargs.py
@@ -0,0 +1,28 @@
+# Generated by Django 4.2.4 on 2023-09-04 11:56
+
+import django.core.serializers.json
+from django.db import migrations
+import pulpcore.app.models.fields
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("core", "0110_apiappstatus"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="task",
+            name="enc_args",
+            field=pulpcore.app.models.fields.EncryptedJSONField(
+                encoder=django.core.serializers.json.DjangoJSONEncoder, null=True
+            ),
+        ),
+        migrations.AddField(
+            model_name="task",
+            name="enc_kwargs",
+            field=pulpcore.app.models.fields.EncryptedJSONField(
+                encoder=django.core.serializers.json.DjangoJSONEncoder, null=True
+            ),
+        ),
+    ]
diff --git a/pulpcore/app/models/task.py b/pulpcore/app/models/task.py
@@ -19,6 +19,7 @@
     GenericRelationModel,
 )
 from pulpcore.app.models.status import BaseAppStatus
+from pulpcore.app.models.fields import EncryptedJSONField
 from pulpcore.constants import TASK_CHOICES, TASK_INCOMPLETE_STATES, TASK_STATES
 from pulpcore.exceptions import AdvisoryLockError, exception_to_dict
 from pulpcore.app.util import get_domain_pk, current_task
@@ -82,9 +83,15 @@ class Task(BaseModel, AutoAddObjPermsMixin):
 
     error = models.JSONField(null=True)
 
+    # These fields should finally be removed in 3.40 by a migration that checks all components are
+    # running at least <version this landed> then copies their values to enc_(kw)args and adds
+    # pulpcore >= <version this landed> in the modified tasks version_requirements.
     args = models.JSONField(null=True, encoder=DjangoJSONEncoder)
     kwargs = models.JSONField(null=True, encoder=DjangoJSONEncoder)
 
+    enc_args = EncryptedJSONField(null=True, encoder=DjangoJSONEncoder)
+    enc_kwargs = EncryptedJSONField(null=True, encoder=DjangoJSONEncoder)
+
     worker = models.ForeignKey("Worker", null=True, related_name="tasks", on_delete=models.SET_NULL)
 
     parent_task = models.ForeignKey(

diff --git a/pulpcore/tasking/tasks.py b/pulpcore/tasking/tasks.py
@@ -59,8 +59,8 @@ def _execute_task(task):
         module_name, function_name = task.name.rsplit(".", 1)
         module = importlib.import_module(module_name)
         func = getattr(module, function_name)
-        args = task.args or ()
-        kwargs = task.kwargs or {}
+        args = task.enc_args or task.args or ()
+        kwargs = task.enc_kwargs or task.kwargs or {}
         result = func(*args, **kwargs)
         if asyncio.iscoroutine(result):
             _logger.debug(_("Task is coroutine %s"), task.pk)
@@ -167,8 +167,8 @@ def dispatch(
                 logging_cid=(get_guid()),
                 task_group=task_group,
                 name=function_name,
-                args=args,
-                kwargs=kwargs,
+                enc_args=args,
+                enc_kwargs=kwargs,
                 parent_task=Task.current(),
                 reserved_resources_record=resources,
                 versions=versions,