Complete admin package restructuring

2025-05-10 08:28:15 +02:00
parent 4f970a3f71
commit 0a427b6a91
80 changed files with 1282 additions and 843 deletions
--- a/packages/sshecret-admin/src/sshecret_admin/services/master_password.py
+++ b/packages/sshecret-admin/src/sshecret_admin/services/master_password.py
@ -0,0 +1,82 @@
+"""Functions related to handling the password database master password."""
+
+import secrets
+from pathlib import Path
+from sshecret.crypto import (
+    create_private_rsa_key,
+    load_private_key,
+    encrypt_string,
+    decode_string,
+)
+from sshecret_admin.core.settings import AdminServerSettings
+
+KEY_FILENAME = "sshecret-admin-key"
+
+
+def setup_master_password(
+    settings: AdminServerSettings,
+    filename: str = KEY_FILENAME,
+    regenerate: bool = False,
+) -> str | None:
+    """Setup master password.
+
+    If regenerate is True, a new key will be generated.
+
+    This method should run just after setting up the database.
+    """
+    created = _initial_key_setup(settings, filename, regenerate)
+    if not created:
+        return None
+
+    return _generate_master_password(settings, filename)
+
+
+def decrypt_master_password(
+    settings: AdminServerSettings, encrypted: str, filename: str = KEY_FILENAME
+) -> str:
+    """Retrieve master password."""
+    keyfile = Path(filename)
+    if not keyfile.exists():
+        raise RuntimeError("Error: Private key has not been generated yet.")
+
+    private_key = load_private_key(KEY_FILENAME, password=settings.secret_key)
+    return decode_string(encrypted, private_key)
+
+
+def _generate_password() -> str:
+    """Generate a password."""
+    return secrets.token_urlsafe(32)
+
+
+def _initial_key_setup(
+    settings: AdminServerSettings,
+    filename: str = KEY_FILENAME,
+    regenerate: bool = False,
+) -> bool:
+    """Set up initial keys."""
+    keyfile = Path(filename)
+
+    if keyfile.exists() and not regenerate:
+        return False
+
+    assert settings.secret_key is not None, (
+        "Error: Could not load a secret key from environment."
+    )
+    create_private_rsa_key(keyfile, password=settings.secret_key)
+    return True
+
+
+def _generate_master_password(
+    settings: AdminServerSettings, filename: str = KEY_FILENAME
+) -> str:
+    """Generate master password for password database.
+
+    Returns the encrypted string, base64 encoded.
+    """
+    keyfile = Path(filename)
+    if not keyfile.exists():
+        raise RuntimeError("Error: Private key has not been generated yet.")
+    private_key = load_private_key(filename, password=settings.secret_key)
+    public_key = private_key.public_key()
+    master_password = _generate_password()
+    return encrypt_string(master_password, public_key)