Add and document reencrypt_fields command

2025-03-21 15:58:52 +01:00 · 2025-03-21 15:58:52 +01:00 · 4e603246f7
commit 4e603246f7
parent 899bffb974
5 changed files with 41 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@ -5,10 +5,13 @@
 SERVALA_ENVIRONMENT='development'

 # Set SERVALA_PREVIOUS_SECRET_KEY when rotating to a new secret key in order to not expire all sessions and to remain able to read encrypted fields!
+# In order to retire the previous key, run the ``reencrypt_fields`` command. Once you drop the previous secret key from
+# the rotation, all sessions that still rely on that key will be invalidated (i.e., users will have to log in again).
 # SERVALA_PREVIOUS_SECRET_KEY=''
 SERVALA_SECRET_KEY='django-insecure-8sl^1&1f-$3%w7cf)q(rcvi4jo(#s3ug-@be0ooc2ioep*&%7@'

 # Set SERVALA_PREVIOUS_SALT_KEY when rotating to a new salt in order to remain able to read encrypted fields!
+# In order to retire the previous key, run the ``reencrypt_fields`` command.
 # SERVALA_PREVIOUS_SALT_KEY=''
 SERVALA_SALT_KEY='eed6UaCi3euZojai5Iequ8ochookun1o'

--- a/README.md
+++ b/README.md
@ -91,3 +91,20 @@ See `.forgejo/workflows/build-deploy-staging.yaml` for the actual workflow.
 Deployment files are in the `deployment/kustomize` folder and makes use of [Kustomize](https://kustomize.io/) to account for differences between the deployment stages.
 Stages are configured with overlays in `deployment/kustomize/overlays/$environment`.

+## Maintenance and management commands
+
+You can interface with the Django server and project by running commands like this:
+
+```bash
+uv run --env-file=.env src/manage.py COMMAND
+```
+
+Useful commands:
+
+- ``migrate``: Make sure database migrations are applied.
+- ``showmigrations``: Show current database migrations status. Good for debugging.
+- ``runserver``: Run development server
+- ``clearsessions``: Clear away expired user sessions. Recommended to run regularly, e.g. weekly or monthly (doesn’t
+  need to be frequent, but otherwise, the database is going to bloat eventually)
+- ``reencrypt_fields``: Run after you changed your ``SERVALA_SECRET_KEY`` or ``SERVALA_SALT_KEY`` in order to use the
+  new keys, and be able to retire the previous ones.
--- a/src/servala/core/management/init.py
+++ b/src/servala/core/management/init.py
--- a/src/servala/core/management/commands/init.py
+++ b/src/servala/core/management/commands/init.py
--- a/src/servala/core/management/commands/reencrypt_fields.py
+++ b/src/servala/core/management/commands/reencrypt_fields.py
@ -0,0 +1,21 @@
+from django.core.management.base import BaseCommand
+from django.db import transaction
+
+from servala.core.models.service import ControlPlane
+
+
+class Command(BaseCommand):
+    help = "Re-encrypts all encrypted fields. Use when rotating SECRET_KEY/SALT"
+
+    def handle(self, *args, **options):
+        self.stdout.write("Starting re-encryption of ControlPlane objects...")
+
+        count = 0
+        with transaction.atomic():
+            for control_plane in ControlPlane.objects.all():
+                control_plane.save()
+                count += 1
+
+        self.stdout.write(
+            self.style.SUCCESS(f"Re-encrypted {count} ControlPlane objects")
+        )