[![PyPI](https://img.shields.io/pypi/v/vcrpy-encrypt)](https://pypi.org/project/vcrpy-encrypt/) [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/vcrpy-encrypt)](https://pypi.org/project/vcrpy-encrypt/) [![CI Status](https://img.shields.io/github/actions/workflow/status/CarloDePieri/vcrpy-encrypt/prod.yml?branch=main)](https://github.com/CarloDePieri/vcrpy-encrypt/actions/workflows/prod.yml) [![Coverage Status](https://coveralls.io/repos/github/CarloDePieri/vcrpy-encrypt/badge.svg?branch=main)](https://coveralls.io/github/CarloDePieri/vcrpy-encrypt?branch=main) [![Maintenance](https://img.shields.io/maintenance/yes/2024)](https://github.com/CarloDePieri/vcrpy-encrypt/)
Encrypt vcrpy cassettes so they can be safely kept under version control.
## Rationale
Sensitive data can easily end up in HTTP requests/responses during testing.
[Vcrpy](https://vcrpy.readthedocs.io/en/latest/index.html) has
[a way to scrub that data](https://vcrpy.readthedocs.io/en/latest/advanced.html#filter-sensitive-data-from-the-request)
from its cassettes, but sometimes the tests that logged them actually need that information to pass.
This would normally result in a choice: either don't record those test cassettes or don't keep them under version
control so that they can remain local only.
Enters vcrpy-encrypt: at its core it's a simple
[vcrpy persister](https://vcrpy.readthedocs.io/en/latest/advanced.html#register-your-own-cassette-persister) that will
encrypt cassettes before writing them to disk and decrypt them before replaying them when needed by a test. This means
that tests can replay cassettes with sensitive data in them AND those cassettes can now be safely kept under version
control and shared with others.
## Install
Simply run:
```bash
pip install vcrpy-encrypt
```
## Usage
### Provide a secret key
A secret key is needed to encrypt cassettes. It must be a 128, a 192 or a 256 bits long `bytes` object. vcrpy-encrypt
offers an easy way to generate a random key:
```bash
python -c "from vcrpy_encrypt import generate_key; print(generate_key())"
```
By default this will result in a 128 bits key, but `generate_key` can take `128` or `192` or `256` as argument to
generate a longer key.
If a specific key is preferred, it can be converted from an utf-8, 16/24/32 characters long string like this:
```python
key = "sixteensecretkey".encode("UTF-8") # len(b'sixteensecretkey') == 16
```
No matter the source, the key must be kept secret and separated from the code under version control!
### Register the persister
Vcrpy's custom persister api needs a class reference. This class can be defined inheriting from
`BaseEncryptedPersister` like this:
```python
from vcrpy_encrypt import BaseEncryptedPersister
key = ... # recover the secret key from somewhere safe
class MyEncryptedPersister(BaseEncryptedPersister):
# the encryption_key field must be initialized here with the chosen key
encryption_key: bytes = key
```
The encrypted persister can now be registered and used:
```python
import vcr
import requests
# create a custom vcr object
my_vcr = vcr.VCR()
# register the encrypted persister into the custom vcr object
my_vcr.register_persister(MyEncryptedPersister)
# use that custom vcr object with use_cassette
with my_vcr.use_cassette("encoded-cassette"):
# this request will produce an encrypted cassette and will replay it on following runs
requests.get("https://localhost/?key=super-secret")
```
Keep in mind that multiple vcr objects can coexists, so it's possible to use the default vcr everywhere while
reserving the one with the encrypted persister only for requests resulting in cassettes with sensitive data.
## Customization
Sometimes it can be handy to inspect the content of a cassette. This can be done even when using encrypted cassettes:
```python
class MyEncryptedPersister(BaseEncryptedPersister):
encryption_key: bytes = key
should_output_clear_text_as_well = True
```
This persister will output a clear text cassette side by side with the encrypted one. Remember to blacklist all clear
text cassette in the version control system! For example this will cause git to ignore all `.yaml` file inside a
cassettes' folder (at any depth):
```bash
# file: .gitignore
**/cassettes/**/*.yaml
```
Clear text cassettes are only useful for human inspection: the persister will still use only the encrypted ones to
replay network requests.
If different cassettes file name suffix are desired, they can be customized:
```python
class MyEncryptedPersister(BaseEncryptedPersister):
encryption_key: bytes = key
should_output_clear_text_as_well = True
clear_text_suffix = ".custom_clear"
encoded_suffix = ".custom_enc"
```
## Encryption performance
Currently this library is encrypting cassettes using [cryptography](https://cryptography.io/) with [AES-GCM](https://cryptography.io/en/latest/hazmat/primitives/aead/#cryptography.hazmat.primitives.ciphers.aead.AESGCM). This algorithm
implementation is striking a good balance between security and performance.
Keep in mind that key length will have an impact on encrypt time: 128 bits keys should suffice for most use cases.
## Development
Install [invoke](http://pyinvoke.org/) and [poetry](https://python-poetry.org/):
```bash
pip install invoke poetry
```
Now clone the git repo:
```bash
git clone git@github.com:CarloDePieri/vcrpy-encrypt.git
cd vcrpy-encrypt
inv install
```
This will try to create a virtualenv based on `python3.8` and install there all
project's dependencies. If a different python version is preferred, it can be
selected by specifying the `--python` (`-p`) flag like this:
```bash
inv install -p python3.9
```
The test suite can be run with commands:
```bash
inv test # run the test suite
inv test-spec # run the tests while showing the output as a spec document
inv test-cov # run the tests suite and produce a coverage report
```
To run the test suite against all supported python version (they must be in path!) run:
```bash
inv test-all-python-version
```
To test the github workflow with [act](https://github.com/nektos/act):
```bash
# First you need a .secrets file - do not version control this!
echo "repo_token: your_coveralls_token" > .secrets
# Then you can run one of these:
inv act-prod # test the dev workflow
inv act-prod -c shell # open a shell in the act container (the above must fail first!)
inv act-prod -c clean # stop and delete a failed act container
```
Raw data
{
"_id": null,
"home_page": "https://github.com/CarloDePieri/vcrpy-encrypt",
"name": "vcrpy-encrypt",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.8.1,<4.0.0",
"maintainer_email": "",
"keywords": "python,vcr,vcrpy,encrypt",
"author": "Carlo De Pieri",
"author_email": "depieri.carlo@gmail.com",
"download_url": "https://files.pythonhosted.org/packages/bd/a1/bebcd317186416e807c6565ada65abc5472196026165afad503c4aaaab0b/vcrpy_encrypt-0.9.2.tar.gz",
"platform": null,
"description": "[![PyPI](https://img.shields.io/pypi/v/vcrpy-encrypt)](https://pypi.org/project/vcrpy-encrypt/) [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/vcrpy-encrypt)](https://pypi.org/project/vcrpy-encrypt/) [![CI Status](https://img.shields.io/github/actions/workflow/status/CarloDePieri/vcrpy-encrypt/prod.yml?branch=main)](https://github.com/CarloDePieri/vcrpy-encrypt/actions/workflows/prod.yml) [![Coverage Status](https://coveralls.io/repos/github/CarloDePieri/vcrpy-encrypt/badge.svg?branch=main)](https://coveralls.io/github/CarloDePieri/vcrpy-encrypt?branch=main) [![Maintenance](https://img.shields.io/maintenance/yes/2024)](https://github.com/CarloDePieri/vcrpy-encrypt/)\n\nEncrypt vcrpy cassettes so they can be safely kept under version control.\n\n## Rationale\n\nSensitive data can easily end up in HTTP requests/responses during testing.\n[Vcrpy](https://vcrpy.readthedocs.io/en/latest/index.html) has\n[a way to scrub that data](https://vcrpy.readthedocs.io/en/latest/advanced.html#filter-sensitive-data-from-the-request)\nfrom its cassettes, but sometimes the tests that logged them actually need that information to pass.\n\nThis would normally result in a choice: either don't record those test cassettes or don't keep them under version\ncontrol so that they can remain local only.\n\nEnters vcrpy-encrypt: at its core it's a simple\n[vcrpy persister](https://vcrpy.readthedocs.io/en/latest/advanced.html#register-your-own-cassette-persister) that will\nencrypt cassettes before writing them to disk and decrypt them before replaying them when needed by a test. This means\nthat tests can replay cassettes with sensitive data in them AND those cassettes can now be safely kept under version\ncontrol and shared with others.\n\n## Install\n\nSimply run:\n\n```bash\npip install vcrpy-encrypt\n```\n\n## Usage\n\n### Provide a secret key\n\nA secret key is needed to encrypt cassettes. It must be a 128, a 192 or a 256 bits long `bytes` object. vcrpy-encrypt\noffers an easy way to generate a random key:\n\n```bash\npython -c \"from vcrpy_encrypt import generate_key; print(generate_key())\"\n```\n\nBy default this will result in a 128 bits key, but `generate_key` can take `128` or `192` or `256` as argument to\ngenerate a longer key.\n\nIf a specific key is preferred, it can be converted from an utf-8, 16/24/32 characters long string like this:\n\n```python\nkey = \"sixteensecretkey\".encode(\"UTF-8\") # len(b'sixteensecretkey') == 16\n```\n\nNo matter the source, the key must be kept secret and separated from the code under version control!\n\n### Register the persister\n\nVcrpy's custom persister api needs a class reference. This class can be defined inheriting from\n`BaseEncryptedPersister` like this:\n\n```python\nfrom vcrpy_encrypt import BaseEncryptedPersister\n\nkey = ... # recover the secret key from somewhere safe\n\nclass MyEncryptedPersister(BaseEncryptedPersister):\n # the encryption_key field must be initialized here with the chosen key\n encryption_key: bytes = key\n```\n\nThe encrypted persister can now be registered and used:\n\n```python\nimport vcr\nimport requests\n\n# create a custom vcr object\nmy_vcr = vcr.VCR()\n\n# register the encrypted persister into the custom vcr object\nmy_vcr.register_persister(MyEncryptedPersister)\n\n# use that custom vcr object with use_cassette\nwith my_vcr.use_cassette(\"encoded-cassette\"):\n # this request will produce an encrypted cassette and will replay it on following runs\n requests.get(\"https://localhost/?key=super-secret\")\n```\n\nKeep in mind that multiple vcr objects can coexists, so it's possible to use the default vcr everywhere while\nreserving the one with the encrypted persister only for requests resulting in cassettes with sensitive data.\n\n## Customization\n\nSometimes it can be handy to inspect the content of a cassette. This can be done even when using encrypted cassettes:\n\n```python\nclass MyEncryptedPersister(BaseEncryptedPersister):\n encryption_key: bytes = key\n should_output_clear_text_as_well = True\n```\n\nThis persister will output a clear text cassette side by side with the encrypted one. Remember to blacklist all clear\ntext cassette in the version control system! For example this will cause git to ignore all `.yaml` file inside a\ncassettes' folder (at any depth):\n\n```bash\n# file: .gitignore\n**/cassettes/**/*.yaml\n```\nClear text cassettes are only useful for human inspection: the persister will still use only the encrypted ones to\nreplay network requests.\n\nIf different cassettes file name suffix are desired, they can be customized:\n\n```python\nclass MyEncryptedPersister(BaseEncryptedPersister):\n encryption_key: bytes = key\n should_output_clear_text_as_well = True\n clear_text_suffix = \".custom_clear\"\n encoded_suffix = \".custom_enc\"\n```\n\n## Encryption performance\n\nCurrently this library is encrypting cassettes using [cryptography](https://cryptography.io/) with [AES-GCM](https://cryptography.io/en/latest/hazmat/primitives/aead/#cryptography.hazmat.primitives.ciphers.aead.AESGCM). This algorithm\nimplementation is striking a good balance between security and performance.\n\nKeep in mind that key length will have an impact on encrypt time: 128 bits keys should suffice for most use cases.\n\n## Development\n\nInstall [invoke](http://pyinvoke.org/) and [poetry](https://python-poetry.org/):\n\n```bash\npip install invoke poetry\n```\n\nNow clone the git repo:\n\n```bash\ngit clone git@github.com:CarloDePieri/vcrpy-encrypt.git\ncd vcrpy-encrypt\ninv install\n```\n\nThis will try to create a virtualenv based on `python3.8` and install there all\nproject's dependencies. If a different python version is preferred, it can be\nselected by specifying the `--python` (`-p`) flag like this:\n\n```bash\ninv install -p python3.9\n```\n\nThe test suite can be run with commands:\n\n```bash\ninv test # run the test suite\ninv test-spec # run the tests while showing the output as a spec document\ninv test-cov # run the tests suite and produce a coverage report\n```\n\nTo run the test suite against all supported python version (they must be in path!) run:\n\n```bash\ninv test-all-python-version\n```\n\nTo test the github workflow with [act](https://github.com/nektos/act):\n\n```bash\n# First you need a .secrets file - do not version control this!\necho \"repo_token: your_coveralls_token\" > .secrets\n\n# Then you can run one of these:\ninv act-prod # test the dev workflow\ninv act-prod -c shell # open a shell in the act container (the above must fail first!)\ninv act-prod -c clean # stop and delete a failed act container\n```\n",
"bugtrack_url": null,
"license": "GPL-3.0-only",
"summary": "Encrypt vcrpy cassettes so they can be safely kept under version control.",
"version": "0.9.2",
"project_urls": {
"Homepage": "https://github.com/CarloDePieri/vcrpy-encrypt",
"Repository": "https://github.com/CarloDePieri/vcrpy-encrypt"
},
"split_keywords": [
"python",
"vcr",
"vcrpy",
"encrypt"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "54b4e8c1fef2acc6ff3a7c1ace632bf233ea1590325872b9aa74aeb8efb764d3",
"md5": "ee6b629e4bb4f5d954261cb2d480ddb4",
"sha256": "1225750d396b51da68d4fd86bdb4120f26562d66b4de2e23679bd1945af838aa"
},
"downloads": -1,
"filename": "vcrpy_encrypt-0.9.2-py3-none-any.whl",
"has_sig": false,
"md5_digest": "ee6b629e4bb4f5d954261cb2d480ddb4",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8.1,<4.0.0",
"size": 17778,
"upload_time": "2024-02-16T11:23:11",
"upload_time_iso_8601": "2024-02-16T11:23:11.543032Z",
"url": "https://files.pythonhosted.org/packages/54/b4/e8c1fef2acc6ff3a7c1ace632bf233ea1590325872b9aa74aeb8efb764d3/vcrpy_encrypt-0.9.2-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "bda1bebcd317186416e807c6565ada65abc5472196026165afad503c4aaaab0b",
"md5": "eecbdaf05ee1650d0914c92104007753",
"sha256": "284cfdfda805e71bd96666b021e6b3c31a60267370726a891ae1df9d1ef74d90"
},
"downloads": -1,
"filename": "vcrpy_encrypt-0.9.2.tar.gz",
"has_sig": false,
"md5_digest": "eecbdaf05ee1650d0914c92104007753",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8.1,<4.0.0",
"size": 17191,
"upload_time": "2024-02-16T11:23:13",
"upload_time_iso_8601": "2024-02-16T11:23:13.390034Z",
"url": "https://files.pythonhosted.org/packages/bd/a1/bebcd317186416e807c6565ada65abc5472196026165afad503c4aaaab0b/vcrpy_encrypt-0.9.2.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-02-16 11:23:13",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "CarloDePieri",
"github_project": "vcrpy-encrypt",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "vcrpy-encrypt"
}