Skip to main content
This is a pre-production deployment of Warehouse. Changes made here affect the production instance of PyPI (pypi.python.org).
Help us improve Python packaging - Donate today!

Replace Rest Framework's IntegerField pk or id lookups with encrypted strings.

Project Description
[![PyPI](https://img.shields.io/pypi/dm/django-rest-encrypted-lookup.svg)]()
[![Build Status](https://travis-ci.org/InterSIS/django-rest-encrypted-lookup.svg?branch=master)](https://travis-ci.org/InterSIS/django-rest-encrypted-lookup)

django-rest-encrypted-lookup
=============

Drop-in ViewSets, Serializers, and Fields that replace your IntegerField pk or id lookups with encrypted string lookups.

Use a single cipher across your entire project, or provide a unique cipher for each serializer, model, user, and/or client.

The json representation of a poll:
```
{
"id": 5,
"questions": [
2,
10,
12,
]
}
```
becomes:
```
{
"id": "4xoh7gja2mtvz3i47ywy5h6ouu",
"questions": [
"t6y4zo26vutj4xclh5hpy3sc5m",
"hp7c75ggggiwv6cs5zc4mpzeoe",
"rqq5a2evfokyo7tz74loiu3bcq",
]
}
```

Choose a user-by-user cipher such that:
```
# User A GETs /api/polls/ and receives:

{
"results": [
"4xoh7gja2mtvz3i47ywy5h6ouu",
"12gc75ggggiwv6cs5zc4mpzeoe",
]
}

# User B GETs /api/polls/ and receives:

{
"results": [
"rqq5a2evfokyo7tz74loiu3bcq",
"hp7c75g84g63v6cs5zc423zeoe",
]
}
```


If you prefer hyperlinked related fields:
```
{
"id": "4xoh7gja2mtvz3i47ywy5h6ouu",
"questions": [
"https://example.com/api/questions/t6y4zo26vutj4xclh5hpy3sc5m/",
"https://example.com/api/questions/hp7c75ggggiwv6cs5zc4mpzeoe/",
"https://example.com/api/questions/rqq5a2evfokyo7tz74loiu3bcq/",
]
}
```

The endpoint:

```
/api/polls/5/
```
becomes:
```
/api/polls/4xoh7gja2mtvz3i47ywy5h6ouu/
```

Encrypted lookups are *not* appropriate to use as a security measure against users guessing object URIs. Encrypted
lookups *are* appropriate to use as a method of obfuscating object pks/ids.


Installation
===============

Install the module in your Python distribution or virtualenv:

$ pip install django-rest-encrypted-lookup

Add the application to your `INSTALLED_APPS`:

```
INSTALLED_APPS = (
...
"rest_framework_encrypted_lookup",
...
)
```

And in settings.py:

```
ENCRYPTED_LOOKUP = {
'lookup_field_name': 'id', # String value name of your drf lookup field, generally 'id' or 'pk'
'secret_key': 'uniquesecret', # Choose a string value unique secret key with which to encrypt your lookup fields
},
```

How it Works
============

Encrypted lookup strings are *not* stored in the database in association with the objects they represent. Encrypted
lookups are generated by the model serializers during response composition. Encrypted lookups presented in the endpoint
URI are decrypted in the call to dispatch, and encrypted lookups presented in data fields are decrypted by the model
deserializers.

Encryption is provided by the PyCrypto AES library.

Use
===

django-rest-encrypted-lookup provides three field classes:

from rest_framework_encrypted_lookup.fields import EncryptedLookupField, EncryptedLookupRelatedField, EncryptedLookupHyperlinkedRelatedField

two new serializer classes:

from rest_framework_encrypted_lookup.serializers import EncryptedLookupModelSerializer, EncryptedLookupHyperlinkedModelSerializer

and a generic view class:

from rest_framework_encrypted_lookup.views import EncryptedLookupGenericViewSet

Use these in place of the classes provided with Django Rest Framework 3.

Example:

```
# models.py
...
class Poll(models.Model):
...


# serializers.py
...
class PollSerializer(EncryptedLookupModelSerializer):

class Meta:
model = Poll


# views.py
...
from rest_framework import viewsets

class PollViewSet(EncryptedLookupGenericViewSet,
viewsets.mixins.ListModelMixin,
viewsets.mixins.RetrieveModelMixin,
...
)

queryset = Poll.objects.all()
serializer_class = PollSerializer

lookup_field = 'id'
```

Of the classes included in this package, the example above makes use of `EncryptedLookupModelSerializer`, and
`EncryptedLookupGenericViewSet`.

The fields `EncryptedLookupField`, `EncryptedLookupRelatedField` are used implicitly
by the EncryptedLookupModelSerializer. These fields may also be used explicitly, if needed.

We could have used `EncryptedLookupHyperlinkedModelSerializer` instead of `EncryptedLookupModelSerializer`:
```
# serializers.py
...
class PollSerializer(EncryptedLookupHyperlinkedModelSerializer):

class Meta:
model = Poll
```

In this case, PollSerializer would serialize related fields as hyperlinks, using the `EncryptedHyperlinkedLookupRelatedField`.

By default, every encrypted-lookup serializer class will use the same cypher. You can choose a non-default cypher by
overwriting your serializer's `get_cypher` method. Here is a ```get_cypher``` method that will produce a unique cypher per-model:

```
from rest_framework_encrypted_lookup.utils import IDCipher
from rest_framework_encrypted_lookup.settings import encrypted_lookup_settings

class MyEncryptedLookupModelSerializer(EncryptedLookupModelSerializer):

def get_cipher(self):
return IDCipher(secret=encrypted_lookup_settings['secret_key']+self.Meta.model)

```

Here is a ```get_cypher``` method that will produce a unique cypher per-user:

```
from rest_framework_encrypted_lookup.utils import IDCipher
from rest_framework_encrypted_lookup.settings import encrypted_lookup_settings

class MyEncryptedLookupModelSerializer(EncryptedLookupModelSerializer):

def get_cipher(self):
# Let's suppose that a user must be logged in to reach this endpoint.

return IDCipher(secret=encrypted_lookup_settings['secret_key']+self._context["request"].user.username)

```


Compatibility
=============

* Django Rest Framework 3.0, 3.1
* Django 1.6, 1.7, 1.8
* Python 2.7, 3.3, 3.4

See tox.ini for specific minor versions tested.

Additional Requirements
=======================

* PyCrypto 2.6.1

Todo
====

* Helpful exceptions.
* Coverage.

Getting Involved
================

Feel free to open pull requests or issues. GitHub is the canonical location of this project.
Release History

Release History

This version
History Node

0.10.1

History Node

0.10.0

History Node

0.9.5

History Node

0.9.0

History Node

0.8.3

History Node

0.8.1

History Node

0.8

Download Files

Download Files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date
django-rest-encrypted-lookup-0.10.1.tar.gz (21.0 kB) Copy SHA256 Checksum SHA256 Source Sep 14, 2015

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting