Skip to content

feat: add encryption to the config files and add IBM secrets manager#1179

Merged
lucaseduoli merged 17 commits into
mainfrom
feat/encrypt_config
Mar 19, 2026
Merged

feat: add encryption to the config files and add IBM secrets manager#1179
lucaseduoli merged 17 commits into
mainfrom
feat/encrypt_config

Conversation

@lucaseduoli

Copy link
Copy Markdown
Collaborator

This pull request introduces comprehensive encryption and secure storage for sensitive secrets and credentials across the codebase. The most important changes include encrypting provider API keys and connection secrets, upgrading legacy unencrypted secrets to AES-256-GCM, and refactoring OAuth token handling to use encrypted files. These enhancements improve security and ensure backward compatibility by automatically upgrading old secrets.

Encryption of sensitive secrets and credentials

  • Provider API keys are now encrypted before saving to the config file, and decrypted when loading, in src/config/config_manager.py. Existing unencrypted keys are automatically upgraded to AES-256-GCM if a master secret is available. [1] [2] [3] [4]
  • Connection secrets (such as API keys and tokens) are encrypted when saving and decrypted when loading in src/connectors/connection_manager.py. Legacy unencrypted secrets are automatically upgraded. [1] [2]

OAuth token handling refactoring

  • OAuth token files for Google Drive, OneDrive, SharePoint, and authentication services are now read and written using encrypted file utilities, with automatic upgrade of legacy files. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]

Dependency updates

  • Added ibm-secrets-manager-sdk to pyproject.toml to support secure secret management.

Code cleanup

  • Removed unnecessary aiofiles imports in files that now use encrypted file utilities. [1] [2] [3] [4]

@lucaseduoli lucaseduoli requested a review from zzzming March 18, 2026 13:47
@lucaseduoli lucaseduoli self-assigned this Mar 18, 2026
@github-actions github-actions Bot added backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) enhancement 🔵 New feature or request labels Mar 18, 2026

@edwinjosechittilappilly edwinjosechittilappilly left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lucaseduoli Please move the Test Files to the Test Folders.

Also Please Ensure the Encrypt and decrypt is also implemented for IBM COS and AWS S3 connectors also.

Comment thread src/utils/encryption.py
Comment thread src/connectors/connection_manager.py

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a new encryption layer for secrets persisted to disk (config files, connection storage, and OAuth token caches), with support for retrieving a master secret from IBM Secrets Manager and auto-upgrading legacy plaintext secrets when a master secret is available.

Changes:

  • Add src/utils/encryption.py with AES-256-GCM secret envelopes plus encrypted read/write helpers for token/cache files.
  • Encrypt/decrypt provider API keys in ConfigManager and connection secrets in ConnectionManager, with auto-upgrade behavior.
  • Refactor Google Drive / OneDrive / SharePoint OAuth token-file handling and AuthService token persistence to use encrypted file utilities; add IBM Secrets Manager SDK dependency.

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 13 comments.

Show a summary per file
File Description
uv.lock Locks IBM Secrets Manager SDK + dependencies.
pyproject.toml Adds ibm-secrets-manager-sdk runtime dependency.
src/utils/encryption.py New encryption + IBM Secrets Manager-backed master-secret retrieval + encrypted file helpers.
src/config/config_manager.py Decrypt provider api_key on load; encrypt on save; auto-upgrade legacy plaintext keys.
src/connectors/connection_manager.py Encrypt/decrypt connector config secrets; attempts auto-upgrade of legacy plaintext values.
src/connectors/google_drive/oauth.py Switch token file IO to encrypted read/write utilities with upgrade behavior.
src/connectors/onedrive/oauth.py Switch MSAL cache IO to encrypted read/write utilities with upgrade behavior.
src/connectors/sharepoint/oauth.py Switch MSAL cache IO to encrypted read/write utilities with upgrade behavior.
src/services/auth_service.py Writes OAuth token files via encrypted file utility.
test_encryption.py Adds ad-hoc encryption/config/connection checks (currently outside pytest’s executed paths).
test_ibm_encryption.py Adds ad-hoc master-secret fallback/cache tests (currently outside pytest’s executed paths).
test_oauth_encryption.py Adds ad-hoc OAuth upgrade checks (not structured as pytest tests).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Comment thread src/connectors/onedrive/oauth.py
Comment thread src/utils/encryption.py Outdated
Comment thread src/utils/encryption.py
Comment thread src/utils/encryption.py Outdated
Comment thread src/connectors/sharepoint/oauth.py
Comment thread test_encryption.py Outdated
Comment thread src/connectors/connection_manager.py Outdated
Comment thread test_ibm_encryption.py Outdated
Comment thread test_oauth_encryption.py Outdated
Comment thread test_ibm_encryption.py Outdated
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels Mar 18, 2026
@github-actions github-actions Bot added tests enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels Mar 18, 2026
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels Mar 18, 2026
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request labels Mar 18, 2026
@github-actions github-actions Bot removed the enhancement 🔵 New feature or request label Mar 18, 2026
@github-actions github-actions Bot added enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request documentation 📘 Improvements or additions to documentation labels Mar 18, 2026
@github-actions

This comment has been minimized.

@github-actions github-actions Bot added documentation 📘 Improvements or additions to documentation enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request documentation 📘 Improvements or additions to documentation labels Mar 18, 2026
@github-actions

This comment has been minimized.

@edwinjosechittilappilly

Copy link
Copy Markdown
Collaborator

@lucaseduoli can you add it for IBM COS and AWS S3 keys also ?

Also can you double check if the IBM AUTH .... ENv variable is used?

@zzzming zzzming left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you exit when the encryption key cannot be read successfully? It should fail on the start. introduce a env to force quit until all the prerequisite is met

@github-actions github-actions Bot added documentation 📘 Improvements or additions to documentation enhancement 🔵 New feature or request and removed enhancement 🔵 New feature or request documentation 📘 Improvements or additions to documentation labels Mar 19, 2026
@github-actions

github-actions Bot commented Mar 19, 2026

Copy link
Copy Markdown
Contributor

Build successful! ✅
Deploying docs draft.
Deploy successful! View draft

@lucaseduoli lucaseduoli requested a review from zzzming March 19, 2026 19:09
@lucaseduoli

Copy link
Copy Markdown
Collaborator Author

@lucaseduoli can you add it for IBM COS and AWS S3 keys also ?

Also can you double check if the IBM AUTH .... ENv variable is used?

IBM Auth is used, and its added for IBM COS and AWS S3, since they use connection_manager's update_connection, that is encrypted

@github-actions github-actions Bot added the lgtm label Mar 19, 2026
@lucaseduoli lucaseduoli merged commit d09c3a1 into main Mar 19, 2026
13 checks passed
@github-actions github-actions Bot removed the lgtm label Mar 19, 2026
@github-actions github-actions Bot deleted the feat/encrypt_config branch March 19, 2026 21:39
edwinjosechittilappilly pushed a commit that referenced this pull request Mar 24, 2026
…1179)

* added encryption based on env defined key

* added ibm secrets manager and salt + kdf

* changed ibm secrets manager access type and added constants

* change test folder and used pytest

* added ibm cos and aws keys as secrets

* fixed cache not being saved

* fixed error not raising

* fixed tenant id not expecting the matching tenant

* added preserve editred

* added decryption failed test

* added ibm encryption under the feature flag

* Added openrag encryption key to environment, configuration and tui

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <[email protected]>

* changed descriptions

* added tenant id as env

* fixed tests

* enforce prerequisites

---------

Co-authored-by: Copilot Autofix powered by AI <[email protected]>
lucaseduoli added a commit that referenced this pull request Mar 24, 2026
…1179)

* added encryption based on env defined key

* added ibm secrets manager and salt + kdf

* changed ibm secrets manager access type and added constants

* change test folder and used pytest

* added ibm cos and aws keys as secrets

* fixed cache not being saved

* fixed error not raising

* fixed tenant id not expecting the matching tenant

* added preserve editred

* added decryption failed test

* added ibm encryption under the feature flag

* Added openrag encryption key to environment, configuration and tui

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <[email protected]>

* changed descriptions

* added tenant id as env

* fixed tests

* enforce prerequisites

---------

Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) enhancement 🔵 New feature or request tests

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants