Oleksandr Bezdieniezhnykh
4.3 KiB
Security
1. High-Level Overview
Purpose: Provides AES-256-CBC encryption/decryption, multiple key derivation strategies, and OS-specific hardware fingerprinting for machine-bound access control.
Architectural Pattern: Utility / Strategy — stateless static methods for crypto operations; hardware fingerprinting with caching.
Upstream dependencies: Core Models (01) — uses Credentials type, constants.log()
Downstream consumers: Resource Management (03) — ApiClient uses all Security and HardwareService methods
2. Internal Interfaces
Interface: Security
| Method | Input | Output | Async | Error Types |
|---|---|---|---|---|
encrypt_to |
bytes input_bytes, str key |
bytes | No | cryptography errors |
decrypt_to |
bytes ciphertext_with_iv, str key |
bytes | No | cryptography errors |
get_hw_hash |
str hardware |
str | No | — |
get_api_encryption_key |
Credentials creds, str hardware_hash |
str | No | — |
get_resource_encryption_key |
— | str | No | — |
calc_hash |
str key |
str | No | — |
All methods are @staticmethod cdef (Cython-only visibility).
Interface: HardwareService
| Method | Input | Output | Async | Error Types |
|---|---|---|---|---|
get_hardware_info |
— | str | No | subprocess errors |
@staticmethod cdef with module-level caching in _CACHED_HW_INFO.
3. External API Specification
N/A — internal-only component.
4. Data Access Patterns
Caching Strategy
| Data | Cache Type | TTL | Invalidation |
|---|---|---|---|
| Hardware info | In-memory (module global) | Process lifetime | Never (static hardware) |
5. Implementation Details
Algorithmic Complexity: All crypto operations are O(n) in input size.
State Management: HardwareService has one cached string; Security is fully stateless.
Key Dependencies:
| Library | Version | Purpose |
|---|---|---|
| cryptography | 44.0.2 | AES-256-CBC cipher, PKCS7 padding |
Error Handling Strategy:
- Crypto errors propagate to caller (no catch)
subprocess.check_outputin HardwareService raisesCalledProcessErroron failure
Key Derivation Hierarchy:
- Hardware hash:
SHA-384("Azaion_{hw_string}_%$$$)0_")→ base64 - API encryption key:
SHA-384("{email}-{password}-{hw_hash}-#%@AzaionKey@%#---")→ base64 (per-user, per-machine) - Resource encryption key:
SHA-384("-#%@AzaionKey@%#---234sdfklgvhjbnn")→ base64 (fixed, shared) - AES key expansion:
SHA-256(string_key)→ 32-byte AES key (inside encrypt/decrypt)
6. Extensions and Helpers
None.
7. Caveats & Edge Cases
Known limitations:
get_resource_encryption_key()returns a fixed key — all users share the same resource encryption key- Hardware detection uses
shell=Truesubprocess — injection risk if inputs were user-controlled (they are not) - Linux hardware detection may fail on systems without
lscpu,lspci, or/sys/block/sda - Multiple GPUs: only the first GPU line is captured
Potential race conditions:
_CACHED_HW_INFOis a module global written without locking — concurrent first calls could race, but the result is idempotent
8. Dependency Graph
Must be implemented after: Core Models (01)
Can be implemented in parallel with: Resource Management (03) depends on this, so Security must be ready first
Blocks: Resource Management (03)
9. Logging Strategy
| Log Level | When | Example |
|---|---|---|
| INFO | Hardware info gathered | "Gathered hardware: CPU: ... GPU: ... Memory: ... DriveSerial: ..." |
| INFO | Cached hardware reuse | "Using cached hardware info" |
Log format: Via constants.log() — [HH:mm:ss INFO] message
Log storage: Same as Core Models logging configuration