实现数据库的连接串加密

app/infra/repositories/metadata_repository.py

@@ -2,10 +2,16 @@ from dataclasses import dataclass
 from typing import Optional, List
 from uuid import UUID
 
+from cryptography.fernet import InvalidToken
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
-from app.core.encryption import get_encryptor, is_encryption_configured
+from app.core.encryption import (
+    get_database_encryptor,
+    get_encryptor,
+    is_database_encryption_configured,
+    is_encryption_configured,
+)
 from app.infra.db.metadata import models
 
 
@@ -65,9 +71,7 @@ class MetadataRepository:
     def __init__(self, session: AsyncSession):
         self.session = session
 
-    async def get_user_by_keycloak_id(
-        self, keycloak_id: UUID
-    ) -> Optional[models.User]:
+    async def get_user_by_keycloak_id(self, keycloak_id: UUID) -> Optional[models.User]:
         result = await self.session.execute(
             select(models.User).where(models.User.keycloak_id == keycloak_id)
         )
@@ -102,11 +106,16 @@ class MetadataRepository:
         record = result.scalar_one_or_none()
         if not record:
             return None
-        if is_encryption_configured():
-            encryptor = get_encryptor()
+        if not is_database_encryption_configured():
+            raise ValueError("DATABASE_ENCRYPTION_KEY is not configured")
+        encryptor = get_database_encryptor()
+        try:
             dsn = encryptor.decrypt(record.dsn_encrypted)
-        else:
-            dsn = record.dsn_encrypted
+        except InvalidToken:
+            raise ValueError(
+                "Failed to decrypt project DB DSN: DATABASE_ENCRYPTION_KEY mismatch "
+                "or invalid dsn_encrypted value"
+            )
         dsn = _normalize_postgres_dsn(dsn)
         return ProjectDbRouting(
             project_id=record.project_id,