Make AESCipher and Fernet compatible

The two schemes now have compatible methods and signatures. To do this, Fernet accepts
more params than it uses. These have been added to allow for easier transition. They
will be removed in the next release to clean up the class.

Moreover, Fernet dictates a very specific format for the "key" that it accepts an uses
to encrypt and decrypt payloads. The key must be 32 url-safe bytes long in base64
format.

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

src/saml2/cryptography/symmetric.py

@@ -12,6 +12,8 @@
 import cryptography.hazmat.backends as _backends
 import cryptography.hazmat.primitives.ciphers as _ciphers
 
+from .errors import SymmetricCryptographyError
+
 
 class Fernet(object):
     """The default symmetric cryptography method."""
@@ -30,26 +32,65 @@ def __init__(self, key=None):
 
         :param key: byte data representing the encyption/decryption key
         """
-        self._symmetric = _fernet.Fernet(key or self.__class__.generate_key())
+        if key:
+            fernet_key_error = SymmetricCryptographyError(
+                "Fernet key must be 32 url-safe base64-encoded bytes."
+            )
+            try:
+                raw_key = _base64.b64decode(key)
+            except Exception as e:
+                raise fernet_key_error from e
+            else:
+                if len(raw_key) != 32:
+                    raise fernet_key_error
+        else:
+            key = self.__class__.generate_key()
 
-    def encrypt(self, plaintext):
+        self._symmetric = _fernet.Fernet(key)
+
+    def encrypt(self, plaintext, *args, **kwargs):
         """Encrypt the given plaintext.
 
         :param plaintext: byte data representing the plaintext
         :return: byte data representing the ciphertext
         """
+        if args or kwargs:
+            _deprecation_msg = (
+                "The '.encrypt' method does not take into account any arguements, "
+                "other than the 'ciphertext' param. "
+                "Remove any other arguements. "
+                "In the next version, this method will not allow them."
+            )
+            _warnings.warn(_deprecation_msg, DeprecationWarning)
+
         ciphertext = self._symmetric.encrypt(plaintext)
         return ciphertext
 
-    def decrypt(self, ciphertext):
+    def decrypt(self, ciphertext, *args, **kwargs):
         """Decrypt the given ciphertext.
 
         :param ciphertext: byte data representing the ciphertext
         :return: byte data representing the plaintext
         """
+        if args or kwargs:
+            _deprecation_msg = (
+                "The '.decrypt' method does not take into account any arguements, "
+                "other than the 'ciphertext' param. "
+                "Remove any other arguements. "
+                "In the next version, this method will not allow them."
+            )
+            _warnings.warn(_deprecation_msg, DeprecationWarning)
+
         plaintext = self._symmetric.decrypt(ciphertext)
         return plaintext
 
+    def build_cipher(self, *args, **kwargs):
+        _deprecation_msg = (
+            "The 'Fernet' class does not need a build_cipher method."
+            "Remove any calls to this method. "
+            "In the next version, this method will be removed."
+        ).format(name=cls.__name__, type=type(cls).__name__)
+        _warnings.warn(_deprecation_msg, DeprecationWarning)
 
 
 class AESCipher(object):
@@ -71,7 +112,9 @@ def _deprecation_notice(cls):
         _deprecation_msg = (
             '{name} {type} is deprecated. '
             'It will be removed in the next version. '
-            'Use saml2.cryptography.symmetric instead.'
+            'Use saml2.cryptography.symmetric.Default '
+            'or saml2.cryptography.symmetric.Fernet '
+            'instead.'
         ).format(name=cls.__name__, type=type(cls).__name__)
         _warnings.warn(_deprecation_msg, DeprecationWarning)