From 3f3dd3ad2123b5c762324e59389e66fa4ba6a89e Mon Sep 17 00:00:00 2001
From: Michael Kouremetis
Date: Tue, 26 Sep 2023 12:05:23 -0400
Subject: [PATCH 1/3] Update auth_svc.py

---
 app/service/auth_svc.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/service/auth_svc.py b/app/service/auth_svc.py
index 5e7e7882f..618ba29d1 100644
--- a/app/service/auth_svc.py
+++ b/app/service/auth_svc.py
@@ -1,5 +1,6 @@
 import base64
 from collections import namedtuple
+from hmac import compare_digest
 from importlib import import_module
 
 from aiohttp import web, web_request
@@ -142,9 +143,9 @@ def request_has_valid_api_key(self, request):
 
         if api_key is None:
             return False
-        if api_key == self.get_config(CONFIG_API_KEY_RED):
+        if compare_digest(api_key, self.get_config(CONFIG_API_KEY_RED)):
             return True
-        if api_key == self.get_config(CONFIG_API_KEY_BLUE):
+        if compare_digest(api_key, self.get_config(CONFIG_API_KEY_BLUE)):
             return True
         return False
 

From 3a732793bb441df78cf65f1f2e95714acc1af5a4 Mon Sep 17 00:00:00 2001
From: mkouremetis
Date: Tue, 26 Sep 2023 16:59:12 -0400
Subject: [PATCH 2/3] checking for None type for key value before comparing digest

---
 app/service/auth_svc.py | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/app/service/auth_svc.py b/app/service/auth_svc.py
index 618ba29d1..d3f9a27de 100644
--- a/app/service/auth_svc.py
+++ b/app/service/auth_svc.py
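Review bot: In the `@@ -142,9 +143,9 @@` hunk, `compare_digest` raises TypeError rather than returning False when its two arguments are not both ASCII `str` (or both bytes-like), so a request whose `HEADER_API_KEY` value contains non-ASCII characters, or a configured key that is not a `str`, turns the two new comparisons into an unhandled exception instead of a rejected request; the rewritten loop in PATCH 2/3 inherits the same property. A guard such as `if not api_key.isascii(): return False` before the first comparison (or an `except TypeError: return False` around the digest comparison) keeps the reject path a plain False. Whether aiohttp hands non-ASCII header values through as `str` at this point is inferred rather than visible in the hunk. The function's signature appears only in the `@@` context line, so `request_has_valid_api_key` starts outside the hunk.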
@@ -139,16 +139,16 @@ async def login_redirect(self, request, use_template=True):
             raise e
 
     def request_has_valid_api_key(self, request):
-        api_key = request.headers.get(HEADER_API_KEY)
-
-        if api_key is None:
+        request_api_key = request.headers.get(HEADER_API_KEY)
+        if request_api_key is None:
             return False
-        if compare_digest(api_key, self.get_config(CONFIG_API_KEY_RED)):
-            return True
-        if compare_digest(api_key, self.get_config(CONFIG_API_KEY_BLUE)):
-            return True
+        for i in [CONFIG_API_KEY_RED, CONFIG_API_KEY_BLUE]:
+            api_key = self.get_config(i)
+            if api_key is not None and compare_digest(request_api_key, api_key):
+                return True
         return False
 
+
     async def request_has_valid_user_session(self, request):
         return await aiohttp_security_api.authorized_userid(request) is not None
 
@@ -171,9 +171,9 @@ async def get_permissions(self, request):
         identity = await identity_policy.identify(request)
         if identity in self.user_map:
             return [self.Access[p.upper()] for p in self.user_map[identity].permissions]
-        elif request.headers.get('KEY') == self.get_config('api_key_red'):
+        elif request.headers.get(HEADER_API_KEY) == self.get_config(CONFIG_API_KEY_RED):
             return self.Access.RED, self.Access.APP
-        elif request.headers.get('KEY') == self.get_config('api_key_blue'):
+        elif request.headers.get(HEADER_API_KEY) == self.get_config(CONFIG_API_KEY_BLUE):
             return self.Access.BLUE, self.Access.APP
         return ()
 

From 1975106573d5dd2b99a6cfcaa8df576d3a5f6780 Mon Sep 17 00:00:00 2001
From: mkouremetis
Date: Tue, 26 Sep 2023 17:09:20 -0400
Subject: [PATCH 3/3] pep

---
 app/service/auth_svc.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/service/auth_svc.py b/app/service/auth_svc.py
index d3f9a27de..03fccb649 100644
--- a/app/service/auth_svc.py
+++ b/app/service/auth_svc.py
@@ -148,7 +148,6 @@ def request_has_valid_api_key(self, request):
                 return True
         return False
 
-
     async def request_has_valid_user_session(self, request):
         return await aiohttp_security_api.authorized_userid(request) is not None
 
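Review bot: The loop in the `@@ -139,16 +139,16 @@` hunk names its loop variable `i` although it iterates config names, and reuses `api_key` for the configured value right after `api_key` meant the request header in the removed lines, which makes the two sides of the comparison easy to confuse on a later read. Renaming to `for config_name in (CONFIG_API_KEY_RED, CONFIG_API_KEY_BLUE):` and `configured_key = self.get_config(config_name)` keeps the request key and the configured key visibly distinct, and a tuple rather than a list suits a fixed set of names. The method also has no docstring; a one-liner such as `"""Return True when the request's HEADER_API_KEY header matches the configured red or blue key (constant-time compare, unset keys skipped)."""` would record why the None guard and compare_digest are there. The function is fully inside the hunk.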
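Review bot: The two `elif` lines in the `@@ -171,9 +171,9 @@` hunk still compare the header against the configured keys with `==`, so `get_permissions` now disagrees with `request_has_valid_api_key` in this same series, which deliberately moved the identical check to `compare_digest`; the constants were swapped in but the comparison style was not. Factoring the per-key test out of `request_has_valid_api_key` into a small helper (for example `_api_key_matches(self, request_api_key, config_name)` that applies the None guard and `compare_digest`) and calling it from both branches would keep the two paths equivalent and leave a single place to maintain the check. `get_permissions` begins outside the hunk (its signature is only in the `@@` context line).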