From 38ebe23d6a784bd1ea15c72432a9ddedad97f72b Mon Sep 17 00:00:00 2001 From: "Dave St.Germain" Date: Tue, 15 Jan 2019 11:46:12 -0500 Subject: [PATCH] Obscure the user id going to the backend --- edx_proctoring/api.py | 6 +++--- edx_proctoring/utils.py | 15 +++++++++++++++ edx_proctoring/views.py | 3 ++- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/edx_proctoring/api.py b/edx_proctoring/api.py index 986ce084014..1029f2e9221 100644 --- a/edx_proctoring/api.py +++ b/edx_proctoring/api.py @@ -7,7 +7,6 @@ from __future__ import absolute_import from datetime import datetime, timedelta -import hashlib import logging import uuid import pytz @@ -50,7 +49,8 @@ from edx_proctoring.utils import ( humanized_time, - emit_event + emit_event, + obscured_user_id, ) from edx_proctoring.backends import get_backend_provider @@ -600,7 +600,7 @@ def create_exam_attempt(exam_id, user_id, taking_as_proctored=False): scheme = 'https' if getattr(settings, 'HTTPS', 'on') == 'on' else 'http' lms_host = '{scheme}://{hostname}'.format(scheme=scheme, hostname=settings.SITE_NAME) - obs_user_id = hashlib.sha1((u'%s%s' % (exam['course_id'], user_id)).encode('ascii')).hexdigest() + obs_user_id = obscured_user_id(user_id, exam['backend']) # get the name of the user, if the service is available full_name = None diff --git a/edx_proctoring/utils.py b/edx_proctoring/utils.py index a3322129ec6..86a8c3640fa 100644 --- a/edx_proctoring/utils.py +++ b/edx_proctoring/utils.py @@ -5,9 +5,13 @@ from __future__ import absolute_import from datetime import datetime, timedelta +import hashlib +import hmac import logging import pytz +import six +from django.conf import settings from django.utils.translation import ugettext as _ from opaque_keys.edx.keys import CourseKey @@ -216,3 +220,14 @@ def _emit_event(name, context, data): 'Analytics tracker not properly configured. ' 'If this message appears in a production environment, please investigate' ) + + +def obscured_user_id(user_id, *extra): + """ + Obscures the user id, returning a sha1 hash + Any extra information can be added to the hash + """ + obs_hash = hmac.new(settings.SECRET_KEY.encode('ascii'), digestmod=hashlib.sha1) + obs_hash.update(six.text_type(user_id)) + obs_hash.update(u''.join(six.text_type(ext) for ext in extra)) + return obs_hash.hexdigest() diff --git a/edx_proctoring/views.py b/edx_proctoring/views.py index 12a9a019b37..84e1c18240c 100644 --- a/edx_proctoring/views.py +++ b/edx_proctoring/views.py @@ -72,6 +72,7 @@ get_time_remaining_for_attempt, locate_attempt_by_attempt_code, humanized_time, + obscured_user_id, ) ATTEMPTS_PER_PAGE = 25 @@ -1000,7 +1001,7 @@ def get(self, request, course_id, exam_id=None): backend = get_backend_provider(exam) if backend: user = { - 'id': request.user.id, + 'id': obscured_user_id(request.user.id, exam['backend']), 'full_name': request.user.get_full_name(), 'email': request.user.email }