From 4517e28cd1a90e6e014c17f32ad705bb47cd97f8 Mon Sep 17 00:00:00 2001
From: Serghei Mihai
Date: Fri, 9 Oct 2015 13:34:57 +0200
Subject: [PATCH] compute service api key from its orig and destination service key (#8580)
---
 hobo/multitenant/settings_loaders.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/hobo/multitenant/settings_loaders.py b/hobo/multitenant/settings_loaders.py
index c7f34b9..f9b964a 100644
--- a/hobo/multitenant/settings_loaders.py
+++ b/hobo/multitenant/settings_loaders.py
@@ -40,20 +40,24 @@ class KnownServices(FileBaseSettingsLoader):
 with file(path) as f:
 hobo_json = json.load(f)
 services = hobo_json.get('services')
- base_url, secret = [(s.get('base_url'), s.get('secret_key'))
- for s in services if s.get('this')][0]
- orig = urlparse.urlparse(base_url).netloc.split(':')[0]
- secret = hashlib.sha1(orig+secret).hexdigest()
+ this = [s for s in services if s.get('this')][0]
+ base_url = this['base_url']
+ secret = this['secret_key']
 for service in services:
+ # Why refer to ourself ?
+ if service.get('this'):
+ continue
 service_id = service.get('service-id')
-
+ # compute a symetric shared secret using XOR
+ # secrets MUST be hexadecimal numbers of the same even length
+ shared_secret = hex(int(secret, 16) ^ int(service['secret_key'], 16))[2:-1]
 service_data = {
 'url': service.get('base_url'),
 'backoffice-menu-url': service.get('backoffice-menu-url'),
 'title': service.get('title'),
 'orig': orig,
- 'secret': secret,
+ 'secret': shared_secret,
 'variables': service.get('variables')
 }
 if service_id in known_services:
--
2.1.4
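Review bot: The XOR derivation added for `shared_secret` makes the pairwise keys linearly related: for services A, B and C, `K_ab ^ K_ac == K_bc`, so a service holding its own two shared secrets can compute the one used between two other services, and one shared secret plus one raw key yields the other raw `secret_key`. A one-way derivation over the ordered pair avoids both, for example `shared_secret = hashlib.sha256('|'.join(sorted([secret, service['secret_key']]))).hexdigest()` (hashlib was already used by the removed line). The `hex(...)[2:-1]` slice also relies on the Python 2 `L` suffix, so when both values fit in a machine int the last hex digit is cut off, and leading zeros are dropped in any case, giving a shorter key than the comment's "same even length" suggests. Separately, the context line `'orig': orig,` stays while the `orig = urlparse...` assignment is removed and the new `base_url` is unused in the hunk; unless `orig` is set outside the hunk, which is not visible here, this raises NameError. The method body starts and ends outside the hunk.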