From 3c7b85898bc54cd7ebdc3833b13e35dd3be4969e Mon Sep 17 00:00:00 2001
From: Serghei Mihai
Date: Fri, 9 Oct 2015 13:34:57 +0200
Subject: [PATCH] compute service api key from its orig and destination service key (#8580)
---
 hobo/multitenant/settings_loaders.py | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/hobo/multitenant/settings_loaders.py b/hobo/multitenant/settings_loaders.py
index c7f34b9..254b197 100644
--- a/hobo/multitenant/settings_loaders.py
+++ b/hobo/multitenant/settings_loaders.py
@@ -35,25 +35,35 @@ class FileBaseSettingsLoader(object):
 class KnownServices(FileBaseSettingsLoader):
 FILENAME = 'hobo.json'
+ def shared_secret(self, secret1, secret2):
+ secret1 = hashlib.sha256(secret1).hexdigest()
+ secret2 = hashlib.sha256(secret2).hexdigest()
+ return hex(int(secret1, 16) ^ int(secret2, 16))[2:-1]
+
 def update_settings_from_path(self, tenant_settings, path):
 known_services = {}
 with file(path) as f:
 hobo_json = json.load(f)
 services = hobo_json.get('services')
- base_url, secret = [(s.get('base_url'), s.get('secret_key'))
- for s in services if s.get('this')][0]
+ this = [s for s in services if s.get('this')][0]
+ base_url = this['base_url']
 orig = urlparse.urlparse(base_url).netloc.split(':')[0]
- secret = hashlib.sha1(orig+secret).hexdigest()
+ secret = this['secret_key']
 for service in services:
+ # Why refer to ourself ?
+ if service.get('this'):
+ continue
 service_id = service.get('service-id')
-
+ # compute a symetric shared secret using XOR
+ # secrets MUST be hexadecimal numbers of the same even length
+ shared_secret = self.shared_secret(secret, services['secret_key'])
 service_data = {
 'url': service.get('base_url'),
 'backoffice-menu-url': service.get('backoffice-menu-url'),
 'title': service.get('title'),
 'orig': orig,
- 'secret': secret,
+ 'secret': shared_secret,
 'variables': service.get('variables')
 }
 if service_id in known_services:
--
2.1.4
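Review bot: In the loop, `self.shared_secret(secret, services['secret_key'])` indexes the `services` list with a string, which raises TypeError on the first entry that is not `this`; it should read `service['secret_key']`. In `shared_secret`, `hex(...)[2:-1]` depends on the Python 2 long suffix `L` and drops leading zeros, so the key length varies, and two services configured with the same `secret_key` XOR to zero and end up with a constant, guessable secret; `return '%064x' % (int(secret1, 16) ^ int(secret2, 16))` keeps a fixed width, and equal keys are better rejected outright. Because the combination is a plain XOR of two hashes, the pairwise keys are linearly related (key(A,B) XOR key(B,C) equals key(A,C)), so an HMAC or a hash over the ordered pair of secrets would keep them independent. The comment above the call still says the secrets must be hexadecimal numbers of the same even length, which no longer applies once both are passed through sha256. `update_settings_from_path` continues past the end of the hunk.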