ozwillo: validate destruction requests using OZWILLO_DESTRUCTION_SECRET (#18785)
parent
4d1aafbed4
commit
861b63d18a
|
@ -52,30 +52,31 @@ def run_command(args):
|
|||
return True
|
||||
|
||||
|
||||
def valid_signature_required(func):
|
||||
def valid_signature_required(setting):
|
||||
'''Validate Ozwillo signatures'''
|
||||
|
||||
signature_header_name = 'HTTP_X_HUB_SIGNATURE'
|
||||
api_secret = settings.OZWILLO_SECRET
|
||||
|
||||
def wrapper(request):
|
||||
if signature_header_name in request.META:
|
||||
if request.META[signature_header_name].startswith('sha1='):
|
||||
algo, received_hmac = request.META[signature_header_name].rsplit('=')
|
||||
computed_hmac = hmac.new(api_secret, request.body, sha1).hexdigest()
|
||||
# the received hmac is uppercase according to
|
||||
# http://doc.ozwillo.com/#ref-3-2-1
|
||||
if received_hmac.lower() != computed_hmac:
|
||||
logger.error(u'ozwillo: invalid HMAC')
|
||||
return HttpResponseForbidden('invalid HMAC')
|
||||
def decorator(func):
|
||||
def wrapper(request, *args, **kwargs):
|
||||
api_secret = getattr(settings, setting)
|
||||
if signature_header_name in request.META:
|
||||
if request.META[signature_header_name].startswith('sha1='):
|
||||
algo, received_hmac = request.META[signature_header_name].rsplit('=')
|
||||
computed_hmac = hmac.new(api_secret, request.body, sha1).hexdigest()
|
||||
# the received hmac is uppercase according to
|
||||
# http://doc.ozwillo.com/#ref-3-2-1
|
||||
if received_hmac.lower() != computed_hmac:
|
||||
logger.error(u'ozwillo: invalid HMAC')
|
||||
return HttpResponseForbidden('invalid HMAC')
|
||||
else:
|
||||
logger.error(u'ozwillo: invalid HMAC algo')
|
||||
return HttpResponseForbidden('invalid HMAC algo')
|
||||
else:
|
||||
logger.error(u'ozwillo: invalid HMAC algo')
|
||||
return HttpResponseForbidden('invalid HMAC algo')
|
||||
else:
|
||||
logger.error(u'ozwillo: no HMAC in the header')
|
||||
return HttpResponseForbidden('no HMAC in the header')
|
||||
return func(request)
|
||||
return wrapper
|
||||
logger.error(u'ozwillo: no HMAC in the header')
|
||||
return HttpResponseForbidden('no HMAC in the header')
|
||||
return func(request, *args, **kwargs)
|
||||
return wrapper
|
||||
return decorator
|
||||
|
||||
|
||||
def is_ozwillo_enabled(func):
|
||||
|
@ -88,7 +89,7 @@ def is_ozwillo_enabled(func):
|
|||
|
||||
@csrf_exempt
|
||||
@is_ozwillo_enabled
|
||||
@valid_signature_required
|
||||
@valid_signature_required(setting='OZWILLO_SECRET')
|
||||
def create_publik_instance(request):
|
||||
try:
|
||||
data = json.loads(request.body)
|
||||
|
@ -243,7 +244,7 @@ def ozwillo_deploy_thread(data):
|
|||
|
||||
@csrf_exempt
|
||||
@is_ozwillo_enabled
|
||||
@valid_signature_required
|
||||
@valid_signature_required(setting='OZWILLO_DESTRUCTION_SECRET')
|
||||
def delete_publik_instance(request):
|
||||
try:
|
||||
data = json.loads(request.body)
|
||||
|
|
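Review bot: The HMAC check in the new wrapper of valid_signature_required still compares the received and computed digests with an ordinary `!=`, so the destruction secret is verified with a comparison that short-circuits on the first differing byte; the line should read `if not hmac.compare_digest(received_hmac.lower(), computed_hmac):` so both secrets are checked in constant time. On the line above it, `algo, received_hmac = request.META[signature_header_name].rsplit('=')` unpacks into exactly two names, so a header carrying more than one `=` raises ValueError and turns into a server error instead of the 403 the surrounding branches return; `algo, received_hmac = request.META[signature_header_name].split('=', 1)` keeps the unpack safe, and since `algo` is then unused, `_, received_hmac = ...` would make that explicit. `api_secret = getattr(settings, setting)` has no default, so a deployment that enables the endpoint without defining the newly introduced OZWILLO_DESTRUCTION_SECRET will presumably fail with AttributeError on every delete request rather than refusing cleanly; a comment such as `# setting must be defined; a missing secret is a configuration error, not a valid request` or a startup-time check would make that contract visible. The same decorator serves both create_publik_instance and delete_publik_instance in the later hunks, so these fixes apply to both endpoints.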