ozwillo: validate destruction requests using OZWILLO_DESTRUCTION_SECRET (#18785)

2017-09-20 17:22:12 +02:00 · 2017-09-20 17:22:12 +02:00 · 861b63d18a
parent 4d1aafbed4
commit 861b63d18a
1 changed files with 23 additions and 22 deletions
--- a/hobo/contrib/ozwillo/views.py
+++ b/hobo/contrib/ozwillo/views.py
@ -52,30 +52,31 @@ def run_command(args):
    return True


-def valid_signature_required(func):
+def valid_signature_required(setting):
    '''Validate Ozwillo signatures'''
-
    signature_header_name = 'HTTP_X_HUB_SIGNATURE'
-    api_secret = settings.OZWILLO_SECRET

-    def wrapper(request):
-        if signature_header_name in request.META:
-            if request.META[signature_header_name].startswith('sha1='):
-                algo, received_hmac = request.META[signature_header_name].rsplit('=')
-                computed_hmac = hmac.new(api_secret, request.body, sha1).hexdigest()
-                # the received hmac is uppercase according to
-                # http://doc.ozwillo.com/#ref-3-2-1
-                if received_hmac.lower() != computed_hmac:
-                    logger.error(u'ozwillo: invalid HMAC')
-                    return HttpResponseForbidden('invalid HMAC')
+    def decorator(func):
+        def wrapper(request, *args, **kwargs):
+            api_secret = getattr(settings, setting)
+            if signature_header_name in request.META:
+                if request.META[signature_header_name].startswith('sha1='):
+                    algo, received_hmac = request.META[signature_header_name].rsplit('=')
+                    computed_hmac = hmac.new(api_secret, request.body, sha1).hexdigest()
+                    # the received hmac is uppercase according to
+                    # http://doc.ozwillo.com/#ref-3-2-1
+                    if received_hmac.lower() != computed_hmac:
+                        logger.error(u'ozwillo: invalid HMAC')
+                        return HttpResponseForbidden('invalid HMAC')
+                else:
+                    logger.error(u'ozwillo: invalid HMAC algo')
+                    return HttpResponseForbidden('invalid HMAC algo')
            else:
-                logger.error(u'ozwillo: invalid HMAC algo')
-                return HttpResponseForbidden('invalid HMAC algo')
-        else:
-            logger.error(u'ozwillo: no HMAC in the header')
-            return HttpResponseForbidden('no HMAC in the header')
-        return func(request)
-    return wrapper
+                logger.error(u'ozwillo: no HMAC in the header')
+                return HttpResponseForbidden('no HMAC in the header')
+            return func(request, *args, **kwargs)
+        return wrapper
+    return decorator


 def is_ozwillo_enabled(func):
@ -88,7 +89,7 @@ def is_ozwillo_enabled(func):

@csrf_exempt
@is_ozwillo_enabled
-@valid_signature_required
+@valid_signature_required(setting='OZWILLO_SECRET')
 def create_publik_instance(request):
    try:
        data = json.loads(request.body)
@ -243,7 +244,7 @@ def ozwillo_deploy_thread(data):

@csrf_exempt
@is_ozwillo_enabled
-@valid_signature_required
+@valid_signature_required(setting='OZWILLO_DESTRUCTION_SECRET')
 def delete_publik_instance(request):
    try:
        data = json.loads(request.body)