From f4d005c7fb00fca45a67f7cea57c07ad75a04285 Mon Sep 17 00:00:00 2001 From: venusbb Date: Fri, 3 Nov 2017 14:43:56 +0000 Subject: [PATCH 1/5] initial logging for route protection --- app/authentication/auth.py | 23 ++++++- app/cloudfoundry_config.py | 2 + app/config.py | 2 + .../app/authentication/test_authentication.py | 63 +++++++++++++++++++ tests/app/test_cloudfoundry_config.py | 4 +- 5 files changed, 91 insertions(+), 3 deletions(-) diff --git a/app/authentication/auth.py b/app/authentication/auth.py index 0e01ec533..d7adc51c7 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py @@ -47,8 +47,27 @@ def requires_no_auth(): def restrict_ip_sms(): # Check route of inbound sms (Experimental) # Temporary custom header for route security - if request.headers.get("X-Custom-forwarder"): - current_app.logger.info("X-Custom-forwarder received") + # if request.headers.get("X-Custom-forwarder"): + # current_app.logger.info("X-Custom-forwarder received") + if request.headers.get("X-Custom-Forwarder"): + route_secret_key = request.headers.get("X-Custom-Forwarder") + key_1 = current_app.config.get('ROUTE_SECRET_KEY_1') + key_2 = current_app.config.get('ROUTE_SECRET_KEY_2') + key_used = 0 + route_allowed = False + if route_secret_key == key_1: + key_used = 1 + route_allowed = True + elif route_secret_key == key_2: + key_used = 2 + route_allowed = True + + current_app.logger.info({ + 'message': 'X-Custom-forwarder key {} is used'.format(key_used), + 'log_contents': { + 'passed': route_allowed, + } + }) # Check IP of SMS providers if request.headers.get("X-Forwarded-For"): diff --git a/app/cloudfoundry_config.py b/app/cloudfoundry_config.py index 33cd4f753..ee6d2ba0c 100644 --- a/app/cloudfoundry_config.py +++ b/app/cloudfoundry_config.py @@ -45,6 +45,8 @@ def extract_notify_config(notify_config): os.environ['SECRET_KEY'] = notify_config['credentials']['secret_key'] os.environ['DANGEROUS_SALT'] = notify_config['credentials']['dangerous_salt'] os.environ['SMS_INBOUND_WHITELIST'] = json.dumps(notify_config['credentials']['allow_ip_inbound_sms']) + os.environ['ROUTE_SECRET_KEY_1'] = notify_config['credentials']['route_secret_key_1'] + os.environ['ROUTE_SECRET_KEY_2'] = notify_config['credentials']['route_secret_key_2'] def extract_performance_platform_config(performance_platform_config): diff --git a/app/config.py b/app/config.py index aa74a4a84..8807218c7 100644 --- a/app/config.py +++ b/app/config.py @@ -287,6 +287,8 @@ class Config(object): FREE_SMS_TIER_FRAGMENT_COUNT = 250000 SMS_INBOUND_WHITELIST = json.loads(os.environ.get('SMS_INBOUND_WHITELIST', '[]')) + ROUTE_SECRET_KEY_1 = os.environ['ROUTE_SECRET_KEY_1'] + ROUTE_SECRET_KEY_2 = os.environ['ROUTE_SECRET_KEY_2'] # Format is as follows: # {"dataset_1": "token_1", ...} diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index cec191a13..8c58716cc 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -372,3 +372,66 @@ def test_allow_valid_ips_bits(restrict_ip_sms_app): ) assert response.status_code == 200 + + +@pytest.fixture +def route_secret_app_1(): + app = flask.Flask(__name__) + app.config['TESTING'] = True + app.config['ROUTE_SECRET_KEY_1'] = "key_1" + app.config['ROUTE_SECRET_KEY_2'] = "" + app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24'] + blueprint = flask.Blueprint('route_secret_app_1', __name__) + + @blueprint.route('/') + def test_endpoint(): + return 'OK', 200 + + blueprint.before_request(restrict_ip_sms) + app.register_blueprint(blueprint) + + with app.test_request_context(), app.test_client() as client: + yield client + + +def test_route_secret_key_1_is_used(route_secret_app_1): + response = route_secret_app_1.get( + path='/', + headers=[ + ('X-Custom-forwarder', 'some key 1'), + ('X-Forwarded-For', '200.200.200.222, 222.222.222.222, 127.0.0.1'), + ] + ) + assert response.status_code == 200 + + +@pytest.fixture +def route_secret_app_2(): + app = flask.Flask(__name__) + app.config['TESTING'] = True + app.config['ROUTE_SECRET_KEY_1'] = "key_1" + app.config['ROUTE_SECRET_KEY_2'] = "key_2" + app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24'] + blueprint = flask.Blueprint('route_secret_app_2', __name__) + + @blueprint.route('/') + def test_endpoint(): + return 'OK', 200 + + blueprint.before_request(restrict_ip_sms) + app.register_blueprint(blueprint) + + with app.test_request_context(), app.test_client() as client: + yield client + + +def test_can_use_secret_route_key_2(route_secret_app_2): + + response = route_secret_app_2.get( + path='/', + headers=[ + ('X-Custom-forwarder', 'key_2'), + ('X-Forwarded-For', '200.200.200.222, 222.222.222.222, 127.0.0.1'), + ] + ) + assert response.status_code == 200 diff --git a/tests/app/test_cloudfoundry_config.py b/tests/app/test_cloudfoundry_config.py index 8f90df90d..f20a0300d 100644 --- a/tests/app/test_cloudfoundry_config.py +++ b/tests/app/test_cloudfoundry_config.py @@ -16,7 +16,9 @@ def notify_config(): 'admin_client_secret': 'admin client secret', 'secret_key': 'secret key', 'dangerous_salt': 'dangerous salt', - 'allow_ip_inbound_sms': ['111.111.111.111', '100.100.100.100'] + 'allow_ip_inbound_sms': ['111.111.111.111', '100.100.100.100'], + 'route_secret_key_1': "key_1", + 'route_secret_key_2': "" } } From 81b8d62557b5f71abdfa5806fb0e7abc220d5e8d Mon Sep 17 00:00:00 2001 From: venusbb Date: Fri, 3 Nov 2017 18:19:59 +0000 Subject: [PATCH 2/5] create new method to validate secret header, new tests --- app/authentication/auth.py | 22 +++-- .../app/authentication/test_authentication.py | 87 +++++++++++++++---- 2 files changed, 88 insertions(+), 21 deletions(-) diff --git a/app/authentication/auth.py b/app/authentication/auth.py index d7adc51c7..8181f7309 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py @@ -7,6 +7,7 @@ from sqlalchemy.exc import DataError from sqlalchemy.orm.exc import NoResultFound from app.dao.services_dao import dao_fetch_service_by_id_with_api_keys +from flask import jsonify class AuthError(Exception): @@ -44,16 +45,18 @@ def requires_no_auth(): pass -def restrict_ip_sms(): +def check_route_secret(): # Check route of inbound sms (Experimental) # Temporary custom header for route security - # if request.headers.get("X-Custom-forwarder"): - # current_app.logger.info("X-Custom-forwarder received") if request.headers.get("X-Custom-Forwarder"): route_secret_key = request.headers.get("X-Custom-Forwarder") + + # if route_secret_key is None: + # raise AuthError('invalid secret key', 403) + key_1 = current_app.config.get('ROUTE_SECRET_KEY_1') key_2 = current_app.config.get('ROUTE_SECRET_KEY_2') - key_used = 0 + key_used = None route_allowed = False if route_secret_key == key_1: key_used = 1 @@ -63,12 +66,21 @@ def restrict_ip_sms(): route_allowed = True current_app.logger.info({ - 'message': 'X-Custom-forwarder key {} is used'.format(key_used), + 'message': 'X-Custom-Forwarder key {} is used'.format(key_used), 'log_contents': { 'passed': route_allowed, } }) + # if not key_used: + # raise AuthError('X-Custom-Forwarder, wrong secret', 403) + + return jsonify(key_used=key_used), 200 + + +def restrict_ip_sms(): + check_route_secret() + # Check IP of SMS providers if request.headers.get("X-Forwarded-For"): # X-Forwarded-For looks like "203.0.113.195, 70.41.3.18, 150.172.238.178" diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index 8c58716cc..43fc284c4 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -12,7 +12,7 @@ from notifications_python_client.authentication import create_jwt_token from app import api_user from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key, get_unsigned_secret, expire_api_key from app.models import ApiKey, KEY_TYPE_NORMAL -from app.authentication.auth import restrict_ip_sms, AuthError +from app.authentication.auth import restrict_ip_sms, AuthError, check_route_secret # Test the require_admin_auth and require_auth methods @@ -375,63 +375,118 @@ def test_allow_valid_ips_bits(restrict_ip_sms_app): @pytest.fixture -def route_secret_app_1(): +def route_secret_app_with_key_1_only(): app = flask.Flask(__name__) app.config['TESTING'] = True app.config['ROUTE_SECRET_KEY_1'] = "key_1" app.config['ROUTE_SECRET_KEY_2'] = "" app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24'] - blueprint = flask.Blueprint('route_secret_app_1', __name__) + blueprint = flask.Blueprint('route_secret_app_with_key_1_only', __name__) @blueprint.route('/') def test_endpoint(): return 'OK', 200 - blueprint.before_request(restrict_ip_sms) + blueprint.before_request(check_route_secret) app.register_blueprint(blueprint) with app.test_request_context(), app.test_client() as client: yield client -def test_route_secret_key_1_is_used(route_secret_app_1): - response = route_secret_app_1.get( +def test_route_secret_key_1_is_used(route_secret_app_with_key_1_only): + response = route_secret_app_with_key_1_only.get( path='/', headers=[ - ('X-Custom-forwarder', 'some key 1'), - ('X-Forwarded-For', '200.200.200.222, 222.222.222.222, 127.0.0.1'), + ('X-Custom-forwarder', 'key_1'), ] ) + resp_json = json.loads(response.get_data(as_text=True)) assert response.status_code == 200 + assert resp_json['key_used'] == 1 +# This tests for when we do key rotation when we use both keys @pytest.fixture -def route_secret_app_2(): +def route_secret_app_both_keys(): app = flask.Flask(__name__) app.config['TESTING'] = True app.config['ROUTE_SECRET_KEY_1'] = "key_1" app.config['ROUTE_SECRET_KEY_2'] = "key_2" app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24'] - blueprint = flask.Blueprint('route_secret_app_2', __name__) + blueprint = flask.Blueprint('route_secret_app_both_keys', __name__) @blueprint.route('/') def test_endpoint(): return 'OK', 200 - blueprint.before_request(restrict_ip_sms) + blueprint.before_request(check_route_secret) app.register_blueprint(blueprint) with app.test_request_context(), app.test_client() as client: yield client -def test_can_use_secret_route_key_2(route_secret_app_2): - - response = route_secret_app_2.get( +@pytest.mark.parametrize('secret_header, expected_key_used', [ + ('key_2', 2), + ('key_1', 1) +]) +def test_can_use_either_secret_route_key(route_secret_app_both_keys, secret_header, expected_key_used): + print(secret_header) + response = route_secret_app_both_keys.get( path='/', headers=[ - ('X-Custom-forwarder', 'key_2'), - ('X-Forwarded-For', '200.200.200.222, 222.222.222.222, 127.0.0.1'), + ('X-Custom-forwarder', secret_header), ] ) + resp_json = json.loads(response.get_data(as_text=True)) assert response.status_code == 200 + assert resp_json['key_used'] == expected_key_used + + +@pytest.fixture +def route_secret_app_with_key_2_only(): + app = flask.Flask(__name__) + app.config['TESTING'] = True + app.config['ROUTE_SECRET_KEY_1'] = "" + app.config['ROUTE_SECRET_KEY_2'] = "key_2" + app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24'] + blueprint = flask.Blueprint('route_secret_app_with_key_2_only', __name__) + + @blueprint.route('/') + def test_endpoint(): + return 'OK', 200 + + blueprint.before_request(check_route_secret) + app.register_blueprint(blueprint) + + with app.test_request_context(), app.test_client() as client: + yield client + + +def test_route_secret_key_2_is_used(route_secret_app_with_key_2_only): + response = route_secret_app_with_key_2_only.get( + path='/', + headers=[ + ('X-Custom-Forwarder', 'key_2'), + ] + ) + resp_json = json.loads(response.get_data(as_text=True)) + assert response.status_code == 200 + assert resp_json['key_used'] == 2 + + +# TODO: expected to fail because we have not implement blocking yet +@pytest.mark.parametrize('header_name, secret', [ + pytest.mark.xfail(('some-header', 'some-value')), + pytest.mark.xfail(('X-Custom-Forwarder', 'wrong-value')), +]) +def test_no_route_secret_raise_403(route_secret_app_with_key_2_only, header_name, secret): + + response = route_secret_app_with_key_2_only.get( + path='/', + headers=[ + (header_name, secret) + ] + ) + assert response.status_code == 403 From 03fc781b8c116fe30bb33cec592593598de60f47 Mon Sep 17 00:00:00 2001 From: venusbb Date: Fri, 3 Nov 2017 18:19:59 +0000 Subject: [PATCH 3/5] create new method to validate secret header, new tests --- app/authentication/auth.py | 32 ++++- .../app/authentication/test_authentication.py | 124 +++++++++++++++--- 2 files changed, 135 insertions(+), 21 deletions(-) diff --git a/app/authentication/auth.py b/app/authentication/auth.py index d7adc51c7..b6dd4d5d7 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py @@ -7,6 +7,7 @@ from sqlalchemy.exc import DataError from sqlalchemy.orm.exc import NoResultFound from app.dao.services_dao import dao_fetch_service_by_id_with_api_keys +from flask import jsonify class AuthError(Exception): @@ -44,16 +45,26 @@ def requires_no_auth(): pass -def restrict_ip_sms(): +def check_route_secret(): # Check route of inbound sms (Experimental) # Temporary custom header for route security - # if request.headers.get("X-Custom-forwarder"): - # current_app.logger.info("X-Custom-forwarder received") if request.headers.get("X-Custom-Forwarder"): route_secret_key = request.headers.get("X-Custom-Forwarder") + + if route_secret_key is None: + # Not blocking at the moment + # raise AuthError('invalid secret key', 403) + return + key_1 = current_app.config.get('ROUTE_SECRET_KEY_1') key_2 = current_app.config.get('ROUTE_SECRET_KEY_2') - key_used = 0 + + if key_1 == '' and key_2 == '': + # Not blocking at the moment + # raise AuthError('X-Custom-Forwarder, no secret was set on server', 503) + return + + key_used = None route_allowed = False if route_secret_key == key_1: key_used = 1 @@ -63,12 +74,23 @@ def restrict_ip_sms(): route_allowed = True current_app.logger.info({ - 'message': 'X-Custom-forwarder key {} is used'.format(key_used), + 'message': 'X-Custom-Forwarder key {} is used'.format(key_used), 'log_contents': { 'passed': route_allowed, } }) + if not key_used: + # Not blocking at the moment + # raise AuthError('X-Custom-Forwarder, wrong secret', 403) + return + + return jsonify(key_used=key_used), 200 + + +def restrict_ip_sms(): + check_route_secret() + # Check IP of SMS providers if request.headers.get("X-Forwarded-For"): # X-Forwarded-For looks like "203.0.113.195, 70.41.3.18, 150.172.238.178" diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index 8c58716cc..8f19136e9 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -12,7 +12,7 @@ from notifications_python_client.authentication import create_jwt_token from app import api_user from app.dao.api_key_dao import get_unsigned_secrets, save_model_api_key, get_unsigned_secret, expire_api_key from app.models import ApiKey, KEY_TYPE_NORMAL -from app.authentication.auth import restrict_ip_sms, AuthError +from app.authentication.auth import restrict_ip_sms, AuthError, check_route_secret # Test the require_admin_auth and require_auth methods @@ -375,63 +375,155 @@ def test_allow_valid_ips_bits(restrict_ip_sms_app): @pytest.fixture -def route_secret_app_1(): +def route_secret_app_with_key_1_only(): app = flask.Flask(__name__) app.config['TESTING'] = True app.config['ROUTE_SECRET_KEY_1'] = "key_1" app.config['ROUTE_SECRET_KEY_2'] = "" app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24'] - blueprint = flask.Blueprint('route_secret_app_1', __name__) + blueprint = flask.Blueprint('route_secret_app_with_key_1_only', __name__) @blueprint.route('/') def test_endpoint(): return 'OK', 200 - blueprint.before_request(restrict_ip_sms) + blueprint.before_request(check_route_secret) app.register_blueprint(blueprint) with app.test_request_context(), app.test_client() as client: yield client -def test_route_secret_key_1_is_used(route_secret_app_1): - response = route_secret_app_1.get( +def test_route_secret_key_1_is_used(route_secret_app_with_key_1_only): + response = route_secret_app_with_key_1_only.get( path='/', headers=[ - ('X-Custom-forwarder', 'some key 1'), - ('X-Forwarded-For', '200.200.200.222, 222.222.222.222, 127.0.0.1'), + ('X-Custom-forwarder', 'key_1'), ] ) + resp_json = json.loads(response.get_data(as_text=True)) assert response.status_code == 200 + assert resp_json['key_used'] == 1 +# This tests for when we do key rotation when we use both keys @pytest.fixture -def route_secret_app_2(): +def route_secret_app_both_keys(): app = flask.Flask(__name__) app.config['TESTING'] = True app.config['ROUTE_SECRET_KEY_1'] = "key_1" app.config['ROUTE_SECRET_KEY_2'] = "key_2" app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24'] - blueprint = flask.Blueprint('route_secret_app_2', __name__) + blueprint = flask.Blueprint('route_secret_app_both_keys', __name__) @blueprint.route('/') def test_endpoint(): return 'OK', 200 - blueprint.before_request(restrict_ip_sms) + blueprint.before_request(check_route_secret) app.register_blueprint(blueprint) with app.test_request_context(), app.test_client() as client: yield client -def test_can_use_secret_route_key_2(route_secret_app_2): - - response = route_secret_app_2.get( +@pytest.mark.parametrize('secret_header, expected_key_used', [ + ('key_2', 2), + ('key_1', 1) +]) +def test_can_use_either_secret_route_key(route_secret_app_both_keys, secret_header, expected_key_used): + print(secret_header) + response = route_secret_app_both_keys.get( path='/', headers=[ - ('X-Custom-forwarder', 'key_2'), - ('X-Forwarded-For', '200.200.200.222, 222.222.222.222, 127.0.0.1'), + ('X-Custom-forwarder', secret_header), ] ) + resp_json = json.loads(response.get_data(as_text=True)) assert response.status_code == 200 + assert resp_json['key_used'] == expected_key_used + + +@pytest.fixture +def route_secret_app_with_key_2_only(): + app = flask.Flask(__name__) + app.config['TESTING'] = True + app.config['ROUTE_SECRET_KEY_1'] = "" + app.config['ROUTE_SECRET_KEY_2'] = "key_2" + app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24'] + blueprint = flask.Blueprint('route_secret_app_with_key_2_only', __name__) + + @blueprint.route('/') + def test_endpoint(): + return 'OK', 200 + + blueprint.before_request(check_route_secret) + app.register_blueprint(blueprint) + + with app.test_request_context(), app.test_client() as client: + yield client + + +def test_route_secret_key_2_is_used(route_secret_app_with_key_2_only): + response = route_secret_app_with_key_2_only.get( + path='/', + headers=[ + ('X-Custom-Forwarder', 'key_2'), + ] + ) + resp_json = json.loads(response.get_data(as_text=True)) + assert response.status_code == 200 + assert resp_json['key_used'] == 2 + + +# TODO: expected to fail because we have not implement blocking yet +@pytest.mark.parametrize('header_name, secret', [ + pytest.mark.xfail(('some-header', 'some-value')), + pytest.mark.xfail(('X-Custom-Forwarder', 'wrong-value')), +]) +def test_no_route_secret_raise_403(route_secret_app_with_key_2_only, header_name, secret): + + response = route_secret_app_with_key_2_only.get( + path='/', + headers=[ + (header_name, secret) + ] + ) + assert response.status_code == 403 + + +@pytest.fixture +def route_secret_app_with_no_key(): + app = flask.Flask(__name__) + app.config['TESTING'] = True + app.config['ROUTE_SECRET_KEY_1'] = "" + app.config['ROUTE_SECRET_KEY_2'] = "" + app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24'] + blueprint = flask.Blueprint('route_secret_app_with_no_key', __name__) + + @blueprint.route('/') + def test_endpoint(): + return 'OK', 200 + + blueprint.before_request(check_route_secret) + app.register_blueprint(blueprint) + + with app.test_request_context(), app.test_client() as client: + yield client + + +# TODO: expected to fail because we have not implement blocking yet +@pytest.mark.parametrize('secret', [ + pytest.mark.xfail('some-header') +]) +def test_route_secret_no_key_set_should_fail(route_secret_app_with_no_key, secret): + with pytest.raises(AuthError) as exc_info: + response = route_secret_app_with_no_key.get( + path='/', + headers=[ + ('X-Custom-Forwarder', 'some_value'), + ] + ) + resp_json = json.loads(response.get_data(as_text=True)) + exc_info.value.short_message == 'X-Custom-Forwarder, no secret was set on server' + assert resp_json['key_used'] is None From f81b6e9d99bf5c4dcd2765fae05eb9c3b65339d2 Mon Sep 17 00:00:00 2001 From: venusbb Date: Mon, 6 Nov 2017 12:27:48 +0000 Subject: [PATCH 4/5] add protection if the parameter route-secret does not exist --- app/config.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/config.py b/app/config.py index 8807218c7..549d060c6 100644 --- a/app/config.py +++ b/app/config.py @@ -287,8 +287,8 @@ class Config(object): FREE_SMS_TIER_FRAGMENT_COUNT = 250000 SMS_INBOUND_WHITELIST = json.loads(os.environ.get('SMS_INBOUND_WHITELIST', '[]')) - ROUTE_SECRET_KEY_1 = os.environ['ROUTE_SECRET_KEY_1'] - ROUTE_SECRET_KEY_2 = os.environ['ROUTE_SECRET_KEY_2'] + ROUTE_SECRET_KEY_1 = os.environ.get('ROUTE_SECRET_KEY_1', '') + ROUTE_SECRET_KEY_2 = os.environ.get('ROUTE_SECRET_KEY_2', '') # Format is as follows: # {"dataset_1": "token_1", ...} From cae42fe86291007565c41fdfb515090a9279c753 Mon Sep 17 00:00:00 2001 From: venusbb Date: Mon, 6 Nov 2017 13:23:41 +0000 Subject: [PATCH 5/5] Changed logging way --- app/authentication/auth.py | 50 ++++++++++++++++++++------------------ 1 file changed, 27 insertions(+), 23 deletions(-) diff --git a/app/authentication/auth.py b/app/authentication/auth.py index b6dd4d5d7..3925e588f 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py @@ -47,44 +47,48 @@ def requires_no_auth(): def check_route_secret(): # Check route of inbound sms (Experimental) - # Temporary custom header for route security + # Custom header for route security + auth_error_msg = '' if request.headers.get("X-Custom-Forwarder"): route_secret_key = request.headers.get("X-Custom-Forwarder") if route_secret_key is None: # Not blocking at the moment # raise AuthError('invalid secret key', 403) - return + auth_error_msg = auth_error_msg + 'invalid secret key, ' + else: - key_1 = current_app.config.get('ROUTE_SECRET_KEY_1') - key_2 = current_app.config.get('ROUTE_SECRET_KEY_2') + key_1 = current_app.config.get('ROUTE_SECRET_KEY_1') + key_2 = current_app.config.get('ROUTE_SECRET_KEY_2') - if key_1 == '' and key_2 == '': - # Not blocking at the moment - # raise AuthError('X-Custom-Forwarder, no secret was set on server', 503) - return + if key_1 == '' and key_2 == '': + # Not blocking at the moment + # raise AuthError('X-Custom-Forwarder, no secret was set on server', 503) + auth_error_msg = auth_error_msg + 'no secret was set on server, ' + else: - key_used = None - route_allowed = False - if route_secret_key == key_1: - key_used = 1 - route_allowed = True - elif route_secret_key == key_2: - key_used = 2 - route_allowed = True + key_used = None + route_allowed = False + if route_secret_key == key_1: + key_used = 1 + route_allowed = True + elif route_secret_key == key_2: + key_used = 2 + route_allowed = True + + if not key_used: + # Not blocking at the moment + # raise AuthError('X-Custom-Forwarder, wrong secret', 403) + auth_error_msg = auth_error_msg + 'wrong secret' current_app.logger.info({ - 'message': 'X-Custom-Forwarder key {} is used'.format(key_used), + 'message': 'X-Custom-Forwarder', 'log_contents': { 'passed': route_allowed, + 'key_used': key_used, + 'error': auth_error_msg } }) - - if not key_used: - # Not blocking at the moment - # raise AuthError('X-Custom-Forwarder, wrong secret', 403) - return - return jsonify(key_used=key_used), 200