initial logging for route protection

2025-12-16 10:12:32 -05:00 · 2017-11-03 14:43:56 +00:00
parent ab583c0bc6
commit f4d005c7fb
5 changed files with 91 additions and 3 deletions
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -47,8 +47,27 @@ def requires_no_auth():
 def restrict_ip_sms():
    # Check route of inbound sms (Experimental)
    # Temporary custom header for route security
-    if request.headers.get("X-Custom-forwarder"):
-        current_app.logger.info("X-Custom-forwarder received")
+    # if request.headers.get("X-Custom-forwarder"):
+    #     current_app.logger.info("X-Custom-forwarder received")
+    if request.headers.get("X-Custom-Forwarder"):
+        route_secret_key = request.headers.get("X-Custom-Forwarder")
+        key_1 = current_app.config.get('ROUTE_SECRET_KEY_1')
+        key_2 = current_app.config.get('ROUTE_SECRET_KEY_2')
+        key_used = 0
+        route_allowed = False
+        if route_secret_key == key_1:
+            key_used = 1
+            route_allowed = True
+        elif route_secret_key == key_2:
+            key_used = 2
+            route_allowed = True
+
+        current_app.logger.info({
+            'message': 'X-Custom-forwarder key {} is used'.format(key_used),
+            'log_contents': {
+                'passed': route_allowed,
+            }
+        })

    # Check IP of SMS providers
    if request.headers.get("X-Forwarded-For"):
--- a/app/cloudfoundry_config.py
+++ b/app/cloudfoundry_config.py
@@ -45,6 +45,8 @@ def extract_notify_config(notify_config):
    os.environ['SECRET_KEY'] = notify_config['credentials']['secret_key']
    os.environ['DANGEROUS_SALT'] = notify_config['credentials']['dangerous_salt']
    os.environ['SMS_INBOUND_WHITELIST'] = json.dumps(notify_config['credentials']['allow_ip_inbound_sms'])
+    os.environ['ROUTE_SECRET_KEY_1'] = notify_config['credentials']['route_secret_key_1']
+    os.environ['ROUTE_SECRET_KEY_2'] = notify_config['credentials']['route_secret_key_2']


 def extract_performance_platform_config(performance_platform_config):
--- a/app/config.py
+++ b/app/config.py
@@ -287,6 +287,8 @@ class Config(object):
    FREE_SMS_TIER_FRAGMENT_COUNT = 250000

    SMS_INBOUND_WHITELIST = json.loads(os.environ.get('SMS_INBOUND_WHITELIST', '[]'))
+    ROUTE_SECRET_KEY_1 = os.environ['ROUTE_SECRET_KEY_1']
+    ROUTE_SECRET_KEY_2 = os.environ['ROUTE_SECRET_KEY_2']

    # Format is as follows:
    # {"dataset_1": "token_1", ...}
--- a/tests/app/authentication/test_authentication.py
+++ b/tests/app/authentication/test_authentication.py
@@ -372,3 +372,66 @@ def test_allow_valid_ips_bits(restrict_ip_sms_app):
    )

    assert response.status_code == 200
+
+
+@pytest.fixture
+def route_secret_app_1():
+    app = flask.Flask(__name__)
+    app.config['TESTING'] = True
+    app.config['ROUTE_SECRET_KEY_1'] = "key_1"
+    app.config['ROUTE_SECRET_KEY_2'] = ""
+    app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24']
+    blueprint = flask.Blueprint('route_secret_app_1', __name__)
+
+    @blueprint.route('/')
+    def test_endpoint():
+        return 'OK', 200
+
+    blueprint.before_request(restrict_ip_sms)
+    app.register_blueprint(blueprint)
+
+    with app.test_request_context(), app.test_client() as client:
+        yield client
+
+
+def test_route_secret_key_1_is_used(route_secret_app_1):
+    response = route_secret_app_1.get(
+        path='/',
+        headers=[
+            ('X-Custom-forwarder', 'some key 1'),
+            ('X-Forwarded-For', '200.200.200.222, 222.222.222.222, 127.0.0.1'),
+        ]
+    )
+    assert response.status_code == 200
+
+
+@pytest.fixture
+def route_secret_app_2():
+    app = flask.Flask(__name__)
+    app.config['TESTING'] = True
+    app.config['ROUTE_SECRET_KEY_1'] = "key_1"
+    app.config['ROUTE_SECRET_KEY_2'] = "key_2"
+    app.config['SMS_INBOUND_WHITELIST'] = ['111.111.111.111/32', '200.200.200.0/24']
+    blueprint = flask.Blueprint('route_secret_app_2', __name__)
+
+    @blueprint.route('/')
+    def test_endpoint():
+        return 'OK', 200
+
+    blueprint.before_request(restrict_ip_sms)
+    app.register_blueprint(blueprint)
+
+    with app.test_request_context(), app.test_client() as client:
+        yield client
+
+
+def test_can_use_secret_route_key_2(route_secret_app_2):
+
+    response = route_secret_app_2.get(
+        path='/',
+        headers=[
+            ('X-Custom-forwarder', 'key_2'),
+            ('X-Forwarded-For', '200.200.200.222, 222.222.222.222, 127.0.0.1'),
+        ]
+    )
+    assert response.status_code == 200
--- a/tests/app/test_cloudfoundry_config.py
+++ b/tests/app/test_cloudfoundry_config.py
@@ -16,7 +16,9 @@ def notify_config():
            'admin_client_secret': 'admin client secret',
            'secret_key': 'secret key',
            'dangerous_salt': 'dangerous salt',
-            'allow_ip_inbound_sms': ['111.111.111.111', '100.100.100.100']
+            'allow_ip_inbound_sms': ['111.111.111.111', '100.100.100.100'],
+            'route_secret_key_1': "key_1",
+            'route_secret_key_2': ""
        }
    }