Merge branch 'main' into fix/retry-attachement-fetch

cds-snc · Jan 22, 2024 · b955817 · b955817
2 parents bc52484 + 074cbfd
commit b955817
Show file tree

Hide file tree

Showing 12 changed files with 43 additions and 246 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -27,15 +27,15 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
+        uses: github/codeql-action/init@8b7fcbfac2aae0e6c24d9f9ebd5830b1290b18e4 # v2.23.0
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
+        uses: github/codeql-action/autobuild@8b7fcbfac2aae0e6c24d9f9ebd5830b1290b18e4 # v2.23.0
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
+        uses: github/codeql-action/analyze@8b7fcbfac2aae0e6c24d9f9ebd5830b1290b18e4 # v2.23.0
         with:
           category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
@@ -16,7 +16,7 @@ jobs:
           python-version: '3.10'
       - name: Upgrade pip
         run: python -m pip install --upgrade pip
-      - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -25,7 +25,7 @@ jobs:
         python-version: '3.10'
     - name: Upgrade pip
       run: python -m pip install --upgrade pip
-    - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+    - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
       with:
         path: ~/.cache/pip
         key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}

diff --git a/app/api_key/rest.py b/app/api_key/rest.py
@@ -121,7 +121,8 @@ def revoke_api_keys():
 
     # Step 1
     try:
-        api_key_token = api_key_data["token"]
+        # take last 36 chars of string so that it works even if the full key is provided.
+        api_key_token = api_key_data["token"][-36:]
         api_key = get_api_key_by_secret(api_key_token)
     except Exception:
         current_app.logger.error(

diff --git a/app/authentication/auth.py b/app/authentication/auth.py
@@ -152,8 +152,19 @@ def requires_auth():
 
 
 def _auth_by_api_key(auth_token):
+    # TODO: uncomment this when the grace period for the token prefix is over
+    # orig_token = auth_token
+
     try:
+        # take last 36 chars of string so that it works even if the full key is provided.
+        auth_token = auth_token[-36:]
         api_key = get_api_key_by_secret(auth_token)
+
+        # TODO: uncomment this when the grace period for the token prefix is over
+        # check for token prefix
+        # if current_app.config["API_KEY_PREFIX"] not in orig_token:
+        #     raise AuthError("Invalid token: you must re-generate your API key to continue using GC Notify", 403, service_id=api_key.service.id, api_key_id=api_key.id)
+
     except NoResultFound:
         raise AuthError("Invalid token: API key not found", 403)
     _auth_with_api_key(api_key, api_key.service)

diff --git a/app/dao/api_key_dao.py b/app/dao/api_key_dao.py
@@ -76,30 +76,13 @@ def update_compromised_api_key_info(service_id, api_key_id, compromised_info):
     db.session.add(api_key)
 
 
-def get_api_key_by_secret(secret, service_id=None):
-    # Check the first part of the secret is the gc prefix
-    if current_app.config["API_KEY_PREFIX"] != secret[: len(current_app.config["API_KEY_PREFIX"])]:
-        raise NoResultFound()
-
-    # Check if the remaining part of the secret is a the valid api key
-    token = secret[-36:]
-    signed_with_all_keys = signer_api_key.sign_with_all_keys(str(token))
+def get_api_key_by_secret(secret):
+    signed_with_all_keys = signer_api_key.sign_with_all_keys(str(secret))
     for signed_secret in signed_with_all_keys:
         try:
-            api_key = db.on_reader().query(ApiKey).filter_by(_secret=signed_secret).options(joinedload("service")).one()
+            return db.on_reader().query(ApiKey).filter_by(_secret=signed_secret).options(joinedload("service")).one()
         except NoResultFound:
             pass
-
-    # Check the middle portion of the secret is the valid service id
-    if api_key.service_id:
-        if len(secret) >= 79:
-            service_id_from_token = str(secret[-73:-37])
-            if str(api_key.service_id) != service_id_from_token:
-                raise NoResultFound()
-        else:
-            raise NoResultFound()
-    if api_key:
-        return api_key
     raise NoResultFound()