Deprecate hash internal attributes configuration option

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

doc/README.md

@@ -119,7 +119,7 @@ linking, the `user_id_to_attr` configuration parameter should be set, since that
 service will overwrite the user identifier generated by the proxy.
 
 
-### hash
+### hash **DEPRECATED - use the hasher micro-service**
 The proxy can hash any attribute value (e.g., for obfuscation) before passing
 it on to the client. The `hash` key should contain a list of all attribute names
 for which the corresponding attribute values should be hashed before being

example/internal_attributes.yaml.example

@@ -40,6 +40,5 @@ attributes:
     orcid: [name.family-name.value]
     openid: [family_name]
     saml: [sn, surname]
-hash: [edupersontargetedid]
 user_id_from_attrs: [edupersontargetedid]
 user_id_to_attr: edupersontargetedid

src/satosa/base.py

@@ -22,6 +22,8 @@
 from .routing import ModuleRouter, SATOSANoBoundEndpointError
 from .state import cookie_to_state, SATOSAStateError, State, state_to_cookie
 
+from satosa.deprecated import hash_attributes
+
 
 _warnings.simplefilter("default")
 
@@ -53,6 +55,14 @@ def __init__(self, config):
                 ).format(opt=option)
                 _warnings.warn(msg, DeprecationWarning)
 
+        for option in ["hash"]:
+            if option in self.config["INTERNAL_ATTRIBUTES"]:
+                msg = (
+                    "'{opt}' configuration option is deprecated."
+                    " Use the hasher microservice instead."
+                ).format(opt=option)
+                _warnings.warn(msg, DeprecationWarning)
+
         logger.info("Loading backend modules...")
         backends = load_backends(self.config, self._auth_resp_callback_func,
                                  self.config["INTERNAL_ATTRIBUTES"])
@@ -145,17 +155,11 @@ def _auth_resp_finish(self, context, internal_response):
         if user_id_to_attr:
             internal_response.attributes[user_id_to_attr] = [internal_response.user_id]
 
-        # Hash all attributes specified in INTERNAL_ATTRIBUTES["hash"]
-        hash_attributes = self.config["INTERNAL_ATTRIBUTES"].get("hash", [])
-        internal_attributes = internal_response.attributes
-        for attribute in hash_attributes:
-            # hash all attribute values individually
-            if attribute in internal_attributes:
-                hashed_values = [
-                    util.hash_data(self.config["USER_ID_HASH_SALT"], v)
-                    for v in internal_attributes[attribute]
-                ]
-                internal_attributes[attribute] = hashed_values
+        hash_attributes(
+            self.config["INTERNAL_ATTRIBUTES"].get("hash", []),
+            internal_response.attributes,
+            self.config.get("USER_ID_HASH_SALT", ""),
+        )
 
         # remove all session state
         context.request = None

src/satosa/deprecated.py

@@ -184,3 +184,21 @@ def oidc_subject_type_to_hash_type(subject_type):
         return UserIdHashType.public
 
     return UserIdHashType.pairwise
+
+
+def hash_attributes(hash_attributes, internal_attributes, salt):
+    # Hash all attributes specified in INTERNAL_ATTRIBUTES["hash"]
+    for attribute in hash_attributes:
+        msg = (
+            "'USER_ID_HASH_SALT' configuration option is deprecated."
+            " 'hash' configuration option is deprecated."
+            " Use the hasher microservice instead."
+        )
+        _warnings.warn(msg, DeprecationWarning)
+
+        # hash all attribute values individually
+        if attribute in internal_attributes:
+            hashed_values = [
+                util.hash_data(salt, v) for v in internal_attributes[attribute]
+            ]
+            internal_attributes[attribute] = hashed_values