Deprecate USER_ID_HASH_SALT configuration option

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

doc/README.md

@@ -43,7 +43,7 @@ in the [example directory](../example).
 | `BACKEND_MODULES` | string[] | `[openid_connect_backend.yaml, saml2_backend.yaml]` | list of plugin configuration file paths, describing enabled backends |
 | `FRONTEND_MODULES` | string[] | `[saml2_frontend.yaml, openid_connect_frontend.yaml]` | list of plugin configuration file paths, describing enabled frontends |
 | `MICRO_SERVICES` | string[] | `[statistics_service.yaml]` | list of plugin configuration file paths, describing enabled microservices |
-| `USER_ID_HASH_SALT` | string | `61a89d2db0b9e1e2` | salt used when creating the persistent user identifier, will be overriden by the environment variable `SATOSA_USER_ID_HASH_SALT` if it is set |
+| `USER_ID_HASH_SALT` | string | `61a89d2db0b9e1e2` | **DEPRECATED - use the hasher micro-service** salt used when creating the persistent user identifier, will be overriden by the environment variable `SATOSA_USER_ID_HASH_SALT` if it is set |
 | `LOGGING` | dict | see [Python logging.conf](https://docs.python.org/3/library/logging.config.html) | optional configuration of application logging |
 
 
@@ -410,7 +410,7 @@ which should be used when configuring the attribute mapping (see above).
 ### Ping frontend for simple heartbeat monitoring
 
 The ping frontend responds to a query with a simple
-200 OK and is intended to be used as a simple heartbeat monitor, 
+200 OK and is intended to be used as a simple heartbeat monitor,
 for example by a load balancer. The default configuration file can
 be found [here](../example/plugins/frontends/ping_frontend.yaml.example).
 
@@ -581,7 +581,7 @@ The SATOSA proxy is a Python WSGI application and so may be run using any WSGI c
 
 Gunicorn 'Green Unicorn' is a Python WSGI HTTP Server for UNIX and is the server used most often
 to run the proxy. In a production deployment the Gunicorn server is often proxied by a
-full featured general purpose web server (in a reverse proxy architecture) such as Nginx or 
+full featured general purpose web server (in a reverse proxy architecture) such as Nginx or
 Apache HTTP Server to help buffer slow clients and enable more sophisticated error page rendering.
 
 Start the proxy server with the following command:

example/proxy_conf.yaml.example

@@ -13,7 +13,6 @@ FRONTEND_MODULES:
   - "plugins/frontends/saml2_frontend.yaml"
 MICRO_SERVICES:
   - "plugins/microservices/static_attributes.yaml"
-USER_ID_HASH_SALT: "61a89d2db0b9e1e27d490d050b478fe71f352fddd3528a44157f43e339c6c62f2362fb413179937d96172bf84233317"
 LOGGING:
   version: 1
   formatters:
@@ -40,4 +39,4 @@ LOGGING:
       propagate: no
   root:
     level: INFO
-    handlers: [info_file_handler]
+    handlers: [info_file_handler]

src/satosa/base.py

@@ -4,6 +4,7 @@
 import json
 import logging
 import uuid
+import warnings as _warnings
 
 from saml2.s_utils import UnknownSystemEntity
 
@@ -22,6 +23,8 @@
 from .state import cookie_to_state, SATOSAStateError, State, state_to_cookie
 
 
+_warnings.simplefilter("default")
+
 logger = logging.getLogger(__name__)
 
 STATE_KEY = "SATOSA_BASE"
@@ -41,6 +44,15 @@ def __init__(self, config):
         :param config: satosa proxy config
         """
         self.config = config
+
+        for option in ["USER_ID_HASH_SALT"]:
+            if option in self.config:
+                msg = (
+                    "'{opt}' configuration option is deprecated."
+                    " Use the hasher microservice instead."
+                ).format(opt=option)
+                _warnings.warn(msg, DeprecationWarning)
+
         logger.info("Loading backend modules...")
         backends = load_backends(self.config, self._auth_resp_callback_func,
                                  self.config["INTERNAL_ATTRIBUTES"])

tests/conftest.py

@@ -134,7 +134,6 @@ def satosa_config_dict(backend_plugin_config, frontend_plugin_config, request_mi
         "FRONTEND_MODULES": ["bar"],
         "INTERNAL_ATTRIBUTES": {"attributes": {}},
         "STATE_ENCRYPTION_KEY": "state_encryption_key",
-        "USER_ID_HASH_SALT": "user_id_hash_salt",
         "CUSTOM_PLUGIN_MODULE_PATHS": [os.path.dirname(__file__)],
         "BACKEND_MODULES": [backend_plugin_config],
         "FRONTEND_MODULES": [frontend_plugin_config],

tests/satosa/test_base.py

@@ -81,7 +81,7 @@ def test_auth_resp_callback_func_hashes_all_specified_attributes(self, context,
         base._auth_resp_callback_func(context, internal_resp)
         for attr in satosa_config["INTERNAL_ATTRIBUTES"]["hash"]:
             assert internal_resp.attributes[attr] == [
-                util.hash_data(satosa_config["USER_ID_HASH_SALT"], v)
+                util.hash_data(satosa_config.get("USER_ID_HASH_SALT", ""), v)
                 for v in attributes[attr]
             ]
 

tests/satosa/test_satosa_config.py

@@ -22,20 +22,15 @@ def non_sensitive_config_dict(self):
         return config
 
     def test_read_senstive_config_data_from_env_var(self, monkeypatch, non_sensitive_config_dict):
-        monkeypatch.setenv("SATOSA_USER_ID_HASH_SALT", "user_id_hash_salt")
         monkeypatch.setenv("SATOSA_STATE_ENCRYPTION_KEY", "state_encryption_key")
         config = SATOSAConfig(non_sensitive_config_dict)
-        assert config["USER_ID_HASH_SALT"] == "user_id_hash_salt"
         assert config["STATE_ENCRYPTION_KEY"] == "state_encryption_key"
 
     def test_senstive_config_data_from_env_var_overrides_config(self, monkeypatch, non_sensitive_config_dict):
-        non_sensitive_config_dict["USER_ID_HASH_SALT"] = "foo"
         non_sensitive_config_dict["STATE_ENCRYPTION_KEY"] = "bar"
-        monkeypatch.setenv("SATOSA_USER_ID_HASH_SALT", "user_id_hash_salt")
         monkeypatch.setenv("SATOSA_STATE_ENCRYPTION_KEY", "state_encryption_key")
 
         config = SATOSAConfig(non_sensitive_config_dict)
-        assert config["USER_ID_HASH_SALT"] == "user_id_hash_salt"
         assert config["STATE_ENCRYPTION_KEY"] == "state_encryption_key"
 
     def test_constructor_should_raise_exception_if_sensitive_keys_are_missing(self, non_sensitive_config_dict):