From 4eaf875741a0ccaa6335aa0e25de1724615c807d Mon Sep 17 00:00:00 2001
From: Feanil Patel
Date: Thu, 19 Sep 2019 15:53:39 -0400
Subject: [PATCH] BOM-621 Fix hashing in a bunch of places.
---
 common/djangoapps/student/tests/test_models.py | 2 +-
 common/djangoapps/third_party_auth/pipeline.py | 8 ++++----
 .../third_party_auth/tests/specs/test_google.py | 6 +++---
 .../user_api/accounts/tests/test_image_helpers.py | 2 +-
 .../core/djangoapps/user_api/accounts/tests/test_views.py | 2 +-
 openedx/features/enterprise_support/utils.py | 2 +-
 6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/common/djangoapps/student/tests/test_models.py b/common/djangoapps/student/tests/test_models.py
index e6b7d482e8..e3d83784fd 100644
--- a/common/djangoapps/student/tests/test_models.py
+++ b/common/djangoapps/student/tests/test_models.py
@@ -63,7 +63,7 @@ class CourseEnrollmentTests(SharedModuleStoreTestCase):
 self.assertIsNone(CourseEnrollment.generate_enrollment_status_hash(AnonymousUser()))
 # No enrollments
- expected = hashlib.md5(self.user.username).hexdigest()
+ expected = hashlib.md5(self.user.username.encode('utf-8')).hexdigest()
 self.assertEqual(CourseEnrollment.generate_enrollment_status_hash(self.user), expected)
 self.assert_enrollment_status_hash_cached(self.user, expected)
diff --git a/common/djangoapps/third_party_auth/pipeline.py b/common/djangoapps/third_party_auth/pipeline.py
index 03a9691a3b..55008258b5 100644
--- a/common/djangoapps/third_party_auth/pipeline.py
+++ b/common/djangoapps/third_party_auth/pipeline.py
@@ -503,17 +503,17 @@ def redirect_to_custom_form(request, auth_entry, details, kwargs):
 if isinstance(secret_key, six.text_type):
 secret_key = secret_key.encode('utf-8')
 custom_form_url = form_info['url']
- data_str = json.dumps({
+ data_bytes = json.dumps({
 "auth_entry": auth_entry,
 "backend_name": backend_name,
 "provider_id": provider_id,
 "user_details": details,
- })
- digest = hmac.new(secret_key, msg=data_str, digestmod=hashlib.sha256).digest()
+ }).encode('utf-8')
+ digest = hmac.new(secret_key, msg=data_bytes, digestmod=hashlib.sha256).digest()
 # Store the data in the session temporarily, then redirect to a page that will POST it to
 # the custom login/register page.
 request.session['tpa_custom_auth_entry_data'] = {
- 'data': base64.b64encode(data_str),
+ 'data': base64.b64encode(data_bytes),
 'hmac': base64.b64encode(digest),
 'post_url': custom_form_url,
 }
diff --git a/common/djangoapps/third_party_auth/tests/specs/test_google.py b/common/djangoapps/third_party_auth/tests/specs/test_google.py
index db8661810e..9562c0a9ac 100644
--- a/common/djangoapps/third_party_auth/tests/specs/test_google.py
+++ b/common/djangoapps/third_party_auth/tests/specs/test_google.py
@@ -78,8 +78,8 @@ class GoogleOauth2IntegrationTest(base.Oauth2IntegrationTest):
 response = self.client.get(response['Location'])
 self.assertEqual(response.status_code, 200)
- self.assertIn('action="/misc/my-custom-registration-form" method="post"', response.content)
- data_decoded = base64.b64decode(response.context['data'])
+ self.assertIn('action="/misc/my-custom-registration-form" method="post"', response.content.decode('utf-8'))
+ data_decoded = base64.b64decode(response.context['data']).decode('utf-8')
 data_parsed = json.loads(data_decoded)
 # The user's details get passed to the custom page as a base64 encoded query parameter:
 self.assertEqual(data_parsed, {
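Review bot: In common/djangoapps/third_party_auth/pipeline.py, the two `base64.b64encode(...)` values written to `request.session['tpa_custom_auth_entry_data']` are still bytes on Python 3, which a JSON session serializer cannot store and which a template would render as `b'...'` in the form field posted to the custom page. Decoding the encoded values keeps the session entry text-only: `'data': base64.b64encode(data_bytes).decode('ascii'),` and likewise for `'hmac'`. The HMAC covers the exact `data_bytes` serialization, so a comment such as `# Receiver must verify the HMAC over the decoded bytes as received, not over re-serialized JSON` would help integrators. redirect_to_custom_form starts before and continues past this hunk, so how the session entry is consumed is not visible here.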
@@ -96,7 +96,7 @@ class GoogleOauth2IntegrationTest(base.Oauth2IntegrationTest):
 })
 # Check the hash that is used to confirm the user's data in the GET parameter is correct
 secret_key = settings.THIRD_PARTY_AUTH_CUSTOM_AUTH_FORMS['custom1']['secret_key']
- hmac_expected = hmac.new(secret_key, msg=data_decoded, digestmod=hashlib.sha256).digest()
+ hmac_expected = hmac.new(secret_key.encode('utf-8'), msg=data_decoded.encode('utf-8'), digestmod=hashlib.sha256).digest()
 self.assertEqual(base64.b64decode(response.context['hmac']), hmac_expected)
 # Now our custom registration form creates or logs in the user:
diff --git a/openedx/core/djangoapps/user_api/accounts/tests/test_image_helpers.py b/openedx/core/djangoapps/user_api/accounts/tests/test_image_helpers.py
index b2e04e16f1..bb867c952b 100644
--- a/openedx/core/djangoapps/user_api/accounts/tests/test_image_helpers.py
+++ b/openedx/core/djangoapps/user_api/accounts/tests/test_image_helpers.py
@@ -73,7 +73,7 @@ class ProfileImageUrlTestCase(TestCase):
 """
 self.user.profile.profile_image_uploaded_at = TEST_PROFILE_IMAGE_UPLOAD_DT
 self.user.profile.save()
- expected_name = hashlib.md5('secret' + self.user.username).hexdigest()
+ expected_name = hashlib.md5('secret' + self.user.username.encode('utf-8')).hexdigest()
 actual_urls = get_profile_image_urls_for_user(self.user)
 self.verify_urls(actual_urls, expected_name, is_default=False)
diff --git a/openedx/core/djangoapps/user_api/accounts/tests/test_views.py b/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
index 683651a129..0812282ee8 100644
--- a/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
+++ b/openedx/core/djangoapps/user_api/accounts/tests/test_views.py
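Review bot: In test_google.py the expected HMAC is computed over `data_decoded.encode('utf-8')`, so the payload is decoded to text in the previous hunk and re-encoded here, and the test checks a round-tripped copy rather than the bytes the form actually carries. Keeping the raw value, e.g. `data_bytes = base64.b64decode(response.context['data'])`, and passing `msg=data_bytes` mirrors what the receiving form has to verify. `secret_key.encode('utf-8')` is also unconditional here, whereas pipeline.py encodes only when the key is `six.text_type`; the same guard would keep the test valid if the setting is ever supplied as bytes.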
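Review bot: In test_image_helpers.py, `'secret' + self.user.username.encode('utf-8')` concatenates a str literal with bytes, which raises TypeError on Python 3; it only works on Python 2, where the literal is a byte string (assuming the module does not use `unicode_literals`). Encoding after the concatenation works on both versions: `expected_name = hashlib.md5(('secret' + self.user.username).encode('utf-8')).hexdigest()`. The `filename = ...` line in the test_views.py hunk has the same expression and needs the same change.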
@@ -126,7 +126,7 @@ class UserAPITestCase(APITestCase):
 template = '{root}/{filename}_{{size}}.{extension}'
 if has_profile_image:
 url_root = 'http://example-storage.com/profile-images'
- filename = hashlib.md5('secret' + self.user.username).hexdigest()
+ filename = hashlib.md5('secret' + self.user.username.encode('utf-8')).hexdigest()
 file_extension = 'jpg'
 template += '?v={}'.format(TEST_PROFILE_IMAGE_UPLOADED_AT.strftime("%s"))
 else:
diff --git a/openedx/features/enterprise_support/utils.py b/openedx/features/enterprise_support/utils.py
index 347029267d..a5a05e402c 100644
--- a/openedx/features/enterprise_support/utils.py
+++ b/openedx/features/enterprise_support/utils.py
@@ -39,7 +39,7 @@ def get_cache_key(**kwargs):
 """
 key = '__'.join(['{}:{}'.format(item, value) for item, value in six.iteritems(kwargs)])
- return hashlib.md5(key.encode('utf-8')).hexdigest()
+ return hashlib.md5(key.encode('utf-8')).hexdigest()
 def get_data_consent_share_cache_key(user_id, course_id):
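Review bot: In openedx/features/enterprise_support/utils.py, `get_cache_key` joins `kwargs` in iteration order, so on Python 3.7+ the same arguments passed in a different keyword order hash to different keys, and on older interpreters the order is an implementation detail. Iterating `sorted(six.iteritems(kwargs))` makes the key canonical. Values are also joined with `__` and `:` without escaping, so distinct argument sets can in principle serialize to the same string; a docstring line such as `Values must not contain '__'; the key does not depend on keyword order.` would record the contract. The function's signature and the start of its docstring are outside the hunk.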