Giters

Kinto / kinto-signer

Digital signatures to guarantee integrity and authenticity of collections of records.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Per-bucket settings are exposed as collections

glasserc opened this issue · comments

commented

The README says:

Settings can be prefixed with bucket id:

.. code-block:: ini

    kinto.signer.signer_backend = kinto_signer.signer.autograph
    kinto.signer.autograph.server_url = http://172.11.20.1:8888

    kinto.signer.<bucket-id>.autograph.hawk_id = bob
    kinto.signer.<bucket-id>.autograph.hawk_secret = a-secret

But if you do this, you end up with a setting like kinto.signer.sb2.ecdsa.public_key = /path/to/key, which kinto-signer understands to mean "a public_key setting for the collection sb2/ecdsa", which is probably not what was intended.

Example test:

    def test_includeme_sanitizes_exposed_settings(self):
        settings = {
            "signer.resources": (
                "/buckets/sb1 -> /buckets/db1\n"
                "/buckets/sb2 -> /buckets/db2\n"
            ),
            "signer.signer_backend": "kinto_signer.signer.local_ecdsa",
            "signer.ecdsa.public_key": "/path/to/key",
            "signer.ecdsa.private_key": "/path/to/private",
            "signer.sb2.signer_backend": "kinto_signer.signer.local_ecdsa",
            "signer.sb2.ecdsa.public_key": "/path/to/key",
            "signer.sb2.ecdsa.private_key": "/path/to/private",
        }
        config = self.includeme(settings)
        all_capabilities = config.registry.api_capabilities
        capabilities = all_capabilities["signer"]
        for resource in capabilities["resources"]:
            assert resource["source"]["collection"] != "ecdsa"