Get rid of the account_id hashing

ooni · Mar 15, 2024 · 6723348 · 6723348
1 parent 31eb88a
commit 6723348
Show file tree

Hide file tree

Showing 6 changed files with 0 additions and 42 deletions.
diff --git a/ooniapi/common/src/common/config.py b/ooniapi/common/src/common/config.py
@@ -14,7 +14,6 @@ class Settings(BaseSettings):
     statsd_port: int = 8125
     statsd_prefix: str = "ooniapi"
     jwt_encryption_key: str = "CHANGEME"
-    account_id_hashing_key: str = "CHANGEME"
     prometheus_metrics_password: str = "CHANGEME"
     session_expiry_days: int = 10
     login_expiry_days: int = 10

diff --git a/ooniapi/services/ooniauth/src/ooniauth/main.py b/ooniapi/services/ooniauth/src/ooniauth/main.py
@@ -83,9 +83,6 @@ async def health(
     if settings.aws_secret_access_key == "" or settings.aws_access_key_id == "":
         errors.append("bad_aws_credentials")
 
-    if settings.account_id_hashing_key == "CHANGEME":
-        errors.append("bad_prometheus_password")
-
     if len(errors) > 0:
         log.error(f"Health check errors: {errors}")
         raise HTTPException(status_code=542, detail=f"health check failed")

diff --git a/ooniapi/services/ooniauth/src/ooniauth/routers/v1.py b/ooniapi/services/ooniauth/src/ooniauth/routers/v1.py
@@ -15,7 +15,6 @@
 from ..utils import (
     create_session_token,
     get_account_role,
-    hash_email_address,
     send_login_email,
     format_login_url,
     VALID_REDIRECT_TO_FQDN,
@@ -72,17 +71,13 @@ async def user_register(
     """Auth Services: start email-based user registration"""
     email_address = user_register.email_address.lower()
 
-    account_id = hash_email_address(
-        email_address=email_address, key=settings.account_id_hashing_key
-    )
     now = datetime.now(timezone.utc)
     expiration = now + timedelta(days=1)
     # On the backend side the registration is stateless
     payload = {
         "nbf": now,
         "exp": expiration,
         "aud": "register",
-        "account_id": account_id,
         "email_address": email_address,
         "redirect_to": user_register.redirect_to,
     }

diff --git a/ooniapi/services/ooniauth/src/ooniauth/routers/v2.py b/ooniapi/services/ooniauth/src/ooniauth/routers/v2.py
@@ -15,7 +15,6 @@
 from ..utils import (
     create_session_token,
     get_account_role,
-    hash_email_address,
     send_login_email,
     format_login_url,
     VALID_REDIRECT_TO_FQDN,
@@ -69,17 +68,13 @@ async def create_user_login(
     """Auth Services: login by receiving an email"""
     email_address = req.email_address.lower()
 
-    account_id = hash_email_address(
-        email_address=email_address, key=settings.account_id_hashing_key
-    )
     now = datetime.now(timezone.utc)
     login_token_expiration = now + timedelta(days=1)
     # On the backend side the registration is stateless
     payload = {
         "nbf": now,
         "exp": login_token_expiration,
         "aud": "register",
-        "account_id": account_id,
         "email_address": email_address,
         "redirect_to": req.redirect_to,
     }

diff --git a/ooniapi/services/ooniauth/src/ooniauth/utils.py b/ooniapi/services/ooniauth/src/ooniauth/utils.py
@@ -1,4 +1,3 @@
-import hashlib
 import time
 from typing import List, Optional
 from textwrap import dedent
@@ -56,12 +55,6 @@ def get_account_role(admin_emails: List[str], email_address: str) -> str:
     return "user"
 
 
-def hash_email_address(email_address: str, key: str) -> str:
-    return hashlib.blake2b(
-        email_address.encode(), key=key.encode(), digest_size=16
-    ).hexdigest()
-
-
 def send_login_email(
     destination_address: str, source_address: str, login_url: str, ses_client
 ) -> str:

diff --git a/ooniapi/services/ooniauth/tests/conftest.py b/ooniapi/services/ooniauth/tests/conftest.py
@@ -48,11 +48,6 @@ def prometheus_password():
     return "super_secure"
 
 
-@pytest.fixture
-def account_id_hashing_key():
-    return "super_secure"
-
-
 @pytest.fixture
 def email_source_address():
     return "[email protected]"
@@ -83,33 +78,17 @@ def client(
     mock_ses_client,
     admin_email,
     jwt_encryption_key,
-    account_id_hashing_key,
     prometheus_password,
     email_source_address,
 ):
     app.dependency_overrides[get_settings] = make_override_get_settings(
         jwt_encryption_key=jwt_encryption_key,
         prometheus_metrics_password=prometheus_password,
         email_source_address=email_source_address,
-        account_id_hashing_key=account_id_hashing_key,
         aws_access_key_id="ITSCHANGED",
         admin_emails=[admin_email],
         aws_secret_access_key="ITSCHANGED",
     )
-    mock_clickhouse = MagicMock()
-    mock_clickhouse.execute = MagicMock()
-
-    # rows, coldata = q
-    # coldata = [("name", "type")]
-    def mock_execute(query, query_params, with_column_types, settings):
-        assert with_column_types == True
-        assert query.startswith("SELECT role FROM")
-        if query_params["account_id"] == hash_email_address(
-            email_address=admin_email, key=account_id_hashing_key
-        ):
-            return [("admin",)], [("role", "String")]
-
-        return [("user",)], [("role", "String")]
 
     client = TestClient(app)
     yield client