
Add a specific salt key for default_bucket ID generation #881

Open
Natim opened this issue Oct 26, 2016 · 16 comments
Comments

@Natim
Member

Natim commented Oct 26, 2016

Here https://github.com/Kinto/kinto/blob/master/kinto/plugins/default_bucket/__init__.py#L172

We are using the same secret as the BasicAuth plugin.
We should fall back to the basic auth secret, but we should use another preferred key that doesn't contain "secret" but "salt" in its name.

default_bucket_ID_salt
@mansimarkaur
Member

@Natim How many characters and base salt do you think should be used?

@Natim
Member Author

Natim commented Oct 28, 2016

As much as security people want to use.

Right now they want to use this command to generate the salt:

cat /dev/urandom | tr -dc _A-Z-a-z-0-9 | head -c${1:-32}; echo

@sahildua2305
Member

@Natim how do we plan to take input for the salt (or the pattern) from the user?

@Natim
Member Author

Natim commented Nov 14, 2016

The same way we do for the userHmacSecret I guess. Using the command kinto init to generate it and then we will have something different for kinto-heroku and in the doc we can explain to people how to change it.

@leplatrem
Contributor

Related #691

@suraj1074

@Natim So basically we need to make this change in the file https://github.com/Kinto/kinto/blob/master/kinto/plugins/default_bucket/__init__.py#L172

# .get() so a missing setting yields None instead of raising KeyError
secret = settings.get('default_bucket_ID_salt')
if secret is None:
    # fall back to the secret the BasicAuth plugin already uses
    secret = settings['userid_hmac_secret']

@Natim
Member Author

Natim commented Sep 19, 2017

Yes something like that as well as adding some tests and updating the kinto command.

secret = settings.get('default_bucket_ID_salt', settings['userid_hmac_secret'])

@chinchaun

chinchaun commented Aug 22, 2018

Hello there, I was looking at this issue and trying to fix it. I have a question related to testing the changes:
in the test files, the logic of the function default_bucket_id has been mimicked

# method of the default_bucket test class; hmac_digest and UUID are imported
# at the top of that test module
def test_default_bucket_exists_and_has_user_id(self):
    bucket = self.app.get(self.bucket_url, headers=self.headers)
    result = bucket.json
    settings = self.app.app.registry.settings
    hmac_secret = settings['userid_hmac_secret']
    # same derivation as default_bucket_id: first 32 hex chars of the HMAC
    bucket_id = hmac_digest(hmac_secret, self.principal)[:32]

    self.assertEqual(result['data']['id'], str(UUID(bucket_id)))
    self.assertEqual(result['permissions']['write'], [self.principal])

but the method is not being invoked. I don't have too much experience in Python, so I don't know how to invoke the method that needs to be tested for the new behaviour implementation, or maybe I'm missing something.

Kind regards

@glasserc
Contributor

The existing function needs a Request in order to run. From the specific test, it wasn't convenient to create a request so we just duplicated the logic. If you changed the default_bucket_id implementation, probably it's enough to reflect those changes in this test. Otherwise you'll have to change the test to actually use the default_bucket_id logic, either by creating a Request or by extracting a non-Request version which can be used here. Either choice might be the better move long-term anyhow.

It also occurs to me that this task might be obsoleted by #1736.
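As an added, stand-alone example (not Kinto's own code and not part of this thread), the following Python puts the pieces discussed above into one place: resolving the salt with the fallback Natim describes, a request-free version of the bucket-ID derivation of the kind glasserc suggests extracting so tests stop duplicating the logic, a salt generator in place of the /dev/urandom pipeline, and a check for what happens when the salt is rotated. `hmac_digest` is re-implemented on the assumption that it matches kinto.core.utils.hmac_digest (HMAC-SHA256 hex digest); the setting names come from the thread; `resolve_salt`, `generate_salt`, `salt_rotation_changes_id` and the sample settings and principal are this example's own.

```python
import hashlib
import hmac
import secrets
from uuid import UUID


def generate_salt(nbytes=32):
    """Return a random URL-safe salt from the OS CSPRNG.

    Stands in for the `cat /dev/urandom | tr ...` pipeline quoted in the
    thread; `secrets` is the Python equivalent and needs no shell.
    """
    return secrets.token_urlsafe(nbytes)


def hmac_digest(secret, message, encoding="utf-8"):
    """HMAC-SHA256 hex digest of `message` keyed with `secret`.

    Assumption: this matches what kinto.core.utils.hmac_digest computes; it is
    re-implemented here only so the example runs without Kinto installed.
    """
    return hmac.new(secret.encode(encoding), message.encode(encoding),
                    hashlib.sha256).hexdigest()


def resolve_salt(settings):
    """Pick the key used to derive default bucket IDs.

    The dedicated `default_bucket_ID_salt` setting wins when present and
    non-empty; otherwise fall back to `userid_hmac_secret`, which is what the
    plugin used before this issue. Treating an empty string as unset is this
    example's choice: an empty HMAC key would make bucket IDs computable by
    anyone who knows the principal.
    """
    salt = settings.get("default_bucket_ID_salt")
    if not salt:
        salt = settings["userid_hmac_secret"]
    return salt


def default_bucket_id(settings, principal):
    """Request-free version of the derivation: the first 32 hex chars of
    HMAC(salt, principal), formatted as a UUID string."""
    digest = hmac_digest(resolve_salt(settings), principal)[:32]
    return str(UUID(digest))


def salt_rotation_changes_id(principal, old_settings, new_salt):
    """True when switching to `new_salt` moves `principal` to a different
    default bucket. This is the operational caveat: rotating the salt after
    deployment orphans every existing default bucket."""
    new_settings = dict(old_settings, default_bucket_ID_salt=new_salt)
    return (default_bucket_id(old_settings, principal)
            != default_bucket_id(new_settings, principal))


if __name__ == "__main__":
    # Constructed sample settings and principal (not real deployment values).
    settings = {"userid_hmac_secret": "constructed-userid-hmac-secret"}
    principal = "basicauth:c5a1d0b3"
    print("fallback salt :", default_bucket_id(settings, principal))
    settings["default_bucket_ID_salt"] = generate_salt()
    print("dedicated salt:", default_bucket_id(settings, principal))
```

A test like the one quoted above can then call `default_bucket_id(settings, principal)` instead of re-deriving the HMAC itself, so a change to the derivation only has to be made in one place. Note the rotation check: because the ID is a pure function of the salt and the principal, changing `default_bucket_ID_salt` on a running deployment silently gives every user a new, empty default bucket, so the salt should be generated once (e.g. by `kinto init`) and then kept stable.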

@firegolem

Is this still relevant? If yes, I'd like to try and pick it up.

@Natim
Member Author

Natim commented Jan 19, 2020

Yes

@ankushduacodes

@Natim, I would like to pick this up (if it's still available). Could you please explain what needs to be done here, and why?

@feiming
Contributor

feiming commented Oct 29, 2020

@Natim is this still available?

@feiming
Contributor

feiming commented Oct 31, 2020

#2647

@Natim Natim mentioned this issue Oct 31, 2020
@vas0k

vas0k commented Sep 26, 2021

Hey guys, I'm new to open source development and would like to contribute to this issue, if it's still open.

Thanks.

@leplatrem
Contributor

Hello,
I imagine that you picked this issue because of the easy pick label.
I don't think this has a high priority, and if you don't mind I would suggest you look at the open issues labelled "bug" instead.
Thank you for your interest!
