remove resolved TODO, the update_secret is hashed using django's "sha1" hasher (salted sha1)

Thomas Waldmann 2013-09-29 15:12:24 +02:00
parent 1809737ae3
commit 105315548a
2 changed files with 6 additions and 3 deletions


@ -39,7 +39,6 @@ class Domain(models.Model):
class Host(models.Model):
"""TODO: hash update_secret on save (if not already hashed)"""
#fqdn = models.CharField(max_length=256, unique=True, verbose_name="Fully qualified domain name")
subdomain = models.CharField(max_length=256, validators=[
RegexValidator(
@ -48,7 +47,7 @@ class Host(models.Model):
),
domain_blacklist_validator])
domain = models.ForeignKey(Domain)
update_secret = models.CharField(max_length=256)
update_secret = models.CharField(max_length=256) # gets hashed on save
comment = models.CharField(max_length=256, default='', blank=True, null=True)
last_update = models.DateTimeField(auto_now=True)
@ -60,4 +59,3 @@ class Host(models.Model):
class Meta:
unique_together = (('subdomain', 'domain'),)
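Review bot: The new trailing comment `# gets hashed on save` on `update_secret` promises more than the visible code enforces. In this commit the hashing is done by `make_password(..., hasher='sha1')` inside the two views' `form_valid()` methods, and no `Host.save()` override appears in these hunks, although the class body continues outside them. If that holds, any write path that bypasses those views (admin, shell, fixtures, a future API) would store the secret in clear text while the field comment says otherwise. I would either move the hashing into the model, or word the comment to match: `# stored as a make_password() hash; hashing is done in the views' form_valid(), not in Model.save()`.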


@ -46,6 +46,7 @@ class OverviewView(CreateView):
def form_valid(self, form):
self.object = form.save(commit=False)
self.object.created_by = self.request.user
# see comment in HostView about the quick hasher:
self.object.update_secret = make_password(self.object.update_secret, hasher='sha1')
self.object.save()
messages.add_message(self.request, messages.SUCCESS, 'Host added.')
@ -73,6 +74,10 @@ class HostView(UpdateView):
def form_valid(self, form):
self.object = form.save(commit=False)
self.object.created_by = self.request.user
# note: we use a quick hasher for the update_secret as expensive
# more modern hashes might put too much load on the servers. also
# many update clients might use http without ssl, so it is not too
# secure anyway.
self.object.update_secret = make_password(self.object.update_secret, hasher='sha1')
self.object.save()
messages.add_message(self.request, messages.SUCCESS, 'Host updated.')
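Review bot: The added comment in `HostView.form_valid` justifies the fast salted SHA1 hasher but omits the condition that makes the choice safe. A single-round hash only resists offline guessing after a database leak if `update_secret` is a long random value issued by the server rather than something a user picked. How secrets are generated is not visible here, so I would add a line such as `# only acceptable while update_secret is a server-generated random value` and confirm that it holds. Separately, the removed TODO read "if not already hashed", yet this method calls `make_password` on whatever the form returns on every update. If the edit form exposes `update_secret`, resubmitting the stored value would hash the hash and lock the update client out, so a guard or excluding the field from the update form looks necessary; `form_valid` continues past the end of the hunk.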