bug: Invalidate UAIDs that are not lowercase or contain dashes

Older UAIDs contain invalid characters and should be rejected. Closes #519
mozilla-services · Jul 15, 2016 · 4816fac · 4816fac
1 parent 7bbb7dd
commit 4816fac
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 11 deletions.
diff --git a/autopush/tests/test_db.py b/autopush/tests/test_db.py
@@ -104,6 +104,7 @@ def test_hasher(self):
         db.key_hash = ""
 
     def test_normalize_id(self):
+        # Note, yes, we forbid dashes in UAIDs, and we add them here.
         import autopush.db as db
         abnormal = "deadbeef00000000decafbad00000000"
         normal = "deadbeef-0000-0000-deca-fbad00000000"

diff --git a/autopush/tests/test_endpoint.py b/autopush/tests/test_endpoint.py
@@ -39,8 +39,8 @@
 from autopush.utils import (generate_hash, decipher_public_key)
 
 mock_dynamodb2 = mock_dynamodb2()
-dummy_uaid = str(uuid.UUID("abad1dea00000000aabbccdd00000000"))
-dummy_chid = str(uuid.UUID("deadbeef00000000decafbad00000000"))
+dummy_uaid = uuid.UUID("abad1dea00000000aabbccdd00000000").hex
+dummy_chid = str(uuid.UUID("deadbeef-0000-0000-deca-fbad00000000"))
 dummy_token = dummy_uaid + ":" + dummy_chid
 
 

diff --git a/autopush/tests/test_web_webpush.py b/autopush/tests/test_web_webpush.py
@@ -16,7 +16,7 @@
 from autopush.router.interface import IRouter, RouterResponse
 from autopush.settings import AutopushSettings
 
-dummy_request_id = "11111111-1234-1234-1234-567812345678"
+dummy_request_id = "11111111123412341234567812345678"
 dummy_uaid = str(uuid.UUID("abad1dea00000000aabbccdd00000000"))
 dummy_chid = str(uuid.UUID("deadbeef00000000decafbad00000000"))
 dummy_token = dummy_uaid + ":" + dummy_chid

diff --git a/autopush/tests/test_websocket.py b/autopush/tests/test_websocket.py
@@ -412,7 +412,7 @@ def wait_for_agent_call():  # pragma: nocover
         return d
 
     def test_hello_old(self):
-        orig_uaid = "deadbeef-0000-0000-abad-1dea00000000"
+        orig_uaid = "deadbeef00000000abad1dea00000000"
         # router.register_user returns (registered, previous
         target_day = datetime.date(2016, 2, 29)
         msg_day = datetime.date(2015, 12, 15)
@@ -466,7 +466,7 @@ def check_result(msg):
         return self._check_response(check_result)
 
     def test_hello_tomorrow(self):
-        orig_uaid = "deadbeef-0000-0000-abad-1dea00000000"
+        orig_uaid = "deadbeef00000000abad1dea00000000"
         # router.register_user returns (registered, previous
         target_day = datetime.date(2016, 2, 29)
         msg_day = datetime.date(2016, 3, 1)
@@ -548,7 +548,7 @@ def check_result(msg):
 
     def test_hello_with_uaid(self):
         self._connect()
-        uaid = str(uuid.uuid4())
+        uaid = uuid.uuid4().hex
         self._send_message(dict(messageType="hello", channelIDs=[],
                                 uaid=uaid))
 
@@ -579,6 +579,28 @@ def check_result(msg):
             assert msg["uaid"] != uaid
         return self._check_response(check_result)
 
+    def test_hello_with_bad_uaid_dash(self):
+        self._connect()
+        uaid = str(uuid.uuid4())
+        self._send_message(dict(messageType="hello", channelIDs=[],
+                                uaid=uaid))
+
+        def check_result(msg):
+            eq_(msg["status"], 200)
+            assert msg["uaid"] != uaid
+        return self._check_response(check_result)
+
+    def test_hello_with_bad_uaid_case(self):
+        self._connect()
+        uaid = uuid.uuid4().hex.upper()
+        self._send_message(dict(messageType="hello", channelIDs=[],
+                                uaid=uaid))
+
+        def check_result(msg):
+            eq_(msg["status"], 200)
+            assert msg["uaid"] != uaid
+        return self._check_response(check_result)
+
     def test_hello_failure(self):
         self._connect()
         # Fail out the register_user call
@@ -1057,7 +1079,7 @@ def test_register_kill_others(self):
         mock_agent = Mock()
         self.proto.ap_settings.agent = mock_agent
         nodeId = "http://otherhost"
-        uaid = "deadbeef-0000-0000-0000-000000000000"
+        uaid = "deadbeef000000000000000000000000"
         self.proto.ps.uaid = uaid
         connected = int(time.time())
         res = dict(node_id=nodeId, connected_at=connected, uaid=uaid)
@@ -1072,7 +1094,7 @@ def test_register_kill_others_fail(self):
         d = Deferred()
         self.proto.ap_settings.agent.request.return_value = d
         nodeId = "http://otherhost"
-        uaid = "deadbeef-0000-0000-0000-000000000000"
+        uaid = "deadbeef000000000000000000000000"
         self.proto.ps.uaid = uaid
         connected = int(time.time())
         res = dict(node_id=nodeId, connected_at=connected, uaid=uaid)
@@ -1085,7 +1107,7 @@ def test_check_kill_self(self):
         mock_agent = Mock()
         self.proto.ap_settings.agent = mock_agent
         nodeId = "http://localhost"
-        uaid = "deadbeef-0000-0000-0000-000000000000"
+        uaid = "deadbeef000000000000000000000000"
         # Test that the 'existing' connection is newer than the current one.
         connected = int(time.time() * 1000)
         ca = connected + 30000
@@ -1106,7 +1128,7 @@ def test_check_kill_existing(self):
         mock_agent = Mock()
         self.proto.ap_settings.agent = mock_agent
         nodeId = "http://localhost"
-        uaid = "deadbeef-0000-0000-0000-000000000000"
+        uaid = "deadbeef000000000000000000000000"
         # Test that the 'existing' connection is older than the current one.
         connected = int(time.time() * 1000)
         ca = connected - 30000

diff --git a/autopush/utils.py b/autopush/utils.py
@@ -45,7 +45,8 @@ def validate_uaid(uaid):
     uaid, or a new uaid if its invalid"""
     if uaid:
         try:
-            return bool(uuid.UUID(uaid)), uaid
+            if uuid.UUID(uaid).hex == uaid:
+                return True, uaid
         except ValueError:
             pass
     return False, uuid.uuid4().hex