From 2e30cca21f3775098ec62e394a33255168bbac91 Mon Sep 17 00:00:00 2001
From: Gerrit Vermeulen
Date: Thu, 23 Jan 2025 14:59:26 +0200
Subject: [PATCH 1/3] Add debugging to hmac and a way to turn signature verification off
---
 .../applications/turn_channels_api/README.md | 1 +
 .../turn_channels_api/turn_channels_api.py | 17 ++++++++++-------
 2 files changed, 11 insertions(+), 7 deletions(-)
 create mode 100644 src/vumi2/applications/turn_channels_api/README.md
diff --git a/src/vumi2/applications/turn_channels_api/README.md b/src/vumi2/applications/turn_channels_api/README.md
new file mode 100644
index 0000000..79e417a
--- /dev/null
+++ b/src/vumi2/applications/turn_channels_api/README.md
@@ -0,0 +1 @@
+## THIS IS A TEST APPLICATION AND SHOULD NOT BE USED IN PRODUCTION
\ No newline at end of file
diff --git a/src/vumi2/applications/turn_channels_api/turn_channels_api.py b/src/vumi2/applications/turn_channels_api/turn_channels_api.py
index de1ba29..291fae9 100644
--- a/src/vumi2/applications/turn_channels_api/turn_channels_api.py
+++ b/src/vumi2/applications/turn_channels_api/turn_channels_api.py
@@ -184,13 +184,16 @@ async def http_send_message(self) -> dict[Any, Any]:
 if isinstance(request_data, bytes):
 request_data = request_data.decode()
 # Verify the hmac signature
- h = hmac.new(
- self.config.secret_key.encode(), request_data.encode(), sha256
- ).digest()
- computed_signature = str(base64.b64encode(h))
- signature = request.headers.get("X-Turn-Hook-Signature", "")
- if not hmac.compare_digest(computed_signature, signature):
- raise SignatureMismatchError()
+ if self.config.secret_key:
+ logger.info("Verifying HMAC signature")
+ h = hmac.new(
+ self.config.secret_key.encode(), request_data.encode(), sha256
+ ).digest()
+ computed_signature = str(base64.b64encode(h))
+ signature = request.headers.get("X-Turn-Hook-Signature", "")
+ logger.info(f"Signature from Turn: {signature}. Computed: {computed_signature}")
+ if not hmac.compare_digest(computed_signature, signature):
+ raise SignatureMismatchError()
 msg_dict = json.loads(request_data)
 except json.JSONDecodeError as e:
From 7cd6b645eed5868a0d704ad671f02f17ad4e4bb4 Mon Sep 17 00:00:00 2001
From: Gerrit Vermeulen
Date: Thu, 23 Jan 2025 15:00:52 +0200
Subject: [PATCH 2/3] lint
---
 .../applications/turn_channels_api/turn_channels_api.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/vumi2/applications/turn_channels_api/turn_channels_api.py b/src/vumi2/applications/turn_channels_api/turn_channels_api.py
index 291fae9..885232a 100644
--- a/src/vumi2/applications/turn_channels_api/turn_channels_api.py
+++ b/src/vumi2/applications/turn_channels_api/turn_channels_api.py
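Review bot: In the PATCH 1/3 hunk, the `if self.config.secret_key:` guard makes signature verification fail open: an empty or unset secret silently accepts every request reaching `http_send_message`, so a deployment mistake looks the same as a deliberate opt-out. A separate explicit switch (hypothetical name `verify_signature`; the config class is not visible here) with a missing secret rejected at startup would keep the opt-out deliberate and auditable. The added `logger.info(f"Signature from Turn: ...")` also writes the computed HMAC to the log, and that value is a valid signature for the request body it was computed over, so logging only the outcome, e.g. `logger.debug("HMAC signature match: %s", ok)`, gives the diagnostic without the authenticator. The mismatches being debugged probably come from `str(base64.b64encode(h))`, which yields the bytes repr `b'...'` rather than the base64 text; assuming the header carries plain base64, `computed_signature = base64.b64encode(h).decode()` is the likely fix. The function body starts and ends outside the hunk.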
@@ -187,11 +187,15 @@ async def http_send_message(self) -> dict[Any, Any]:
 if self.config.secret_key:
 logger.info("Verifying HMAC signature")
 h = hmac.new(
- self.config.secret_key.encode(), request_data.encode(), sha256
+ self.config.secret_key.encode(),
+ request_data.encode(),
+ sha256,
 ).digest()
 computed_signature = str(base64.b64encode(h))
 signature = request.headers.get("X-Turn-Hook-Signature", "")
- logger.info(f"Signature from Turn: {signature}. Computed: {computed_signature}")
+ logger.info(
+ f"Signature from Turn: {signature}. Computed: {computed_signature}"
+ )
 if not hmac.compare_digest(computed_signature, signature):
 raise SignatureMismatchError()
From 9d4fd6d991a956b5b414fb3602d357e41b9c6a67 Mon Sep 17 00:00:00 2001
From: Gerrit Vermeulen
Date: Thu, 23 Jan 2025 15:02:23 +0200
Subject: [PATCH 3/3] format file
---
 src/vumi2/applications/turn_channels_api/turn_channels_api.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/vumi2/applications/turn_channels_api/turn_channels_api.py b/src/vumi2/applications/turn_channels_api/turn_channels_api.py
index 885232a..d03d291 100644
--- a/src/vumi2/applications/turn_channels_api/turn_channels_api.py
+++ b/src/vumi2/applications/turn_channels_api/turn_channels_api.py
@@ -194,7 +194,8 @@ async def http_send_message(self) -> dict[Any, Any]:
 computed_signature = str(base64.b64encode(h))
 signature = request.headers.get("X-Turn-Hook-Signature", "")
 logger.info(
- f"Signature from Turn: {signature}. Computed: {computed_signature}"
+ f"Signature from Turn: {signature}."
+ "Computed: {computed_signature}"
 )
 if not hmac.compare_digest(computed_signature, signature):
 raise SignatureMismatchError()
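Review bot: In the PATCH 3/3 hunk the second literal, `"Computed: {computed_signature}"`, has no `f` prefix, so after implicit concatenation the log prints the placeholder text instead of the value, and the two parts join as `.Computed:` with no space. If the message is kept, `f"Signature from Turn: {signature}. "` followed by `f"Computed: {computed_signature}"` restores it, though a computed HMAC is better left out of info-level logs since it is a valid signature for that body. The header value is request-controlled, so passing it as a lazy `%r` argument rather than interpolating it raw avoids log-line spoofing if the HTTP layer lets control characters through. The PATCH 2/3 hunk on the same line is formatting only; the enclosing function starts and ends outside both hunks.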