Merge pull request #2823 from mitre/run_tests/use-secure-comparison

Update auth_svc.py

app/service/auth_svc.py

@@ -1,5 +1,6 @@
 import base64
 from collections import namedtuple
+from hmac import compare_digest
 from importlib import import_module
 
 from aiohttp import web, web_request
@@ -138,14 +139,13 @@ async def login_redirect(self, request, use_template=True):
                 raise e
 
     def request_has_valid_api_key(self, request):
-        api_key = request.headers.get(HEADER_API_KEY)
-
-        if api_key is None:
+        request_api_key = request.headers.get(HEADER_API_KEY)
+        if request_api_key is None:
             return False
-        if api_key == self.get_config(CONFIG_API_KEY_RED):
-            return True
-        if api_key == self.get_config(CONFIG_API_KEY_BLUE):
-            return True
+        for i in [CONFIG_API_KEY_RED, CONFIG_API_KEY_BLUE]:
+            api_key = self.get_config(i)
+            if api_key is not None and compare_digest(request_api_key, api_key):
+                return True
         return False
 
     async def request_has_valid_user_session(self, request):
@@ -170,9 +170,9 @@ async def get_permissions(self, request):
         identity = await identity_policy.identify(request)
         if identity in self.user_map:
             return [self.Access[p.upper()] for p in self.user_map[identity].permissions]
-        elif request.headers.get('KEY') == self.get_config('api_key_red'):
+        elif request.headers.get(HEADER_API_KEY) == self.get_config(CONFIG_API_KEY_RED):
             return self.Access.RED, self.Access.APP
-        elif request.headers.get('KEY') == self.get_config('api_key_blue'):
+        elif request.headers.get(HEADER_API_KEY) == self.get_config(CONFIG_API_KEY_BLUE):
             return self.Access.BLUE, self.Access.APP
         return ()