Merge pull request #29 from Akshaykdubey/master

Adding oauth ext lib and tests

Author: Akshaykdubey

README.md

@@ -107,6 +107,47 @@ signer = OAuthSigner(consumer_key, signing_key)
 request = signer.sign_request(uri, request)
 ```
 
+
+#### Usage of the `oauth_ext`
+The requests library supports custom authentication extensions, with which the procedure of creating and calling such requests can simplify the process of request signing. Please, see the examples below:
+
+###### POST example
+
+```python
+from oauth1.oauth_ext import OAuth1RSA
+from oauth1.oauth_ext import HASH_SHA256
+import requests
+
+uri = 'https://sandbox.api.mastercard.com/service'
+oauth = OAuth1RSA(consumer_key, signing_key)
+header = {'Content-type' : 'application/json', 'Accept' : 'application/json'}
+
+# Passing payload for data parameter as string
+payload = '{"key" : "value"}'
+request = requests.post(uri, data=payload, auth=oauth, headers=header)
+
+# Passing payload for data parameter as Json object
+payload = {'key' : 'value'}
+request = requests.post(uri, data=json.dumps(payload), auth=oauth, headers=header)
+
+# Passing payload for json parameter Json object
+payload = {'key' : 'value'}
+request = requests.post(uri, json=payload, auth=oauth, headers=header)
+```
+
+###### GET example
+
+```python
+from oauth1.oauth_ext import OAuth1RSA
+import requests
+
+uri = 'https://sandbox.api.mastercard.com/service'
+oauth = OAuth1RSA(consumer_key, signing_key)
+
+# Operation for get call
+request = requests.get(uri, auth=oauth)
+```
+
 ### Integrating with OpenAPI Generator API Client Libraries <a name="integrating-with-openapi-generator-api-client-libraries"></a>
 
 [OpenAPI Generator](https://github.com/OpenAPITools/openapi-generator) generates API client libraries from [OpenAPI Specs](https://github.com/OAI/OpenAPI-Specification). 
@@ -125,7 +166,7 @@ Client libraries can be generated using the following command:
 ```shell
 java -jar openapi-generator-cli.jar generate -i openapi-spec.yaml -g python -o out
 ```
-See also: 
+See also:
 * [OpenAPI Generator (executable)](https://mvnrepository.com/artifact/org.openapitools/openapi-generator-cli)
 * [CONFIG OPTIONS for python](https://github.com/OpenAPITools/openapi-generator/blob/master/docs/generators/python.md)
 

oauth1/oauth_ext.py

@@ -0,0 +1,132 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Copyright 2020-2021 Mastercard
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification, are
+# permitted provided that the following conditions are met:
+#
+# Redistributions of source code must retain the above copyright notice, this list of
+# conditions and the following disclaimer.
+# Redistributions in binary form must reproduce the above copyright notice, this list of
+# conditions and the following disclaimer in the documentation and/or other materials
+# provided with the distribution.
+# Neither the name of the MasterCard International Incorporated nor the names of its
+# contributors may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+import time
+from uuid import uuid4
+
+from requests.auth import AuthBase
+from OpenSSL.crypto import PKey
+from OpenSSL import crypto
+from requests import PreparedRequest
+import hashlib
+from . import coreutils as util
+
+HASH_SHA256 = 'SHA256'
+
+
+def hash_func(hash_alg):
+    return {
+        HASH_SHA256: hashlib.sha256
+    }[hash_alg]
+
+
+class OAuth1RSA(AuthBase):
+    """OAuth1 RSA-SHA256 requests's auth helper
+    Usage:
+        >>> from oauth1 import authenticationutils
+        >>> from oauth1.auth_ext import OAuth1RSA
+        >>> import requests
+        >>> CONSUMER_KEY = 'secret-consumer-key'
+        >>> pk = authenticationutils.load_signing_key('instance/masterpass.pfx', 'a3fa02536a')
+        >>> oauth = OAuth1RSA(CONSUMER_KEY, pk)
+        >>> requests.post('https://endpoint.com/the/route', data={'foo': 'bar'}, auth=oauth)
+    """
+
+    def __init__(self, consumer_key: str, signing_key: PKey):
+        self.consumer_key = consumer_key
+        self.signing_key = signing_key
+        self.hash_alg = HASH_SHA256
+        self.hash_f = hash_func(HASH_SHA256)
+
+    def __call__(self, r: PreparedRequest):
+        payload = {
+            'oauth_version': '1.0',
+            'oauth_nonce': self.nonce(),
+            'oauth_timestamp': str(self.timestamp()),
+            'oauth_signature_method': f'RSA-{self.hash_alg}',
+            'oauth_consumer_key': self.consumer_key
+        }
+
+        # Google's body hash extension
+        payload = self.oauth_body_hash(r, payload)
+
+        signable_message = self.signable_message(r, payload)
+        signature = self.signature(signable_message)
+        payload['oauth_signature'] = signature
+
+        h = self._generate_header(payload)
+
+        r.headers['Authorization'] = h
+        return r
+
+    @staticmethod
+    def nonce():
+        return str(uuid4())
+
+    @staticmethod
+    def timestamp():
+        return int(time.time())
+
+    def _hash(self, message: str) -> str:
+        if type(message) is str:
+            return self.hash_f(message.encode('utf8')).digest()
+        elif type(message) is bytes:
+            return self.hash_f(message).digest()
+        else:
+            # Generally for calls where the payload is empty. Eg: get calls
+            # Fix for AttributeError: 'NoneType' object has no attribute 'encode'
+            return self.hash_f(str(message).encode('utf8')).digest()
+
+    @staticmethod
+    def signable_message(r: PreparedRequest, payload: dict):
+        params = [
+            r.method.upper(),
+            util.normalize_url(r.url),
+            util.normalize_params(r.url, payload)
+        ]
+        params = map(util.uri_rfc3986_encode, params)
+        return '&'.join(params)
+
+    def signature(self, message: str):
+        signature = crypto.sign(self.signing_key, message, self.hash_alg)
+        return util.base64_encode(signature)
+
+    @staticmethod
+    def _generate_header(payload: dict):
+        _ = util.uri_rfc3986_encode
+        pts = [f'{_(k)}="{_(v)}"' for k, v in sorted(payload.items())]
+        msg = ','.join(pts)
+        return f'OAuth {msg}'
+
+    def oauth_body_hash(self, r: PreparedRequest, payload: dict):
+        if r.headers and r.headers.get('content-type') == 'multipart/form-data':
+            return payload
+
+        body = r.body
+        payload['oauth_body_hash'] = util.uri_rfc3986_encode(util.base64_encode(self._hash(body)))
+        return payload

tests/test_oauth.py

@@ -37,18 +37,19 @@
 class OAuthTest(unittest.TestCase):
 
     signing_key = authenticationutils.load_signing_key('./test_key_container.p12', "Password1")
+    uri = 'https://www.example.com'
 
     def test_get_authorization_header_nominal(self):
-        header = OAuth().get_authorization_header('https://www.example.com', 'POST', 'payload', 'dummy', OAuthTest.signing_key)
+        header = OAuth().get_authorization_header(OAuthTest.uri, 'POST', 'payload', 'dummy', OAuthTest.signing_key)
         self.assertTrue("OAuth" in header)
         self.assertTrue("dummy" in header)
 
     def test_get_authorization_header_should_compute_body_hash(self):
-        header = OAuth().get_authorization_header('https://www.example.com', 'POST', '{}', 'dummy', OAuthTest.signing_key)
+        header = OAuth().get_authorization_header(OAuthTest.uri, 'POST', '{}', 'dummy', OAuthTest.signing_key)
         self.assertTrue('RBNvo1WzZ4oRRq0W9+hknpT7T8If536DEMBg9hyq/4o=' in header)
 
     def test_get_authorization_header_should_return_empty_string_body_hash(self):
-        header = OAuth().get_authorization_header('https://www.example.com', 'GET', None, 'dummy', OAuthTest.signing_key)
+        header = OAuth().get_authorization_header(OAuthTest.uri, 'GET', None, 'dummy', OAuthTest.signing_key)
         self.assertTrue('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' in header)
 
     def test_get_nonce(self):
@@ -60,8 +61,8 @@ def test_get_timestamp(self):
         self.assertEqual(len(str(timestamp)),10)
 
     def test_sign_message(self):
-        baseString = 'POST&https%3A%2F%2Fsandbox.api.mastercard.com%2Ffraud%2Fmerchant%2Fv1%2Ftermination-inquiry&Format%3DXML%26PageLength%3D10%26PageOffset%3D0%26oauth_body_hash%3DWhqqH%252BTU95VgZMItpdq78BWb4cE%253D%26oauth_consumer_key%3Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%26oauth_nonce%3D1111111111111111111%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1111111111%26oauth_version%3D1.0'
-        signature = OAuth().sign_message(baseString, OAuthTest.signing_key)
+        base_string = 'POST&https%3A%2F%2Fsandbox.api.mastercard.com%2Ffraud%2Fmerchant%2Fv1%2Ftermination-inquiry&Format%3DXML%26PageLength%3D10%26PageOffset%3D0%26oauth_body_hash%3DWhqqH%252BTU95VgZMItpdq78BWb4cE%253D%26oauth_consumer_key%3Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%26oauth_nonce%3D1111111111111111111%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1111111111%26oauth_version%3D1.0'
+        signature = OAuth().sign_message(base_string, OAuthTest.signing_key)
         signature = Util.uri_rfc3986_encode(signature)
         self.assertEqual(signature,"DvyS3R795sUb%2FcvBfiFYZzPDU%2BRVefW6X%2BAfyu%2B9fxjudQft%2BShXhpounzJxYCwOkkjZWXOR0ICTMn6MOuG04TTtmPMrOxj5feGwD3leMBsi%2B3XxcFLPi8BhZKqgapcAqlGfjEhq0COZ%2FF9aYDcjswLu0zgrTMSTp4cqXYMr9mbQVB4HL%2FjiHni5ejQu9f6JB9wWW%2BLXYhe8F6b4niETtzIe5o77%2B%2BkKK67v9wFIZ9pgREz7ug8K5DlxX0DuwdUKFhsenA5z%2FNNCZrJE%2BtLu0tSjuF5Gsjw5GRrvW33MSoZ0AYfeleh5V3nLGgHrhVjl5%2BiS40pnG2po%2F5hIAUT5ag%3D%3D")
 
@@ -95,7 +96,7 @@ def test_nonce_length(self):
     def test_nonce_uniqueness(self):
         init = OAuth.get_nonce(self)
         l = []
-        for i  in range(0,100000):
+        for _ in range(0,100000):
             l.append(init +  OAuth.get_nonce(self))
 
         self.assertEqual(self.list_duplicates(l), [])
@@ -168,10 +169,6 @@ def test_signature_base_string2(self):
         encoded_hash = Util.base64_encode(Util.sha256_encode(body))
         oauth_parameters.set_oauth_body_hash(encoded_hash)
 
-        oauth_parameters_base = oauth_parameters.get_base_parameters_dict()
-        merge_parameters = oauth_parameters_base.copy()
-
-        query_params = Util.normalize_params(url, merge_parameters)
         base_string = OAuth.get_base_string(self, url, method, oauth_parameters.get_base_parameters_dict())
         expected = "POST&https%3A%2F%2Fsandbox.api.mastercard.com%2Ffraud%2Fmerchant%2Fv1%2Ftermination-inquiry&Format%3DXML%26PageLength%3D10%26PageOffset%3D0%26oauth_body_hash%3Dh2Pd7zlzEZjZVIKB4j94UZn%2FxxoR3RoCjYQ9%2FJdadGQ%3D%26oauth_consumer_key%3Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%26oauth_nonce%3D1111111111111111111%26oauth_timestamp%3D1111111111%26oauth_version%3D1.0"
 
@@ -181,9 +178,9 @@ def test_sign_signature_base_string_invalid_key(self):
         self.assertRaises(AttributeError, OAuth.sign_message, self, "some string", None)
 
     def test_sign_signature_base_string(self):
-        expectedSignatureString = "IJeNKYGfUhFtj5OAPRI92uwfjJJLCej3RCMLbp7R6OIYJhtwxnTkloHQ2bgV7fks4GT/A7rkqrgUGk0ewbwIC6nS3piJHyKVc7rvQXZuCQeeeQpFzLRiH3rsb+ZS+AULK+jzDje4Fb+BQR6XmxuuJmY6YrAKkj13Ln4K6bZJlSxOizbNvt+Htnx+hNd4VgaVBeJKcLhHfZbWQxK76nMnjY7nDcM/2R6LUIR2oLG1L9m55WP3bakAvmOr392ulv1+mWCwDAZZzQ4lakDD2BTu0ZaVsvBW+mcKFxYeTq7SyTQMM4lEwFPJ6RLc8jJJ+veJXHekLVzWg4qHRtzNBLz1mA=="
+        expected_signature_string = "IJeNKYGfUhFtj5OAPRI92uwfjJJLCej3RCMLbp7R6OIYJhtwxnTkloHQ2bgV7fks4GT/A7rkqrgUGk0ewbwIC6nS3piJHyKVc7rvQXZuCQeeeQpFzLRiH3rsb+ZS+AULK+jzDje4Fb+BQR6XmxuuJmY6YrAKkj13Ln4K6bZJlSxOizbNvt+Htnx+hNd4VgaVBeJKcLhHfZbWQxK76nMnjY7nDcM/2R6LUIR2oLG1L9m55WP3bakAvmOr392ulv1+mWCwDAZZzQ4lakDD2BTu0ZaVsvBW+mcKFxYeTq7SyTQMM4lEwFPJ6RLc8jJJ+veJXHekLVzWg4qHRtzNBLz1mA=="
         signing_string = OAuth.sign_message(self, "baseString", OAuthTest.signing_key)
-        self.assertEqual(expectedSignatureString, signing_string)
+        self.assertEqual(expected_signature_string, signing_string)
 
     def test_url_normalization_rfc_examples1(self):
         uri = "https://www.example.net:8080"