Merge pull request #34 from Mastercard/feature/encode-oauth-signature

`oauth_signature` not encoded in versions 1.2.0 and 1.3.0

Author: ech0s7r

.github/workflows/lint.yml

@@ -0,0 +1,18 @@
+name: Linter
+'on':
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: 0 16 * * *
+jobs:
+  sonarcloud:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Python Style Checker
+        uses: andymckay/[email protected]

.github/workflows/sonar.yml

@@ -3,11 +3,9 @@ name: Sonar
   push:
     branches:
       - main
-  pull_request_target:
-    types:
-      - opened
-      - synchronize
-      - reopened
+  pull_request:
+    branches:
+      - main
   schedule:
     - cron: 0 16 * * *
 jobs:
@@ -35,4 +33,4 @@ jobs:
         uses: SonarSource/sonarcloud-github-action@master
         env:
           GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
-          SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'
+          SONAR_TOKEN: '${{ secrets.SONAR_TOKEN }}'

README.md

@@ -60,20 +60,20 @@ signing_key = authenticationutils.load_signing_key('<insert PKCS#12 key file pat
 ```
 
 ### Creating the OAuth Authorization Header <a name="creating-the-oauth-authorization-header"></a>
-The method that does all the heavy lifting is `OAuth().get_authorization_header`. You can call into it directly and as long as you provide the correct parameters, it will return a string that you can add into your request's `Authorization` header.
+The method that does all the heavy lifting is `OAuth.get_authorization_header`. You can call into it directly and as long as you provide the correct parameters, it will return a string that you can add into your request's `Authorization` header.
 
 #### POST example
 
 ```python
 uri = 'https://sandbox.api.mastercard.com/service'
 payload = 'Hello world!'
-authHeader = OAuth().get_authorization_header(uri, 'POST', payload, '<insert consumer key>', signing_key)
+authHeader = OAuth.get_authorization_header(uri, 'POST', payload, '<insert consumer key>', signing_key)
 ```
 
 #### GET example
 ```python
 uri = 'https://sandbox.api.mastercard.com/service'
-authHeader = OAuth().get_authorization_header(uri, 'GET', None, '<insert consumer key>', signing_key)
+authHeader = OAuth.get_authorization_header(uri, 'GET', None, '<insert consumer key>', signing_key)
 ```
 
 #### Use of authHeader with requests module (POST and GET example)

oauth1/authenticationutils.py

@@ -1,7 +1,6 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*- 
+# -*- coding: utf-8 -*-
 #
-# Copyright 2019-2020 Mastercard
+# Copyright 2019-2021 Mastercard
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification, are
@@ -28,10 +27,10 @@
 #
 from OpenSSL import crypto
 
+
 def load_signing_key(pkcs12_filename, password):
     private_key_file = open(pkcs12_filename, 'rb')
     p12 = crypto.load_pkcs12(private_key_file.read(), password.encode("utf-8"))
     private_key = p12.get_privatekey()
     private_key_file.close()
     return private_key
-

oauth1/coreutils.py

@@ -1,7 +1,6 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*- 
+# -*- coding: utf-8 -*-
 #
-# Copyright 2019-2020 Mastercard
+# Copyright 2019-2021 Mastercard
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification, are
@@ -31,8 +30,12 @@
 """
 import hashlib
 import base64
+import urllib
+import time
+from random import SystemRandom
+
+from urllib.parse import urlparse, parse_qsl
 
-from urllib.parse import urlparse, quote, parse_qsl
 
 def normalize_params(url, params):
     """
@@ -44,36 +47,26 @@ def normalize_params(url, params):
 
     # Get the query list
     qs_list = parse_qsl(parse.query, keep_blank_values=True)
+    must_encode = False if parse.query == urllib.parse.unquote(parse.query) else True
     if params is None:
         combined_list = qs_list
     else:
-        combined_list = list(qs_list)
+        # Needs to be encoded before sorting
+        combined_list = [encode_pair(must_encode, key, value) for (key, value) in list(qs_list)]
         combined_list += params.items()
 
-    # Needs to be encoded before sorting
-    encoded_list = [encode_pair(key, value) for (key, value) in combined_list]
-    sorted_list = sorted(encoded_list, key=lambda x:x)
+    encoded_list = ["%s=%s" % (key, value) for (key, value) in combined_list]
+    sorted_list = sorted(encoded_list, key=lambda x: x)
 
     return "&".join(sorted_list)
 
 
-def encode_pair(key, value):
-    encoded_key = oauth_query_string_element_encode(key)
-    encoded_value = oauth_query_string_element_encode(value if isinstance(value, bytes) else str(value))
-    return "%s=%s" % (encoded_key, encoded_value)
-
-def oauth_query_string_element_encode(value):
-    """
-    RFC 3986 encodes the value
+def encode_pair(must_encode, key, value):
+    encoded_key = percent_encode(key) if must_encode else key.replace(' ', '+')
+    value = value if isinstance(value, bytes) else str(value)
+    encoded_value = percent_encode(value) if must_encode else value.replace(' ', '+')
+    return encoded_key, encoded_value
 
-    Note. This is based on RFC3986 but according to https://tools.ietf.org/html/rfc5849#section-3.6
-    it replaces space with %20 not "+".
-    """
-    encoded = quote(value)
-    encoded = str.replace(encoded, ':', '%3A')
-    encoded = str.replace(encoded, '+', '%2B')
-    encoded = str.replace(encoded, '*', '%2A')
-    return encoded
 
 def normalize_url(url):
     """
@@ -83,40 +76,69 @@ def normalize_url(url):
 
     # netloc should be lowercase
     netloc = parse.netloc.lower()
-    if parse.scheme=="http":
+    if parse.scheme == "http":
         if netloc.endswith(":80"):
             netloc = netloc[:-3]
 
-    elif parse.scheme=="https" and netloc.endswith(":443"):
+    elif parse.scheme == "https" and netloc.endswith(":443"):
         netloc = netloc[:-4]
 
     # add a '/' at the end of the netloc if there in no path
     if not parse.path:
-        netloc = netloc+"/"
+        netloc = netloc + "/"
 
     return "{}://{}{}".format(parse.scheme, netloc, parse.path)
 
 
-def uri_rfc3986_encode(value):
-    """
-    RFC 3986 encodes the value
-    """
-    return quote(value, safe='%')
-
-
 def sha256_encode(text):
     """
     Returns the digest of SHA-256 of the text
     """
-    return hashlib.sha256(str(text).encode('utf-8')).digest()
+    _hash = hashlib.sha256
+    if type(text) is str:
+        return _hash(text.encode('utf8')).digest()
+    elif type(text) is bytes:
+        return _hash(text).digest()
+    elif not text:
+        # Generally for calls where the payload is empty. Eg: get calls
+        # Fix for AttributeError: 'NoneType' object has no attribute 'encode'
+        return _hash("".encode('utf8')).digest()
+    else:
+        return _hash(str(text).encode('utf-8')).digest()
 
 
 def base64_encode(text):
     """
     Base64 encodes the given input
     """
+    if not isinstance(text, (bytes, bytearray)):
+        text = bytes(text.encode())
     encode = base64.b64encode(text)
-    if isinstance(encode, (bytearray, bytes)):
-        return encode.decode('ascii')
-    else:
-        return encode
+    return encode.decode('ascii')
+
+
+def percent_encode(text):
+    """
+    Percent encodes a string as per https://tools.ietf.org/html/rfc3986
+    """
+    if text is None:
+        return ''
+    text = text.encode('utf-8') if isinstance(text, str) else text
+    text = urllib.parse.quote(text, safe=b'~')
+    return text.replace('+', '%20').replace('*', '%2A').replace('%7E', '~')
+
+
+def get_nonce(length=16):
+    """
+    Returns a random string of length=@length
+    """
+    characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+    charlen = len(characters)
+    return "".join([characters[SystemRandom().randint(0, charlen - 1)] for _ in range(0, length)])
+
+
+def get_timestamp():
+    """
+    Returns the UTC timestamp (seconds passed since epoch)
+    """
+    return int(time.time())