Signing method (#60)

* Added signature method implementation.
* Fixed issue for non-string values.

Author: judy2k

docs/quickstart.rst

@@ -62,6 +62,10 @@ In order to check signatures for incoming webhook requests, you'll also
 need to specify the ``signature_secret`` argument (or the
 ``NEXMO_SIGNATURE_SECRET`` environment variable).
 
+If the argument ``signature_method`` is omitted, it will default to the md5 hash
+algorithm. Otherwise, it will use the selected method as in md5, sha1, sha256 or
+sha512 with hmac.
+
 SMS API
 -------
 
@@ -256,6 +260,16 @@ Validate webhook signatures
     else:
       # invalid signature
 
+
+    or by using signature method via POST:
+
+    client = nexmo.Client(signature_secret='secret', signature_method='sha256')
+
+    if client.check_signature(request.body.decode()):
+      # valid signature
+    else:
+      # invalid signature
+
 Docs:
 `https://docs.nexmo.com/messaging/signing-messages <https://docs.nexmo.com/messaging/signing-messages?utm_source=DEV_REL&utm_medium=github&utm_campaign=python-client-library>`__
 

nexmo/__init__.py

@@ -41,6 +41,16 @@ def __init__(self, **kwargs):
         self.api_secret = kwargs.get('secret', None) or os.environ.get('NEXMO_API_SECRET', None)
 
         self.signature_secret = kwargs.get('signature_secret', None) or os.environ.get('NEXMO_SIGNATURE_SECRET', None)
+        self.signature_method = kwargs.get('signature_method', None) or os.environ.get('NEXMO_SIGNATURE_METHOD', None)
+
+        if self.signature_method == 'md5':
+            self.signature_method = hashlib.md5
+        elif self.signature_method == 'sha1':
+            self.signature_method = hashlib.sha1
+        elif self.signature_method == 'sha256':
+            self.signature_method = hashlib.sha256
+        elif self.signature_method == 'sha512':
+            self.signature_method = hashlib.sha512
 
         self.application_id = kwargs.get('application_id', None)
 
@@ -245,25 +255,32 @@ def send_dtmf(self, uuid, params=None, **kwargs):
     def check_signature(self, params):
         params = dict(params)
 
-        signature = params.pop('sig', '')
+        signature = params.pop('sig', '').lower()
 
         return hmac.compare_digest(signature, self.signature(params))
 
     def signature(self, params):
-        md5 = hashlib.md5()
+        if self.signature_method:
+            hasher = hmac.new(self.signature_secret.encode(), digestmod=self.signature_method)
+        else:
+            hasher = hashlib.md5()
 
         # Add timestamp if not already present
         if not params.get("timestamp"):
             params["timestamp"] = int(time.time())
 
         for key in sorted(params):
-            # Replace & and = with _ in parameter values to avoid
-            # parameter injection.
-            safe_key = key.replace("&", "_").replace("=", "_")
-            safe_value = str(params[key]).replace("&", "_").replace("=", "_")
-            md5.update(u'&{0}={1}'.format(safe_key, safe_value).encode('utf-8'))
-        md5.update(self.signature_secret.encode('utf-8'))
-        return md5.hexdigest()
+            value = params[key]
+
+            if isinstance(value, str):
+                value = value.replace('&', '_').replace('=', '_')
+
+            hasher.update('&{0}={1}'.format(key, value).encode('utf-8'))
+
+        if self.signature_method is None:
+            hasher.update(self.signature_secret.encode())
+
+        return hasher.hexdigest()
 
     def get(self, host, request_uri, params=None):
         uri = 'https://' + host + request_uri

tests/conftest.py

@@ -14,6 +14,7 @@ def __init__(self):
         import nexmo
         self.api_key = 'nexmo-api-key'
         self.api_secret = 'nexmo-api-secret'
+        self.signature_secret = 'secret'
         self.application_id = 'nexmo-application-id'
         self.private_key = read_file('data/private_key.txt')
         self.public_key = read_file('data/public_key.txt')

tests/test_nexmo.py

@@ -118,6 +118,46 @@ def test_signature_adds_timestamp(dummy_data):
     assert params['timestamp'] is not None
 
 
+def test_signature_md5(dummy_data):
+    params = {'a': '1', 'b': '2', 'timestamp': '1461605396'}
+    client = nexmo.Client(
+        key=dummy_data.api_key,
+        secret=dummy_data.api_secret,
+        signature_secret=dummy_data.signature_secret,
+        signature_method='md5')
+    assert client.signature(params) == 'c15c21ced558c93a226c305f58f902f2'
+
+
+def test_signature_sha1(dummy_data):
+    params = {'a': '1', 'b': '2', 'timestamp': '1461605396'}
+    client = nexmo.Client(
+        key=dummy_data.api_key,
+        secret=dummy_data.api_secret,
+        signature_secret=dummy_data.signature_secret,
+        signature_method='sha1')
+    assert client.signature(params) == '3e19a4e6880fdc2c1426bfd0587c98b9532f0210'
+
+
+def test_signature_sha256(dummy_data):
+    params = {'a': '1', 'b': '2', 'timestamp': '1461605396'}
+    client = nexmo.Client(
+        key=dummy_data.api_key,
+        secret=dummy_data.api_secret,
+        signature_secret=dummy_data.signature_secret,
+        signature_method='sha256')
+    assert client.signature(params) == 'a321e824b9b816be7c3f28859a31749a098713d39f613c80d455bbaffae1cd24'
+
+
+def test_signature_sha512(dummy_data):
+    params = {'a': '1', 'b': '2', 'timestamp': '1461605396'}
+    client = nexmo.Client(
+        key=dummy_data.api_key,
+        secret=dummy_data.api_secret,
+        signature_secret=dummy_data.signature_secret,
+        signature_method='sha512')
+    assert client.signature(params) == '812a18f76680fa0fe1b8bd9ee1625466ceb1bd96242e4d050d2cfd9a7b40166c63ed26ec9702168781b6edcf1633db8ff95af9341701004eec3fcf9550572ee8'
+
+
 def test_client_doesnt_require_api_key():
     client = nexmo.Client(application_id='myid', private_key='abc\nde')
     assert client is not None