From 01ad617473868c69ab74d08a0a442cb10633423c Mon Sep 17 00:00:00 2001
From: Serghei Mihai
Date: Wed, 29 Jul 2015 10:06:51 +0200
Subject: [PATCH 1/2] fix key type in request signing (#7866)

Tests for anonymous and signed api access added
---
 passerelle/base/signature.py | 2 ++
 tests/test_api_access.py | 51 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 tests/test_api_access.py

diff --git a/passerelle/base/signature.py b/passerelle/base/signature.py
index 153785a..b1d5f9d 100644
--- a/passerelle/base/signature.py
+++ b/passerelle/base/signature.py
@@ -33,6 +33,8 @@ def sign_query(query, key, algo='sha256', timestamp=None, nonce=None):
 def sign_string(s, key, algo='sha256', timedelta=30):
 digestmod = getattr(hashlib, algo)
+ if isinstance(key, unicode):
+ key = key.encode('utf-8')
 hash = hmac.HMAC(key, digestmod=digestmod, msg=s)
 return hash.digest()
diff --git a/tests/test_api_access.py b/tests/test_api_access.py
new file mode 100644
index 0000000..f845149
--- /dev/null
+++ b/tests/test_api_access.py
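Review bot: The same normalisation is missing for the message: two lines below the added check, `s` is still passed as `msg=s` to `hmac.HMAC` unchanged, so a `unicode` message containing non-ASCII characters would presumably still fail on Python 2, leaving the fix one-sided. The symmetric guard, `if isinstance(s, unicode): s = s.encode('utf-8')`, belongs next to the key check. The bare `unicode` name also pins this module to Python 2; if the project already depends on `six`, `six.text_type` would keep the check portable. A one-line comment on the added lines, `# HMAC needs a byte-string key; callers may pass unicode (#7866)`, would record why the conversion is there.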
@@ -0,0 +1,51 @@
+import re
+import sys
+
+from django.contrib.auth.models import User
+from django.core.wsgi import get_wsgi_application
+from django.contrib.contenttypes.models import ContentType
+from django.core.urlresolvers import reverse
+
+import pytest
+from webtest import TestApp
+
+from passerelle.base import signature
+from passerelle.base.models import ApiUser, AccessRight
+from oxyd.models import OxydSMSGateway
+
+pytestmark = pytest.mark.django_db
+
+@pytest.fixture
+def setup():
+ app = TestApp(get_wsgi_application())
+ oxyd = OxydSMSGateway.objects.create(title='eservices',
+ slug='eservices',
+ username='user',
+ description='oxyd',
+ password='secret')
+ return app, oxyd
+
+def test_anonymous_access(setup):
+ app, oxyd = setup
+ resp = app.post_json(reverse('oxyd-send', kwargs={'slug': oxyd.slug})+'?raise=1',
+ {}, status=403)
+
+def test_access_with_good_signature(setup):
+ app, oxyd = setup
+ api = ApiUser.objects.create(username='eservices',
+ fullname='Eservices User',
+ description='eservices',
+ keytype='SIGN',
+ key='12345')
+ obj_type = ContentType.objects.get_for_model(OxydSMSGateway)
+
+ AccessRight.objects.create(codename='can_send_messages',
+ apiuser=api,
+ resource_type=obj_type,
+ resource_pk=oxyd.pk,
+ )
+ url = signature.sign_url(reverse('oxyd-send', kwargs={'slug': oxyd.slug}) + '?orig=eservices', '12345')
+ # for empty payload the connector returns 500 with
+ # {"err_desc": "missing \"message\" in JSON payload"}
+ resp = app.post_json(url, {}, status=500)
+ assert resp.json['err_desc'] == 'missing "message" in JSON payload'
--
2.5.0
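Review bot: The signed-access test only covers the accept path; nothing in this file signs the URL with a key other than `'12345'` or alters the query after `sign_url`, so a verification regression that accepts any signature would still pass. A sibling test that signs the same URL with a different key and expects rejection (the anonymous case suggests `status=403`, assuming a bad signature is reported the same way) would pin that path; a sketch follows. The `unicode` key branch added in signature.py is also reached only indirectly here, through whatever type `ApiUser.key` comes back as from the database; passing `u'12345'` to `sign_url` as well would exercise it directly. Minor: `re`, `sys` and `User` are imported but never used, and `resp` in `test_anonymous_access` is assigned but unused.

```python
def test_access_with_bad_signature(setup):
    app, oxyd = setup
    # … unchanged: same ApiUser / AccessRight setup as test_access_with_good_signature …
    url = signature.sign_url(reverse('oxyd-send', kwargs={'slug': oxyd.slug}) + '?orig=eservices', 'wrong-key')
    app.post_json(url, {}, status=403)
```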