bug 3204: implement request signing for Amazon Web Services

After 2009-08-15, Amazon Web Services will expect that all requests to the Product Advertising API, which is what Koha uses for retrieving reviews and other enhanced content from Amazon, include signatures. This patch and subsequenct patches implement this functionality. What this means in practice (assuming the user has elected to use any enhanced content from Amazon) is that [1] The user must get a Amazon Secret Access Key. This can be done by logging in to the user's AWS account at (e.g.) http://aws.amazon.com/, going to the 'Access Identifiers' page, and from there retrieving and/or creating a new Secret Access Key. [2] The contents of the Secret Access Key should then be entered into the new AWSPrivateKey system preference. Once that is done, grabbing reviews and table of contents from Amazon should work as normal. If the user doesn't do this before 2009-08-15, reviews and TOCs will no longer be supplied from Amazon, although there should be no crashes - the content will simply not show up. Note that the requirement to sign requests does *NOT* appear to apply to simply displaying book covers from Amazon. Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
liblime · Aug 13, 2009 · 54f7ca4 · 54f7ca4
1 parent baa0b08
commit 54f7ca4
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 12 deletions.
diff --git a/C4/External/Amazon.pm b/C4/External/Amazon.pm
@@ -22,6 +22,9 @@ use LWP::Simple;
 use LWP::UserAgent;
 use HTTP::Request::Common;
 use C4::Koha;
+use URI::Escape;
+use POSIX;
+use Digest::SHA qw(hmac_sha256_base64);
 
 use strict;
 use warnings;
@@ -129,18 +132,25 @@ sub get_amazon_details {
     my %hformat = ( a => 'Books', g => 'Video', j => 'Music' );
     my $search_index = $hformat{ substr($record->leader(),6,1) } || 'Books';
 
-    my $url =
-        "http://ecs.amazonaws" . get_amazon_tld() .
-        "/onca/xml?Service=AWSECommerceService" .
-        "&AWSAccessKeyId=" . C4::Context->preference('AWSAccessKeyID') .
-        "&Operation=ItemLookup" .
-        "&AssociateTag=" . C4::Context->preference('AmazonAssocTag') .
-        "&Version=2009-02-01" .
-        "&ItemId=$item_id" .
-        "&IdType=$id_type" .
-        "&ResponseGroup=" . join( ',',  @aws );
-	$url .= "&SearchIndex=$search_index" if $id_type ne 'ASIN';
-    #warn $url;
+	my $parameters={Service=>"AWSECommerceService" ,
+        "AWSAccessKeyId"=> C4::Context->preference('AWSAccessKeyID') ,
+        "Operation"=>"ItemLookup", 
+        "AssociateTag"=>  C4::Context->preference('AmazonAssocTag') ,
+        "Version"=>"2009-06-01",
+        "ItemId"=>$item_id,
+        "IdType"=>$id_type,
+        "ResponseGroup"=>  join( ',',  @aws ),
+        "Timestamp"=>strftime("%Y-%m-%dT%H:%M:%SZ", gmtime)
+		};
+	$$parameters{"SearchIndex"} = $search_index if $id_type ne 'ASIN';
+	my @params;
+	while (my ($key,$value)=each %$parameters){
+		push @params, qq{$key=}.uri_escape($value, "^A-Za-z0-9\-_.~" );
+	}
+
+    my $url =qq{http://webservices.amazon}.  get_amazon_tld(). 
+        "/onca/xml?".join("&",sort @params).qq{&Signature=}.uri_escape(SignRequest(@params),"^A-Za-z0-9\-_.~" );
+
     my $content = get($url);
     warn "could not retrieve $url" unless $content;
     my $xmlsimple = XML::Simple->new();
@@ -151,6 +161,17 @@ sub get_amazon_details {
     return $response;
 }
 
+sub SignRequest{
+	my @params=@_;
+    my $tld=get_amazon_tld(); 
+    my $string = qq{ 
+GET 
+webservices.amazon$tld 
+/onca/xml 
+}.join("&",sort @params);
+ 	return hmac_sha256_base64($string,C4::Context->preference('AWSPrivateKey'));
+}
+
 sub check_search_inside {
         my $isbn = shift;
         my $ua = LWP::UserAgent->new(

diff --git a/Makefile.PL b/Makefile.PL
@@ -549,6 +549,7 @@ WriteMakefile(
                             'Date::ICal'                       => 1.72,
                             'Date::Manip'                      => 5.44,
                             'Digest::MD5'                      => 2.36,
+                            'Digest::SHA'                      => 5.43,
                             'Email::Date'                      => 1.103,
                             'File::Temp'                       => 0.16,
                             'GD'                               => 2.39,    #optional
@@ -599,6 +600,7 @@ WriteMakefile(
                             'Time::HiRes'                      => 1.86,
                             'Time::localtime'                  => 1.02,
                             'Unicode::Normalize'               => 0.32,
+                            'URI::Escape'                      => 1.36,
                             'XML::Dumper'                      => 0.81,
                             'XML::LibXML'                      => 1.59,
                             'XML::LibXSLT'                     => 1.59,

diff --git a/install_misc/debian-lenny.packages b/install_misc/debian-lenny.packages
@@ -29,6 +29,7 @@ libdbd-mysql-perl	install
 libdbd-mysql-perl install
 libdbd-sqlite2-perl	install
 libdbi-perl	install
+libdigest-sha-perl	install
 libemail-date-perl	install
 libemail-date-perl	install
 libgcrypt11-dev install

diff --git a/installer/data/mysql/en/mandatory/sysprefs.sql b/installer/data/mysql/en/mandatory/sysprefs.sql
@@ -249,3 +249,4 @@ INSERT INTO systempreferences (variable,value,explanation,options,type)VALUES('v
 INSERT INTO systempreferences (variable,value,explanation,options,type)VALUES('FilterBeforeOverdueReport','0','Do not run overdue report until filter selected','','YesNo');
 INSERT INTO systempreferences (variable,value,options,explanation,type)VALUES('SpineLabelFormat', '<itemcallnumber><copynumber>', '30|10', 'This preference defines the format for the quick spine label printer. Just list the fields you would like to see in the order you would like to see them, surrounded by <>, for example <itemcallnumber>.', 'Textarea');
 INSERT INTO systempreferences (variable,value,options,explanation,type)VALUES('SpineLabelAutoPrint', '0', '', 'If this setting is turned on, a print dialog will automatically pop up for the quick spine label printer.', 'YesNo');
+INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES('AWSPrivateKey','','See:  http://aws.amazon.com','','free');
diff --git a/installer/data/mysql/fr-FR/1-Obligatoire/unimarc_standard_systemprefs.sql b/installer/data/mysql/fr-FR/1-Obligatoire/unimarc_standard_systemprefs.sql
@@ -251,3 +251,4 @@ INSERT INTO systempreferences (variable,value,explanation,options,type)VALUES('v
 INSERT INTO systempreferences (variable,value,explanation,options,type)VALUES('FilterBeforeOverdueReport','0','Ne pas lancer le rapport sur les retards tant qu''il n''y a pas de filtre','','YesNo');
 INSERT INTO systempreferences (variable,value,options,explanation,type)VALUES('SpineLabelFormat', '<itemcallnumber><copynumber>', '30|10', 'This preference defines the format for the quick spine label printer. Just list the fields you would like to see in the order you would like to see them, surrounded by <>, for example <itemcallnumber>.', 'Textarea');
 INSERT INTO systempreferences (variable,value,options,explanation,type)VALUES('SpineLabelAutoPrint', '0', '', 'If this setting is turned on, a print dialog will automatically pop up for the quick spine label printer.', 'YesNo');
+INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES('AWSPrivateKey','','See:  http://aws.amazon.com','','free');