make sure personal lookups and headers actually work (bug 774852)

Andy McKay · Andy McKay · commit bbdbe8933f0e · 2012-07-20T14:14:35.000-07:00
diff --git a/lib/paypal/client.py b/lib/paypal/client.py
@@ -102,7 +102,7 @@ def receivers(self, seller_email, amount, preapproval, chains=None):
 
         return result
 
-    def call(self, service, data):
+    def call(self, service, data, auth_token=None):
         """
         Wrapper around calling the requested paypal service using
         data provided. Adds in timing and logging.
@@ -111,7 +111,7 @@ def call(self, service, data):
         url = urls[service]
         with statsd.timer('solitude.paypal.%s' % service):
             log.info('Calling service: %s' % service)
-            return self._call(url, data)
+            return self._call(url, data, auth_token=auth_token)
 
     def headers(self, url, auth_token=None):
         """
@@ -127,7 +127,6 @@ def headers(self, url, auth_token=None):
         if auth_token:
             ts, sig = get_auth_header(auth['USER'], auth['PASSWORD'],
                     auth_token['token'], auth_token['secret'], 'POST', url)
-
             headers['X-PAYPAL-AUTHORIZATION'] = (
                     'timestamp=%s,token=%s,signature=%s' %
                     (ts, auth_token['token'], sig))
@@ -202,13 +201,14 @@ def check_permission(self, token, permissions):
         result = [v for (k, v) in res.iteritems() if k.startswith('scope')]
         return {'status': set(permissions).issubset(set(result))}
 
-    def get_permission_token(self, token, code):
+    def get_permission_token(self, token, verifier):
         """
         Send request for permissions token, after user has granted the
         requested permissions via the PayPal page we redirected them to.
         Documentation: http://bit.ly/Mjh51D
         """
-        res = self.call('get-permission-token', {'token': token, 'code': code})
+        res = self.call('get-permission-token', {'token': token,
+                                                 'verifier': verifier})
         return {'token': res['token'], 'secret': res['tokenSecret']}
 
     def get_preapproval_key(self, start, end, return_url, cancel_url):
@@ -289,7 +289,8 @@ def get_personal_basic(self, token):
         keys = ['first_name', 'last_name', 'email', 'full_name',
                 'company', 'country', 'payerID']
         data = {'attributeList.attribute': [PAYPAL_PERSONAL[k] for k in keys]}
-        return self.parse_personal(self.call('get-personal', data))
+        return self.parse_personal(self.call('get-personal', data,
+                                             auth_token=token))
 
     def get_personal_advanced(self, token):
         """
@@ -299,7 +300,8 @@ def get_personal_advanced(self, token):
         keys = ['post_code', 'address_one', 'address_two', 'city', 'state',
                 'phone']
         data = {'attributeList.attribute': [PAYPAL_PERSONAL[k] for k in keys]}
-        return self.parse_personal(self.call('get-personal', data))
+        return self.parse_personal(self.call('get-personal-advanced', data,
+                                             auth_token=token))
 
     def parse_refund(self, res):
         responses = defaultdict(lambda: defaultdict(dict))
diff --git a/lib/paypal/forms.py b/lib/paypal/forms.py
@@ -109,11 +109,11 @@ class CheckPermission(ArgForm):
 
 class GetPermissionToken(ArgForm):
     token = forms.CharField()
-    code = forms.CharField()
+    verifier = forms.CharField()
     seller = forms.ModelChoiceField(queryset=SellerPaypal.objects.all(),
                                     to_field_name='seller__uuid')
 
-    _args = ('token', 'code')
+    _args = ('token', 'verifier')
 
 
 class KeyValidation(forms.Form):
@@ -142,7 +142,16 @@ class GetPersonal(ArgForm):
     seller = forms.ModelChoiceField(queryset=SellerPaypal.objects.all(),
                                     to_field_name='seller__uuid')
 
-    _args = ('seller',)
+    _args = ('token',)
+
+    def clean(self):
+        seller = self.cleaned_data.get('seller')
+        if (not seller.token or not seller.secret):
+            raise forms.ValidationError('Empty permissions token.')
+
+        self.cleaned_data['token'] = {'token': seller.token,
+                                      'secret': seller.secret}
+        return self.cleaned_data
 
 
 class IPNForm(forms.Form):
diff --git a/lib/paypal/header.py b/lib/paypal/header.py
@@ -1,23 +1,36 @@
 import base64
 import hmac
 import hashlib
+import re
 import time
-import urllib
+
+x = re.compile(r'([A-Za-z0-9_]+)')
+
+
+def escape(value):
+    # PayPal bizarre escaping.
+    res = []
+    for c in str(value):
+        if not x.match(c):
+            res.append('%' + hex(ord(c))[2:])
+        else:
+            res.append(c)
+    return ''.join(res)
 
 
 # TODO: replace this with a damn OAuth library.
 def get_auth_header(api_user, api_pass, access_tok, sec_tok,
                     http_method, script_uri):
-    timestamp = time.time()
-    data = {
-        'api_pass': sec_tok,
-        'http_method': http_method,
-        'oauth_consumer_key': api_user,
-        'oauth_signature_method': 'HMAC-SHA1',
-        'oauth_timestamp': timestamp,
-        'oauth_token': access_tok,
-        'oauth_version': 1.0,
-    }
-    data = urllib.urlencode(data)
-    hashed = hmac.new(api_pass, data, hashlib.sha1)
+    timestamp = int(time.time())
+    data = (
+        ('oauth_consumer_key', api_user),
+        ('oauth_signature_method', 'HMAC-SHA1'),
+        ('oauth_timestamp', timestamp),
+        ('oauth_token', access_tok),
+        ('oauth_version', 1.0),
+    )
+    data = ['%s=%s' % (k, v) for k, v in data]
+    data = '&'.join((http_method, escape(script_uri), escape('&'.join(data))))
+    key = '&'.join((api_pass, escape(sec_tok)))
+    hashed = hmac.new(key, data, hashlib.sha1)
     return str(timestamp), base64.b64encode(hashed.digest())
diff --git a/lib/paypal/resources/personal.py b/lib/paypal/resources/personal.py
@@ -16,6 +16,7 @@ def obj_create(self, bundle, request, **kwargs):
         for k, v in result.items():
             setattr(form.cleaned_data['seller'], k, v)
         form.cleaned_data['seller'].save()
+        bundle.data = result
         bundle.obj = form.cleaned_data['seller']
         return bundle
 
diff --git a/lib/paypal/tests/test_client.py b/lib/paypal/tests/test_client.py
@@ -359,6 +359,7 @@ def setUp(self):
     def test_personal_works(self, _call):
         _call.return_value = good_personal_basic
         eq_(self.paypal.get_personal_basic('foo')['email'], 'batman@gmail.com')
+        eq_(_call.call_args[1]['auth_token'], 'foo')
 
     def test_personal_absent(self, _call):
         _call.return_value = good_personal_basic
diff --git a/lib/paypal/tests/test_forms.py b/lib/paypal/tests/test_forms.py
@@ -2,7 +2,7 @@
 import test_utils
 
 from lib.buyers.models import Buyer, BuyerPaypal
-from lib.paypal.forms import PayValidation
+from lib.paypal.forms import GetPersonal, PayValidation
 from lib.sellers.models import Seller, SellerPaypal
 from lib.transactions.models import PaypalTransaction
 
@@ -90,3 +90,28 @@ def test_duplicate_uuid(self):
         data['uuid'] = 'sample:uuid'
         form = PayValidation(data)
         assert not form.is_valid(), form.errors
+
+
+class TestKeyValidation(test_utils.TestCase):
+
+    def setUp(self):
+        self.uuid = 'sample:uid'
+        self.seller = Seller.objects.create(uuid=self.uuid)
+        self.paypal = SellerPaypal.objects.create(seller=self.seller,
+                                                  paypal_id='foo@bar.com')
+
+    def test_empty_token(self):
+        form = GetPersonal({'seller': self.uuid})
+        assert not form.is_valid()
+
+    def test_no_seller(self):
+        form = GetPersonal()
+        assert not form.is_valid()
+
+    def test_token(self):
+        self.paypal.token = 'token'
+        self.paypal.secret = 'secret'
+        self.paypal.save()
+
+        form = GetPersonal({'seller': self.uuid})
+        assert form.is_valid()
diff --git a/lib/paypal/tests/test_permission.py b/lib/paypal/tests/test_permission.py
@@ -62,7 +62,7 @@ def setUp(self):
         self.list_url = self.get_list_url('permission-token')
 
     def get_data(self):
-        return {'token': 'foo', 'code': 'bar', 'seller': 'sample:uuid'}
+        return {'token': 'foo', 'verifier': 'bar', 'seller': 'sample:uuid'}
 
     def test_check_no_seller(self, key):
         data = self.get_data()
diff --git a/lib/paypal/tests/test_personal.py b/lib/paypal/tests/test_personal.py
@@ -3,11 +3,12 @@
 from mock import patch
 from nose.tools import eq_
 
+from lib.paypal.header import escape
 from lib.sellers.models import Seller, SellerPaypal
 from solitude.base import APITest
 
 
-class TestGetBasic(APITest):
+class TestGet(APITest):
 
     def setUp(self):
         self.api_name = 'paypal'
@@ -21,6 +22,7 @@ def test_basic_data(self, result):
         res = self.client.post(self.get_list_url('personal-basic'),
                                data={'seller': self.uid})
         eq_(res.status_code, 201)
+        eq_(json.loads(res.content)['first_name'], '..')
         obj = SellerPaypal.objects.get(pk=self.paypal.pk)
         eq_(obj.first_name, '..')
 
@@ -30,5 +32,11 @@ def test_advanced_data(self, result):
         res = self.client.post(self.get_list_url('personal-advanced'),
                                data={'seller': self.uid})
         eq_(res.status_code, 201)
+        eq_(json.loads(res.content)['phone'], '..')
         obj = SellerPaypal.objects.get(pk=self.paypal.pk)
         eq_(obj.phone, '..')
+
+
+def test_header():
+    eq_(escape('foo'), 'foo')
+    eq_(escape('&'), '%26')
