add in a secret api (bug 817886)

commit f33aee9d5a511f4fd533083341e8677ab7b51816 1 parent 8baa547
@andymckay andymckay authored
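--- a/lib/solitude/api.py
+++ b/lib/solitude/api.py
@@ -106,6 +106,18 @@ def get_buyer(self, uuid):
 res = self.safe_run(self.slumber.generic.buyer.get, uuid=uuid)
 return self._buyer_from_response(res)
+def get_secret(self, uuid):
+"""Retrieves a seller secret by their uuid.
+
+:param uuid: Sellers uuid.
+:rtype: dictionary
+"""
+res = self.parse_res(self.safe_run(self.slumber.generic.product.get,
+uuid=uuid))
+if len(res['objects']) != 1:
+raise ValueError('Not exactly one result found.')
+return res['objects'][0]['secret']
+
 def confirm_pin(self, uuid, pin):
 """Confirms the buyer's pin, marking it at confirmed in solitude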
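Review bot: The docstring of `get_secret` declares `:rtype: dictionary`, but the method returns `res['objects'][0]['secret']`, and the new `test_some_secret` expects that value to be the string `'k'`; it should read `:rtype: str` (or whatever solitude stores in `secret`). The docstring also says "seller secret" while the lookup goes through `generic.product`, so a sentence stating that the uuid is matched against the product and that exactly one match is required would save the next reader a trip to the caller. A result object without a `secret` key currently raises `KeyError`, which the only caller shown (`clean_req` in webpay/pay/forms.py) does not catch; wrapping that last line as `try: return res['objects'][0]['secret']` / `except KeyError: raise ValueError('No secret for that uuid.')` keeps every not-found case on the ValueError path the form already handles.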
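--- a/lib/solitude/tests.py
+++ b/lib/solitude/tests.py
@@ -122,3 +122,22 @@ def test_create_bango(self, slumber):
 assert slumber.generic.product.post.called
 assert slumber.bango.rating.post.called
 assert slumber.bango.premium.post.called
+
+
+@mock.patch('lib.solitude.api.client.slumber')
+class SecretTest(TestCase):
+
+ def test_no_secret(self, slumber):
+ slumber.generic.product.get.return_value = {'objects': []}
+ with self.assertRaises(ValueError):
+ client.get_secret('x')
+
+ def test_too_many_secrets(self, slumber):
+ slumber.generic.product.get.return_value = {'objects': [1, 2]}
+ with self.assertRaises(ValueError):
+ client.get_secret('x')
+
+ def test_some_secret(self, slumber):
+ slumber.generic.product.get.return_value = {'objects':
+ [{'secret': 'k'}]}
+ eq_(client.get_secret('x'), 'k')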
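Review bot: `SecretTest` pins the zero-result and many-result cases but not a single result object that lacks a `secret` key, which in `get_secret` as written surfaces as a `KeyError` rather than the `ValueError` the form layer catches. A fourth case setting `slumber.generic.product.get.return_value = {'objects': [{}]}` and asserting the exception the API is meant to raise would make that contract explicit and catch a silent change later. The `[1, 2]` stand-ins in `test_too_many_secrets` are fine since the length check fires before any item is inspected.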
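--- a/webpay/pay/forms.py
+++ b/webpay/pay/forms.py
@@ -4,7 +4,7 @@
 import jwt
 from tower import ugettext as _
-from models import Issuer, ISSUER_ACTIVE
+from lib.solitude.api import client
 class VerifyForm(forms.Form):
@@ -35,15 +35,14 @@ def clean_req(self):
 # This is an app purchase because it matches the settings.
 self.key, self.secret = app_id, settings.SECRET
 else:
-# In app config, go look it up.
 try:
-issuer = Issuer.objects.get(issuer_key=app_id,
-status=ISSUER_ACTIVE)
-except Issuer.DoesNotExist:
+# Assuming that the app_id is also going to be the seller.uuid.
+secret = client.get_secret(app_id)
+except ValueError:
 raise forms.ValidationError(
 # L10n: the first argument is a key to identify an issuer.
 _('No one has been registered for JWT issuer {0}.')
 .format(repr(app_id)))
-self.key, self.secret = app_id, issuer.get_private_key()
+self.key, self.secret = app_id, secret
 return data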
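Review bot: `except ValueError:` in `clean_req` only maps the not-found case of `client.get_secret(app_id)` onto a ValidationError; any other failure from that call (a malformed response reaching the `res['objects'][0]['secret']` indexing, or whatever `safe_run` raises when solitude is unreachable — its behaviour is not visible here) escapes form validation as an unhandled exception instead of an invalid form. Worth either catching that class of error in the API and re-raising it as ValueError, or documenting in the docstring of `get_secret` that only ValueError is part of its contract. The `# Assuming that the app_id is also going to be the seller.uuid.` comment reads as an open question; if it is the intended contract, state it as one, e.g. `# The JWT issuer (app_id) is used as the seller uuid for the secret lookup.`. `clean_req` begins before this hunk, so the derivation of `app_id` and `data` is not reviewed here.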
17 webpay/pay/tests/test_views.py
@@ -7,6 +7,7 @@
from django.core.urlresolvers import reverse
import mock
+from nose import SkipTest
from nose.tools import eq_
from webpay.pay.forms import VerifyForm
@@ -74,7 +75,9 @@ def test_post(self):
def test_get(self):
eq_(self.client.get(self.url).status_code, 400)
- def test_inapp(self):
+ @mock.patch('lib.solitude.api.SolitudeAPI.get_secret')
+ def test_inapp(self, get_secret):
+ get_secret.return_value = self.secret
payload = self.request(iss=self.key, app_secret=self.secret)
eq_(self.get(payload).status_code, 200)
@@ -164,13 +167,19 @@ def test_broken(self):
def test_unicode(self):
self.failed(VerifyForm({'req': u'Հ'}))
- def test_non_existant(self):
+ @mock.patch('lib.solitude.api.SolitudeAPI.get_secret')
+ def test_non_existant(self, get_secret):
+ get_secret.side_effect = ValueError
payload = self.request(iss=self.key + '.nope', app_secret=self.secret)
with self.settings(INAPP_KEY_PATHS={None: sample}, DEBUG=True):
form = VerifyForm({'req': payload})
assert not form.is_valid()
def test_not_public(self):
+ # Should this be moved down to solitude? There currently isn't
+ # an active status in solitude.
+ raise SkipTest
+
@kumar303 Owner

Actually, yes, can you file a bug for that? It's crucial that we have the ability to disable app payments immediately (per seller uuid) for when in-app secrets get compromised. We had a feature in devhub where dev could log in and revoke their secret if they knew their server had been hacked. Ditto for an admin page.

@andymckay Owner

Bug filed and done. Although I forgot to unskip this test: cdfa09 and https://bugzilla.mozilla.org/show_bug.cgi?id=822735

self.iss.status = ISSUER_INACTIVE
self.iss.save()
payload = self.request(iss=self.key, app_secret=self.secret)
@@ -178,7 +187,9 @@ def test_not_public(self):
form = VerifyForm({'req': payload})
assert not form.is_valid()
- def test_valid_inapp(self):
+ @mock.patch('lib.solitude.api.SolitudeAPI.get_secret')
+ def test_valid_inapp(self, get_secret):
+ get_secret.return_value = self.secret
payload = self.request(iss=self.key, app_secret=self.secret)
with self.settings(INAPP_KEY_PATHS={None: sample}, DEBUG=True):
form = VerifyForm({'req': payload})
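Review bot: The patched `get_secret` in `test_inapp`, `test_non_existant` and `test_valid_inapp` is never checked for the argument it received, so these tests would still pass if `clean_req` looked the secret up by some value other than the JWT issuer; adding `get_secret.assert_called_with(self.key)` after the form is evaluated (and `get_secret.assert_called_with(self.key + '.nope')` in `test_non_existant`) pins the app_id-to-uuid contract the form relies on. These tests patch `lib.solitude.api.SolitudeAPI.get_secret` while lib/solitude/tests.py patches `lib.solitude.api.client.slumber`; both reach the same code path only if `client` is a `SolitudeAPI` instance, which is not visible in this commit. The body of `test_valid_inapp` continues past the end of the hunk.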

2 comments on commit f33aee9

@kumar303
Owner

for some reason this slowed down the test suite 1x times. I'm not sure why though. If it's using the mock it shouldn't be doing much.

@andymckay
Owner

Curious
