Merge branch 'master' into stable

paypalrestsdk/config.py

@@ -1,4 +1,4 @@
-__version__ = "1.10.0"
+__version__ = "1.10.1"
 __pypi_username__ = "paypal"
 __pypi_packagename__ = "paypalrestsdk"
 __github_username__ = "paypal"

paypalrestsdk/notifications.py

@@ -131,6 +131,16 @@ def _verify_signature(cls, transmission_id, timestamp, webhook_id, event_body, c
     def verify(cls, transmission_id, timestamp, webhook_id, event_body, cert_url, actual_sig, auth_algo='sha256'):
         """Verify certificate and payload
         """
+        __auth_algo_map = {
+            'SHA256withRSA': 'sha256WithRSAEncryption',
+            'SHA1withRSA': 'sha1WithRSAEncryption'
+        }
+        try:
+            if auth_algo != 'sha256' and auth_algo not in __auth_algo_map.values():
+                auth_algo = __auth_algo_map[auth_algo]
+        except KeyError as e:
+            print('Authorization algorithm mapping not found in verify method.')
+            return False
         cert = WebhookEvent._get_cert(cert_url)
         return WebhookEvent._verify_certificate(cert) and WebhookEvent._verify_signature(transmission_id, timestamp, webhook_id, event_body, cert, actual_sig, auth_algo)
 

release_notes.md

@@ -1,6 +1,11 @@
 PayPal Python SDK release notes
 ============================
 
+v1.10.1
+----
+* Webhook cert patch
+* Support PAYPAL_AUTH_ALGO header for webhook validation
+
 v1.10.0
 ----
 * Webhook certificate chain, common name and expiry validation added

setup.py

@@ -28,6 +28,7 @@
   license=license,
   description='The PayPal REST SDK provides Python APIs to create, process and manage payments.',
   long_description=long_description,
+  package_data={'paypalrestsdk': ['data/*.crt.pem']},
   install_requires=['requests>=1.0.0', 'six>=1.0.0', 'pyopenssl>=0.15'],
   classifiers=[
     'Intended Audience :: Developers',

test/unit_tests/notifications_test.py

@@ -78,6 +78,28 @@ def test_verify(self):
             self.transmission_id, self.timestamp, self.webhook_id, self.event_body, self.cert_url, self.actual_signature, 'sha256')
         self.assertEqual(response, True)
 
+    def test_verify_with_auth_algo_header(self):
+        # Test digest method mapping works
+        response = paypal.WebhookEvent.verify(
+            self.transmission_id, self.timestamp, self.webhook_id, self.event_body, self.cert_url, self.actual_signature, 'SHA256withRSA')
+        self.assertEqual(response, True)
+
+    def test_verify_with_auth_algo_value(self):
+        # Test digest method mapped value passed in directly works
+        response = paypal.WebhookEvent.verify(
+            self.transmission_id, self.timestamp, self.webhook_id, self.event_body, self.cert_url, self.actual_signature, 'sha256WithRSAEncryption')
+        self.assertEqual(response, True)
+
+    def test_verify_with_invalid_auth_algo_name(self):
+        response = paypal.WebhookEvent.verify(
+            self.transmission_id, self.timestamp, self.webhook_id, self.event_body, self.cert_url, self.actual_signature, 'invalid_digest_method')
+        self.assertEqual(response, False)
+
+    def test_verify_with_incorrect_auth_algo(self):
+        response = paypal.WebhookEvent.verify(
+            self.transmission_id, self.timestamp, self.webhook_id, self.event_body, self.cert_url, self.actual_signature, 'SHA1withRSA')
+        self.assertEqual(response, False)
+
     def test_verify_certificate(self):
         cert = paypal.WebhookEvent._get_cert(self.cert_url)
         response = paypal.WebhookEvent._verify_certificate(cert)