Fix valid signature

Description


[OSPR-](https://openedx.atlassian.net/browse/OSPR-)

The reason the signature doesn't match in the `verify_student` app is because the headers and body used for signing are different when sent and when coming back from Software Secure. My solution is to match the headers and body. For the headers it's just adding the `Content-Type` header to the dict. For the body, when you are creating the request the body is this
```python
body = {
    "EdX-ID": str(self.receipt_id),
    "ExpectedName": self.name,
    "PhotoID": photo_id_url,
    "PhotoIDKey": photo_id_key,
    "SendResponseTo": callback_url,
    "UserPhoto": self.image_url("face"),
    "UserPhotoKey": self._encrypted_user_photo_key_str(),
}
```

but what Software Secure returns is this
```python
receipt_id = body_dict.get("EdX-ID")
result = body_dict.get("Result")
reason = body_dict.get("Reason", "")
error_code = body_dict.get("MessageType", "")
```

As you can see the body will not match, hence the signature validation will fail. The only common thing between the two of them is the `EdX-ID`, so using only this param will make the body the same. At the end the header and body are transformed to strings and then hashed
```python
import binascii, hmac
from hashlib import sha256
hashed = hmac.new(secret_key.encode('utf-8'), message, sha256)
signature = binascii.b2a_base64(hashed.digest()).rstrip('\n')
```
so it really doesn't matter how big the body is.

Notes

I'm assuming that the date header that is sent to Software Secure and the date header sent back from them are the same. If they are not, then the only thing to do is to remove this header from the request.

How to test this PR

```python
print(has_valid_signature(
    "POST",
    headers,
    body_for_signature,
    settings.VERIFY_STUDENT["SOFTWARE_SECURE"]["API_ACCESS_KEY"],
    settings.VERIFY_STUDENT["SOFTWARE_SECURE"]["API_SECRET_KEY"],
))
```

Reviewers

(I don't know who I should tag, feel free to remove yourself if this doesn't apply to you)

  • [ ] Code review: @schenedx

  • [ ] Code review: @ahsan-ul-haq

  • [ ] Code review: @shaunagm

  • [ ] Code review: @OmarIthawi

  • [ ] Code review: @sambapete

  • [ ] Code review: @hasnain-naveed

  • [ ] Code review: @ibrahimahmed443

  • [ ] Code review: @malikshahzad228

  • [ ] Code review: @douglashall
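The mismatch the description explains, as an added example that is not code from the PR or from edx-platform: it assumes a hypothetical canonicalization (method, blank line, the `Content-Type`/`Date`/`Content-MD5` headers, then sorted `key:value` body lines) feeding the HMAC-SHA256/base64 step shown above, with constructed keys and bodies. It shows that the full outbound body and the callback body sign differently, while reducing both to `EdX-ID` makes the signatures agree; the constant-time comparison is also an addition.

```python
import binascii
import hmac
from hashlib import sha256

# Constructed sample values, not real credentials or receipt ids.
SECRET_KEY = "example-secret-key"
HEADERS = {"Content-Type": "application/json", "Date": "Thu, 03 Nov 2016 15:13:00 GMT"}
# Outbound request body (what the LMS signs when it sends the request).
REQUEST_BODY = {"EdX-ID": "receipt-0001", "ExpectedName": "Example Learner",
                "SendResponseTo": "https://example.invalid/callback"}
# Callback body (what Software Secure posts back); only EdX-ID overlaps.
RESPONSE_BODY = {"EdX-ID": "receipt-0001", "Result": "PASS", "Reason": "", "MessageType": ""}


def signing_string(method, headers, body):
    """Canonical text that gets signed: method, blank line, the signed headers,
    then sorted body key:value lines (hypothetical canonicalization)."""
    header_lines = "".join(headers[n] + "\n" for n in ("Content-Type", "Date", "Content-MD5")
                           if n in headers)
    body_lines = "".join("{}:{}\n".format(k, "null" if v is None else v)
                         for k, v in sorted(body.items()))
    return "{}\n\n{}{}".format(method, header_lines, body_lines)


def sign(method, headers, body, secret_key):
    """HMAC-SHA256 over the canonical text, base64-encoded, as in the hmac snippet above."""
    message = signing_string(method, headers, body).encode("utf-8")
    hashed = hmac.new(secret_key.encode("utf-8"), message, sha256)
    return binascii.b2a_base64(hashed.digest()).rstrip(b"\n").decode("ascii")


def body_for_signature(body):
    """The fix from the description: sign only the field both sides carry."""
    return {"EdX-ID": body["EdX-ID"]}


def signatures_match(sig_a, sig_b):
    """Constant-time comparison so a verifier does not leak the signature via timing."""
    return hmac.compare_digest(sig_a.encode("ascii"), sig_b.encode("ascii"))


def full_bodies_agree():
    """False: the request body and the callback body canonicalize differently."""
    return signatures_match(sign("POST", HEADERS, REQUEST_BODY, SECRET_KEY),
                            sign("POST", HEADERS, RESPONSE_BODY, SECRET_KEY))


def reduced_bodies_agree():
    """True: restricted to EdX-ID, both sides produce the same signature."""
    return signatures_match(sign("POST", HEADERS, body_for_signature(REQUEST_BODY), SECRET_KEY),
                            sign("POST", HEADERS, body_for_signature(RESPONSE_BODY), SECRET_KEY))
```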

Activity

Simon Chen
July 24, 2017, 4:11 PM

This one was merged, but we found it introduced production issues, and I had to back it out.
The new PR is at https://github.com/edx/edx-platform/pull/15352
So, we should not update the ticket status as such.

Simon Chen
June 8, 2017, 5:47 PM

I made comments on the PR. Please help the user to get the PR in a merge-able state

George Song
April 19, 2017, 5:30 PM

Can you confirm that the learner team should handle this? If not, let me know who should. Thanks.

Joel Barciauskas
November 10, 2016, 4:14 PM

Actually looks like it should be ecom

Joel Barciauskas
November 3, 2016, 3:13 PM

should this be solutions or TNL? Not platform I don't think.

Won't Do

Assignee

Simon Chen

Reporter

Open Source Pull Request Bot

Contributor Name

José Antonio González Rodriguez

Repo

edx/edx-platform

Customer

None

Epic Link

None

OSCM Assignee

Ned Batchelder

Platform Map Area (Levels 1 & 2)

None

Platform Map Area (Levels 3 & 4)

None

Blended Hour Utilization Percentage

None

edX Theme

None

edX Squad

None

Github Lines Added

None

Github Lines Deleted

None

Priority

Unset