Fix valid signature

Description

[OSPR-](https://openedx.atlassian.net/browse/OSPR-)

The reason the signature doesn't match in the `verify_student` app is because the headers and body used for signing are different when sent to and when coming back from Software Secure. My solution is to match the headers and body. For the headers it is just a matter of adding the `Content-Type` header to the dict. For the body, when you are creating the request the body is this:
```python
body = {
    "EdX-ID": str(self.receipt_id),
    "ExpectedName": self.name,
    "PhotoID": photo_id_url,
    "PhotoIDKey": photo_id_key,
    "SendResponseTo": callback_url,
    "UserPhoto": self.image_url("face"),
    "UserPhotoKey": self._encrypted_user_photo_key_str(),
}
```

but what Software Secure returns is this:
```python
receipt_id = body_dict.get("EdX-ID")
result = body_dict.get("Result")
reason = body_dict.get("Reason", "")
error_code = body_dict.get("MessageType", "")
```

As you can see, the body will not match, hence the signature validation will fail. The only common thing between the two of them is the `EdX-ID`, so using only this param will make the body the same. At the end the header and body are transformed to strings and then hashed:
```python
hashed = hmac.new(secret_key.encode('utf-8'), message, sha256)
signature = binascii.b2a_base64(hashed.digest()).rstrip('\n')
```
so it really doesn't matter how big the body is.

Notes

I'm assuming that the date header that is sent to Software Secure and the date header sent back from them are the same. If they are not, then the only thing to do is to remove this header from the request.

How to test this PR

```python
print(has_valid_signature(
    "POST",
    headers,
    body_for_signature,
    settings.VERIFY_STUDENT["SOFTWARE_SECURE"]["API_ACCESS_KEY"],
    settings.VERIFY_STUDENT["SOFTWARE_SECURE"]["API_SECRET_KEY"],
))
```
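The following is an added, self-contained illustration of the mismatch described in the Description and of the `has_valid_signature` check exercised above; it is not the edx-platform code. The canonical string layout (method, then the `Content-Type` and `Date` headers, then sorted `key:value` body lines), the `SSI access_key:signature` Authorization format, the key values and the two body dicts are all constructed assumptions for this example. It signs the outbound request body, shows that verifying the callback body against that signature fails, then shows that signing only `EdX-ID` on both sides succeeds while a modified receipt id is still rejected.

```python
import binascii
import hmac
from hashlib import sha256

# Assumed for this example: only these headers enter the signed string, in this
# order, so that an Authorization header on the callback never signs itself.
SIGNED_HEADERS = ("Content-Type", "Date")


def header_string(headers):
    """Serialise the signed headers deterministically (assumed layout)."""
    return "".join(f"{name}:{headers[name]}\n" for name in SIGNED_HEADERS if name in headers)


def body_string(body):
    """Serialise the body as sorted key:value lines (assumed layout)."""
    return "".join(f"{key}:{value}\n" for key, value in sorted(body.items()))


def canonical_message(method, headers, body):
    return f"{method}\n\n{header_string(headers)}\n{body_string(body)}"


def generate_signature(method, headers, body, secret_key):
    """HMAC-SHA256 over the canonical string, base64 without the trailing newline."""
    message = canonical_message(method, headers, body).encode("utf-8")
    hashed = hmac.new(secret_key.encode("utf-8"), message, sha256)
    return binascii.b2a_base64(hashed.digest()).rstrip(b"\n").decode("ascii")


def authorization_header(access_key, signature):
    # Assumed header format for the example.
    return f"SSI {access_key}:{signature}"


def has_valid_signature(method, headers, body, access_key, secret_key):
    """Recompute the expected Authorization value and compare in constant time."""
    expected = authorization_header(access_key, generate_signature(method, headers, body, secret_key))
    presented = headers.get("Authorization", "")
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def body_for_signature(body):
    """The PR's approach: sign only the field both directions share."""
    return {"EdX-ID": body["EdX-ID"]}


# Constructed sample values; not real credentials or records.
ACCESS_KEY = "example-access-key"
SECRET_KEY = "example-secret-key"
DATE = "Mon, 01 Jan 2018 00:00:00 GMT"
OUTBOUND_BODY = {
    "EdX-ID": "receipt-0001",
    "ExpectedName": "Sample Learner",
    "PhotoID": "https://example.invalid/photo-id",
    "PhotoIDKey": "constructed-photo-id-key",
    "SendResponseTo": "https://example.invalid/callback",
    "UserPhoto": "https://example.invalid/face",
    "UserPhotoKey": "constructed-user-photo-key",
}
CALLBACK_BODY = {
    "EdX-ID": "receipt-0001",
    "Result": "PASS",
    "Reason": "",
    "MessageType": "",
}


def demo():
    """Return (full-body check, EdX-ID-only check, tampered check)."""
    headers = {"Content-Type": "application/json", "Date": DATE}

    # Original behaviour: the outbound request is signed over its full body.
    sig_full = generate_signature("POST", headers, OUTBOUND_BODY, SECRET_KEY)
    cb_headers = {**headers, "Authorization": authorization_header(ACCESS_KEY, sig_full)}
    # Verifying the callback body against that signature cannot succeed: the bodies differ.
    full_body_check = has_valid_signature("POST", cb_headers, CALLBACK_BODY, ACCESS_KEY, SECRET_KEY)

    # With the fix, both sides sign only EdX-ID and the same Date header.
    sig_fixed = generate_signature("POST", headers, body_for_signature(OUTBOUND_BODY), SECRET_KEY)
    cb_headers = {**headers, "Authorization": authorization_header(ACCESS_KEY, sig_fixed)}
    fixed_check = has_valid_signature(
        "POST", cb_headers, body_for_signature(CALLBACK_BODY), ACCESS_KEY, SECRET_KEY
    )

    # A callback whose receipt id was altered must still be rejected.
    tampered = {**CALLBACK_BODY, "EdX-ID": "receipt-9999"}
    tampered_check = has_valid_signature(
        "POST", cb_headers, body_for_signature(tampered), ACCESS_KEY, SECRET_KEY
    )
    return full_body_check, fixed_check, tampered_check


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

Two points worth noting from the run: the comparison uses `hmac.compare_digest` rather than `==`, and once only `EdX-ID` is signed, the `Result` and `Reason` fields of the callback are no longer covered by the signature, so the receipt id is the only part of the callback the HMAC binds. The example also bakes in the Notes assumption that the `Date` header is identical in both directions; with a different `Date` on the callback, `fixed_check` would be `False` as well.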

Reviewers

(I don't know who I should tag, feel free to remove yourself if this doesn't apply to you)

  • [ ] Code review: @schenedx

  • [ ] Code review: @ahsan-ul-haq

  • [ ] Code review: @shaunagm

  • [ ] Code review: @OmarIthawi

  • [ ] Code review: @sambapete

  • [ ] Code review: @hasnain-naveed

  • [ ] Code review: @ibrahimahmed443

  • [ ] Code review: @malikshahzad228

  • [ ] Code review: @douglashall

Status:
Assignee: Simon Chen
Reporter: Open Source Pull Request Bot
Contributor Name: José Antonio González Rodriguez
Repo: edx/edx-platform
Customer: None
Epic Link: None
OSCM Assignee: Ned Batchelder
Priority: Unset