From e8f4b3858077cf2b3d07ff0feb423a0992959eea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nagy=20Kriszti=C3=A1n?=
Date: Fri, 7 Jun 2024 12:17:19 +0000
Subject: [PATCH] SECURITY-5161: pull in new test cases, fix tests

Co-authored-by: Laszlo Hammerl
---
 docker-compose.yml       | 1 -
 escherauth/escherauth.py | 24 ++++++++++++++++--------
 requirements-dev.txt     | 2 +-
 test-cases               | 2 +-
 tests/test_escherauth.py | 15 +++++++++++++++
 5 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 8f07a94..178c429 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3'
 services:
   escher:
     build: .
diff --git a/escherauth/escherauth.py b/escherauth/escherauth.py
index 2a3ffd3..7f83c5d 100644
--- a/escherauth/escherauth.py
+++ b/escherauth/escherauth.py
@@ -236,6 +236,7 @@ def __init__(self, api_key, api_secret, credential_scope, options=None):
         self.clock_skew = options.get('clock_skew', 300)
         self.algo = self.create_algo()
         self.algo_id = self.algo_prefix + '-HMAC-' + self.hash_algo
+        self.debug_info = {}
 
     def sign_request(self, request, headers_to_sign=None):
         request = EscherRequest(request)
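Review bot: `self.debug_info = {}` lands in `__init__` with no comment, yet the later hunks show it accumulating the canonical request, the string to sign and the complete emitted Authorization header of the most recent signing call, and nothing in this patch ever resets it. That deserves to be spelled out where the attribute is born, e.g. `# Debug-only: intermediates of the last sign_request()/presign_url() call (canonical request, string to sign, emitted Authorization header). Holds a usable signature - keep out of logs and error reports.` `__init__` starts outside the hunk, so I cannot see whether `options` already carries a debug switch this could be tied to.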
@@ -262,13 +263,14 @@ def sign_request(self, request, headers_to_sign=None):
         else:
             request.add_header(self.date_header_name, self.long_date(current_time))
 
-        signature = self.generate_signature(self.api_secret, request, headers_to_sign, current_time)
-        request.add_header(self.auth_header_name, ", ".join([
-            self.algo_id + ' Credential=' + self.api_key + '/' + self.short_date(
-                current_time) + '/' + self.credential_scope,
+        auth_header_value = self.algo_id + ' ' + ', '.join([
+            'Credential=' + self.credential(current_time),
             'SignedHeaders=' + self.prepare_headers_to_sign(headers_to_sign),
-            'Signature=' + signature
-        ]))
+            'Signature=' + self.generate_signature(self.api_secret, request, headers_to_sign, current_time),
+        ])
+        request.add_header(self.auth_header_name, auth_header_value)
+        self.debug_info['auth_header_value'] = auth_header_value
+
         return request.request
 
     def presign_url(self, url, expires):
@@ -279,7 +281,7 @@ def presign_url(self, url, expires):
         url_to_sign = url + ('&' if '?' in url else '?') + urlencode({
             f'X-{self.vendor_key}-Algorithm': self.algo_id,
-            f'X-{self.vendor_key}-Credentials': self.api_key + '/' + self.short_date(current_time) + '/' + self.credential_scope,
+            f'X-{self.vendor_key}-Credentials': self.credential(current_time),
             f'X-{self.vendor_key}-Date': self.long_date(current_time),
             f'X-{self.vendor_key}-Expires': expires,
             f'X-{self.vendor_key}-SignedHeaders': 'host',
@@ -360,6 +362,9 @@ def generate_signature(self, api_secret, req, headers_to_sign, current_time):
         canonicalized_request = self.canonicalize(req, headers_to_sign)
         string_to_sign = self.get_string_to_sign(canonicalized_request, current_time)
 
+        self.debug_info['canonicalized_request'] = canonicalized_request
+        self.debug_info['string_to_sign'] = string_to_sign
+
         signing_key = self.hmac_digest(self.algo_prefix + api_secret, self.short_date(current_time))
         for data in self.credential_scope.split('/'):
             signing_key = self.hmac_digest(signing_key, data)
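Review bot: `self.debug_info['auth_header_value'] = auth_header_value` keeps a complete, usable Authorization header on the long-lived signer object after the request has already been handed back to the caller, so any instance dump, `__dict__` serialization or crash reporter that captures `self` now exposes a credential that a verifier would presumably accept until it expires. Before this change the signer held only the configured key material; retaining per-request signatures is a new exposure that exists solely so the tests can read it. If the tests need it, mark the cost at the write site, `# debug_info retains the live header and is not cleared between calls - debug/test use only`, or gate the write behind an explicit option so production instances never populate it. `sign_request` starts in the previous hunk.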
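Review bot: The two `self.debug_info[...]` writes only ever add keys, so on a reused instance a stale `auth_header_value` from an earlier `sign_request` survives any later call that only reaches `generate_signature` (presumably `presign_url`, whose signing step is outside the hunk), and a test asserting `authHeader` after such a call would read the previous request's header. Rebuilding the dict here fixes the staleness and marks the start of a new signing: `self.debug_info = {'canonicalized_request': canonicalized_request, 'string_to_sign': string_to_sign}`. Concurrent signing on one shared instance would still interleave entries, so the attribute should also be documented as not safe to read under concurrent use. `generate_signature` continues past the hunk.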
@@ -408,7 +413,7 @@ def normalize_white_spaces(self, value):
         return '"'.join(value_normalized).strip()
 
     def canonicalize_query(self, query_parts):
-        safe = "~+!'*"
+        safe = "!*"
         query_list = []
         for key, value in query_parts:
             if key == 'X-' + self.vendor_key + '-Signature':
@@ -430,6 +435,9 @@ def create_algo(self):
         if self.hash_algo == 'SHA512':
             return sha512
 
+    def credential(self, time):
+        return self.api_key + '/' + self.short_date(time) + '/' + self.credential_scope
+
     def header_date(self, time):
         return time.strftime('%a, %d %b %Y %H:%M:%S GMT')
 
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 7002309..b03eec6 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,3 +1,3 @@
-nose2==0.14.1
+nose2==0.15.1
 requests>=2.0.0,<3.0.0
 pycodestyle==2.11.1
\ No newline at end of file
diff --git a/test-cases b/test-cases
index fb3d9f9..94d4468 160000
--- a/test-cases
+++ b/test-cases
@@ -1 +1 @@
-Subproject commit fb3d9f936c046de69aa22eda77fea405cdc458ef
+Subproject commit 94d4468f4ccb364469a91fb04ed8fd0cff41b885
diff --git a/tests/test_escherauth.py b/tests/test_escherauth.py
index 788fbba..7876227 100644
--- a/tests/test_escherauth.py
+++ b/tests/test_escherauth.py
@@ -115,6 +115,21 @@ def test_sign_request(self, test_case: TestCase):
         try:
             request = escher.sign_request(test_case.request, test_case.headers_to_sign)
+            if 'canonicalizedRequest' in test_case.expected:
+                self.assertEqual(
+                    escher.debug_info['canonicalized_request'],
+                    test_case.expected['canonicalizedRequest']
+                )
+            if 'stringToSign' in test_case.expected:
+                self.assertEqual(
+                    escher.debug_info['string_to_sign'],
+                    test_case.expected['stringToSign']
+                )
+            if 'authHeader' in test_case.expected:
+                self.assertEqual(
+                    escher.debug_info['auth_header_value'],
+                    test_case.expected['authHeader']
+                )
             if 'request' in test_case.expected:
                 self.assertEqual(request, test_case.expected['request'])
             else:
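Review bot: `safe = "!*"` changes the canonical query byte-for-byte - `+` and `'` are now percent-encoded while `!` and `*` stay literal (and `~` only if the underlying quote call already treats it as unreserved) - with no comment saying why, and since the verifier must canonicalize identically or every signature is rejected, the next person to "fix" this set will cause an interop outage rather than a security gain. Record the contract at the assignment, e.g. `# Only '!' and '*' stay unescaped; '+' and "'" must be %-encoded to match the shared escher test-cases. '~' is unreserved and left alone by quote() itself.` The `~` part assumes the escaping further down uses `urllib.parse.quote` (Python 3.7+ leaves `~` alone); that code is outside the hunk, please confirm. `canonicalize_query` continues past the hunk.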
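Review bot: `credential` is now the single place that formats the string used by both the Authorization header and the `X-<vendor>-Credentials` query parameter, and it has no docstring although the format is a protocol contract rather than an implementation detail. Add `"""Return the credential string ``<api_key>/<short date>/<credential_scope>`` shared by the Authorization header and the X-<vendor>-Credentials query parameter."""`. `api_key` is also embedded unescaped while `credential_scope` is itself `/`-separated (it is split on `/` in `generate_signature`), so an `api_key` containing `/` would make the string ambiguous to parse; whether the constructor rejects such keys is outside the hunk.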
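Review bot: The three new `assertEqual` calls run inside the `try:` whose `except` clause is outside the hunk; if that clause catches `Exception` (or `AssertionError`), a mismatch in `canonicalizedRequest`, `stringToSign` or `authHeader` would be swallowed instead of failing the test - please confirm it re-raises or catches only the project's auth exception. The three blocks are identical modulo key names; one loop over `(('canonicalizedRequest', 'canonicalized_request'), ('stringToSign', 'string_to_sign'), ('authHeader', 'auth_header_value'))` with `self.subTest(expected=name)` would make clear they are one check and would name the one that failed. `test_sign_request` starts and ends outside the hunk.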