Add sig check API (bug 905794)

.gitignore

@@ -7,6 +7,7 @@ shellng_local.py
 .vagrant
 pip-log.txt
 docs/_gh-pages
+docs/api/_build
 lib/product_json/.gitignore
 lib/product_json/*.json
 lib/product_json/.last_update

docs/api/topics/payment.rst

@@ -292,6 +292,32 @@ Produces the JWT that is passed to `navigator.mozPay`_.
     :status 403: app cannot be purchased.
     :status 409: app already purchased.
 
+Signature Check
+===============
+
+Retrieve a JWT that can be used to check the signature for making payments.
+This is intended for system health checks and requires no authorization.
+You can pass the retrieved JWT to the `WebPay`_ API to verify its signature.
+
+.. http:post:: /api/v1/webpay/sig_check/
+
+    **Request**
+
+    No parameters are necessary.
+
+    **Response**
+
+    .. code-block:: json
+
+        {
+            "sig_check_jwt": "eyJhbGciOiAiSFMyNT...XsgG6JKCSw"
+        }
+
+    :param sig_check_jwt: a JWT that can be passed to `WebPay`_.
+    :type sig_check_jwt: string
+
+    :status 201: successfully created resource.
+
 .. _payment-status-label:
 
 Payment status

mkt/settings.py

@@ -278,6 +278,10 @@ APP_PURCHASE_AUD = 'marketplace-dev.allizom.org'
 # On B2G this must match a provider in the whitelist.
 APP_PURCHASE_TYP = 'mozilla/payments/pay/v1'
 
+# This is the typ for signature checking JWTs.
+# This is used to integrate with WebPay.
+SIG_CHECK_TYP = 'mozilla/payments/sigcheck/v1'
+
 # This is the base filename of the `.zip` containing the packaged app for the
 # consumer-facing pages of the Marketplace (aka Fireplace). Expected path:
 #     /media/packaged-apps/<path>

mkt/webpay/resources.py

@@ -1,8 +1,14 @@
+import calendar
+import time
+
 from django.conf import settings
 from django.conf.urls.defaults import url
 from django.core.exceptions import ObjectDoesNotExist
 
 import commonware.log
+from rest_framework.decorators import api_view, permission_classes
+from rest_framework.permissions import AllowAny
+from rest_framework.response import Response
 import waffle
 from tastypie import fields, http
 from tastypie.exceptions import ImmediateHttpResponse
@@ -23,7 +29,7 @@ from mkt.api.base import (CORSResource, GenericObject, http_error,
                           MarketplaceModelResource, MarketplaceResource)
 from mkt.webpay.forms import FailureForm, PrepareForm, ProductIconForm
 from mkt.webpay.models import ProductIcon
-from mkt.purchase.webpay import _prepare_pay
+from mkt.purchase.webpay import _prepare_pay, sign_webpay_jwt
 from market.models import Price, price_locale
 from stats.models import Contribution
 
@@ -202,3 +208,25 @@ class ProductIconResource(CORSResource, MarketplaceModelResource):
                                        bundle.data['size'])
         # Tell the client that deferred processing will create an object.
         raise ImmediateHttpResponse(response=http.HttpAccepted())
+
+
+@api_view(['POST'])
+@permission_classes((AllowAny,))
+def sig_check(request):
+    """
+    Returns a signed JWT to use for signature checking.
+
+    This is for Nagios checks to ensure that Marketplace's
+    signed tokens are valid when processed by Webpay.
+    """
+    issued_at = calendar.timegm(time.gmtime())
+    req = {
+        'iss': settings.APP_PURCHASE_KEY,
+        'typ': settings.SIG_CHECK_TYP,
+        'aud': settings.APP_PURCHASE_AUD,
+        'iat': issued_at,
+        'exp': issued_at + 3600,  # expires in 1 hour
+        'request': {}
+    }
+    return Response({'sig_check_jwt': sign_webpay_jwt(req)},
+                    status=201)

mkt/webpay/tests/test_resources.py

@@ -1,5 +1,6 @@
 import json
 from decimal import Decimal
+import jwt
 
 from django.core import mail
 
@@ -8,6 +9,7 @@ from nose.tools import eq_, ok_
 from waffle.models import Flag
 
 from amo import CONTRIB_PENDING, CONTRIB_PURCHASE
+from amo.tests import TestCase
 from amo.urlresolvers import reverse
 from constants.payments import PROVIDER_BANGO
 from market.models import Price, PriceCurrency
@@ -16,10 +18,10 @@ from users.models import UserProfile
 from mkt.api.base import get_url, list_url
 from mkt.api.tests.test_oauth import BaseOAuth
 from mkt.constants import regions
-from mkt.webpay.models import ProductIcon
-from mkt.site.fixtures import fixture
-from stats.models import Contribution
 from mkt.purchase.tests.utils import PurchaseTest
+from mkt.site.fixtures import fixture
+from mkt.webpay.models import ProductIcon
+from stats.models import Contribution
 
 
 class TestPrepare(PurchaseTest, BaseOAuth):
@@ -318,3 +320,21 @@ class TestProductIconResource(BaseOAuth):
 
         ob = json.loads(res.content)['objects'][0]
         eq_(ob['url'], icon.url())
+
+
+class TestSigCheck(TestCase):
+
+    def test(self):
+        key = 'marketplace'
+        aud = 'webpay'
+        secret = 'third door on the right'
+        with self.settings(APP_PURCHASE_SECRET=secret,
+                           APP_PURCHASE_KEY=key,
+                           APP_PURCHASE_AUD=aud):
+            res = self.client.post(reverse('webpay.sig_check'))
+        eq_(res.status_code, 201, res)
+        data = json.loads(res.content)
+        req = jwt.decode(data['sig_check_jwt'].encode('ascii'), secret)
+        eq_(req['iss'], key)
+        eq_(req['aud'], aud)
+        eq_(req['typ'], 'mozilla/payments/sigcheck/v1')

mkt/webpay/urls.py

@@ -4,7 +4,8 @@ from tastypie.api import Api
 
 from mkt.webpay.resources import (FailureNotificationResource,
                                   PreparePayResource, PriceResource,
-                                  ProductIconResource, StatusPayResource)
+                                  ProductIconResource, sig_check,
+                                  StatusPayResource)
 
 api = Api(api_name='webpay')
 api.register(FailureNotificationResource())
@@ -15,4 +16,5 @@ api.register(StatusPayResource())
 
 urlpatterns = patterns('',
     url(r'^', include(api.urls)),
+    url(r'^webpay/sig_check/$', sig_check, name='webpay.sig_check')
 )