Merge pull request #3834 from magento-tsg/2.1.17-develop-pr65

[TSG] Backporting for 2.1 (pr65) (2.1.17)

Author: Alexander Akimov

app/code/Magento/Authorizenet/Model/Directpost.php

@@ -549,16 +549,16 @@ public function setResponseData(array $postData)
     public function validateResponse()
     {
         $response = $this->getResponse();
-        //md5 check
-        if (
-            !$this->getConfigData('trans_md5')
-            || !$this->getConfigData('login')
-            || !$response->isValidHash($this->getConfigData('trans_md5'), $this->getConfigData('login'))
+        $hashConfigKey = !empty($response->getData('x_SHA2_Hash')) ? 'signature_key' : 'trans_md5';
+
+        //hash check
+        if (!$response->isValidHash($this->getConfigData($hashConfigKey), $this->getConfigData('login'))
         ) {
             throw new \Magento\Framework\Exception\LocalizedException(
                 __('The transaction was declined because the response hash validation failed.')
             );
         }
+
         return true;
     }
 

app/code/Magento/Authorizenet/Model/Directpost/Request.php

@@ -7,6 +7,7 @@
 namespace Magento\Authorizenet\Model\Directpost;
 
 use Magento\Authorizenet\Model\Request as AuthorizenetRequest;
+use Magento\Framework\Intl\DateTimeFactory;
 
 /**
  * Authorize.net request model for DirectPost model
@@ -18,9 +19,33 @@ class Request extends AuthorizenetRequest
      */
     protected $_transKey = null;
 
+    /**
+     * Hexadecimal signature key.
+     *
+     * @var string
+     */
+    private $signatureKey = '';
+
+    /**
+     * @var DateTimeFactory
+     */
+    private $dateTimeFactory;
+
+    /**
+     * @param DateTimeFactory $dateTimeFactory
+     * @param array $data
+     */
+    public function __construct(
+        DateTimeFactory $dateTimeFactory,
+        array $data = []
+    ) {
+        $this->dateTimeFactory = $dateTimeFactory;
+        parent::__construct($data);
+    }
+
     /**
      * Return merchant transaction key.
-     * Needed to generate sign.
+     * Needed to generate MD5 sign.
      *
      * @return string
      */
@@ -31,7 +56,7 @@ protected function _getTransactionKey()
 
     /**
      * Set merchant transaction key.
-     * Needed to generate sign.
+     * Needed to generate MD5 sign.
      *
      * @param string $transKey
      * @return $this
@@ -43,7 +68,7 @@ protected function _setTransactionKey($transKey)
     }
 
     /**
-     * Generates the fingerprint for request.
+     * Generates the MD5 fingerprint for request.
      *
      * @param string $merchantApiLoginId
      * @param string $merchantTransactionKey
@@ -63,7 +88,7 @@ public function generateRequestSign(
     ) {
         return hash_hmac(
             "md5",
-            $merchantApiLoginId . "^" . $fpSequence . "^" . $fpTimestamp . "^" . $amount . "^" . $currencyCode,
+            $merchantApiLoginId . '^' . $fpSequence . '^' . $fpTimestamp . '^' . $amount . '^' . $currencyCode,
             $merchantTransactionKey
         );
     }
@@ -85,6 +110,7 @@ public function setConstantData(\Magento\Authorizenet\Model\Directpost $paymentM
             ->setXRelayUrl($paymentMethod->getRelayUrl());
 
         $this->_setTransactionKey($paymentMethod->getConfigData('trans_key'));
+        $this->setSignatureKey($paymentMethod->getConfigData('signature_key'));
         return $this;
     }
 
@@ -168,17 +194,81 @@ public function setDataFromOrder(
      */
     public function signRequestData()
     {
-        $fpTimestamp = time();
-        $hash = $this->generateRequestSign(
-            $this->getXLogin(),
-            $this->_getTransactionKey(),
-            $this->getXAmount(),
-            $this->getXCurrencyCode(),
-            $this->getXFpSequence(),
-            $fpTimestamp
-        );
+        $fpDate = $this->dateTimeFactory->create('now', new \DateTimeZone('UTC'));
+        $fpTimestamp = $fpDate->getTimestamp();
+
+        if (!empty($this->getSignatureKey())) {
+            $hash = $this->generateSha2RequestSign(
+                $this->getXLogin(),
+                $this->getSignatureKey(),
+                $this->getXAmount(),
+                $this->getXCurrencyCode(),
+                $this->getXFpSequence(),
+                $fpTimestamp
+            );
+        } else {
+            $hash = $this->generateRequestSign(
+                $this->getXLogin(),
+                $this->_getTransactionKey(),
+                $this->getXAmount(),
+                $this->getXCurrencyCode(),
+                $this->getXFpSequence(),
+                $fpTimestamp
+            );
+        }
+
         $this->setXFpTimestamp($fpTimestamp);
         $this->setXFpHash($hash);
+
         return $this;
     }
+
+    /**
+     * Generates the SHA2 fingerprint for request.
+     *
+     * @param string $merchantApiLoginId
+     * @param string $merchantSignatureKey
+     * @param string $amount
+     * @param string $currencyCode
+     * @param string $fpSequence An invoice number or random number.
+     * @param string $fpTimestamp
+     * @return string The fingerprint.
+     */
+    private function generateSha2RequestSign(
+        $merchantApiLoginId,
+        $merchantSignatureKey,
+        $amount,
+        $currencyCode,
+        $fpSequence,
+        $fpTimestamp
+    ) {
+        $message = $merchantApiLoginId . '^' . $fpSequence . '^' . $fpTimestamp . '^' . $amount . '^' . $currencyCode;
+
+        return strtoupper(hash_hmac('sha512', $message, pack('H*', $merchantSignatureKey)));
+    }
+
+    /**
+     * Return merchant hexadecimal signature key.
+     *
+     * Needed to generate SHA2 sign.
+     *
+     * @return string
+     */
+    private function getSignatureKey()
+    {
+        return $this->signatureKey;
+    }
+
+    /**
+     * Set merchant hexadecimal signature key.
+     *
+     * Needed to generate SHA2 sign.
+     *
+     * @param string $signatureKey
+     * @return void
+     */
+    private function setSignatureKey($signatureKey)
+    {
+        $this->signatureKey = $signatureKey;
+    }
 }

app/code/Magento/Authorizenet/Model/Directpost/Response.php

@@ -24,25 +24,31 @@ class Response extends AuthorizenetResponse
      */
     public function generateHash($merchantMd5, $merchantApiLogin, $amount, $transactionId)
     {
-        if (!$amount) {
-            $amount = '0.00';
-        }
-
         return strtoupper(md5($merchantMd5 . $merchantApiLogin . $transactionId . $amount));
     }
 
     /**
      * Return if is valid order id.
      *
-     * @param string $merchantMd5
+     * @param string $storedHash
      * @param string $merchantApiLogin
      * @return bool
      */
-    public function isValidHash($merchantMd5, $merchantApiLogin)
+    public function isValidHash($storedHash, $merchantApiLogin)
     {
-        $hash = $this->generateHash($merchantMd5, $merchantApiLogin, $this->getXAmount(), $this->getXTransId());
+        if (empty($this->getData('x_amount'))) {
+            $this->setData('x_amount', '0.00');
+        }
 
-        return Security::compareStrings($hash, $this->getData('x_MD5_Hash'));
+        if (!empty($this->getData('x_SHA2_Hash'))) {
+            $hash = $this->generateSha2Hash($storedHash);
+            return Security::compareStrings($hash, $this->getData('x_SHA2_Hash'));
+        } elseif (!empty($this->getData('x_MD5_Hash'))) {
+            $hash = $this->generateHash($storedHash, $merchantApiLogin, $this->getXAmount(), $this->getXTransId());
+            return Security::compareStrings($hash, $this->getData('x_MD5_Hash'));
+        }
+
+        return false;
     }
 
     /**
@@ -54,4 +60,57 @@ public function isApproved()
     {
         return $this->getXResponseCode() == \Magento\Authorizenet\Model\Directpost::RESPONSE_CODE_APPROVED;
     }
+
+    /**
+     * Generates an SHA2 hash to compare against AuthNet's.
+     *
+     * @param string $signatureKey
+     * @return string
+     * @see https://support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-Key-Replacement
+     */
+    private function generateSha2Hash($signatureKey)
+    {
+        $hashFields = [
+            'x_trans_id',
+            'x_test_request',
+            'x_response_code',
+            'x_auth_code',
+            'x_cvv2_resp_code',
+            'x_cavv_response',
+            'x_avs_code',
+            'x_method',
+            'x_account_number',
+            'x_amount',
+            'x_company',
+            'x_first_name',
+            'x_last_name',
+            'x_address',
+            'x_city',
+            'x_state',
+            'x_zip',
+            'x_country',
+            'x_phone',
+            'x_fax',
+            'x_email',
+            'x_ship_to_company',
+            'x_ship_to_first_name',
+            'x_ship_to_last_name',
+            'x_ship_to_address',
+            'x_ship_to_city',
+            'x_ship_to_state',
+            'x_ship_to_zip',
+            'x_ship_to_country',
+            'x_invoice_num',
+        ];
+
+        $message = '^';
+        foreach ($hashFields as $field) {
+            if (!empty($this->getData($field))) {
+                $message .= $this->getData($field);
+            }
+            $message .= '^';
+        }
+
+        return strtoupper(hash_hmac('sha512', $message, pack('H*', $signatureKey)));
+    }
 }

app/code/Magento/Authorizenet/Test/Unit/Model/Directpost/RequestTest.php

@@ -0,0 +1,80 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Authorizenet\Test\Unit\Model\Directpost;
+
+use Magento\Authorizenet\Model\Directpost\Request;
+use Magento\Framework\Intl\DateTimeFactory;
+
+class RequestTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var DateTimeFactory|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $dateTimeFactory;
+
+    /**
+     * @var Request
+     */
+    private $requestModel;
+
+    /**
+     * @inheritdoc
+     */
+    protected function setUp()
+    {
+        $this->dateTimeFactory = $this->getMockBuilder(DateTimeFactory::class)->disableOriginalConstructor()->getMock();
+        $dateTime = new \DateTime('2016-07-05 00:00:00', new \DateTimeZone('UTC'));
+        $this->dateTimeFactory->method('create')->willReturn($dateTime);
+
+        $this->requestModel = new Request($this->dateTimeFactory);
+    }
+
+    /**
+     * @param string $signatureKey
+     * @param string $expectedHash
+     * @return void
+     * @dataProvider signRequestDataProvider
+     */
+    public function testSignRequestData($signatureKey, $expectedHash)
+    {
+        /** @var \Magento\Authorizenet\Model\Directpost|\PHPUnit_Framework_MockObject_MockObject $paymentMethod */
+        $paymentMethod = $this->getMock(\Magento\Authorizenet\Model\Directpost::class, [], [], '', false);
+        $paymentMethod->method('getConfigData')
+            ->willReturnMap(
+                [
+                    ['test', null, true],
+                    ['login', null, 'login'],
+                    ['trans_key', null, 'trans_key'],
+                    ['signature_key', null, $signatureKey],
+                ]
+            );
+
+        $this->requestModel->setConstantData($paymentMethod);
+        $this->requestModel->signRequestData();
+        $signHash = $this->requestModel->getXFpHash();
+
+        $this->assertEquals($expectedHash, $signHash);
+    }
+
+    /**
+     * @return array
+     */
+    public function signRequestDataProvider()
+    {
+        return [
+            [
+                'signatureKey' => '3EAFCE5697C1B4B9748385C1FCD29D86F3B9B41C7EED85A3A01DFF65' .
+                    '70C8C29373C2A153355C3313CDF4AF723C0036DBF244A0821713A910024EE85547CEF37F',
+                'expectedHash' => '719ED94DF5CF3510CB5531E8115462C8F12CBCC8E917BD809E8D40B4FF06' .
+                    '1E14953554403DD9813CCCE0F31B184EB4DEF558E9C0747505A0C25420372DB00BE1'
+            ],
+            [
+                'signatureKey' => '',
+                'expectedHash' => '3656211f2c41d1e4c083606f326c0460'
+            ],
+        ];
+    }
+}