Skip webhook tests if pynacl is unavailable, support Django versions pre-4.2, do not attempt to validate webhooks if webhook key is not set

paul-oms · paul-oms · commit 32e75c1edc57 · 2024-02-04T19:56:47.000Z
diff --git a/anymail/webhooks/mailpace.py b/anymail/webhooks/mailpace.py
@@ -6,6 +6,7 @@
 from django.utils.dateparse import parse_datetime
 
 from anymail.exceptions import (
+    AnymailConfigurationError,
     AnymailImproperlyInstalled,
     AnymailWebhookValidationFailure,
     _LazyError,
@@ -50,9 +51,12 @@ class MailPaceTrackingWebhookView(MailPaceBaseWebhookView):
     webhook_key = None
 
     def __init__(self, **kwargs):
-        self.webhook_key = get_anymail_setting(
-            "webhook_key", esp_name=self.esp_name, kwargs=kwargs, allow_bare=True
-        )
+        try:
+            get_anymail_setting(
+                "webhook_key", esp_name=self.esp_name, kwargs=kwargs, allow_bare=True
+            )
+        except AnymailConfigurationError:
+            self.webhook_key = None
 
         super().__init__(**kwargs)
 
@@ -71,26 +75,29 @@ def __init__(self, **kwargs):
     # MailPace doesn't send a signature for inbound webhooks, yet
     # When/if MailPace does this, move this to the parent class
     def validate_request(self, request):
-        try:
-            signature_base64 = request.headers["X-MailPace-Signature"]
-            signature = base64.b64decode(signature_base64)
-        except (KeyError, binascii.Error):
-            raise AnymailWebhookValidationFailure(
-                "MailPace webhook called with invalid or missing signature"
-            )
-
-        verify_key_base64 = self.webhook_key
-
-        verify_key = VerifyKey(base64.b64decode(verify_key_base64))
-
-        message = request.body
-
-        try:
-            verify_key.verify(message, signature)
-        except (CryptoError, ValueError):
-            raise AnymailWebhookValidationFailure(
-                "MailPace webhook called with incorrect signature"
-            )
+        if self.webhook_key is None:
+            return True
+        else:
+            try:
+                signature_base64 = request.headers["X-MailPace-Signature"]
+                signature = base64.b64decode(signature_base64)
+            except (KeyError, binascii.Error):
+                raise AnymailWebhookValidationFailure(
+                    "MailPace webhook called with invalid or missing signature"
+                )
+
+            verify_key_base64 = self.webhook_key
+
+            verify_key = VerifyKey(base64.b64decode(verify_key_base64))
+
+            message = request.body
+
+            try:
+                verify_key.verify(message, signature)
+            except (CryptoError, ValueError):
+                raise AnymailWebhookValidationFailure(
+                    "MailPace webhook called with incorrect signature"
+                )
 
     def esp_to_anymail_event(self, esp_event):
         event_type = self.event_record_types.get(esp_event["event"], EventType.UNKNOWN)
diff --git a/tests/test_mailpace_webhooks.py b/tests/test_mailpace_webhooks.py
@@ -1,18 +1,19 @@
 import json
+import unittest
 from base64 import b64encode
 from unittest.mock import ANY
 
 from django.test import tag
 
 from anymail.signals import AnymailTrackingEvent
 from anymail.webhooks.mailpace import MailPaceTrackingWebhookView
-from tests.utils import ClientWithCsrfChecks
 
 from .utils_mailpace import ClientWithMailPaceSignature, make_key
 from .webhook_cases import WebhookTestCase
 
 # These tests are triggered both with and without 'pynacl' installed,
-# if pynacl is unavailable, we use the ClientWithCsrfChecks class
+# without the ability to generate a signing key, there is no way to test
+# the webhook signature validation.
 try:
     from nacl.signing import SigningKey
 
@@ -22,13 +23,13 @@
 
 
 @tag("mailpace")
+@unittest.skipUnless(PYNACL_INSTALLED, "pynacl is not installed")
 class MailPaceWebhookSecurityTestCase(WebhookTestCase):
     client_class = ClientWithMailPaceSignature
 
     def setUp(self):
         super().setUp()
         self.clear_basic_auth()
-
         self.client.set_private_key(make_key())
 
     def test_failed_signature_check(self):
@@ -58,16 +59,13 @@ def test_failed_signature_check(self):
 
 
 @tag("mailpace")
+@unittest.skipUnless(PYNACL_INSTALLED, "pynacl is not installed")
 class MailPaceDeliveryTestCase(WebhookTestCase):
-    if PYNACL_INSTALLED:
-        client_class = ClientWithMailPaceSignature
-    else:
-        client_class = ClientWithCsrfChecks
+    client_class = ClientWithMailPaceSignature
 
     def setUp(self):
         super().setUp()
         self.clear_basic_auth()
-
         self.client.set_private_key(make_key())
 
     def test_queued_event(self):
diff --git a/tests/utils_mailpace.py b/tests/utils_mailpace.py
@@ -50,7 +50,16 @@ def post(self, *args, **kwargs):
 
         webhook_key = derive_public_webhook_key(self.private_key)
         with override_settings(ANYMAIL={"MAILPACE_WEBHOOK_KEY": webhook_key}):
-            return super().post(*args, **kwargs)
+            # Django 4.2+ test Client allows headers=headers;
+            # before that, must convert to HTTP_ args:
+            return super().post(
+                *args,
+                **kwargs,
+                **{
+                    f"HTTP_{header.upper().replace('-', '_')}": value
+                    for header, value in headers.items()
+                },
+            )
 
 
 ClientWithMailPaceSignature = _ClientWithMailPaceSignature
