Add more tests and comments

jsmnbom · jsmnbom · commit a464ea59dcdd · 2018-08-23T11:14:00.000+02:00
diff --git a/telegram/bot.py b/telegram/bot.py
@@ -26,16 +26,10 @@
 import warnings
 from datetime import datetime
 
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
 from future.utils import string_types
 
-try:
-    from cryptography.hazmat.backends import default_backend
-    from cryptography.hazmat.primitives import serialization
-
-    CRYPTO = True
-except ImportError:
-    CRYPTO = False
-
 from telegram import (User, Message, Update, Chat, ChatMember, UserProfilePhotos, File,
                       ReplyMarkup, TelegramObject, WebhookInfo, GameHighScore, StickerSet,
                       PhotoSize, Audio, Document, Sticker, Video, Animation, Voice, VideoNote,
@@ -133,8 +127,7 @@ def __init__(self, token, base_url=None, base_file_url=None, request=None, priva
         if private_key:
             self.private_key = serialization.load_pem_private_key(private_key,
                                                                   password=private_key_password,
-                                                                  backend=default_backend()
-                                                                  )
+                                                                  backend=default_backend())
 
     @property
     def request(self):
diff --git a/telegram/files/inputfile.py b/telegram/files/inputfile.py
@@ -28,8 +28,6 @@
 from telegram import TelegramError
 
 DEFAULT_MIME_TYPE = 'application/octet-stream'
-FILE_TYPES = ('audio', 'document', 'photo', 'sticker', 'video', 'voice', 'certificate',
-              'video_note', 'png_sticker')
 
 
 class InputFile(object):
diff --git a/telegram/passport/credentials.py b/telegram/passport/credentials.py
@@ -20,24 +20,23 @@
 import json
 from base64 import b64decode
 
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric.padding import OAEP, MGF1
+from cryptography.hazmat.primitives.ciphers import Cipher
+from cryptography.hazmat.primitives.ciphers.algorithms import AES
+from cryptography.hazmat.primitives.ciphers.modes import CBC
+from cryptography.hazmat.primitives.hashes import SHA512, SHA256, Hash, SHA1
 from future.utils import bord
 
-try:
-    from cryptography.hazmat.backends import default_backend
-    from cryptography.hazmat.primitives.asymmetric.padding import OAEP, MGF1
-    from cryptography.hazmat.primitives.ciphers import Cipher
-    from cryptography.hazmat.primitives.ciphers.algorithms import AES
-    from cryptography.hazmat.primitives.ciphers.modes import CBC
-    from cryptography.hazmat.primitives.hashes import SHA512, SHA256, Hash, SHA1
-
-    CRYPTO = True
-except ImportError:
-    CRYPTO = False
-
 from telegram import TelegramObject
 
 
 class _TelegramDecryptionError(Exception):
+    """
+    Something went wrong with decryption. Never exposed to the user, gets turned into a
+    warning inside PassportData.
+    This is because if we raise an error during a update fetch, it might hang the Updater.
+    """
     pass
 
 
@@ -61,6 +60,7 @@ def decrypt(secret, hash, data):
         :obj:`bytes`: The decrypted data as bytes
 
     """
+    # First make sure that if secret, hash, or data was base64 encoded, to decode it into bytes
     try:
         secret = b64decode(secret)
     except (binascii.Error, TypeError):
@@ -73,18 +73,25 @@ def decrypt(secret, hash, data):
         data = b64decode(data)
     except (binascii.Error, TypeError):
         pass
+    # Make a SHA512 hash of secret + update
     digest = Hash(SHA512(), backend=default_backend())
     digest.update(secret + hash)
     secret_hash_hash = digest.finalize()
+    # First 32 chars is our key, next 16 is the initialisation vector
     key, iv = secret_hash_hash[:32], secret_hash_hash[32:32 + 16]
+    # Init a AES-CBC cipher and decrypt the data
     cipher = Cipher(AES(key), CBC(iv), backend=default_backend())
     decryptor = cipher.decryptor()
     data = decryptor.update(data) + decryptor.finalize()
+    # Calculate SHA256 hash of the decrypted data
     digest = Hash(SHA256(), backend=default_backend())
     digest.update(data)
     data_hash = digest.finalize()
+    # If the newly calculated hash did not match the one telegram gave us
     if data_hash != hash:
+        # Raise a error that is caught inside telegram.PassportData and transformed into a warning
         raise _TelegramDecryptionError("Hashes are not equal! {} != {}".format(data_hash, hash))
+    # Return data without padding
     return data[bord(data[0]):]
 
 
@@ -140,19 +147,28 @@ def de_json(cls, data, bot):
         if not data:
             return None
 
-        # If already decrypted
+        # If already decrypted just create the data object directly
         if isinstance(data['data'], dict):
             data['data'] = Credentials.de_json(data['data'], bot=bot)
         else:
             try:
+                # Try decrypting according to step 1 at
+                # https://core.telegram.org/passport#decrypting-data
+                # We make sure to base64 decode the secret first.
+                # Telegram says to use OAEP padding so we do that. The Mask Generation Function
+                # is the default for OAEP, the algorithm is the default for PHP which is what
+                # Telegram's backend servers run.
                 data['secret'] = bot.private_key.decrypt(b64decode(data.get('secret')), OAEP(
                     mgf=MGF1(algorithm=SHA1()),
                     algorithm=SHA1(),
                     label=None
                 ))
             except ValueError as e:
+                # If decryption fails raise exception that is then caught inside PassportData
+                # and turned into a warning
                 raise _TelegramDecryptionError(e)
 
+            # Now that secret is decrypted, we can decrypt the data
             data['data'] = Credentials.de_json(decrypt_json(data.get('secret'),
                                                             data.get('hash'),
                                                             data.get('data')),
diff --git a/telegram/passport/passportdata.py b/telegram/passport/passportdata.py
@@ -63,17 +63,23 @@ def de_json(cls, data, bot):
         if not data:
             return None
 
+        # User did not configure any private_key, ignore PassportData (and therefore the entire
+        # Update)
         if not hasattr(bot, 'private_key'):
             warnings.warn('Received update with PassportData but no private key is specified! '
                           'See https://git.io/fAvYd for more info.')
             return None
 
         try:
+            # Try decrypting the credentials
             data = super(PassportData, cls).de_json(data, bot)
             data['credentials'] = EncryptedCredentials.de_json(data.get('credentials'), bot)
+            # Passing them to where they are needed
             data['data'] = EncryptedPassportElement.de_list(data.get('data'), bot,
                                                             credentials=data['credentials'])
         except _TelegramDecryptionError as e:
+            # _TelegramDecryptionError is raised on a decryption error, we turn it into a
+            # warning here, since if we allowed it to propagate it might hang the Updater.
             warnings.warn('Telegram passport decryption error: {} '
                           'See https://git.io/fAvYd for more info.'.format(e))
             return None
diff --git a/tests/test_passport.py b/tests/test_passport.py
@@ -21,7 +21,8 @@
 
 import pytest
 
-from telegram import PassportData, PassportFile, Bot, Update
+from telegram import (PassportData, PassportFile, Bot, Update, File, PassportElementErrorSelfie,
+                      PassportElementErrorDataField)
 
 RAW_PASSPORT_DATA = {'data': [{'type': 'personal_details',
                                'data': 'tj3pNwOpN+ZHsyb6F3aJcNmEyPxrOtGTbu3waBlCQDNaQ9oJlkbXpw+HI3y9faq/+TCeB/WsS/2TxRXTKZw4zXvGP2UsfdRkJ2SQq6x+Ffe/oTF9/q8sWp2BwU3hHUOz7ec1/QrdPBhPJjbwSykEBNggPweiBVDZ0x/DWJ0guCkGT9smYGqog1vqlqbIWG7AWcxVy2fpUy9w/zDXjxj5WQ3lRpHJmi46s9xIHobNGGBvWw6/bGBCInMoovgqRCEu1sgz2QXF3wNiUzGFycEzLz7o+1htLys5n8Pdi9MG4RY='},
@@ -99,6 +100,8 @@ class TestPassport(object):
     driver_license_reverse_side_file_id = 'DgADBAADNQQAAtoagFPf4wwmFZdmyQI'
     utility_bill_1_file_id = 'DgADBAADLAMAAhwfgVMyfGa5Nr0LvAI'
     utility_bill_2_file_id = 'DgADBAADaQQAAsFxgVNVfLZuT-_3ZQI'
+    driver_license_selfie_credentials_file_hash = 'Cila/qLXSBH7DpZFbb5bRZIRxeFW2uv/ulL0u0JNsYI='
+    driver_license_selfie_credentials_secret = 'tivdId6RNYNsvXYPppdzrbxOBuBOr9wXRPDcCvnXU7E='
 
     def test_creation(self, passport_data):
         assert isinstance(passport_data, PassportData)
@@ -218,6 +221,44 @@ def test_wrong_key(self, bot):
                                              'Decryption failed.'):
             PassportData.de_json(data, bot=b)
 
+    def test_mocked_download_passport_file(self, passport_data, monkeypatch):
+        # The files are not coming from our test bot, therefore the file id is invalid/wrong
+        # when coming from this bot, so we monkeypatch the call, to make sure that Bot.get_file
+        # at least gets called
+        # TODO: Actually download a passport file in a test
+        selfie = passport_data.data[1].selfie
+
+        def get_file(*args, **kwargs):
+            return File(args[1])
+
+        monkeypatch.setattr('telegram.Bot.get_file', get_file)
+        file = selfie.get_file()
+        assert file.file_id == selfie.file_id
+        assert file._credentials.file_hash == self.driver_license_selfie_credentials_file_hash
+        assert file._credentials.secret == self.driver_license_selfie_credentials_secret
+
+    def test_mocked_set_passport_data_errors(self, monkeypatch, bot, chat_id, passport_data):
+        def test(_, url, data, **kwargs):
+            return (data['user_id'] == chat_id and
+                    data['errors'][0]['file_hash'] == (passport_data.credentials.data.secure_data
+                                                       .driver_license.selfie.file_hash) and
+                    data['errors'][1]['data_hash'] == (passport_data.credentials.data.secure_data
+                                                       .driver_license.data.data_hash))
+
+        monkeypatch.setattr('telegram.utils.request.Request.post', test)
+        message = bot.set_passport_data_errors(chat_id, [
+            PassportElementErrorSelfie('driver_license',
+                                       (passport_data.credentials.data
+                                        .secure_data.driver_license.selfie.file_hash),
+                                       'You\'re not handsome enough to use this app!'),
+            PassportElementErrorDataField('driver_license',
+                                          'expiry_date',
+                                          (passport_data.credentials.data
+                                           .secure_data.driver_license.data.data_hash),
+                                          'Your driver license is expired!')
+        ])
+        assert message
+
     def test_equality(self, passport_data):
         a = PassportData(passport_data.data, passport_data.credentials)
         b = PassportData(passport_data.data, passport_data.credentials)
diff --git a/tests/test_updater.py b/tests/test_updater.py
@@ -351,3 +351,8 @@ def test_mutual_exclude_token_bot(self):
     def test_no_token_or_bot(self):
         with pytest.raises(ValueError):
             Updater()
+
+    def test_mutual_exclude_bot_private_key(self):
+        bot = Bot('123:zyxw')
+        with pytest.raises(ValueError):
+            Updater(bot=bot, private_key=b'key')
