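require 'active_merchant/billing/gateways/migs/migs_codes'
require 'openssl' # Used in add_secure_hash / calculate_secure_hash

module ActiveMerchant #:nodoc:
  module Billing #:nodoc:
    # Gateway integration for the MasterCard Internet Gateway Service (MiGS).
    #
    # Two integration modes are exposed:
    #
    # * merchant hosted (+merchant_hosted_url+): card details are posted
    #   server-to-server by +purchase+, +capture+, +refund+, +void+ and +status+.
    # * server hosted (+server_hosted_url+): the shopper is redirected to MiGS
    #   via +purchase_offsite_url+ and the signed return parameters are verified
    #   and parsed by +purchase_offsite_response+.
    #
    # Every request/response is signed with an HMAC-SHA256 over the sorted
    # +vpc_+ parameters, keyed with the hex-encoded +:secure_hash+ option.
    class MigsGateway < Gateway
      include MigsCodes

      API_VERSION = 1

      class_attribute :server_hosted_url, :merchant_hosted_url

      self.server_hosted_url = 'https://migs.mastercard.com.au/vpcpay'
      self.merchant_hosted_url = 'https://migs.mastercard.com.au/vpcdps'
      self.live_url = self.server_hosted_url

      # MiGS is supported throughout Asia Pacific, Middle East and Africa
      # MiGS is used in Australia (AU) by ANZ (eGate), CBA (CommWeb) and more
      # Source of Country List: http://www.scribd.com/doc/17811923
      self.supported_countries = %w(AU AE BD BN EG HK ID IN JO KW LB LK MU MV MY NZ OM PH QA SA SG TT VN)

      # The card types supported by the payment gateway
      self.supported_cardtypes = [:visa, :master, :american_express, :diners_club, :jcb]

      self.money_format = :cents
      self.currencies_without_fractions = %w(IDR)

      # The homepage URL of the gateway
      self.homepage_url = 'http://mastercard.com/mastercardsps'

      # The name of the gateway
      self.display_name = 'MasterCard Internet Gateway Service (MiGS)'

      # Creates a new MigsGateway
      # The advanced_login/advanced_password fields are needed for
      # advanced methods such as the capture, refund and status methods
      #
      # ==== Options
      #
      # * :login -- The MiGS Merchant ID (REQUIRED)
      # * :password -- The MiGS Access Code (REQUIRED)
      # * :secure_hash -- The MiGS Secure Hash (hex encoded)
      #                   (Required for Server Hosted payments)
      # * :advanced_login -- The MiGS AMA User
      # * :advanced_password -- The MiGS AMA User's password
      def initialize(options = {})
        requires!(options, :login, :password)
        super
      end

      # Merchant hosted payment.
      #
      # ==== Options
      #
      # * :order_id -- A reference for tracking the order (REQUIRED)
      # * :unique_id -- A unique id for this request (Max 40 chars).
      #                 If not supplied one will be generated.
      # * :ver_type, :ver_token, :three_ds_xid, :three_ds_eci,
      #   :three_ds_enrolled, :three_ds_status -- optional 3-D Secure
      #   results, passed through by add_3ds when present.
      def purchase(money, creditcard, options = {})
        requires!(options, :order_id)

        post = {}
        add_amount(post, money, options)
        add_invoice(post, options)
        add_creditcard(post, creditcard)
        add_standard_parameters('pay', post, options[:unique_id])
        add_3ds(post, options)

        commit(post)
      end

      # MiGS works by merchants being either purchase only or authorize/capture
      # So authorize is the same as purchase when in authorize mode
      alias_method :authorize, :purchase

      # Captures a previously authorized transaction (requires AMA credentials).
      #
      # ==== Options
      #
      # * :unique_id -- A unique id for this request (Max 40 chars).
      #                 If not supplied one will be generated.
      def capture(money, authorization, options = {})
        requires!(@options, :advanced_login, :advanced_password)

        post = options.merge(:TransNo => authorization)
        add_amount(post, money, options)
        add_advanced_user(post)
        add_standard_parameters('capture', post, options[:unique_id])

        commit(post)
      end

      # Refunds a previously settled transaction (requires AMA credentials).
      #
      # ==== Options
      #
      # * :unique_id -- A unique id for this request (Max 40 chars).
      #                 If not supplied one will be generated.
      def refund(money, authorization, options = {})
        requires!(@options, :advanced_login, :advanced_password)

        post = options.merge(:TransNo => authorization)
        add_amount(post, money, options)
        add_advanced_user(post)
        add_standard_parameters('refund', post, options[:unique_id])

        commit(post)
      end

      # Voids an authorisation (requires AMA credentials).
      def void(authorization, options = {})
        requires!(@options, :advanced_login, :advanced_password)

        post = options.merge(:TransNo => authorization)
        add_advanced_user(post)
        add_standard_parameters('voidAuthorisation', post, options[:unique_id])

        commit(post)
      end

      # Deprecated alias for +refund+; emits a deprecation warning first.
      def credit(money, authorization, options = {})
        ActiveMerchant.deprecated CREDIT_DEPRECATION_MESSAGE
        refund(money, authorization, options)
      end

      # Verifies a card by authorizing 100 minor units and voiding the result.
      # The void's outcome is ignored so a failed void does not mask a
      # successful authorization.
      def verify(credit_card, options={})
        MultiResponse.run do |r|
          r.process { authorize(100, credit_card, options) }
          r.process(:ignore_result) { void(r.authorization, options) }
        end
      end

      # Checks the status of a previous transaction
      # This can be useful when a response is not received due to network issues
      #
      # ==== Parameters
      #
      # * unique_id -- Unique id of transaction to find.
      #                This is the value of the option supplied in other methods or
      #                if not supplied is returned with key :MerchTxnRef
      def status(unique_id)
        requires!(@options, :advanced_login, :advanced_password)

        post = {}
        add_advanced_user(post)
        add_standard_parameters('queryDR', post, unique_id)

        commit(post)
      end

      # Generates a URL to redirect user to MiGS to process payment
      # Once user is finished MiGS will redirect back to specified URL
      # With a response hash which can be turned into a Response object
      # with purchase_offsite_response
      #
      # ==== Options
      #
      # * :order_id -- A reference for tracking the order (REQUIRED)
      # * :locale -- Change the language of the redirected page
      #              Values are 2 digit locale, e.g. en, es
      # * :return_url -- the URL to return to once the payment is complete
      # * :card_type -- Providing this skips the card type step.
      #                 Values are ActiveMerchant formats: e.g. master, visa, american_express, diners_club
      # * :unique_id -- Unique id of transaction to find.
      #                 If not supplied one will be generated.
      def purchase_offsite_url(money, options = {})
        requires!(options, :order_id, :return_url)
        requires!(@options, :secure_hash)

        post = {}
        add_amount(post, money, options)
        add_invoice(post, options)
        add_creditcard_type(post, options[:card_type]) if options[:card_type]

        post.merge!(
          :Locale => options[:locale] || 'en',
          :ReturnURL => options[:return_url]
        )

        add_standard_parameters('pay', post, options[:unique_id])

        # Signed last so the hash covers every parameter in the redirect.
        add_secure_hash(post)

        self.server_hosted_url + '?' + post_data(post)
      end

      # Parses a response from purchase_offsite_url once user is redirected back
      #
      # ==== Parameters
      #
      # * data -- All params when offsite payment returns
      #           e.g. returns to http://company.com/return?a=1&b=2, then input "a=1&b=2"
      #
      # ==== Raises
      #
      # * SecurityError -- when the returned vpc_SecureHash is missing or does
      #   not match the HMAC recomputed over the returned parameters. The
      #   return parameters are attacker-controllable (they arrive via the
      #   shopper's browser), so nothing in them is trusted until this check
      #   passes.
      def purchase_offsite_response(data)
        requires!(@options, :secure_hash)

        response_hash = parse(data)

        expected_secure_hash = calculate_secure_hash(response_hash, @options[:secure_hash])
        # Compared in constant time: String#== short-circuits on the first
        # differing byte, which leaks how much of a forged hash is correct.
        unless secure_hash_equal?(response_hash[:SecureHash], expected_secure_hash)
          raise SecurityError, "Secure Hash mismatch, response may be tampered with"
        end

        response_object(response_hash)
      end

      # MiGS test merchants are identified by a login beginning with 'TEST'.
      def test?
        @options[:login].start_with?('TEST')
      end

      def supports_scrubbing?
        true
      end

      # Removes card number, CVV, access code and AMA password from a
      # request/response transcript before it is logged.
      def scrub(transcript)
        transcript.
          gsub(%r((&?CardNum=)\d*(&?)), '\1[FILTERED]\2').
          gsub(%r((&?CardSecurityCode=)\d*(&?)), '\1[FILTERED]\2').
          gsub(%r((&?AccessCode=)[^&]*(&?)), '\1[FILTERED]\2').
          gsub(%r((&?Password=)[^&]*(&?)), '\1[FILTERED]\2')
      end

      private

      # Amount is sent in the currency's minor units via localized_amount;
      # Currency is only sent when the caller supplies one.
      def add_amount(post, money, options)
        post[:Amount] = localized_amount(money, options[:currency])
        post[:Currency] = options[:currency] if options[:currency]
      end

      # AMA (advanced merchant administration) credentials used by
      # capture/refund/void/status.
      def add_advanced_user(post)
        post[:User] = @options[:advanced_login]
        post[:Password] = @options[:advanced_password]
      end

      def add_invoice(post, options)
        post[:OrderInfo] = options[:order_id]
      end

      # Forwards 3-D Secure results supplied by the caller; each field is
      # only added when present.
      def add_3ds(post, options)
        post[:VerType] = options[:ver_type] if options[:ver_type]
        post[:VerToken] = options[:ver_token] if options[:ver_token]
        post["3DSXID"] = options[:three_ds_xid] if options[:three_ds_xid]
        post["3DSECI"] = options[:three_ds_eci] if options[:three_ds_eci]
        post["3DSenrolled"] = options[:three_ds_enrolled] if options[:three_ds_enrolled]
        post["3DSstatus"] = options[:three_ds_status] if options[:three_ds_status]
      end

      # CardExp is YYMM (two-digit year followed by two-digit month).
      def add_creditcard(post, creditcard)
        post[:CardNum] = creditcard.number
        post[:CardSecurityCode] = creditcard.verification_value if creditcard.verification_value?
        post[:CardExp] = format(creditcard.year, :two_digits) + format(creditcard.month, :two_digits)
      end

      # Maps an ActiveMerchant card type to the MiGS long code.
      # NOTE(review): an unknown card_type makes detect return nil and this
      # raises NoMethodError rather than a descriptive error.
      def add_creditcard_type(post, card_type)
        post[:Gateway] = 'ssl'
        post[:card] = CARD_TYPES.detect{|ct| ct.am_code == card_type}.migs_long_code
      end

      # Parses a vpc_ query string into a symbol-keyed hash with the 'vpc_'
      # prefix removed, keeping only the first value of each key.
      # Keys are taken verbatim from the input (which, for offsite responses,
      # is browser-supplied) and converted with to_sym.
      def parse(body)
        params = CGI::parse(body)
        hash = {}
        params.each do |key, value|
          hash[key.gsub('vpc_', '').to_sym] = value[0]
        end
        hash
      end

      # Signs (when a secure hash is configured), posts to the merchant hosted
      # endpoint and converts the reply into a Response.
      def commit(post)
        add_secure_hash(post) if @options[:secure_hash]

        data = ssl_post self.merchant_hosted_url, post_data(post)

        response_hash = parse(data)
        response_object(response_hash)
      end

      # Builds the Response. MiGS reports "Unsupported" for AVS/CSC checks it
      # did not perform; these are translated to the codes AVSResult ('S')
      # and CVVResult ('P') understand.
      def response_object(response)
        avs_response_code = response[:AVSResultCode]
        avs_response_code = 'S' if avs_response_code == "Unsupported"

        cvv_result_code = response[:CSCResultCode]
        cvv_result_code = 'P' if cvv_result_code == "Unsupported"

        Response.new(success?(response), response[:Message], response,
          :test => test?,
          :authorization => response[:TransactionNo],
          :fraud_review => fraud_review?(response),
          :avs_result => { :code => avs_response_code },
          :cvv_result => cvv_result_code
        )
      end

      # TxnResponseCode '0' is the only approval code.
      def success?(response)
        response[:TxnResponseCode] == '0'
      end

      def fraud_review?(response)
        ISSUER_RESPONSE_CODES[response[:AcqResponseCode]] == 'Suspected Fraud'
      end

      # MerchTxnRef is capped at 40 characters when generated locally.
      def add_standard_parameters(action, post, unique_id = nil)
        post.merge!(
          :Version     => API_VERSION,
          :Merchant    => @options[:login],
          :AccessCode  => @options[:password],
          :Command     => action,
          :MerchTxnRef => unique_id || generate_unique_id.slice(0, 40)
        )
      end

      # Serialises the post hash as a 'vpc_'-prefixed, URL-encoded query string.
      def post_data(post)
        post.collect { |key, value| "vpc_#{key}=#{CGI.escape(value.to_s)}" }.join("&")
      end

      def add_secure_hash(post)
        post[:SecureHash] = calculate_secure_hash(post, @options[:secure_hash])
        post[:SecureHashType] = 'SHA256'
      end

      # HMAC-SHA256 over the sorted 'vpc_key=value' pairs (SecureHash and
      # SecureHashType excluded), keyed with the hex-decoded secure hash.
      # Values are deliberately NOT URL-encoded here, unlike post_data.
      # Returns the uppercase hex digest, which is the form MiGS sends back.
      def calculate_secure_hash(post, secure_hash)
        input = post
          .reject { |k| %i[SecureHash SecureHashType].include?(k) }
          .sort
          .map { |(k, v)| "vpc_#{k}=#{v}" }
          .join('&')
        OpenSSL::HMAC.hexdigest('SHA256', [secure_hash].pack('H*'), input).upcase
      end

      # Compares two strings without short-circuiting on the first differing
      # byte. Returns false when either side is not a String or the lengths
      # differ (length is not secret here: hex digests have a fixed width).
      def secure_hash_equal?(actual, expected)
        return false unless actual.is_a?(String) && expected.is_a?(String)
        return false unless actual.bytesize == expected.bytesize

        diff = 0
        actual.bytes.zip(expected.bytes) { |a, b| diff |= a ^ b }
        diff.zero?
      end
    end
  end
end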