Compatibility with earlier Python 2.7 versions

Compatibility with Python 2.7 versions older than 2.7.7

* Use Django's constant_time_compare method
* Include sparkpost in test requirements
* Don't use non-public `EnvironmentVarGuard` in tests

Fixes #41

anymail/webhooks/mailgun.py

@@ -3,6 +3,7 @@ from datetime import datetime
 
 import hashlib
 import hmac
+from django.utils.crypto import constant_time_compare
 from django.utils.timezone import utc
 
 from .base import AnymailBaseWebhookView
@@ -34,7 +35,7 @@ class MailgunBaseWebhookView(AnymailBaseWebhookView):
             raise AnymailWebhookValidationFailure("Mailgun webhook called without required security fields")
         expected_signature = hmac.new(key=self.api_key, msg='{}{}'.format(timestamp, token).encode('ascii'),
                                       digestmod=hashlib.sha256).hexdigest()
-        if not hmac.compare_digest(signature, expected_signature):
+        if not constant_time_compare(signature, expected_signature):
             raise AnymailWebhookValidationFailure("Mailgun webhook called with incorrect signature")
 
     def parse_events(self, request):

anymail/webhooks/mandrill.py

@@ -4,6 +4,7 @@ from datetime import datetime
 import hashlib
 import hmac
 from base64 import b64encode
+from django.utils.crypto import constant_time_compare
 from django.utils.timezone import utc
 
 from .base import AnymailBaseWebhookView
@@ -44,7 +45,7 @@ class MandrillSignatureMixin(object):
 
         expected_signature = b64encode(hmac.new(key=self.webhook_key, msg=signed_data.encode('utf-8'),
                                                 digestmod=hashlib.sha1).digest())
-        if not hmac.compare_digest(signature, expected_signature):
+        if not constant_time_compare(signature, expected_signature):
             raise AnymailWebhookValidationFailure("Mandrill webhook called with incorrect signature")