apigee-oauth 0.4.0

data/lib/oauth/signature.rb

@@ -0,0 +1,45 @@
+module OAuth
+  module Signature
+    # Returns a list of available signature methods
+    def self.available_methods
+      @available_methods ||= {}
+    end
+
+    # Build a signature from a +request+.
+    #
+    # Raises UnknownSignatureMethod exception if the signature method is unknown.
+    def self.build(request, options = {}, &block)
+      request = OAuth::RequestProxy.proxy(request, options)
+      klass = available_methods[
+        (request.signature_method ||
+        ((c = request.options[:consumer]) && c.options[:signature_method]) ||
+        "").downcase]
+      raise UnknownSignatureMethod, request.signature_method unless klass
+      klass.new(request, options, &block)
+    end
+
+    # Sign a +request+
+    def self.sign(request, options = {}, &block)
+      self.build(request, options, &block).signature
+    end
+
+    # Verify the signature of +request+
+    def self.verify(request, options = {}, &block)
+      self.build(request, options, &block).verify
+    end
+
+    # Create the signature base string for +request+. This string is the normalized parameter information.
+    #
+    # See Also: {OAuth core spec version 1.0, section 9.1.1}[http://oauth.net/core/1.0#rfc.section.9.1.1]
+    def self.signature_base_string(request, options = {}, &block)
+      self.build(request, options, &block).signature_base_string
+    end
+
+    # Create the body hash for a request
+    def self.body_hash(request, options = {}, &block)
+      self.build(request, options, &block).body_hash
+    end
+
+    class UnknownSignatureMethod < Exception; end
+  end
+end

data/lib/oauth/signature/base.rb

@@ -0,0 +1,110 @@
+require 'oauth/signature'
+require 'oauth/helper'
+require 'oauth/request_proxy/base'
+require 'base64'
+
+module OAuth::Signature
+  class Base
+    include OAuth::Helper
+
+    attr_accessor :options
+    attr_reader :token_secret, :consumer_secret, :request
+
+    def self.implements(signature_method = nil)
+      return @implements if signature_method.nil? 
+      @implements = signature_method
+      OAuth::Signature.available_methods[@implements] = self
+    end
+
+    def self.digest_class(digest_class = nil)
+      return @digest_class if digest_class.nil?
+      @digest_class = digest_class
+    end
+    
+    def self.digest_klass(digest_klass = nil)
+      return @digest_klass if digest_klass.nil?
+      @digest_klass = digest_klass
+    end
+
+    def self.hash_class(hash_class = nil)
+      return @hash_class if hash_class.nil?
+      @hash_class = hash_class
+    end
+
+    def initialize(request, options = {}, &block)
+      raise TypeError unless request.kind_of?(OAuth::RequestProxy::Base)
+      @request = request
+      @options = options
+
+      ## consumer secret was determined beforehand
+
+      @consumer_secret = options[:consumer].secret if options[:consumer]
+
+      # presence of :consumer_secret option will override any Consumer that's provided
+      @consumer_secret = options[:consumer_secret] if options[:consumer_secret]
+
+      ## token secret was determined beforehand
+
+      @token_secret = options[:token].secret if options[:token]
+
+      # presence of :token_secret option will override any Token that's provided
+      @token_secret = options[:token_secret] if options[:token_secret]
+
+      # override secrets based on the values returned from the block (if any)
+      if block_given?
+        # consumer secret and token secret need to be looked up based on pieces of the request
+        secrets = yield block.arity == 1 ? request : [token, consumer_key, nonce, request.timestamp]
+        if secrets.is_a?(Array) && secrets.size == 2
+          @token_secret = secrets[0]
+          @consumer_secret = secrets[1]
+        end
+      end
+    end
+
+    def signature
+      Base64.encode64(digest).chomp.gsub(/\n/,'')
+    end
+
+    def ==(cmp_signature)
+      Base64.decode64(signature) == Base64.decode64(cmp_signature)
+    end
+
+    def verify
+      self == self.request.signature
+    end
+
+    def signature_base_string
+      request.signature_base_string
+    end
+
+    def body_hash
+      if self.class.hash_class
+        Base64.encode64(self.class.hash_class.digest(request.body || '')).chomp.gsub(/\n/,'')
+      else
+        nil # no body hash algorithm defined, so don't generate one
+      end
+    end
+
+  private
+
+    def token
+      request.token
+    end
+
+    def consumer_key
+      request.consumer_key
+    end
+
+    def nonce
+      request.nonce
+    end
+
+    def secret
+      "#{escape(consumer_secret)}&#{escape(token_secret)}"
+    end
+
+    def digest
+      self.class.digest_class.digest(signature_base_string)
+    end
+  end
+end

data/lib/oauth/signature/hmac/base.rb

@@ -0,0 +1,15 @@
+# -*- encoding: utf-8 -*-
+
+require 'oauth/signature/base'
+require 'digest/hmac'
+
+module OAuth::Signature::HMAC
+  class Base < OAuth::Signature::Base
+
+  private
+    def digest
+      self.class.digest_class Object.module_eval("::Digest::#{self.class.digest_klass}")
+      Digest::HMAC.digest(signature_base_string, secret, self.class.digest_class)
+    end
+  end
+end

data/lib/oauth/signature/hmac/md5.rb

@@ -0,0 +1,8 @@
+require 'oauth/signature/hmac/base'
+
+module OAuth::Signature::HMAC
+  class MD5 < Base
+    implements 'hmac-md5'
+    digest_class 'MD5'
+  end
+end

data/lib/oauth/signature/hmac/rmd160.rb

@@ -0,0 +1,8 @@
+require 'oauth/signature/hmac/base'
+
+module OAuth::Signature::HMAC
+  class RMD160 < Base
+    implements 'hmac-rmd160'
+    digest_klass 'RMD160'
+  end
+end

data/lib/oauth/signature/hmac/sha1.rb

@@ -0,0 +1,9 @@
+require 'oauth/signature/hmac/base'
+
+module OAuth::Signature::HMAC
+  class SHA1 < Base    
+    implements 'hmac-sha1'
+    digest_klass 'SHA1'
+    hash_class ::Digest::SHA1
+  end
+end

data/lib/oauth/signature/hmac/sha2.rb

@@ -0,0 +1,8 @@
+require 'oauth/signature/hmac/base'
+
+module OAuth::Signature::HMAC
+  class SHA2 < Base
+    implements 'hmac-sha2'
+    digest_klass 'SHA2'
+  end
+end

data/lib/oauth/signature/md5.rb

@@ -0,0 +1,13 @@
+require 'oauth/signature/base'
+require 'digest/md5'
+
+module OAuth::Signature
+  class MD5 < Base
+    implements 'md5'
+    digest_class Digest::MD5
+
+    def signature_base_string
+      secret + super
+    end
+  end
+end

data/lib/oauth/signature/plaintext.rb

@@ -0,0 +1,23 @@
+require 'oauth/signature/base'
+
+module OAuth::Signature
+  class PLAINTEXT < Base
+    implements 'plaintext'
+
+    def signature
+      signature_base_string
+    end
+
+    def ==(cmp_signature)
+      signature.to_s == cmp_signature.to_s
+    end
+
+    def signature_base_string
+      secret
+    end
+
+    def secret
+      super
+    end
+  end
+end

data/lib/oauth/signature/rsa/sha1.rb

@@ -0,0 +1,46 @@
+require 'oauth/signature/base'
+require 'openssl'
+
+module OAuth::Signature::RSA
+  class SHA1 < OAuth::Signature::Base
+    implements 'rsa-sha1'
+    hash_class ::Digest::SHA1
+
+    def ==(cmp_signature)
+      public_key.verify(OpenSSL::Digest::SHA1.new, Base64.decode64(cmp_signature.is_a?(Array) ? cmp_signature.first : cmp_signature), signature_base_string)
+    end
+
+    def public_key
+      if consumer_secret.is_a?(String)
+        decode_public_key
+      elsif consumer_secret.is_a?(OpenSSL::X509::Certificate)
+        consumer_secret.public_key
+      else
+        consumer_secret
+      end
+    end
+
+  private
+
+    def decode_public_key
+      case consumer_secret
+      when /-----BEGIN CERTIFICATE-----/
+        OpenSSL::X509::Certificate.new( consumer_secret).public_key
+      else
+        OpenSSL::PKey::RSA.new( consumer_secret)
+      end
+    end
+
+    def digest
+      private_key = OpenSSL::PKey::RSA.new(
+        if options[:private_key_file]
+          IO.read(options[:private_key_file])
+        else
+          consumer_secret
+        end
+      )
+
+      private_key.sign(OpenSSL::Digest::SHA1.new, signature_base_string)
+    end
+  end
+end

data/lib/oauth/signature/sha1.rb

@@ -0,0 +1,13 @@
+require 'oauth/signature/base'
+require 'digest/sha1'
+
+module OAuth::Signature
+  class SHA1 < Base
+    implements 'sha1'
+    digest_class Digest::SHA1
+
+    def signature_base_string
+      secret + super
+    end
+  end
+end

data/lib/oauth/token.rb

@@ -0,0 +1,7 @@
+# this exists for backwards-compatibility
+
+require 'oauth/tokens/token'
+require 'oauth/tokens/server_token'
+require 'oauth/tokens/consumer_token'
+require 'oauth/tokens/request_token'
+require 'oauth/tokens/access_token'

data/lib/oauth/tokens/access_token.rb

@@ -0,0 +1,68 @@
+module OAuth
+  # The Access Token is used for the actual "real" web service calls that you perform against the server
+  class AccessToken < ConsumerToken
+    # The less intrusive way. Otherwise, if we are to do it correctly inside consumer,
+    # we need to restructure and touch more methods: request(), sign!(), etc.
+    def request(http_method, path, *arguments)
+      request_uri = URI.parse(path)
+      site_uri = consumer.uri
+      is_service_uri_different = (request_uri.absolute? && request_uri != site_uri)
+      consumer.uri(request_uri) if is_service_uri_different
+      @response = super(http_method, path, *arguments)
+      # NOTE: reset for wholesomeness? meaning that we admit only AccessToken service calls may use different URIs?
+      # so reset in case consumer is still used for other token-management tasks subsequently?
+      consumer.uri(site_uri) if is_service_uri_different
+      @response
+    end
+
+    # Make a regular GET request using AccessToken
+    #
+    #   @response = @token.get('/people')
+    #   @response = @token.get('/people', { 'Accept'=>'application/xml' })
+    #
+    def get(path, headers = {})
+      request(:get, path, headers)
+    end
+
+    # Make a regular HEAD request using AccessToken
+    #
+    #   @response = @token.head('/people')
+    #
+    def head(path, headers = {})
+      request(:head, path, headers)
+    end
+
+    # Make a regular POST request using AccessToken
+    #
+    #   @response = @token.post('/people')
+    #   @response = @token.post('/people', { :name => 'Bob', :email => 'bob@mailinator.com' })
+    #   @response = @token.post('/people', { :name => 'Bob', :email => 'bob@mailinator.com' }, { 'Accept' => 'application/xml' })
+    #   @response = @token.post('/people', nil, {'Accept' => 'application/xml' })
+    #   @response = @token.post('/people', @person.to_xml, { 'Accept'=>'application/xml', 'Content-Type' => 'application/xml' })
+    #
+    def post(path, body = '', headers = {})
+      request(:post, path, body, headers)
+    end
+
+    # Make a regular PUT request using AccessToken
+    #
+    #   @response = @token.put('/people/123')
+    #   @response = @token.put('/people/123', { :name => 'Bob', :email => 'bob@mailinator.com' })
+    #   @response = @token.put('/people/123', { :name => 'Bob', :email => 'bob@mailinator.com' }, { 'Accept' => 'application/xml' })
+    #   @response = @token.put('/people/123', nil, { 'Accept' => 'application/xml' })
+    #   @response = @token.put('/people/123', @person.to_xml, { 'Accept' => 'application/xml', 'Content-Type' => 'application/xml' })
+    #
+    def put(path, body = '', headers = {})
+      request(:put, path, body, headers)
+    end
+
+    # Make a regular DELETE request using AccessToken
+    #
+    #   @response = @token.delete('/people/123')
+    #   @response = @token.delete('/people/123', { 'Accept' => 'application/xml' })
+    #
+    def delete(path, headers = {})
+      request(:delete, path, headers)
+    end
+  end
+end

data/lib/oauth/tokens/consumer_token.rb

@@ -0,0 +1,33 @@
+module OAuth
+  # Superclass for tokens used by OAuth Clients
+  class ConsumerToken < Token
+    attr_accessor :consumer, :params
+    attr_reader   :response
+
+    def self.from_hash(consumer, hash)
+      token = self.new(consumer, hash[:oauth_token], hash[:oauth_token_secret])
+      token.params = hash
+      token
+    end
+
+    def initialize(consumer, token="", secret="")
+      super(token, secret)
+      @consumer = consumer
+      @params   = {}
+    end
+
+    # Make a signed request using given http_method to the path
+    #
+    #   @token.request(:get,  '/people')
+    #   @token.request(:post, '/people', @person.to_xml, { 'Content-Type' => 'application/xml' })
+    #
+    def request(http_method, path, *arguments)
+      @response = consumer.request(http_method, path, self, {}, *arguments)
+    end
+
+    # Sign a request generated elsewhere using Net:HTTP::Post.new or friends
+    def sign!(request, options = {})
+      consumer.sign!(request, self, options)
+    end
+  end
+end

data/lib/oauth/tokens/request_token.rb

@@ -0,0 +1,32 @@
+module OAuth
+  # The RequestToken is used for the initial Request.
+  # This is normally created by the Consumer object.
+  class RequestToken < ConsumerToken
+
+    # Generate an authorization URL for user authorization
+    def authorize_url(params = nil)
+      params = (params || {}).merge(:oauth_token => self.token)
+      build_authorize_url(consumer.authorize_url, params)
+    end
+
+    def callback_confirmed?
+      params[:oauth_callback_confirmed] == "true"
+    end
+
+    # exchange for AccessToken on server
+    def get_access_token(options = {}, *arguments)
+      response = consumer.token_request(consumer.http_method, (consumer.access_token_url? ? consumer.access_token_url : consumer.access_token_path), self, options, *arguments)
+      OAuth::AccessToken.from_hash(consumer, response)
+    end
+
+  protected
+
+    # construct an authorization url
+    def build_authorize_url(base_url, params)
+      uri = URI.parse(base_url.to_s)
+      # TODO doesn't handle array values correctly
+      uri.query = params.map { |k,v| [k, CGI.escape(v)] * "=" } * "&"
+      uri.to_s
+    end
+  end
+end