oauth 0.2.4 → 0.2.6

data/History.txt

@@ -1,3 +1,13 @@
+== 0.2.6 2008-9-9 The lets RSA release
+
+- Bill Kocik's fix for Ruby 1.8.7
+- Fixed rsa verification, so you can actually create an OAuth server yourself now using Ruby and RSA
+- Added better testing for RSA
+- Fixed issue where token was being included for rsa signatures
+- Chris Mear added support for a private_key_file option for rsa signatures 
+- Scott Hill fixed several edge cases where parameters were incorrectly being signed
+- Patch from choonkeat fixing a problem with rsa signing.
+
 == 0.2.2 2008-2-22 Lets actually support SSL release
 
 It didn't actually use https when required.

data/README.txt

@@ -1 +1,73 @@
-README
+= Ruby OAuth GEM
+
+== What
+
+This is a RubyGem for implementing both OAuth clients and servers in Ruby applications.
+
+See the OAuth specs http://oauth.net/core/1.0/
+
+== Installing
+
+  sudo gem install oauth
+
+You can also install it from the oauth rubyforge project http://rubyforge.org/projects/oauth/.
+
+The source code is now hosted on the OAuth GitHub Project http://github.com/pelle/oauth/tree/master
+
+== The basics
+
+This is a ruby library which is intended to be used in creating Ruby Consumer and Service Provider applications. It is NOT a Rails plugin, but could easily be used for the foundation for such a Rails plugin.
+
+As a matter of fact it has been pulled out from an OAuth Rails Plugin http://code.google.com/p/oauth-plugin/ which now requires this GEM.
+
+== Demonstration of usage
+
+Create a new consumer instance by passing it a configuration hash:
+
+  @consumer=OAuth::Consumer.new( "key","secret", {
+    :site=>"https://agree2"
+    })
+
+Start the process by requesting a token
+
+  @request_token=@consumer.get_request_token
+  session[:request_token]=@request_token
+  redirect_to @request_token.authorize_url
+
+When user returns create an access_token
+
+  @access_token=@request_token.get_access_token
+  @photos=@access_token.get('/photos.xml')
+
+For more detailed instructions I have written this OAuth Client Tutorial http://stakeventures.com/articles/2008/02/23/developing-oauth-clients-in-ruby and "How to turn your rails site into an OAuth Provider ":http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider .
+
+Finally be sure to check out the OAuth RDoc Manual http://oauth.rubyforge.org/rdoc/ .
+
+== Documentation Wiki
+
+There is some documentation on the Google Code project for the "OAuth Rails Plugin":http://code.google.com/p/oauth-plugin/ :
+
+* RequestToken http://code.google.com/p/oauth-plugin/wiki/RequestToken
+* AccessToken http://code.google.com/p/oauth-plugin/wiki/AccessToken
+
+== Forum
+
+http://groups.google.com/group/oauth-ruby
+
+
+== How to submit patches
+
+Read the "8 steps for fixing other people's code" http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/.
+
+The source code is now hosted on the OAuth GitHub Project http://github.com/pelle/oauth/tree/master
+
+To submit a patch, please fork the oauth project and create a patch with tests. Once you're happy with it send a pull request and post a message to the google group.
+
+== License
+
+This code is free to use under the terms of the MIT license. 
+
+== Contact
+
+Comments are welcome. Send an email to "Pelle Braendgaard" pelleb@gmail.com email via the OAuth Ruby mailing list http://groups.google.com/group/oauth-ruby
+

data/lib/oauth/client/helper.rb

@@ -56,7 +56,7 @@ module OAuth::Client
 
     def header
       parameters = oauth_parameters
-      parameters.merge!( { 'oauth_signature' => signature( { :parameters => parameters } ) } )
+      parameters.merge!( { 'oauth_signature' => signature( options.merge({ :parameters => parameters }) ) } )
 
       header_params_str = parameters.map { |k,v| "#{k}=\"#{escape(v)}\"" }.join(', ')
 

data/lib/oauth/client/net_http.rb

@@ -1,3 +1,4 @@
+require 'oauth/helper'
 require 'oauth/client/helper'
 require 'oauth/request_proxy/net_http'
 

data/lib/oauth/consumer.rb

@@ -6,7 +6,7 @@ module OAuth
     
     @@default_options={
       # Signature method used by server. Defaults to HMAC-SHA1
-      :oauth_signature_method=>'HMAC-SHA1',
+      :signature_method => 'HMAC-SHA1',
       
       # default paths on site. These are the same as the defaults set up by the generators
       :request_token_path=>'/oauth/request_token',
@@ -77,16 +77,21 @@ module OAuth
     end
     
     # Contains the root URI for this site
-    def uri(url=nil)
-      @uri||=URI.parse(url||site)
+    def uri(custom_uri=nil)
+      if custom_uri
+        @uri = custom_uri
+        @http = create_http # yike, oh well. less intrusive this way
+      else  # if no custom passed, we use existing, which, if unset, is set to site uri
+        @uri ||= URI.parse(site)
+      end
     end
     
     # Makes a request to the service for a new OAuth::RequestToken
     #   
     #  @request_token=@consumer.get_request_token
     #
-    def get_request_token
-      response=token_request(http_method,request_token_path)
+    def get_request_token(request_options={}, *arguments)
+      response=token_request(http_method,request_token_path, nil, request_options, *arguments)
       OAuth::RequestToken.new(self,response[:oauth_token],response[:oauth_token_secret])
     end
     
@@ -121,16 +126,16 @@ module OAuth
 
     # Sign the Request object. Use this if you have an externally generated http request object you want to sign.
     def sign!(request,token=nil, request_options = {})
-      request.oauth!(http,self,token,{:scheme=>scheme}.merge(request_options))
+      request.oauth!(http, self, token, options.merge(request_options))
     end
     
     # Return the signature_base_string
     def signature_base_string(request,token=nil, request_options = {})
-      request.signature_base_string(http,self,token,{:scheme=>scheme}.merge(request_options))
+      request.signature_base_string(http, self, token, options.merge(request_options))
     end
 
     def site
-      @options[:site]
+      @options[:site].to_s
     end
 
     def scheme
@@ -203,6 +208,11 @@ module OAuth
       request
     end
     
-    
+    # Unset cached http instance because it cannot be marshalled when
+    # it has already been used and use_ssl is set to true
+    def marshal_dump(*args)
+      @http = nil
+      self
+    end
   end
 end

data/lib/oauth/request_proxy/action_controller_request.rb

@@ -27,6 +27,28 @@ module OAuth::RequestProxy
         params.merge(options[:parameters] || {})
       end
     end
+    
+    # Override from OAuth::RequestProxy::Base to avoid roundtrip
+    # conversion to Hash or Array and thus preserve the original
+    # parameter names
+    def parameters_for_signature
+      params = []
+      params << options[:parameters].to_query if options[:parameters]
+
+      unless options[:clobber_request]
+        params << header_params.to_query
+        params << request.query_string unless request.query_string.blank?
+        if request.content_type == Mime::Type.lookup("application/x-www-form-urlencoded")
+          params << CGI.unescape(request.raw_post)
+        end
+      end
+      
+      params.
+        join('&').split('&').
+        reject { |kv| kv =~ /^oauth_signature=.*/}.
+        reject(&:blank?).
+        map { |p| p.split('=') }
+    end
 
     protected
 

data/lib/oauth/request_proxy/base.rb

@@ -24,6 +24,7 @@ module OAuth::RequestProxy
     def parameters_for_signature
       p = parameters.dup
       p.delete("oauth_signature")
+      p.delete("oauth_token") if signature_method=='RSA-SHA1'
       p
     end
 

data/lib/oauth/request_proxy/net_http.rb

@@ -44,7 +44,10 @@ module OAuth::RequestProxy::Net
       end
 
       def query_string
-        [ query_params, post_params, auth_header_params ].compact.join('&')
+        params = [ query_params, auth_header_params ]
+        is_form_urlencoded = request['Content-Type'] != nil && request['Content-Type'].downcase == 'application/x-www-form-urlencoded'
+        params << post_params if method.to_s.upcase == 'POST' && is_form_urlencoded
+        params.compact.join('&')
       end
       
       def query_params

data/lib/oauth/signature/base.rb

@@ -7,6 +7,8 @@ module OAuth::Signature
   class Base
     include OAuth::Helper
     
+    attr_accessor :options
+    
     def self.implements(signature_method)
       OAuth::Signature.available_methods[signature_method] = self
     end
@@ -21,16 +23,17 @@ module OAuth::Signature
     def initialize(request, options = {}, &block)
       raise TypeError unless request.kind_of?(OAuth::RequestProxy::Base)
       @request = request
+      @options = options
       if block_given?
         @token_secret, @consumer_secret = yield block.arity == 1 ? token : [token, consumer_key,nonce,request.timestamp]
       else
-        @consumer_secret = options[:consumer].secret
-        @token_secret = options[:token] ? options[:token].secret : ''
+        @consumer_secret = @options[:consumer].secret
+        @token_secret = @options[:token] ? @options[:token].secret : ''
       end
     end
 
     def signature
-      Base64.encode64(digest).chomp
+      Base64.encode64(digest).chomp.gsub(/\n/,'')
     end
 
     def ==(cmp_signature)

data/lib/oauth/signature/plaintext.rb

@@ -15,5 +15,9 @@ module OAuth::Signature
     def signature_base_string
       secret
     end
+    
+    def secret
+      escape super
+    end
   end
 end

data/lib/oauth/signature/rsa/sha1.rb

@@ -6,14 +6,38 @@ module OAuth::Signature::RSA
     implements 'rsa-sha1'
 
     def ==(cmp_signature)
-      public_key = OpenSSL::PKey::RSA.new(request.consumer.secret)
-      public_key.verify(OpenSSL::Digest::SHA1.new, cmp_signature, signature_base_string)
+      public_key.verify(OpenSSL::Digest::SHA1.new, Base64.decode64(cmp_signature.is_a?(Array) ? cmp_signature.first : cmp_signature), signature_base_string)
     end
 
+    def public_key
+      if consumer_secret.is_a?(String)
+        decode_public_key
+      elsif consumer_secret.is_a?(OpenSSL::X509::Certificate)
+        consumer_secret.public_key
+      else
+        consumer_secret
+      end
+    end
+    
     private
-
+    
+    def decode_public_key
+      case consumer_secret
+      when /-----BEGIN CERTIFICATE-----/
+        OpenSSL::X509::Certificate.new( consumer_secret).public_key
+      else
+        OpenSSL::PKey::RSA.new( consumer_secret)
+      end
+    end
+    
     def digest
-      private_key = OpenSSL::PKey::RSA.new(request.consumer.secret)
+      private_key = OpenSSL::PKey::RSA.new(
+        if options[:private_key_file]
+          IO.read(options[:private_key_file])
+        else
+          consumer_secret
+        end
+      )
       private_key.sign(OpenSSL::Digest::SHA1.new, signature_base_string)
     end
   end

data/lib/oauth/token.rb

@@ -69,6 +69,20 @@ module OAuth
   
   # The Access Token is used for the actual "real" web service calls thatyou perform against the server
   class AccessToken<ConsumerToken
+
+    # The less intrusive way. Otherwise, if we are to do it correctly inside consumer,
+    # we need to restructure and touch more methods: requst(), sign!(), etc.
+    def request(http_method, path, *arguments)
+      request_uri = URI.parse(path)
+      site_uri = consumer.uri
+      is_service_uri_different = (request_uri.absolute? && request_uri != site_uri)
+      consumer.uri(request_uri) if is_service_uri_different
+      resp = super(http_method, path, *arguments)
+      # NOTE: reset for wholesomeness? meaning that we admit only AccessToken service calls may use different URIs?
+      # so reset in case consumer is still used for other token-management tasks subsequently?
+      consumer.uri(site_uri) if is_service_uri_different
+      resp
+    end
     
     # Make a regular get request using AccessToken
     #

data/lib/oauth/version.rb

@@ -2,7 +2,7 @@ module Oauth #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 0
     MINOR = 2
-    TINY  = 4
+    TINY  = 6
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/tasks/deployment.rake

@@ -31,4 +31,4 @@ namespace :manifest do
   task :refresh do
     `rake check_manifest | patch -p0 > Manifest.txt`
   end
-end
+end

data/test/test_action_controller_request_proxy.rb

@@ -1,10 +1,27 @@
 require File.dirname(__FILE__) + '/test_helper.rb'
 require 'oauth/request_proxy/action_controller_request.rb'
+require 'action_controller'
+require 'action_controller/test_process'
 
 class ActionControllerRequestProxyTest < Test::Unit::TestCase
 
-  def test_truth
-    assert true
+  def request_proxy(parameters)
+    request = ActionController::TestRequest.new({}, parameters)
+    request.env['CONTENT_TYPE'] = 'application/x-www-form-urlencoded'
+    OAuth::RequestProxy.proxy(request)
+  end
+ 
+  def test_parameter_keys_should_preserve_brackets_from_hash
+    assert_equal(
+      [["message[body]", "This is a test"]],
+      request_proxy({ :message => { :body => 'This is a test' }}).parameters_for_signature
+    )
   end
 
+  def test_parameter_keys_should_preserve_brackets_from_array
+    assert_equal(
+      [["foo[]", "123"], ["foo[]", "456"]],
+      request_proxy({ :foo => [123, 456] }).parameters_for_signature.sort
+    )
+  end
 end

data/test/test_consumer.rb

@@ -1,5 +1,9 @@
+require 'rubygems'
+gem 'oauth'
 require 'test/unit'
 require 'oauth/consumer'
+require 'oauth/signature/rsa/sha1'
+
 
 # This performs testing against Andy Smith's test server http://term.ie/oauth/example/
 # Thanks Andy.
@@ -84,7 +88,42 @@ class ConsumerTest < Test::Unit::TestCase
     
     assert_equal 'GET', request.method
     assert_equal '/test?key=value', request.path
-    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"1oO2izFav1GP4kEH2EskwXkCRFg%3D\", oauth_version=\"1.0\"", request['authorization']
+    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"1oO2izFav1GP4kEH2EskwXkCRFg%3D\", oauth_version=\"1.0\"".split(', ').sort, request['authorization'].split(', ').sort
+  end
+
+  def test_that_setting_signature_method_on_consumer_effects_signing
+    require 'oauth/signature/plaintext'
+    request = Net::HTTP::Get.new(@request_uri.path)
+    consumer = @consumer.dup
+    consumer.options[:signature_method] = 'PLAINTEXT'
+    token = OAuth::ConsumerToken.new(consumer, 'token_411a7f', '3196ffd991c8ebdb')
+    token.sign!(request, {:nonce => @nonce, :timestamp => @timestamp})
+    
+    assert_no_match /oauth_signature_method="HMAC-SHA1"/, request['authorization']
+    assert_match    /oauth_signature_method="PLAINTEXT"/, request['authorization']
+  end
+
+  def test_that_setting_signature_method_on_consumer_effects_signature_base_string
+    require 'oauth/signature/plaintext'
+    request = Net::HTTP::Get.new(@request_uri.path)
+    consumer = @consumer.dup
+    consumer.options[:signature_method] = 'PLAINTEXT'
+    
+    request = Net::HTTP::Get.new('/')
+    signature_base_string = consumer.signature_base_string(request)
+
+    assert_no_match /HMAC-SHA1/, signature_base_string
+    assert_equal "#{consumer.secret}%26", signature_base_string
+  end
+
+  def test_that_plaintext_signature_works
+    require 'oauth/signature/plaintext'
+    consumer = OAuth::Consumer.new("key", "secret", 
+      :site => "http://term.ie", :signature_method => 'PLAINTEXT')
+    access_token = OAuth::AccessToken.new(consumer, 'accesskey', 'accesssecret')
+    response = access_token.get("/oauth/example/echo_api.php?echo=hello")
+
+    assert_equal 'echo=hello', response.body
   end
 
   def test_that_signing_auth_headers_on_post_requests_works
@@ -96,7 +135,7 @@ class ConsumerTest < Test::Unit::TestCase
     assert_equal 'POST', request.method
     assert_equal '/test', request.path
     assert_equal 'key=value', request.body
-    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"26g7wHTtNO6ZWJaLltcueppHYiI%3D\", oauth_version=\"1.0\"", request['authorization']
+    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"26g7wHTtNO6ZWJaLltcueppHYiI%3D\", oauth_version=\"1.0\"".split(', ').sort, request['authorization'].split(', ').sort
   end
  
   def test_that_signing_post_params_works
@@ -115,7 +154,7 @@ class ConsumerTest < Test::Unit::TestCase
     
     assert_equal 'GET', request.method
     assert_equal '/test?key=value', request.path
-    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"1oO2izFav1GP4kEH2EskwXkCRFg%3D\", oauth_version=\"1.0\"", request['authorization']
+    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"1oO2izFav1GP4kEH2EskwXkCRFg%3D\", oauth_version=\"1.0\"".split(', ').sort, request['authorization'].split(', ').sort
   end
 
   def test_that_using_auth_headers_on_post_on_create_signed_requests_works
@@ -123,7 +162,7 @@ class ConsumerTest < Test::Unit::TestCase
     assert_equal 'POST', request.method
     assert_equal '/test', request.path
     assert_equal 'key=value', request.body
-    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"26g7wHTtNO6ZWJaLltcueppHYiI%3D\", oauth_version=\"1.0\"", request['authorization']
+    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"26g7wHTtNO6ZWJaLltcueppHYiI%3D\", oauth_version=\"1.0\"".split(', ').sort, request['authorization'].split(', ').sort
   end
 
   def test_that_signing_post_params_works
@@ -192,12 +231,54 @@ class ConsumerTest < Test::Unit::TestCase
     assert_equal "200",@response.code
     assert_equal( "ok=hello&test=this",@response.body)    
   end
+
+
+  # This test does an actual https request (the result doesn't matter)
+  # to initialize the same way as get_request_token does. Can be any
+  # site that supports https.
+  #
+  # It also generates "warning: using default DH parameters." which I
+  # don't know how to get rid of
+  def test_serialization_with_https
+    consumer = OAuth::Consumer.new('token', 'secret', :site => 'https://plazes.net')
+    consumer.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    consumer.http.get('/')
+    
+    assert_nothing_raised do
+      # Specifically this should not raise TypeError: no marshal_dump
+      # is defined for class OpenSSL::SSL::SSLContext
+      Marshal.dump(consumer)
+    end
+  end
+  
+  def test_get_request_token_with_custom_arguments
+    @consumer=OAuth::Consumer.new( 
+        "key",
+        "secret",
+        {
+        :site=>"http://term.ie",
+        :request_token_path=>"/oauth/example/request_token.php",
+        :access_token_path=>"/oauth/example/access_token.php",
+        :authorize_path=>"/oauth/example/authorize.php"
+        })
+    
+    
+    debug = ""
+    @consumer.http.set_debug_output(debug)
+    
+    # get_request_token should receive our custom request_options and *arguments parameters from get_request_token.
+    @consumer.get_request_token({}, {:scope => "http://www.google.com/calendar/feeds http://picasaweb.google.com/data"})
+    
+    # Because this is a POST request, create_http_request should take the first element of *arguments
+    # and turn it into URL-encoded data in the body of the POST.
+    assert_match /^<- "scope=http%3a%2f%2fwww.google.com%2fcalendar%2ffeeds%20http%3a%2f%2fpicasaweb.google.com%2fdata"/,
+      debug
+  end
+
   protected
 
   def request_parameters_to_s
     @request_parameters.map { |k,v| "#{k}=#{v}" }.join("&")
   end
-
   
 end
-

data/test/test_net_http_client.rb

@@ -19,7 +19,7 @@ class NetHTTPClientTest < Test::Unit::TestCase
     
     assert_equal 'GET', request.method
     assert_equal '/test?key=value', request.path
-    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"1oO2izFav1GP4kEH2EskwXkCRFg%3D\", oauth_version=\"1.0\"", request['authorization']
+    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"1oO2izFav1GP4kEH2EskwXkCRFg%3D\", oauth_version=\"1.0\"".split(', ').sort, request['authorization'].split(', ').sort
   end
 
   def test_that_using_auth_headers_on_post_requests_works
@@ -30,7 +30,7 @@ class NetHTTPClientTest < Test::Unit::TestCase
     assert_equal 'POST', request.method
     assert_equal '/test', request.path
     assert_equal 'key=value', request.body
-    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"26g7wHTtNO6ZWJaLltcueppHYiI%3D\", oauth_version=\"1.0\"", request['authorization']
+    assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"26g7wHTtNO6ZWJaLltcueppHYiI%3D\", oauth_version=\"1.0\"".split(', ').sort, request['authorization'].split(', ').sort
   end
  
   def test_that_using_post_params_works
@@ -100,7 +100,7 @@ class NetHTTPClientTest < Test::Unit::TestCase
     request.oauth!(http, consumer, token, {:nonce => nonce, :timestamp => timestamp,:realm=>"http://photos.example.net/"})
 
     assert_equal 'GET', request.method
-    assert_equal 'OAuth realm="http://photos.example.net/", oauth_nonce="kllo9940pd9333jh", oauth_signature_method="HMAC-SHA1", oauth_token="nnch734d00sl2jdk", oauth_timestamp="1191242096", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D", oauth_version="1.0"', request['authorization']
+    assert_equal 'OAuth realm="http://photos.example.net/", oauth_nonce="kllo9940pd9333jh", oauth_signature_method="HMAC-SHA1", oauth_token="nnch734d00sl2jdk", oauth_timestamp="1191242096", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D", oauth_version="1.0"'.split(', ').sort, request['authorization'].split(', ').sort
     
   end
   
@@ -129,6 +129,36 @@ class NetHTTPClientTest < Test::Unit::TestCase
 #    assert_equal request['authorization'],response.body
     assert_equal "oauth_token=requestkey&oauth_token_secret=requestsecret",response.body
   end
+  
+  def test_that_put_bodies_not_signed
+    request = Net::HTTP::Put.new(@request_uri.path)
+    request.body = "<?xml version=\"1.0\"?><foo><bar>baz</bar></foo>"
+    request["Content-Type"] = "application/xml"
+    signature_base_string=request.signature_base_string(@http, @consumer, nil, { :nonce => @nonce, :timestamp => @timestamp })
+    assert_equal "PUT&http%3A%2F%2Fexample.com%2Ftest&oauth_consumer_key%3Dconsumer_key_86cad9%26oauth_nonce%3D225579211881198842005988698334675835446%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1199645624%26oauth_token%3D%26oauth_version%3D1.0", signature_base_string
+  end
+
+  def test_that_put_bodies_not_signed_even_if_form_urlencoded
+    request = Net::HTTP::Put.new(@request_uri.path)
+    request.set_form_data( { 'key2' => 'value2' } )
+    signature_base_string=request.signature_base_string(@http, @consumer, nil, { :nonce => @nonce, :timestamp => @timestamp })
+    assert_equal "PUT&http%3A%2F%2Fexample.com%2Ftest&oauth_consumer_key%3Dconsumer_key_86cad9%26oauth_nonce%3D225579211881198842005988698334675835446%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1199645624%26oauth_token%3D%26oauth_version%3D1.0", signature_base_string
+  end
+  
+  def test_that_post_bodies_signed_if_form_urlencoded
+    request = Net::HTTP::Post.new(@request_uri.path)
+    request.set_form_data( { 'key2' => 'value2' } )
+    signature_base_string=request.signature_base_string(@http, @consumer, nil, { :nonce => @nonce, :timestamp => @timestamp })
+    assert_equal "POST&http%3A%2F%2Fexample.com%2Ftest&key2%3Dvalue2%26oauth_consumer_key%3Dconsumer_key_86cad9%26oauth_nonce%3D225579211881198842005988698334675835446%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1199645624%26oauth_token%3D%26oauth_version%3D1.0", signature_base_string
+  end
+  
+  def test_that_post_bodies_not_signed_if_other_content_type
+    request = Net::HTTP::Post.new(@request_uri.path)
+    request.body = "<?xml version=\"1.0\"?><foo><bar>baz</bar></foo>"
+    request["Content-Type"] = "application/xml"
+    signature_base_string=request.signature_base_string(@http, @consumer, nil, { :nonce => @nonce, :timestamp => @timestamp })
+    assert_equal "POST&http%3A%2F%2Fexample.com%2Ftest&oauth_consumer_key%3Dconsumer_key_86cad9%26oauth_nonce%3D225579211881198842005988698334675835446%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1199645624%26oauth_token%3D%26oauth_version%3D1.0", signature_base_string
+  end
 
   protected
 

data/test/test_rsa_sha1.rb

@@ -0,0 +1,59 @@
+require File.dirname(__FILE__) + '/test_helper.rb'
+require 'oauth/consumer'
+require 'oauth/signature/rsa/sha1'
+
+class TestSignatureRsaSha1 < Test::Unit::TestCase
+  
+  def setup
+    @request = Net::HTTP::Get.new('/photos?file=vacaction.jpg&size=original&oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_token=nnch734d00sl2jdk&oauth_timestamp=1196666512&oauth_nonce=13917289812797014437&oauth_signature_method=RSA-SHA1')
+
+    @consumer = OAuth::Consumer.new('dpf43f3p2l4k3l03', OpenSSL::PKey::RSA.new(IO.read(File.dirname(__FILE__) + "/keys/rsa.pem")))
+    
+  end
+  
+  def test_that_rsa_sha1_implements_rsa_sha1
+    assert OAuth::Signature.available_methods.include?('rsa-sha1')
+  end
+  
+  def test_that_get_request_from_oauth_test_cases_produces_matching_signature_base_string
+    sbs = OAuth::Signature.signature_base_string(@request, { :consumer => @consumer,
+                                                 :uri => 'http://photos.example.net/photos' } )
+
+    assert_equal 'GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacaction.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3D13917289812797014437%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1196666512%26oauth_version%3D1.0%26size%3Doriginal', sbs
+  end
+
+  def test_that_get_request_from_oauth_test_cases_produces_matching_signature
+    signature = OAuth::Signature.sign(@request, { :consumer => @consumer,
+                                                 :uri => 'http://photos.example.net/photos' } )
+
+    assert_equal 'jvTp/wX1TYtByB1m+Pbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2/9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW//e+RinhejgCuzoH26dyF8iY2ZZ/5D1ilgeijhV/vBka5twt399mXwaYdCwFYE=', signature
+    
+  end
+
+  def test_that_get_request_from_oauth_test_cases_produces_matching_signature_using_private_key_file
+    @consumer = OAuth::Consumer.new('dpf43f3p2l4k3l03',nil)
+
+    signature = OAuth::Signature.sign(@request, { :consumer => @consumer,
+                                                  :private_key_file=>File.dirname(__FILE__) + "/keys/rsa.pem",
+                                                 :uri => 'http://photos.example.net/photos' } )
+
+    assert_equal 'jvTp/wX1TYtByB1m+Pbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2/9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW//e+RinhejgCuzoH26dyF8iY2ZZ/5D1ilgeijhV/vBka5twt399mXwaYdCwFYE=', signature
+  end
+
+  def test_that_get_request_from_oauth_test_cases_verifies_signature
+    @request = Net::HTTP::Get.new('/photos?oauth_signature_method=RSA-SHA1&oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_timestamp=1196666512&oauth_nonce=13917289812797014437&file=vacaction.jpg&size=original&oauth_signature=jvTp%2FwX1TYtByB1m%2BPbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2%2F9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW%2F%2Fe%2BRinhejgCuzoH26dyF8iY2ZZ%2F5D1ilgeijhV%2FvBka5twt399mXwaYdCwFYE%3D')
+    @consumer = OAuth::Consumer.new('dpf43f3p2l4k3l03',OpenSSL::X509::Certificate.new(IO.read(File.dirname(__FILE__) + "/keys/rsa.cert")))
+
+    assert OAuth::Signature.verify(@request, { :consumer => @consumer,
+                                                 :uri => 'http://photos.example.net/photos' } )
+
+  end
+  
+  def test_that_get_request_from_oauth_test_cases_verifies_signature_with_pem
+    @request = Net::HTTP::Get.new('/photos?oauth_signature_method=RSA-SHA1&oauth_version=1.0&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_timestamp=1196666512&oauth_nonce=13917289812797014437&file=vacaction.jpg&size=original&oauth_signature=jvTp%2FwX1TYtByB1m%2BPbyo0lnCOLIsyGCH7wke8AUs3BpnwZJtAuEJkvQL2%2F9n4s5wUmUl4aCI4BwpraNx4RtEXMe5qg5T1LVTGliMRpKasKsW%2F%2Fe%2BRinhejgCuzoH26dyF8iY2ZZ%2F5D1ilgeijhV%2FvBka5twt399mXwaYdCwFYE%3D')
+    assert OAuth::Signature.verify(@request, { :consumer => @consumer,
+                                                 :uri => 'http://photos.example.net/photos' } )
+
+  end
+
+end

data/website/index.html

@@ -33,103 +33,50 @@
     <h1>Ruby OAuth GEM</h1>
     <div id="version" class="clickable" onclick='document.location = "http://rubyforge.org/projects/oauth"; return false'>
       <p>Get Version</p>
-      <a href="http://rubyforge.org/projects/oauth" class="numbers">0.2.3</a>
+      <a href="http://rubyforge.org/projects/oauth" class="numbers">0.2.5</a>
     </div>
     <h2>What</h2>
-
-
-	<p>This is a RubyGem for implementing both OAuth clients and servers in Ruby applications.</p>
-
-
-	<p>See the <a href="http://oauth.net/core/1.0/">OAuth specs</a></p>
-
-
-	<h2>Installing</h2>
-
-
-	<p><pre class='syntax'><span class="ident">sudo</span> <span class="ident">gem</span> <span class="ident">install</span> <span class="ident">oauth</span></pre></p>
-
-
-	<p>You can also install it from the <a href="http://rubyforge.org/projects/oauth/">oauth rubyforge project</a>.</p>
-
-
-	<h2>The basics</h2>
-
-
-	<p>This is a ruby library which is intended to be used in creating Ruby Consumer and Service Provider applications. It is <span class="caps">NOT</span> a Rails plugin, but could easily be used for the foundation for such a Rails plugin.</p>
-
-
-	<p>As a matter of fact it has been pulled out from an <a href="http://code.google.com/p/oauth-plugin/">OAuth Rails Plugin</a> which now requires this <span class="caps">GEM</span>.</p>
-
-
-	<h2>Demonstration of usage</h2>
-
-
-	<p>Create a new consumer instance by passing it a configuration hash:</p>
-
-
+<p>This is a RubyGem for implementing both OAuth clients and servers in Ruby applications.</p>
+<p>See the <a href="http://oauth.net/core/1.0/">OAuth specs</a></p>
+<h2>Installing</h2>
+<p><pre class='syntax'><span class="ident">sudo</span> <span class="ident">gem</span> <span class="ident">install</span> <span class="ident">oauth</span></pre></p>
+<p>You can also install it from the <a href="http://rubyforge.org/projects/oauth/">oauth rubyforge project</a>.</p>
+<p>The source code is now hosted on the <a href="http://github.com/pelle/oauth/tree/master">OAuth GitHub Project</a></p>
+<h2>The basics</h2>
+<p>This is a ruby library which is intended to be used in creating Ruby Consumer and Service Provider applications. It is <span class="caps">NOT</span> a Rails plugin, but could easily be used for the foundation for such a Rails plugin.</p>
+<p>As a matter of fact it has been pulled out from an <a href="http://code.google.com/p/oauth-plugin/">OAuth Rails Plugin</a> which now requires this <span class="caps">GEM</span>.</p>
+<h2>Demonstration of usage</h2>
+<p>Create a new consumer instance by passing it a configuration hash:</p>
 <pre><code>@consumer=OAuth::Consumer.new( "key","secret", {
-    :site=&gt;"https://agree2" 
+    :site=&gt;"https://agree2"
     })</code></pre>
-
-	<p>Start the process by requesting a token</p>
-
-
+<p>Start the process by requesting a token</p>
 <pre><code>@request_token=@consumer.get_request_token
 session[:request_token]=@request_token
 redirect_to @request_token.authorize_url</code></pre>
-
-	<p>When user returns create an access_token</p>
-
-
+<p>When user returns create an access_token</p>
 <pre><code>@access_token=@request_token.get_access_token
 @photos=@access_token.get('/photos.xml')</code></pre>
-
-	<p>For more detailed instructions I have written this <a href="http://stakeventures.com/articles/2008/02/23/developing-oauth-clients-in-ruby">OAuth Client Tutorial</a> and <a href="http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider">How to turn your rails site into an OAuth Provider</a>.</p>
-
-
-	<p>Finally be sure to check out the <a href="http://oauth.rubyforge.org/rdoc/">OAuth RDoc Manual</a>.</p>
-
-
-	<h2>Documentation Wiki</h2>
-
-
-	<p>There is some documentation on the Google Code project for the <a href="http://code.google.com/p/oauth-plugin/">OAuth Rails Plugin</a> :</p>
-
-
-	<ul>
+<p>For more detailed instructions I have written this <a href="http://stakeventures.com/articles/2008/02/23/developing-oauth-clients-in-ruby">OAuth Client Tutorial</a> and &quot;How to turn your rails site into an OAuth Provider &quot;:http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider.</p>
+<p>Finally be sure to check out the <a href="http://oauth.rubyforge.org/rdoc/">OAuth RDoc Manual</a>.</p>
+<h2>Documentation Wiki</h2>
+<p>There is some documentation on the Google Code project for the <a href="http://code.google.com/p/oauth-plugin/">OAuth Rails Plugin</a> :</p>
+<ul>
 	<li><a href="http://code.google.com/p/oauth-plugin/wiki/RequestToken">RequestToken</a></li>
-		<li><a href="http://code.google.com/p/oauth-plugin/wiki/AccessToken">AccessToken</a></li>
-	</ul>
-
-
-	<h2>Forum</h2>
-
-
-	<p><a href="http://groups.google.com/group/oauth-ruby">http://groups.google.com/group/oauth-ruby</a></p>
-
-
-	<h2>How to submit patches</h2>
-
-
-	<p>Read the <a href="http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/">8 steps for fixing other people&#8217;s code</a> and for section <a href="http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/#8b-google-groups">8b: Submit patch to Google Groups</a>, use the Google Group above.</p>
-
-
-	<p>The trunk repository is <code>http://oauth.rubyforge.org/svn/trunk/</code> for anonymous access.</p>
-
-
-	<h2>License</h2>
-
-
-	<p>This code is free to use under the terms of the <span class="caps">MIT</span> license.</p>
-
-
-	<h2>Contact</h2>
-
-
-	<p>Comments are welcome. Send an email to <a href="mailto:pelleb@gmail.com">Pelle Braendgaard</a> email via the <a href="http://groups.google.com/group/oauth-ruby">OAuth Ruby mailing list</a></p>
+	<li><a href="http://code.google.com/p/oauth-plugin/wiki/AccessToken">AccessToken</a></li>
+</ul>
+<h2>Forum</h2>
+<p><a href="http://groups.google.com/group/oauth-ruby">http://groups.google.com/group/oauth-ruby</a></p>
+<h2>How to submit patches</h2>
+<p>Read the <a href="http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/">8 steps for fixing other people&#8217;s code</a>.</p>
+<p>The source code is now hosted on the <a href="http://github.com/pelle/oauth/tree/master">OAuth GitHub Project</a></p>
+<p>To submit a patch, please fork the oauth project and create a patch with tests. Once you&#8217;re happy with it send a pull request and post a message to the google group.</p>
+<h2>License</h2>
+<p>This code is free to use under the terms of the <span class="caps">MIT</span> license.</p>
+<h2>Contact</h2>
+<p>Comments are welcome. Send an email to <a href="mailto:pelleb@gmail.com">Pelle Braendgaard</a> email via the <a href="http://groups.google.com/group/oauth-ruby">OAuth Ruby mailing list</a></p>
     <p class="coda">
-      <a href="FIXME email">FIXME full name</a>, 25th February 2008<br>
+      <a href="FIXME email">FIXME full name</a>, 8th September 2008<br>
       Theme extended from <a href="http://rb2js.rubyforge.org/">Paul Battley</a>
     </p>
 </div>

data/website/index.txt

@@ -12,6 +12,8 @@ h2. Installing
 
 You can also install it from the "oauth rubyforge project":http://rubyforge.org/projects/oauth/.
 
+The source code is now hosted on the "OAuth GitHub Project":http://github.com/pelle/oauth/tree/master
+
 h2. The basics
 
 This is a ruby library which is intended to be used in creating Ruby Consumer and Service Provider applications. It is NOT a Rails plugin, but could easily be used for the foundation for such a Rails plugin.
@@ -55,9 +57,11 @@ h2. Forum
 
 h2. How to submit patches
 
-Read the "8 steps for fixing other people's code":http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/ and for section "8b: Submit patch to Google Groups":http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/#8b-google-groups, use the Google Group above.
+Read the "8 steps for fixing other people's code":http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/.
+
+The source code is now hosted on the "OAuth GitHub Project":http://github.com/pelle/oauth/tree/master
 
-The trunk repository is <code>http://oauth.rubyforge.org/svn/trunk/</code> for anonymous access.
+To submit a patch, please fork the oauth project and create a patch with tests. Once you're happy with it send a pull request and post a message to the google group.
 
 h2. License
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: oauth
 version: !ruby/object:Gem::Version 
-  version: 0.2.4
+  version: 0.2.6
 platform: ruby
 authors: 
 - Pelle Braendgaard
@@ -14,11 +14,12 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2008-04-27 00:00:00 -07:00
+date: 2008-09-09 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: ruby-hmac
+  type: :runtime
   version_requirement: 
   version_requirements: !ruby/object:Gem::Requirement 
     requirements: 
@@ -26,6 +27,16 @@ dependencies:
       - !ruby/object:Gem::Version 
         version: 0.3.1
     version: 
+- !ruby/object:Gem::Dependency 
+  name: hoe
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.7.0
+    version: 
 description: OAuth Core Ruby implementation
 email: pelleb@gmail.com
 executables: []
@@ -117,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: oauth
-rubygems_version: 1.1.1
+rubygems_version: 1.2.0
 signing_key: 
 specification_version: 2
 summary: OAuth Core Ruby implementation
@@ -129,6 +140,7 @@ test_files:
 - test/test_net_http_client.rb
 - test/test_net_http_request_proxy.rb
 - test/test_rack_request_proxy.rb
+- test/test_rsa_sha1.rb
 - test/test_server.rb
 - test/test_signature.rb
 - test/test_signature_base.rb