pelle-oauth 0.3.1 → 0.3.5

data/lib/oauth/errors.rb

@@ -0,0 +1,3 @@
+require 'oauth/errors/error'
+require 'oauth/errors/unauthorized'
+require 'oauth/errors/problem'

data/lib/oauth/errors/error.rb

@@ -0,0 +1,4 @@
+module OAuth
+  class Error < StandardError
+  end
+end

data/lib/oauth/errors/problem.rb

@@ -0,0 +1,14 @@
+module OAuth
+  class Problem < OAuth::Unauthorized
+    attr_reader :problem, :params
+    def initialize(problem, request = nil, params = {})
+      super(request)
+      @problem = problem
+      @params  = params
+    end
+
+    def to_s
+      problem
+    end
+  end
+end

data/lib/oauth/errors/unauthorized.rb

@@ -0,0 +1,12 @@
+module OAuth
+  class Unauthorized < OAuth::Error
+    attr_reader :request
+    def initialize(request = nil)
+      @request = request
+    end
+
+    def to_s
+      [request.code, request.message] * " "
+    end
+  end
+end

data/lib/oauth/helper.rb

@@ -1,17 +1,78 @@
 require 'openssl'
 require 'base64'
-require 'cgi'
+
 module OAuth
   module Helper
     extend self
 
+    # Escape +value+ by URL encoding all non-reserved character. 
+    #
+    # See Also: {OAuth core spec version 1.0, section 5.1}[http://oauth.net/core/1.0#rfc.section.5.1]
     def escape(value)
-      CGI.escape(value.to_s).gsub("%7E", '~').gsub("+", "%20")
+      URI::escape(value.to_s, OAuth::RESERVED_CHARACTERS)
     end
-    
+
+    # Generate a random key of up to +size+ bytes. The value returned is Base64 encoded with non-word
+    # characters removed.
     def generate_key(size=32)
-      Base64.encode64(OpenSSL::Random.random_bytes(size)).gsub(/\W/,'')
-    end    
-    
+      Base64.encode64(OpenSSL::Random.random_bytes(size)).gsub(/\W/, '')
+    end
+
+    alias_method :generate_nonce, :generate_key
+
+    def generate_timestamp #:nodoc:
+      Time.now.to_i.to_s
+    end
+
+    # Normalize a +Hash+ of parameter values. Parameters are sorted by name, using lexicographical
+    # byte value ordering. If two or more parameters share the same name, they are sorted by their value.
+    # Parameters are concatenated in their sorted order into a single string. For each parameter, the name
+    # is separated from the corresponding value by an "=" character, even if the value is empty. Each
+    # name-value pair is separated by an "&" character.
+    #
+    # See Also: {OAuth core spec version 1.0, section 9.1.1}[http://oauth.net/core/1.0#rfc.section.9.1.1]
+    def normalize(params)
+      params.sort.map do |k, values|
+
+        if values.is_a?(Array)
+          # multiple values were provided for a single key
+          values.sort.collect do |v|
+            [escape(k),escape(v)] * "="
+          end
+        else
+          [escape(k),escape(values)] * "="
+        end
+      end * "&"
+    end
+
+    # Parse an Authorization / WWW-Authenticate header into a hash. Takes care of unescaping and
+    # removing surrounding quotes. Raises a OAuth::Problem if the header is not parsable into a
+    # valid hash. Does not validate the keys or values.
+    #
+    #   hash = parse_header(headers['Authorization'] || headers['WWW-Authenticate'])
+    #   hash['oauth_timestamp']
+    #     #=>"1234567890"
+    # 
+    def parse_header(header)
+      # decompose
+      params = header[6,header.length].split(/[,=]/)
+
+      # odd number of arguments - must be a malformed header.
+      raise OAuth::Problem.new("Invalid authorization header") if params.size % 2 != 0
+
+      params.map! do |v|
+        # strip and unescape
+        val = unescape(v.strip)
+        # strip quotes
+        val.sub(/^\"(.*)\"$/, '\1')
+      end
+
+      # convert into a Hash
+      Hash[*params.flatten]
+    end
+
+    def unescape(value)
+      URI.unescape(value.gsub('+', '%2B'))
+    end
   end
 end

data/lib/oauth/oauth.rb

@@ -0,0 +1,11 @@
+module OAuth
+  # request tokens are passed between the consumer and the provider out of
+  # band (i.e. callbacks cannot be used), per section 6.1.1
+  OUT_OF_BAND = "oob"
+
+  # required parameters, per sections 6.1.1, 6.3.1, and 7
+  PARAMETERS = %w(oauth_callback oauth_consumer_key oauth_token oauth_signature_method oauth_timestamp oauth_nonce oauth_verifier oauth_version oauth_signature)
+
+  # reserved character regexp, per section 5.1
+  RESERVED_CHARACTERS = /[^a-zA-Z0-9\-\.\_\~]/
+end

data/lib/oauth/oauth_test_helper.rb

@@ -1,26 +1,25 @@
 require 'action_controller'
 require 'action_controller/test_process'
+
 module OAuth
   module OAuthTestHelper
-    
     def mock_incoming_request_with_query(request)
-      incoming=ActionController::TestRequest.new(request.to_hash)
-      incoming.request_uri=request.path
-      incoming.env["SERVER_PORT"]=request.uri.port
-      incoming.host=request.uri.host
-      incoming.env['REQUEST_METHOD']=request.http_method
+      incoming = ActionController::TestRequest.new(request.to_hash)
+      incoming.request_uri = request.path
+      incoming.host = request.uri.host
+      incoming.env["SERVER_PORT"] = request.uri.port
+      incoming.env['REQUEST_METHOD'] = request.http_method
       incoming
     end
 
     def mock_incoming_request_with_authorize_header(request)
-      incoming=ActionController::TestRequest.new
-      incoming.env["HTTP_AUTHORIZATION"]=request.to_auth_string
-      incoming.request_uri=request.path
-      incoming.env["SERVER_PORT"]=request.uri.port
-      incoming.host=request.uri.host
-      incoming.env['REQUEST_METHOD']=request.http_method
+      incoming = ActionController::TestRequest.new
+      incoming.request_uri = request.path
+      incoming.host = request.uri.host
+      incoming.env["HTTP_AUTHORIZATION"] = request.to_auth_string
+      incoming.env["SERVER_PORT"] = request.uri.port
+      incoming.env['REQUEST_METHOD'] = request.http_method
       incoming
     end
-  
   end
 end

data/lib/oauth/request_proxy/action_controller_request.rb

@@ -1,5 +1,5 @@
-require 'rubygems'
 require 'active_support'
+require 'action_controller'
 require 'action_controller/request'
 require 'oauth/request_proxy/base'
 require 'uri'
@@ -25,7 +25,7 @@ module OAuth::RequestProxy
         params.merge(options[:parameters] || {})
       end
     end
-    
+
     # Override from OAuth::RequestProxy::Base to avoid roundtrip
     # conversion to Hash or Array and thus preserve the original
     # parameter names
@@ -36,19 +36,19 @@ module OAuth::RequestProxy
       unless options[:clobber_request]
         params << header_params.to_query
         params << request.query_string unless request.query_string.blank?
-        if request.content_type == Mime::Type.lookup("application/x-www-form-urlencoded")
-          params << CGI.unescape(request.raw_post)
+        if request.post? && request.content_type == Mime::Type.lookup("application/x-www-form-urlencoded")
+          params << request.raw_post
         end
       end
-      
+
       params.
         join('&').split('&').
-        reject { |kv| kv =~ /^oauth_signature=.*/}.
         reject(&:blank?).
-        map { |p| p.split('=') }
+        map { |p| p.split('=').map{|esc| CGI.unescape(esc)} }.
+        reject { |kv| kv[0] == 'oauth_signature'}
     end
 
-    protected
+  protected
 
     def query_params
       request.query_parameters

data/lib/oauth/request_proxy/base.rb

@@ -16,70 +16,133 @@ module OAuth::RequestProxy
       @options = options
     end
 
-    def token
-      parameters['oauth_token']
-    end
+    ## OAuth parameters
 
-    def consumer_key
-      parameters['oauth_consumer_key']
+    def oauth_callback
+      parameters['oauth_callback']
     end
 
-    def parameters_for_signature
-      p = parameters.dup
-      p.delete("oauth_signature")
-      p
+    def oauth_consumer_key
+      parameters['oauth_consumer_key']
     end
 
-    def nonce
+    def oauth_nonce
       parameters['oauth_nonce']
     end
 
-    def timestamp
-      parameters['oauth_timestamp']
+    def oauth_signature
+      # TODO can this be nil?
+      parameters['oauth_signature'] || ""
     end
 
-    def signature_method
+    def oauth_signature_method
       case parameters['oauth_signature_method']
-      when Array: parameters['oauth_signature_method'].first
+      when Array
+        parameters['oauth_signature_method'].first
       else
         parameters['oauth_signature_method']
       end
     end
 
-    def signature
-      parameters['oauth_signature'] || ""
+    def oauth_timestamp
+      parameters['oauth_timestamp']
+    end
+
+    def oauth_token
+      parameters['oauth_token']
+    end
+
+    def oauth_verifier
+      parameters['oauth_verifier']
+    end
+
+    def oauth_version
+      parameters["oauth_version"]
+    end
+
+    # TODO deprecate these
+    alias_method :consumer_key,     :oauth_consumer_key
+    alias_method :token,            :oauth_token
+    alias_method :nonce,            :oauth_nonce
+    alias_method :timestamp,        :oauth_timestamp
+    alias_method :signature,        :oauth_signature
+    alias_method :signature_method, :oauth_signature_method
+
+    ## Parameter accessors
+
+    def parameters
+      raise NotImplementedError, "Must be implemented by subclasses"
     end
-    
+
+    def parameters_for_signature
+      parameters.reject { |k,v| k == "oauth_signature" }
+    end
+
+    def oauth_parameters
+      parameters.select { |k,v| OAuth::PARAMETERS.include?(k) }.reject { |k,v| v == "" }
+    end
+
+    def non_oauth_parameters
+      parameters.reject { |k,v| OAuth::PARAMETERS.include?(k) }
+    end
+
     # See 9.1.2 in specs
     def normalized_uri
-      u=URI.parse(uri)
-      "#{u.scheme.downcase}://#{u.host.downcase}#{(u.scheme.downcase=='http'&&u.port!=80)||(u.scheme.downcase=='https'&&u.port!=443) ? ":#{u.port}" : ""}#{(u.path&&u.path!='') ? u.path : '/'}"
+      u = URI.parse(uri)
+      "#{u.scheme.downcase}://#{u.host.downcase}#{(u.scheme.downcase == 'http' && u.port != 80) || (u.scheme.downcase == 'https' && u.port != 443) ? ":#{u.port}" : ""}#{(u.path && u.path != '') ? u.path : '/'}"
     end
-    
+
     # See 9.1.1. in specs Normalize Request Parameters
     def normalized_parameters
-      parameters_for_signature.sort.map do |k, values|
+      normalize(parameters_for_signature)
+    end
 
-        if values.is_a?(Array)
-          # multiple values were provided for a single key
-          values.sort.collect do |v|
-            [escape(k),escape(v)] * "="
-          end
-        else
-          [escape(k),escape(values)] * "="
-        end
-      end * "&"
+    def sign(options = {})
+      OAuth::Signature.sign(self, options)
     end
-    
+
+    def sign!(options = {})
+      parameters["oauth_signature"] = sign(options)
+      @signed = true
+      signature
+    end
+
     # See 9.1 in specs
     def signature_base_string
       base = [method, normalized_uri, normalized_parameters]
       base.map { |v| escape(v) }.join("&")
     end
-    
-    
-    protected
-    
+
+    # Has this request been signed yet?
+    def signed?
+      @signed
+    end
+
+    # URI, including OAuth parameters
+    def signed_uri(with_oauth = true)
+      if signed?
+        if with_oauth
+          params = parameters
+        else
+          params = non_oauth_parameters
+        end
+
+        [uri, normalize(params)] * "?"
+      else
+        STDERR.puts "This request has not yet been signed!"
+      end
+    end
+
+    # Authorization header for OAuth
+    def oauth_header(options = {})
+      header_params_str = oauth_parameters.map { |k,v| "#{k}=\"#{escape(v)}\"" }.join(', ')
+
+      realm = "realm=\"#{options[:realm]}\", " if options[:realm]
+      "OAuth #{realm}#{header_params_str}"
+    end
+
+  protected
+
     def header_params
       %w( X-HTTP_AUTHORIZATION Authorization HTTP_AUTHORIZATION ).each do |header|
         next unless request.env.include?(header)
@@ -87,10 +150,10 @@ module OAuth::RequestProxy
         header = request.env[header]
         next unless header[0,6] == 'OAuth '
 
-        oauth_param_string = header[6,header.length].split(/[,=]/)
-        oauth_param_string.map! { |v| unescape(v.strip) }
-        oauth_param_string.map! { |v| v =~ /^\".*\"$/ ? v[1..-2] : v }
-        oauth_params = Hash[*oauth_param_string.flatten]
+        # parse the header into a Hash
+        oauth_params = OAuth::Helper.parse_header(header)
+
+        # remove non-OAuth parameters
         oauth_params.reject! { |k,v| k !~ /^oauth_/ }
 
         return oauth_params
@@ -98,10 +161,5 @@ module OAuth::RequestProxy
 
       return {}
     end
-    
-    def unescape(value)
-      URI.unescape(value.gsub('+', '%2B'))
-    end
-    
   end
 end

data/lib/oauth/request_proxy/jabber_request.rb

@@ -32,11 +32,10 @@ module OAuth
       def uri
         [@request.from.strip.to_s, @request.to.strip.to_s].join("&")
       end
-      
+
       def normalized_uri
         uri
       end
-      
     end
   end
 end

data/lib/oauth/request_proxy/mock_request.rb

@@ -28,6 +28,14 @@ module OAuth
         @request["method"]
       end
 
+      def normalized_uri
+        super
+      rescue
+        # if this is a non-standard URI, it may not parse properly
+        # in that case, assume that it's already been normalized
+        uri
+      end
+
       def uri
         @request["uri"]
       end

data/lib/oauth/request_proxy/net_http.rb

@@ -25,7 +25,7 @@ module OAuth::RequestProxy::Net
         end
       end
 
-      private
+    private
 
       def all_parameters
         request_params = CGI.parse(query_string)
@@ -47,7 +47,7 @@ module OAuth::RequestProxy::Net
         params << post_params if method.to_s.upcase == 'POST' && is_form_urlencoded
         params.compact.join('&')
       end
-      
+
       def query_params
         URI.parse(request.path).query
       end