rares-oauth 0.2.7

data/History.txt

@@ -0,0 +1,33 @@
+Fix in plain text signatures to bug found by Andrew Arrow. Who contributed new new unit tests for plain text sigs.
+
+== 0.2.7 2008-9-10 The lets fix the last release release
+
+There was an error in the RSA requests using oauth tokens. Thanks to Philip Lipu Tsai for noticing this.
+
+== 0.2.6 2008-9-9 The lets RSA release
+
+- Bill Kocik's fix for Ruby 1.8.7
+- Fixed rsa verification, so you can actually create an OAuth server yourself now using Ruby and RSA
+- Added better testing for RSA
+- Fixed issue where token was being included for rsa signatures
+- Chris Mear added support for a private_key_file option for rsa signatures 
+- Scott Hill fixed several edge cases where parameters were incorrectly being signed
+- Patch from choonkeat fixing a problem with rsa signing.
+
+== 0.2.2 2008-2-22 Lets actually support SSL release
+
+It didn't actually use https when required.
+
+== 0.2 2008-1-19 All together now release
+
+This is a big release, where we have merged the efforts of various parties into one common library. This means there are definitely some API changes you should be aware of. They should be minimal but please have a look at the unit tests.
+
+== 0.1.2 2007-12-1
+
+* 1 Fixed a problem where incoming request didn't check whether oauth parameters where missing. While not giving unauthorized access it did cause extra processing where not necessary.
+* 2 Includes Pat's fix for getting the realm out.
+
+== 0.1.1 2007-11-26
+
+* 1 First release as a GEM
+  * Moved all non rails functions into this GEM from the Rails plugin http://code.google.com/p/oauth-plugin/

data/License.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2007 Blaine Cook, Larry Halff, Pelle Braendgaard
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Manifest.txt

@@ -0,0 +1,55 @@
+History.txt
+License.txt
+Manifest.txt
+README.txt
+Rakefile
+config/hoe.rb
+config/requirements.rb
+lib/oauth.rb
+lib/oauth/client.rb
+lib/oauth/client/action_controller_request.rb
+lib/oauth/client/helper.rb
+lib/oauth/client/net_http.rb
+lib/oauth/consumer.rb
+lib/oauth/helper.rb
+lib/oauth/request_proxy.rb
+lib/oauth/request_proxy/action_controller_request.rb
+lib/oauth/request_proxy/base.rb
+lib/oauth/request_proxy/net_http.rb
+lib/oauth/request_proxy/rack_request.rb
+lib/oauth/server.rb
+lib/oauth/signature.rb
+lib/oauth/signature/base.rb
+lib/oauth/signature/hmac/base.rb
+lib/oauth/signature/hmac/md5.rb
+lib/oauth/signature/hmac/rmd160.rb
+lib/oauth/signature/hmac/sha1.rb
+lib/oauth/signature/hmac/sha2.rb
+lib/oauth/signature/md5.rb
+lib/oauth/signature/plaintext.rb
+lib/oauth/signature/rsa/sha1.rb
+lib/oauth/signature/sha1.rb
+lib/oauth/token.rb
+lib/oauth/version.rb
+script/destroy
+script/generate
+script/txt2html
+setup.rb
+tasks/deployment.rake
+tasks/environment.rake
+tasks/website.rake
+test/test_action_controller_request_proxy.rb
+test/test_consumer.rb
+test/test_helper.rb
+test/test_hmac_sha1.rb
+test/test_net_http_client.rb
+test/test_net_http_request_proxy.rb
+test/test_rack_request_proxy.rb
+test/test_signature.rb
+test/test_signature_base.rb
+test/test_token.rb
+website/index.html
+website/index.txt
+website/javascripts/rounded_corners_lite.inc.js
+website/stylesheets/screen.css
+website/template.rhtml

data/Rakefile

@@ -0,0 +1,4 @@
+require 'config/requirements'
+require 'config/hoe' # setup Hoe + all gem configuration
+
+Dir['tasks/**/*.rake'].each { |rake| load rake }

data/config/hoe.rb

@@ -0,0 +1,71 @@
+require 'oauth/version'
+
+AUTHOR = ['Pelle Braendgaard','Blaine Cook','Larry Halff','Jesse Clark','Jon Crosby', 'Seth Fitzsimmons']  # can also be an array of Authors
+EMAIL = "pelleb@gmail.com"
+DESCRIPTION = "OAuth Core Ruby implementation"
+GEM_NAME = 'oauth' # what ppl will type to install your gem
+RUBYFORGE_PROJECT = 'oauth' # The unix name for your project
+HOMEPATH = "http://#{RUBYFORGE_PROJECT}.rubyforge.org"
+DOWNLOAD_PATH = "http://rubyforge.org/projects/#{RUBYFORGE_PROJECT}"
+
+@config_file = "~/.rubyforge/user-config.yml"
+@config = nil
+RUBYFORGE_USERNAME = "unknown"
+def rubyforge_username
+  unless @config
+    begin
+      @config = YAML.load(File.read(File.expand_path(@config_file)))
+    rescue
+      puts <<-EOS
+ERROR: No rubyforge config file found: #{@config_file}
+Run 'rubyforge setup' to prepare your env for access to Rubyforge
+ - See http://newgem.rubyforge.org/rubyforge.html for more details
+      EOS
+      exit
+    end
+  end
+  RUBYFORGE_USERNAME.replace @config["username"]
+end
+
+
+REV = nil 
+# UNCOMMENT IF REQUIRED: 
+# REV = `svn info`.each {|line| if line =~ /^Revision:/ then k,v = line.split(': '); break v.chomp; else next; end} rescue nil
+VERS = Oauth::VERSION::STRING + (REV ? ".#{REV}" : "")
+RDOC_OPTS = ['--quiet', '--title', 'oauth documentation',
+    "--opname", "index.html",
+    "--line-numbers", 
+    "--main", "README",
+    "--inline-source"]
+
+class Hoe
+  def extra_deps 
+    @extra_deps.reject! { |x| Array(x).first == 'hoe' } 
+    @extra_deps
+  end 
+end
+
+# Generate all the Rake tasks
+# Run 'rake -T' to see list of generated tasks (from gem root directory)
+hoe = Hoe.new(GEM_NAME, VERS) do |p|
+  p.author = AUTHOR 
+  p.description = DESCRIPTION
+  p.email = EMAIL
+  p.summary = DESCRIPTION
+  p.url = HOMEPATH
+  p.rubyforge_name = RUBYFORGE_PROJECT if RUBYFORGE_PROJECT
+  p.test_globs = ["test/**/test_*.rb"]
+  p.clean_globs |= ['**/.*.sw?', '*.gem', '.config', '**/.DS_Store']  #An array of file patterns to delete on clean.
+  
+  # == Optional
+  p.changes = p.paragraphs_of("History.txt", 0..1).join("\n\n")
+  p.extra_deps = [['ruby-hmac','>= 0.3.1'] ]    # An array of rubygem dependencies [name, version], e.g. [ ['active_support', '>= 1.3.1'] ]
+  
+  #p.spec_extras = {}    # A hash of extra values to set in the gemspec.
+  
+end
+
+CHANGES = hoe.paragraphs_of('History.txt', 0..1).join("\\n\\n")
+PATH    = (RUBYFORGE_PROJECT == GEM_NAME) ? RUBYFORGE_PROJECT : "#{RUBYFORGE_PROJECT}/#{GEM_NAME}"
+hoe.remote_rdoc_dir = File.join(PATH.gsub(/^#{RUBYFORGE_PROJECT}\/?/,''), 'rdoc')
+hoe.rsync_args = '-av --delete --ignore-errors'

data/config/requirements.rb

@@ -0,0 +1,17 @@
+require 'fileutils'
+include FileUtils
+
+require 'rubygems'
+%w[rake hoe newgem rubigen].each do |req_gem|
+  begin
+    require req_gem
+  rescue LoadError
+    puts "This Rakefile requires the '#{req_gem}' RubyGem."
+    puts "Installation: gem install #{req_gem} -y"
+    exit
+  end
+end
+
+$:.unshift(File.join(File.dirname(__FILE__), %w[.. lib]))
+
+require 'oauth'

data/lib/oauth.rb

@@ -0,0 +1,3 @@
+$:.unshift File.dirname(__FILE__)
+
+module OAuth; end

data/lib/oauth/client.rb

@@ -0,0 +1,4 @@
+module OAuth
+  module Client
+  end
+end

data/lib/oauth/client/action_controller_request.rb

@@ -0,0 +1,52 @@
+require 'oauth/client/helper'
+require 'oauth/request_proxy/action_controller_request'
+require 'action_controller/test_process'
+
+module ActionController
+  class Base
+    def process_with_oauth(request,response=nil)
+      request.apply_oauth!
+      process_without_oauth(request,response)
+    end
+
+    alias_method_chain :process, :oauth
+  end
+
+  class TestRequest
+    def self.use_oauth=(bool)
+      @use_oauth = bool
+    end
+
+    def self.use_oauth?
+      @use_oauth 
+    end
+
+    def configure_oauth(consumer = nil, token = nil, options = {})
+      @oauth_options = { :consumer => consumer,
+                   :token => token,
+                   :scheme => 'header',
+                   :signature_method => nil,
+                   :nonce => nil,
+                   :timestamp => nil }.merge(options)
+    end
+
+    def apply_oauth!
+      return unless ActionController::TestRequest.use_oauth? && @oauth_options
+      @oauth_helper = OAuth::Client::Helper.new(self, @oauth_options.merge( { :request_uri => request_uri } ))
+
+      self.send("set_oauth_#{@oauth_options[:scheme]}")
+    end
+
+    def set_oauth_header
+      env['Authorization'] = @oauth_helper.header
+    end
+
+    def set_oauth_parameters
+      @query_parameters = @oauth_helper.parameters_with_oauth
+      @query_parameters.merge!( { :oauth_signature => @oauth_helper.signature } )
+    end
+    
+    def set_oauth_query_string
+    end
+  end
+end

data/lib/oauth/client/helper.rb

@@ -0,0 +1,88 @@
+require 'oauth/client'
+require 'oauth/consumer'
+require 'oauth/helper'
+require 'oauth/token'
+require 'oauth/signature/hmac/sha1'
+
+module OAuth::Client
+  class Helper
+    include OAuth::Helper
+    
+    def initialize(request, options = {})
+      @request = request
+      @options = options
+      @options[:signature_method] ||= 'HMAC-SHA1'
+    end
+
+    def options
+      @options
+    end
+
+    def nonce
+      options[:nonce] ||= generate_key
+    end
+
+    def timestamp
+      options[:timestamp] ||= generate_timestamp
+    end
+
+    def generate_timestamp
+      Time.now.to_i.to_s
+    end
+
+    def oauth_parameters
+      params = {
+        'oauth_consumer_key'     => options[:consumer].key,
+        'oauth_token'            => options[:token] ? options[:token].token : '',
+        'oauth_signature_method' => options[:signature_method],
+        'oauth_timestamp'        => timestamp,
+        'oauth_nonce'            => nonce,
+        'oauth_version'          => '1.0'
+      }
+      
+      prune_oauth_token_if_not_present params
+      params
+    end
+
+    def signature(extra_options = {})
+      OAuth::Signature.sign(@request, { :uri      => options[:request_uri],
+                                                    :consumer => options[:consumer],
+                                                    :token    => options[:token] }.merge(extra_options) )
+    end
+
+    def signature_base_string(extra_options = {})
+      OAuth::Signature.signature_base_string(@request, { :uri      => options[:request_uri],
+                                                    :consumer => options[:consumer],
+                                                    :token    => options[:token],
+                                                    :parameters => oauth_parameters}.merge(extra_options) )
+    end
+
+    def header
+      parameters = oauth_parameters
+      parameters.merge!( { 'oauth_signature' => signature( options.merge({ :parameters => parameters }) ) } )
+
+      header_params_str = parameters.map { |k,v| "#{k}=\"#{escape(v)}\"" }.join(', ')
+
+      return "OAuth realm=\"#{options[:realm]||''}\", #{header_params_str}"
+    end
+
+    def parameters
+      OAuth::RequestProxy.proxy(@request).parameters
+    end
+
+    def parameters_with_oauth
+      oauth_parameters.merge( parameters )
+    end
+    
+    protected 
+    
+    # If the oauth_token key is present, strip it. This _can't_ go up in the 
+    # RequestToken when using HMAC-SHA1. The hashing validation gets blowed up.
+    # HACK: the request signing in Consumer,rb and Token.rb need a little refatoring 
+    # so this isn't needed.
+    def prune_oauth_token_if_not_present(params = {})
+      params.delete("oauth_token") if params["oauth_token"].nil? or params["oauth_token"].empty?
+    end
+    
+  end
+end

data/lib/oauth/client/net_http.rb

@@ -0,0 +1,75 @@
+require 'oauth/helper'
+require 'oauth/client/helper'
+require 'oauth/request_proxy/net_http'
+
+class Net::HTTPRequest
+  include OAuth::Helper
+
+  def oauth!(http, consumer = nil, token = nil, options = {})
+    options = { :request_uri => oauth_full_request_uri(http),
+                :consumer => consumer,
+                :token => token,
+                :scheme => 'header',
+                :signature_method => nil,
+                :nonce => nil,
+                :timestamp => nil }.merge(options)
+
+    @oauth_helper = OAuth::Client::Helper.new(self, options)
+    self.send("set_oauth_#{options[:scheme]}")
+  end
+
+  def signature_base_string(http, consumer = nil, token = nil, options = {})
+    options = { :request_uri => oauth_full_request_uri(http),
+                :consumer => consumer,
+                :token => token,
+                :scheme => 'header',
+                :signature_method => nil,
+                :nonce => nil,
+                :timestamp => nil }.merge(options)
+
+    OAuth::Client::Helper.new(self, options).signature_base_string
+  end
+  
+  def oauth_helper
+    @oauth_helper
+  end
+  private
+
+  def oauth_full_request_uri(http)
+    uri = URI.parse(self.path)
+    uri.host = http.address
+    uri.port = http.port
+    if http.respond_to?(:use_ssl?)
+      uri.scheme = http.use_ssl? ? 'https' : 'http'
+    end
+    uri.to_s
+  end
+
+  def set_oauth_header
+    self['Authorization'] = @oauth_helper.header
+  end
+
+  # FIXME: if you're using a POST body and query string parameters, using this
+  # method will convert those parameters on the query string into parameters in
+  # the body. this is broken, and should be fixed.
+  def set_oauth_body
+    self.set_form_data(@oauth_helper.parameters_with_oauth)
+    params_with_sig = @oauth_helper.parameters.merge(:oauth_signature => @oauth_helper.signature)
+    self.set_form_data(params_with_sig)
+  end
+
+  def set_oauth_query_string
+    oauth_params_str = @oauth_helper.oauth_parameters.map { |k,v| "#{k}=#{v}" }.join("&")
+
+    uri = URI.parse(path)
+    if !uri.query || uri.query == ''
+      uri.query = oauth_params_str
+    else
+      uri.query = uri.query + "&" + oauth_params_str
+    end
+
+    @path = uri.to_s
+
+    @path << "&oauth_signature=#{escape(@oauth_helper.signature)}"
+  end
+end

data/lib/oauth/consumer.rb

@@ -0,0 +1,218 @@
+require 'net/http'
+require 'net/https'
+require 'oauth/client/net_http'
+module OAuth
+  class Consumer
+    
+    @@default_options={
+      # Signature method used by server. Defaults to HMAC-SHA1
+      :signature_method => 'HMAC-SHA1',
+      
+      # default paths on site. These are the same as the defaults set up by the generators
+      :request_token_path=>'/oauth/request_token',
+      :authorize_path=>'/oauth/authorize',
+      :access_token_path=>'/oauth/access_token',
+      
+      # How do we send the oauth values to the server see 
+      # http://oauth.net/core/1.0/#consumer_req_param for more info
+      #
+      # Possible values:
+      #
+      #   :header - via the Authorize header (Default) ( option 1. in spec)
+      #   :body - url form encoded in body of POST request ( option 2. in spec)
+      #   :query_string - via the query part of the url ( option 3. in spec)
+      :scheme=>:header, 
+      
+      # Default http method used for OAuth Token Requests (defaults to :post)
+      :http_method=>:post, 
+      
+      :oauth_version=>"1.0"
+    }
+    
+    attr_accessor :site,:options, :key, :secret,:http
+    
+    
+    # Create a new consumer instance by passing it a configuration hash:
+    #
+    #   @consumer=OAuth::Consumer.new( key,secret,{
+    #     :site=>"http://term.ie",
+    #     :scheme=>:header,
+    #     :http_method=>:post,
+    #     :request_token_path=>"/oauth/example/request_token.php",
+    #     :access_token_path=>"/oauth/example/access_token.php",
+    #     :authorize_path=>"/oauth/example/authorize.php"
+    #    })
+    #
+    # Start the process by requesting a token
+    #
+    #   @request_token=@consumer.get_request_token
+    #   session[:request_token]=@request_token
+    #   redirect_to @request_token.authorize_url
+    #
+    # When user returns create an access_token
+    #
+    #   @access_token=@request_token.get_access_token
+    #   @photos=@access_token.get('/photos.xml')
+    #
+    #
+    
+    def initialize(consumer_key,consumer_secret,options={})
+      # ensure that keys are symbols
+      @options=@@default_options.merge( options.inject({}) do |options, (key, value)|
+        options[key.to_sym] = value
+        options
+      end)
+      @key = consumer_key
+      @secret = consumer_secret
+    end
+    
+    # The default http method
+    def http_method
+      @http_method||=@options[:http_method]||:post
+    end
+    
+    # The HTTP object for the site. The HTTP Object is what you get when you do Net::HTTP.new
+    def http
+      @http ||= create_http
+    end
+    
+    # Contains the root URI for this site
+    def uri(custom_uri=nil)
+      if custom_uri
+        @uri = custom_uri
+        @http = create_http # yike, oh well. less intrusive this way
+      else  # if no custom passed, we use existing, which, if unset, is set to site uri
+        @uri ||= URI.parse(site)
+      end
+    end
+    
+    # Makes a request to the service for a new OAuth::RequestToken
+    #   
+    #  @request_token=@consumer.get_request_token
+    #
+    def get_request_token(request_options={}, *arguments)
+      response=token_request(http_method,request_token_path, nil, request_options, *arguments)
+      OAuth::RequestToken.new(self,response[:oauth_token],response[:oauth_token_secret])
+    end
+    
+    # Creates, signs and performs an http request.
+    # It's recommended to use the OAuth::Token classes to set this up correctly.
+    # The arguments parameters are a hash or string encoded set of parameters if it's a post request as well as optional http headers.
+    # 
+    #   @consumer.request(:get,'/people',@token,{:scheme=>:query_string})
+    #   @consumer.request(:post,'/people',@token,{},@person.to_xml,{ 'Content-Type' => 'application/xml' })
+    #
+    def request(http_method,path, token=nil,request_options={},*arguments)
+      http.request(create_signed_request(http_method,path,token,request_options,*arguments))
+    end
+    
+    # Creates and signs an http request.
+    # It's recommended to use the Token classes to set this up correctly
+    def create_signed_request(http_method,path, token=nil,request_options={},*arguments)
+      request=create_http_request(http_method,path,*arguments)
+      sign!(request,token,request_options)
+      request
+    end
+    
+    # Creates a request and parses the result as url_encoded. This is used internally for the RequestToken and AccessToken requests.
+    def token_request(http_method,path,token=nil,request_options={},*arguments)
+      response=request(http_method,path,token,request_options,*arguments)
+      if response.code=="200"
+        CGI.parse(response.body).inject({}){|h,(k,v)| h[k.to_sym]=v.first;h}
+      else 
+        response.error! 
+      end
+    end
+
+    # Sign the Request object. Use this if you have an externally generated http request object you want to sign.
+    def sign!(request,token=nil, request_options = {})
+      request.oauth!(http, self, token, options.merge(request_options))
+    end
+    
+    # Return the signature_base_string
+    def signature_base_string(request,token=nil, request_options = {})
+      request.signature_base_string(http, self, token, options.merge(request_options))
+    end
+
+    def site
+      @options[:site].to_s
+    end
+
+    def scheme
+      @options[:scheme]
+    end
+    
+    def request_token_path
+      @options[:request_token_path]
+    end
+    
+    def authorize_path
+      @options[:authorize_path]
+    end
+    
+    def access_token_path
+      @options[:access_token_path]
+    end
+    
+    # TODO this is ugly, rewrite
+    def request_token_url
+      @options[:request_token_url]||site+request_token_path
+    end
+
+    def authorize_url
+      @options[:authorize_url]||site+authorize_path
+    end
+
+    def access_token_url
+      @options[:access_token_url]||site+access_token_path
+    end
+
+    protected
+    
+    #Instantiates the http object
+    def create_http
+      http_object=Net::HTTP.new(uri.host, uri.port)
+      http_object.use_ssl = true if uri.scheme=="https"
+      http_object
+    end
+    
+    # create the http request object for a given http_method and path
+    def create_http_request(http_method,path,*arguments)
+      http_method=http_method.to_sym
+      if [:post,:put].include?(http_method)
+        data=arguments.shift
+      end
+      headers=(arguments.first.is_a?(Hash) ? arguments.shift : {})
+      case http_method
+      when :post
+        request=Net::HTTP::Post.new(path,headers)
+        request["Content-Length"]=0 # Default to 0
+      when :put
+        request=Net::HTTP::Put.new(path,headers)
+        request["Content-Length"]=0 # Default to 0
+      when :get
+        request=Net::HTTP::Get.new(path,headers)
+      when :delete
+        request=Net::HTTP::Delete.new(path,headers)
+      when :head
+        request=Net::HTTP::Head.new(path,headers)
+      else
+        raise ArgumentError, "Don't know how to handle http_method: :#{http_method.to_s}"
+      end
+      if data.is_a?(Hash)
+        request.set_form_data(data)
+      elsif data
+        request.body=data.to_s
+        request["Content-Length"]=request.body.length
+      end
+      request
+    end
+    
+    # Unset cached http instance because it cannot be marshalled when
+    # it has already been used and use_ssl is set to true
+    def marshal_dump(*args)
+      @http = nil
+      self
+    end
+  end
+end