lib/oauth/client.rb lib/oauth/client/action_controller_request.rb lib/oauth/client/helper.rb lib/oauth/client/net_http.rb lib/oauth/helper.rb lib/oauth/request_proxy.rb lib/oauth/request_proxy/action_controller_request.rb lib/oauth/request_proxy/base.rb lib/oauth/request_proxy/net_http.rb lib/oauth/signature/base.rb lib/oauth/signature/hmac/base.rb lib/oauth/signature/hmac/md5.rb lib/oauth/signature/hmac/rmd160.rb lib/oauth/signature/hmac/sha1.rb lib/oauth/signature/hmac/sha2.rb lib/oauth/signature/md5.rb lib/oauth/signature/plaintext.rb lib/oauth/signature/rsa/sha1.rb lib/oauth/signature/sha1.rb @@ -1,3 +1,7 @@ +== 0.2 2007-1-19 All together now release + +This is a big release, where we have merged the efforts of various parties into one common library. This means there are definitely some API changes you should be aware of. They should be minimal but please have a look at the unit tests. + == 0.1.2 2007-12-1 * 1 Fixed a problem where incoming request didn't check whether oauth parameters where missing. While not giving unauthorized access it did cause extra processing where not necessary. History.txt @@ -1,4 +1,4 @@ -Copyright (c) 2007 Pelle Braendgaard +Copyright (c) 2007 Blaine Cook, Larry Halff, Pelle Braendgaard Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the License.txt @@ -6,13 +6,28 @@ Rakefile config/hoe.rb config/requirements.rb lib/oauth.rb +lib/oauth/client.rb +lib/oauth/client/action_controller_request.rb +lib/oauth/client/helper.rb +lib/oauth/client/net_http.rb lib/oauth/consumer.rb -lib/oauth/consumer_credentials.rb -lib/oauth/key.rb -lib/oauth/oauth_test_helper.rb -lib/oauth/request.rb +lib/oauth/helper.rb +lib/oauth/request_proxy.rb +lib/oauth/request_proxy/action_controller_request.rb +lib/oauth/request_proxy/base.rb +lib/oauth/request_proxy/net_http.rb lib/oauth/server.rb lib/oauth/signature.rb +lib/oauth/signature/base.rb +lib/oauth/signature/hmac/base.rb +lib/oauth/signature/hmac/md5.rb +lib/oauth/signature/hmac/rmd160.rb +lib/oauth/signature/hmac/sha1.rb +lib/oauth/signature/hmac/sha2.rb +lib/oauth/signature/md5.rb +lib/oauth/signature/plaintext.rb +lib/oauth/signature/rsa/sha1.rb +lib/oauth/signature/sha1.rb lib/oauth/token.rb lib/oauth/version.rb script/destroy @@ -22,12 +37,15 @@ setup.rb tasks/deployment.rake tasks/environment.rake tasks/website.rake +test/test_action_controller_request_proxy.rb test/test_consumer.rb test/test_helper.rb -test/test_oauth.rb -test/test_request.rb -test/test_server.rb +test/test_hmac_sha1.rb +test/test_net_http_client.rb +test/test_net_http_request_proxy.rb test/test_signature.rb +test/test_signature_base.rb +test/test_token.rb website/index.html website/index.txt website/javascripts/rounded_corners_lite.inc.js Manifest.txt @@ -1,6 +1,6 @@ require 'oauth/version' -AUTHOR = 'Pelle Braendgaard' # can also be an array of Authors +AUTHOR = ['Pelle Braendgaard','Blaine Cook','Larry Halff'] # can also be an array of Authors EMAIL = "pelleb@gmail.com" DESCRIPTION = "OAuth Core Ruby implementation" GEM_NAME = 'oauth' # what ppl will type to install your gem config/hoe.rb @@ -1,14 +1,3 @@ $:.unshift File.dirname(__FILE__) -require 'rubygems' -require 'oauth/key' -require 'oauth/request' -require 'oauth/signature' -require 'oauth/consumer_credentials' -require 'oauth/consumer' -require 'oauth/server' -require 'oauth/token' -require 'oauth/oauth_test_helper' -module OAuth - -end \ No newline at end of file +module OAuth; end lib/oauth.rb @@ -1,7 +1,9 @@ +require 'net/http' +require 'oauth/client/net_http' module OAuth - class Consumer<ConsumerCredentials + class Consumer - @@default_params={ + @@default_options={ # Signature method used by server. Defaults to HMAC-SHA1 :oauth_signature_method=>'HMAC-SHA1', @@ -15,10 +17,10 @@ module OAuth # # Possible values: # - # :authorize - via the Authorize header (Default) ( option 1. in spec) - # :post - url form encoded in body of POST request ( option 2. in spec) - # :query - via the query part of the url ( option 3. in spec) - :auth_method=>:authorize, + # :header - via the Authorize header (Default) ( option 1. in spec) + # :body - url form encoded in body of POST request ( option 2. in spec) + # :query_string - via the query part of the url ( option 3. in spec) + :scheme=>:header, # Default http method used for OAuth Token Requests (defaults to :post) :http_method=>:post, @@ -26,15 +28,14 @@ module OAuth :oauth_version=>"1.0" } - attr_accessor :site,:params + attr_accessor :site,:options, :key, :secret,:http + # Create a new consumer instance by passing it a configuration hash: # - # @consumer=OAuth::Consumer.new( { - # :consumer_key=>"key", - # :consumer_secret=>"secret", + # @consumer=OAuth::Consumer.new( key,secret,{ # :site=>"http://term.ie", - # :auth_method=>:authorize, + # :scheme=>:header, # :http_method=>:post, # :request_token_path=>"/oauth/example/request_token.php", # :access_token_path=>"/oauth/example/access_token.php", @@ -43,81 +44,149 @@ module OAuth # # Start the process by requesting a token # - # @request_token=@consumer.request_token + # @request_token=@consumer.get_request_token # session[:request_token]=@request_token # redirect_to @request_token.authorize_url # # When user returns create an access_token # - # @access_token=@request_token.access_token - # @photos=@access_token.get('http://test.com/photos.xml') + # @access_token=@request_token.get_access_token + # @photos=@access_token.get('/photos.xml') # # - def initialize(params) + def initialize(consumer_key,consumer_secret,options={}) # ensure that keys are symbols - @params=@@default_params.merge( params.inject({}) do |options, (key, value)| + @options=@@default_options.merge( options.inject({}) do |options, (key, value)| options[key.to_sym] = value options end) - super @params[:consumer_key],@params[:consumer_secret] - @site=@params[:site] - raise ArgumentError, 'Missing site URI' unless @site + @key = consumer_key + @secret = consumer_secret end def http_method - @http_method||=@params[:http_method]||:post + @http_method||=@options[:http_method]||:post + end + + def http + @http ||= Net::HTTP.new(uri.host, uri.port) + end + + # will change + def uri(url=nil) + @uri||=URI.parse(url||site) end # Get a Request Token def get_request_token - request=create_request(http_method,request_token_path) - response=request.perform_token_request(self.secret) + response=token_request(http_method,request_token_path) OAuth::RequestToken.new(self,response[:oauth_token],response[:oauth_token_secret]) end - def create_request(http_method,path, oauth_params={},*arguments) - OAuth::Request.new(http_method,site,path,oauth_params.merge({ - :oauth_consumer_key=>self.key, - :realm=>authorize_url, - :oauth_signature_method=>params[:oauth_signature_method], - :oauth_version=>params[:oauth_version], - :auth_method=>auth_method - }),*arguments) + # Creates, signs and performs an http request. + # It's recommended to use the Token classes to set this up correctly. + # The arguments parameters are a hash or string encoded set of parameters if it's a post request as well as optional http headers. + # + # @consumer.request(:get,'/people',@token,{:scheme=>:query_string}) + # @consumer.request(:post,'/people',@token,{},@person.to_xml,{ 'Content-Type' => 'application/xml' }) + # + def request(http_method,path, token=nil,request_options={},*arguments) + http.request(create_signed_request(http_method,path,token,request_options,*arguments)) + end + + # Creates and signs an http request. + # It's recommended to use the Token classes to set this up correctly + def create_signed_request(http_method,path, token=nil,request_options={},*arguments) + request=create_http_request(http_method,path,*arguments) + sign!(request,token,request_options) + request + end + + # Creates a request and parses the result as url_encoded. This is used internally for the RequestToken and AccessToken requests. + def token_request(http_method,path,token=nil,request_options={},*arguments) + response=request(http_method,path,token,request_options,*arguments) + if response.code=="200" + CGI.parse(response.body).inject({}){|h,(k,v)| h[k.to_sym]=v.first;h} + else + response.error! + end end - def signed_request(http_method, path, oauth_params={},token_secret=nil,*arguments) - request=create_request(http_method,path,oauth_params,*arguments) - request.sign(self.secret,token_secret) - request + # Sign the Request object. Use this if you have an externally generated http request object you want to sign. + def sign!(request,token=nil, request_options = {}) + request.oauth!(http,self,token,{:scheme=>scheme}.merge(request_options)) end - def auth_method - @params[:auth_method] + # Return the signature_base_string + def signature_base_string(request,token=nil, request_options = {}) + request.signature_base_string(http,self,token,{:scheme=>scheme}.merge(request_options)) + end + + def site + @options[:site] + end + + def scheme + @options[:scheme] end def request_token_path - @params[:request_token_path] + @options[:request_token_path] end def authorize_path - @params[:authorize_path] + @options[:authorize_path] end def access_token_path - @params[:access_token_path] + @options[:access_token_path] end - + + # TODO this is ugly, rewrite def request_token_url - site+request_token_path + @options[:request_token_url]||site+request_token_path end def authorize_url - site+authorize_path + @options[:authorize_url]||site+authorize_path end def access_token_url - site+access_token_path + @options[:access_token_url]||site+access_token_path end + + protected + + # create the http request object for a given http_method and path + def create_http_request(http_method,path,*arguments) + http_method=http_method.to_sym + if [:post,:put].include?(http_method) + data=arguments.shift + end + headers=(arguments.first.is_a?(Hash) ? arguments.shift : {}) + case http_method + when :post + request=Net::HTTP::Post.new(path,headers) + when :put + request=Net::HTTP::Put.new(path,headers) + when :get + request=Net::HTTP::Get.new(path,headers) + when :delete + request=Net::HTTP::Delete.new(path,headers) + when :head + request=Net::HTTP::Head.new(path,headers) + else + raise ArgumentError, "Don't know how to handle http_method: :#{http_method.to_s}" + end + if data.is_a?(Hash) + request.set_form_data(data) + elsif data + request.body=data.to_s + end + request + end + + end end lib/oauth/consumer.rb @@ -1,7 +1,9 @@ +require 'oauth/helper' +require 'oauth/consumer' module OAuth # This is mainly used to create consumer credentials and can pretty much be ignored if you want to create your own class Server - include OAuth::Key + include OAuth::Helper attr_accessor :base_url @@server_paths={ @@ -20,19 +22,20 @@ module OAuth end def generate_consumer_credentials(params={}) - ConsumerCredentials.new( *generate_credentials) + Consumer.new( *generate_credentials) end # mainly for testing purposes def create_consumer credentials=generate_credentials - Consumer.new( { - :site=>base_url, - :consumer_key=>credentials[0], - :consumer_secret=>credentials[1], - :request_token_path=>request_token_path, - :authorize_path=>authorize_path, - :access_token_path=>access_token_path + Consumer.new( + credentials[0], + credentials[1], + { + :site=>base_url, + :request_token_path=>request_token_path, + :authorize_path=>authorize_path, + :access_token_path=>access_token_path }) end lib/oauth/server.rb @@ -1,155 +1,28 @@ -require 'cgi' -require 'hmac' # make sure to install: sudo gem install ruby-hmac -require 'hmac-sha1' -require 'hmac-md5' -require 'hmac-sha2' -require 'hmac-rmd160' - -require 'base64' module OAuth - # Much of this code has been blatantly stolen fron Blaine Cooke of Twitter and Larry Halff of ma.gnolia.com - # and lovingly hand modified with the utmost respect. - - # You should not need to use this directly as the request object encapsulates it in the sign and verify methods module Signature - def self.create(oauth_request,consumer_secret,token_secret=nil) - klass = case oauth_request.signature_method.downcase - when 'hmac-md5': OAuth::Signature::HashedMessageAuth::MD5 - when 'hmac-sha1': OAuth::Signature::HashedMessageAuth::SHA1 - when 'hmac-sha2': OAuth::Signature::HashedMessageAuth::SHA2 - when 'hmac-rmd160': OAuth::Signature::HashedMessageAuth::RMD160 - when 'plaintext': - if oauth_request.uri.scheme=="https" - OAuth::Signature::PLAINTEXT - else - raise InsecureSignatureMethod - end - when 'rsa-sha1': OAuth::Signature::RSA::SHA1 - when 'sha1': raise InsecureSignatureMethod, oauth_request.signature_method - when 'md5': raise InsecureSignatureMethod, oauth_request.signature_method - else - raise UnknownSignatureMethod, oauth_request.signature_method - end - - klass.new(oauth_request,consumer_secret,token_secret) + def self.available_methods + @available_methods ||= {} end - class UnknownSignatureMethod < Exception; end - - class InsecureSignatureMethod < Exception; end - - class Base - include OAuth::Key - - attr_accessor :request - - def initialize(request,consumer_secret,token_secret=nil) - @request=request - @consumer_secret=consumer_secret - @token_secret=token_secret - end - - def base_string - [@request.http_method,@request.normalized_url,@request.to_query_without_signature].collect{|p| @request.escape(p)}.join('&') - end - - def key - "#{@consumer_secret}&#{@token_secret}" - end - - def consumer_secret - @consumer_secret||="" - end - - def token_secret - @token_secret||="" - end - - def sign - Base64.encode64(digest).chomp - end - - def sign! - @request.signature=sign - end - - def verify? - return false unless @request.signed? - @request.signature==sign - end - - protected - - def digest - digest_class.digest(base_string) - end + def self.build(request, options = {}, &block) + request = OAuth::RequestProxy.proxy(request, options) + klass = available_methods[(request.signature_method || "").downcase] + raise UnknownSignatureMethod, request.signature_method unless klass + klass.new(request, options, &block) end - - class PLAINTEXT < Base - - def sign - base_string - end - - def base_string - "#{escape(consumer_secret)}&#{escape(token_secret)}" - end - - private - def digest; signature_base_string; end + def self.sign(request, options = {}, &block) + self.build(request, options, &block).signature end - - module HashedMessageAuth - class Base < OAuth::Signature::Base - private - - def digest - hmac_class.digest(secret, base_string) - end - - def secret - "#{escape(consumer_secret)}&#{escape(token_secret)}" - end - end - - class MD5 < Base - private - def hmac_class; HMAC::MD5; end - end - - class RMD160 < Base - private - def hmac_class; HMAC::RMD160; end - end - - class SHA1 < Base - private - def hmac_class; HMAC::SHA1; end - end - - class SHA2 < Base - private - def hmac_class; HMAC::SHA1; end - end + def self.verify(request, options = {}, &block) + self.build(request, options, &block).verify end - module RSA - class SHA1 < OAuth::Signature::Base - def ==(cmp_signature) - public_key = OpenSSL::PKey::RSA.new(consumer_secret) - public_key.verify(OpenSSL::Digest::SHA1.new, cmp_signature, base_string) - end - - private - - def digest - private_key = OpenSSL::PKey::RSA.new(consumer_secret) - private_key.sign(OpenSSL::Digest::SHA1.new, base_string) - end - end + def self.signature_base_string(request, options = {}, &block) + self.build(request, options, &block).signature_base_string end - + + class UnknownSignatureMethod < Exception; end end end lib/oauth/signature.rb @@ -1,9 +1,10 @@ +require 'oauth/helper' module OAuth # Superclass for the various tokens used by OAuth class Token - include OAuth::Key + include OAuth::Helper attr_accessor :token, :secret @@ -33,6 +34,21 @@ module OAuth super token,secret @consumer=consumer end + + # Make a signed request using given http_method to the path + # + # @token.request(:get,'/people') + # @token.request(:post,'/people',@person.to_xml,{ 'Content-Type' => 'application/xml' }) + # + def request(http_method,path,*arguments) + response=consumer.request(http_method,path,self,{},*arguments) + end + + # Sign a request generated elsewhere using Net:HTTP::Post.new or friends + def sign!(request,options = {}) + consumer.sign!(request,self,options) + end + end # The RequestToken is used for the initial Request. @@ -45,9 +61,8 @@ module OAuth end # exchange for AccessToken on server - def get_access_token - request=consumer.create_request(consumer.http_method,consumer.access_token_path,{:oauth_token=>self.token}) - response=request.perform_token_request(consumer.secret,self.secret) + def get_access_token(options={}) + response=consumer.token_request(consumer.http_method,consumer.access_token_path,self,options) OAuth::AccessToken.new(consumer,response[:oauth_token],response[:oauth_token_secret]) end end @@ -55,29 +70,54 @@ module OAuth # The Access Token is used for the actual "real" web service calls thatyou perform against the server class AccessToken<ConsumerToken + # Make a regular get request using AccessToken + # + # @response=@token.get('/people') + # @response=@token.get('/people',{'Accept'=>'application/xml'}) + # def get(path,headers={}) - perform(:get,path,headers) + request(:get,path,headers) end + # Make a regular head request using AccessToken + # + # @response=@token.head('/people') + # def head(path,headers={}) - perform(:head,path,headers) + request(:head,path,headers) end + # Make a regular post request using AccessToken + # + # @response=@token.post('/people') + # @response=@token.post('/people',{:name=>'Bob',:email=>'bob@mailinator.com'}) + # @response=@token.post('/people',{:name=>'Bob',:email=>'bob@mailinator.com'},{'Accept'=>'application/xml'}) + # @response=@token.post('/people',nil,{'Accept'=>'application/xml'}) + # @response=@token.post('/people',@person.to_xml,{'Accept'=>'application/xml','Content-Type' => 'application/xml'}) + # def post(path, body = '',headers={}) - perform(:post,path,body,headers) + request(:post,path,body,headers) end + # Make a regular put request using AccessToken + # + # @response=@token.put('/people/123') + # @response=@token.put('/people/123',{:name=>'Bob',:email=>'bob@mailinator.com'}) + # @response=@token.put('/people/123',{:name=>'Bob',:email=>'bob@mailinator.com'},{'Accept'=>'application/xml'}) + # @response=@token.put('/people/123',nil,{'Accept'=>'application/xml'}) + # @response=@token.put('/people/123',@person.to_xml,{'Accept'=>'application/xml','Content-Type' => 'application/xml'}) + # def put(path, body = '', headers={}) - perform(:put,path,body,headers) + request(:put,path,body,headers) end + # Make a regular delete request using AccessToken + # + # @response=@token.delete('/people/123') + # @response=@token.delete('/people/123',{'Accept'=>'application/xml'}) + # def delete(path,headers={}) - perform(:delete,path,headers) - end - - def perform(http_method,path,*arguments) - request=consumer.create_request(http_method,path,{:oauth_token=>self.token},*arguments) - response=request.perform(consumer.secret,self.secret) + request(:delete,path,headers) end end end lib/oauth/token.rb @@ -1,8 +1,8 @@ module Oauth #:nodoc: module VERSION #:nodoc: MAJOR = 0 - MINOR = 1 - TINY = 2 + MINOR = 2 + TINY = 0 STRING = [MAJOR, MINOR, TINY].join('.') end lib/oauth/version.rb @@ -1,41 +1,49 @@ require 'test/unit' -require 'oauth' +require 'oauth/consumer' # This performs testing against Andy Smith's test server http://term.ie/oauth/example/ # Thanks Andy. # This also means you have to be online to be able to run these. class ConsumerTest < Test::Unit::TestCase def setup - @consumer=OAuth::Consumer.new( { - :consumer_key=>"key", - :consumer_secret=>"secret", - :site=>"http://term.ie", + @consumer=OAuth::Consumer.new( + 'consumer_key_86cad9', '5888bf0345e5d237', + { + :site=>"http://blabla.bla", :request_token_path=>"/oauth/example/request_token.php", :access_token_path=>"/oauth/example/access_token.php", :authorize_path=>"/oauth/example/authorize.php", - :auth_method=>:query, + :scheme=>:header, :http_method=>:get }) + @token = OAuth::ConsumerToken.new(@consumer,'token_411a7f', '3196ffd991c8ebdb') + @request_uri = URI.parse('http://example.com/test?key=value') + @request_parameters = { 'key' => 'value' } + @nonce = 225579211881198842005988698334675835446 + @timestamp = "1199645624" + @consumer.http=Net::HTTP.new(@request_uri.host, @request_uri.port) end def test_initializer - assert_equal "key",@consumer.key - assert_equal "secret",@consumer.secret - assert_equal "http://term.ie",@consumer.site + assert_equal "consumer_key_86cad9",@consumer.key + assert_equal "5888bf0345e5d237",@consumer.secret + assert_equal "http://blabla.bla",@consumer.site assert_equal "/oauth/example/request_token.php",@consumer.request_token_path assert_equal "/oauth/example/access_token.php",@consumer.access_token_path - assert_equal "http://term.ie/oauth/example/request_token.php",@consumer.request_token_url - assert_equal "http://term.ie/oauth/example/access_token.php",@consumer.access_token_url - assert_equal :query,@consumer.auth_method + assert_equal "http://blabla.bla/oauth/example/request_token.php",@consumer.request_token_url + assert_equal "http://blabla.bla/oauth/example/access_token.php",@consumer.access_token_url + assert_equal "http://blabla.bla/oauth/example/authorize.php",@consumer.authorize_url + assert_equal :header,@consumer.scheme assert_equal :get,@consumer.http_method end def test_defaults - @consumer=OAuth::Consumer.new( { - :consumer_key=>"key", - :consumer_secret=>"secret", - :site=>"http://twitter.com" - }) + @consumer=OAuth::Consumer.new( + "key", + "secret", + { + :site=>"http://twitter.com" + }) assert_equal "key",@consumer.key assert_equal "secret",@consumer.secret assert_equal "http://twitter.com",@consumer.site @@ -43,54 +51,126 @@ class ConsumerTest < Test::Unit::TestCase assert_equal "/oauth/access_token",@consumer.access_token_path assert_equal "http://twitter.com/oauth/request_token",@consumer.request_token_url assert_equal "http://twitter.com/oauth/access_token",@consumer.access_token_url - assert_equal :authorize,@consumer.auth_method + assert_equal "http://twitter.com/oauth/authorize",@consumer.authorize_url + assert_equal :header,@consumer.scheme assert_equal :post,@consumer.http_method end - - def test_create_request - request=@consumer.create_request :get,'/oauth/example/request_token.php' - assert_equal 'http://term.ie/oauth/example/request_token.php',request.url - assert "key",request[:consumer_key] - assert !request.signed? + + def test_override_paths + @consumer=OAuth::Consumer.new( + "key", + "secret", + { + :site=>"http://twitter.com", + :request_token_url=>"http://oauth.twitter.com/request_token", + :access_token_url=>"http://oauth.twitter.com/access_token", + :authorize_url=>"http://site.twitter.com/authorize" + }) + assert_equal "key",@consumer.key + assert_equal "secret",@consumer.secret + assert_equal "http://twitter.com",@consumer.site + assert_equal "/oauth/request_token",@consumer.request_token_path + assert_equal "/oauth/access_token",@consumer.access_token_path + assert_equal "http://oauth.twitter.com/request_token",@consumer.request_token_url + assert_equal "http://oauth.twitter.com/access_token",@consumer.access_token_url + assert_equal "http://site.twitter.com/authorize",@consumer.authorize_url + assert_equal :header,@consumer.scheme + assert_equal :post,@consumer.http_method end - - def test_create_post_request - request=@consumer.create_request(:post,'/oauth/example',{:oauth_token=>"token"},"BODY") - assert_equal "token",request[:oauth_token] - assert_equal "BODY",request.body + + def test_that_signing_auth_headers_on_get_requests_works + request = Net::HTTP::Get.new(@request_uri.path + "?" + request_parameters_to_s) + @token.sign!(request, {:nonce => @nonce, :timestamp => @timestamp}) + + assert_equal 'GET', request.method + assert_equal '/test?key=value', request.path + assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"1oO2izFav1GP4kEH2EskwXkCRFg%3D\", oauth_version=\"1.0\"", request['authorization'] end - def test_create_put_request - request=@consumer.create_request(:put,'/oauth/example',{:oauth_token=>"token"},"BODY") - assert_equal "token",request[:oauth_token] - assert_equal "BODY",request.body + def test_that_signing_auth_headers_on_post_requests_works + request = Net::HTTP::Post.new(@request_uri.path) + request.set_form_data( @request_parameters ) + @token.sign!(request, {:nonce => @nonce, :timestamp => @timestamp}) +# assert_equal "",request.oauth_helper.signature_base_string + + assert_equal 'POST', request.method + assert_equal '/test', request.path + assert_equal 'key=value', request.body + assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"26g7wHTtNO6ZWJaLltcueppHYiI%3D\", oauth_version=\"1.0\"", request['authorization'] end - - def test_signed_request - request=@consumer.signed_request :get,'/oauth/example/request_token.php' - assert_equal 'http://term.ie/oauth/example/request_token.php',request.url - assert "key",request[:consumer_key] - assert request.signed? - assert request.verify?(@consumer.secret) + + def test_that_signing_post_params_works + request = Net::HTTP::Post.new(@request_uri.path) + request.set_form_data( @request_parameters ) + @token.sign!(request, {:scheme => 'body', :nonce => @nonce, :timestamp => @timestamp}) + + assert_equal 'POST', request.method + assert_equal '/test', request.path + assert_equal "key=value&oauth_consumer_key=consumer_key_86cad9&oauth_nonce=225579211881198842005988698334675835446&oauth_signature=iMZaUTbQof%2fHMFyIde%2bOIkhW5is%3d&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1199645624&oauth_token=token_411a7f&oauth_version=1.0", request.body.split("&").sort.join("&") + assert_equal nil, request['authorization'] end - - def test_create_signed_post_request - request=@consumer.signed_request(:post,'/oauth/example',{:oauth_token=>"token"},'token secret',"BODY") - assert_equal "token",request[:oauth_token] - assert_equal "BODY",request.body - assert request.signed? - assert request.verify?(@consumer.secret,'token secret') + + def test_that_using_auth_headers_on_get_on_create_signed_requests_works + request=@consumer.create_signed_request(:get,@request_uri.path+ "?" + request_parameters_to_s,@token,{:nonce => @nonce, :timestamp => @timestamp},@request_parameters) + + assert_equal 'GET', request.method + assert_equal '/test?key=value', request.path + assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"1oO2izFav1GP4kEH2EskwXkCRFg%3D\", oauth_version=\"1.0\"", request['authorization'] + end + + def test_that_using_auth_headers_on_post_on_create_signed_requests_works + request=@consumer.create_signed_request(:post,@request_uri.path,@token,{:nonce => @nonce, :timestamp => @timestamp},@request_parameters,{}) + assert_equal 'POST', request.method + assert_equal '/test', request.path + assert_equal 'key=value', request.body + assert_equal "OAuth realm=\"\", oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"26g7wHTtNO6ZWJaLltcueppHYiI%3D\", oauth_version=\"1.0\"", request['authorization'] + end + + def test_that_signing_post_params_works + request=@consumer.create_signed_request(:post,@request_uri.path,@token,{:scheme => 'body', :nonce => @nonce, :timestamp => @timestamp},@request_parameters,{}) + + assert_equal 'POST', request.method + assert_equal '/test', request.path + assert_equal "key=value&oauth_consumer_key=consumer_key_86cad9&oauth_nonce=225579211881198842005988698334675835446&oauth_signature=26g7wHTtNO6ZWJaLltcueppHYiI%3d&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1199645624&oauth_token=token_411a7f&oauth_version=1.0", request.body.split("&").sort.join("&") + assert_equal nil, request['authorization'] end - def test_create_signed_put_request - request=@consumer.signed_request(:put,'/oauth/example',{:oauth_token=>"token"},'token secret',"BODY") - assert_equal "token",request[:oauth_token] - assert_equal "BODY",request.body - assert request.signed? - assert request.verify?(@consumer.secret,'token secret') + def test_step_by_step_token_request + @consumer=OAuth::Consumer.new( + "key", + "secret", + { + :site=>"http://term.ie", + :request_token_path=>"/oauth/example/request_token.php", + :access_token_path=>"/oauth/example/access_token.php", + :authorize_path=>"/oauth/example/authorize.php", + :scheme=>:header + }) + options={:nonce=>'nonce',:timestamp=>Time.now.to_i.to_s} + + request = Net::HTTP::Get.new("/oauth/example/request_token.php") + signature_base_string=@consumer.signature_base_string(request,nil,options) + assert_equal "GET&http%3A%2F%2Fterm.ie%2Foauth%2Fexample%2Frequest_token.php&oauth_consumer_key%3Dkey%26oauth_nonce%3D#{options[:nonce]}%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D#{options[:timestamp]}%26oauth_token%3D%26oauth_version%3D1.0",signature_base_string + @consumer.sign!(request, nil,options) + + assert_equal 'GET', request.method + assert_equal nil, request.body + response=@consumer.http.request(request) + assert_equal "200",response.code + assert_equal "oauth_token=requestkey&oauth_token_secret=requestsecret",response.body end - def test_get_token_sequence + def test_get_token_sequence + @consumer=OAuth::Consumer.new( + "key", + "secret", + { + :site=>"http://term.ie", + :request_token_path=>"/oauth/example/request_token.php", + :access_token_path=>"/oauth/example/access_token.php", + :authorize_path=>"/oauth/example/authorize.php" + }) + @request_token=@consumer.get_request_token assert_not_nil @request_token assert_equal "requestkey",@request_token.token @@ -107,10 +187,17 @@ class ConsumerTest < Test::Unit::TestCase assert_equal "200",@response.code assert_equal( "ok=hello&test=this",@response.body) - @response=@access_token.post("/oauth/example/echo_api.php","ok=hello&test=this") + @response=@access_token.post("/oauth/example/echo_api.php",{'ok'=>'hello','test'=>'this'}) assert_not_nil @response assert_equal "200",@response.code - assert_equal( "ok=hello&test=this",@response.body) - + assert_equal( "ok=hello&test=this",@response.body) end + protected + + def request_parameters_to_s + @request_parameters.map { |k,v| "#{k}=#{v}" }.join("&") + end + + end + test/test_consumer.rb @@ -1,2 +1,6 @@ require 'test/unit' require File.dirname(__FILE__) + '/../lib/oauth' + +def requests(request) + Marshal.load(File.read(File.dirname(__FILE__) + '/fixtures/' + request)) +end test/test_helper.rb @@ -1,5 +1,5 @@ require 'test/unit' -require 'oauth' +require 'oauth/server' class ServerTest < Test::Unit::TestCase def setup @server=OAuth::Server.new "http://test.com" @@ -37,11 +37,4 @@ class ServerTest < Test::Unit::TestCase assert_equal "http://test.com/oauth/access_token",@consumer.access_token_url end - def test_verify_request - @consumer=@server.create_consumer - @request=@consumer.signed_request :get,@consumer.request_token_path - assert @request.signed? - - assert @request.verify?(@consumer.secret) - end end test/test_server.rb @@ -1,113 +1,11 @@ -require 'test/unit' -require 'oauth' -class SignatureTest < Test::Unit::TestCase - def setup - # From example in Apendix A of the spec - @consumer_secret="kd94hf93k423kf44" - @token_secret="pfkkdhi9sl3r4s00" - @test_params={ - :oauth_consumer_key=>"dpf43f3p2l4k3l03", - :oauth_token=>"nnch734d00sl2jdk", - :oauth_timestamp=>"1191242096", - :oauth_nonce=>"kllo9940pd9333jh" - } - - @request=OAuth::Request.new( :get,'http://photos.example.net','/photos?file=vacation.jpg&size=original', @test_params) - @signature=OAuth::Signature.create(@request,@consumer_secret,@token_secret) - end - - def test_base_string - from_spec="GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal" - assert_equal from_spec,@signature.base_string - end - - def test_base_string_with_post_params - @request=OAuth::Request.new( :post,'http://photos.example.net','/photos', @test_params,'file=vacation.jpg&size=original') - @signature=OAuth::Signature.create(@request,@consumer_secret,@token_secret) - from_spec="POST&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal" - assert_equal from_spec,@signature.base_string - end - - def test_signature_key - assert_equal "kd94hf93k423kf44&pfkkdhi9sl3r4s00",@signature.key - end - - def test_signature - assert_equal "tR3+Ty81lMeYAr/Fid0kMTYa/WM=",@signature.sign - end - - def test_sign_hmac_sha1 - assert !@request.signed? - assert !@signature.verify? - @signature.sign! - assert @request.signed? - assert @signature.verify? - end - - def test_sign_hmac_md5 - @request.signature_method="hmac-md5" - @signature=OAuth::Signature.create(@request,@consumer_secret,@token_secret) - - assert !@request.signed? - assert !@signature.verify? - @signature.sign! - assert @request.signed? - assert @signature.verify? - end - - def test_sign_hmac_sha2 - @request.signature_method="hmac-sha2" - @signature=OAuth::Signature.create(@request,@consumer_secret,@token_secret) - - assert !@request.signed? - assert !@signature.verify? - @signature.sign! - assert @request.signed? - assert @signature.verify? - end - - def test_sign_hmac_rmd160 - @request.signature_method="hmac-rmd160" - @signature=OAuth::Signature.create(@request,@consumer_secret,@token_secret) - - assert !@request.signed? - assert !@signature.verify? - @signature.sign! - assert @request.signed? - assert @signature.verify? - end - - def test_sign_plain_with_https - @request.site='https://photos.example.net' - @request.signature_method="plaintext" - @signature=OAuth::Signature.create(@request,@consumer_secret,@token_secret) - - assert !@request.signed? - assert !@signature.verify? - @signature.sign! - assert @request.signed? - assert @signature.verify? - end - - def test_sign_plain_with_http - @request.signature_method="plaintext" - assert_raise(OAuth::Signature::InsecureSignatureMethod) do - OAuth::Signature.create(@request,@consumer_secret,@token_secret) - end - end - - def test_sign_sha1 - @request.signature_method="sha1" - assert_raise(OAuth::Signature::InsecureSignatureMethod) do - OAuth::Signature.create(@request,@consumer_secret,@token_secret) - end - end - - def test_sign_md5 - @request.signature_method="md5" - assert_raise(OAuth::Signature::InsecureSignatureMethod) do - OAuth::Signature.create(@request,@consumer_secret,@token_secret) - end - end - -end +require File.dirname(__FILE__) + '/test_helper.rb' + +class TestOauth < Test::Unit::TestCase + + def setup + end + + def test_truth + assert true + end +end test/test_signature.rb @@ -33,7 +33,7 @@ <h1>Ruby OAuth GEM</h1> <div id="version" class="clickable" onclick='document.location = "http://rubyforge.org/projects/oauth"; return false'> <p>Get Version</p> - <a href="http://rubyforge.org/projects/oauth" class="numbers">0.1.1</a> + <a href="http://rubyforge.org/projects/oauth" class="numbers">0.2.0</a> </div> <h2>What</h2> @@ -41,7 +41,7 @@ <p>This is a RubyGem for implementing both OAuth clients and servers in Ruby applications.</p> - <p>See the <a href="http://oauth.googlecode.com/svn/spec/branches/1.0/drafts/7/spec.html">OAuth specs</a></p> + <p>See the <a href="http://oauth.net/core/1.0/">OAuth specs</a></p> <h2>Installing</h2> @@ -50,6 +50,9 @@ <p><pre class='syntax'><span class="ident">sudo</span> <span class="ident">gem</span> <span class="ident">install</span> <span class="ident">oauth</span></pre></p> + <p>You can also install it from the <a href="http://rubyforge.org/projects/oauth/">oauth rubyforge project</a>.</p> + + <h2>The basics</h2> @@ -65,9 +68,7 @@ <p>Create a new consumer instance by passing it a configuration hash:</p> -<pre><code>@consumer=OAuth::Consumer.new( { - :consumer_key=&gt;"key", - :consumer_secret=&gt;"secret", +<pre><code>@consumer=OAuth::Consumer.new( "key","secret", { :site=&gt;"https://agree2" })</code></pre> @@ -108,7 +109,7 @@ redirect_to @request_token.authorize_url</code></pre> <p>Read the <a href="http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/">8 steps for fixing other people&#8217;s code</a> and for section <a href="http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/#8b-google-groups">8b: Submit patch to Google Groups</a>, use the Google Group above.</p> - <p>The trunk repository is <code>svn://rubyforge.org/var/svn/oauth/trunk</code> for anonymous access.</p> + <p>The trunk repository is <code>http://oauth.rubyforge.org/svn/trunk/</code> for anonymous access.</p> <h2>License</h2> @@ -120,9 +121,9 @@ redirect_to @request_token.authorize_url</code></pre> <h2>Contact</h2> - <p>Comments are welcome. Send an email to <a href="mailto:pelleb@gmail.com">Pelle Braendgaard</a> email via the <a href="http://groups.google.com/group/oauth">forum</a></p> + <p>Comments are welcome. Send an email to <a href="mailto:pelleb@gmail.com">Pelle Braendgaard</a> email via the <a href="http://groups.google.com/group/oauth-ruby">OAuth Ruby mailing list</a></p> <p class="coda"> - <a href="FIXME email">FIXME full name</a>, 26th November 2007<br> + <a href="FIXME email">FIXME full name</a>, 21st January 2008<br> Theme extended from <a href="http://rb2js.rubyforge.org/">Paul Battley</a> </p> </div> website/index.html @@ -4,7 +4,7 @@ h2. What This is a RubyGem for implementing both OAuth clients and servers in Ruby applications. -See the "OAuth specs":http://oauth.googlecode.com/svn/spec/branches/1.0/drafts/7/spec.html +See the "OAuth specs":http://oauth.net/core/1.0/ h2. Installing @@ -22,9 +22,7 @@ h2. Demonstration of usage Create a new consumer instance by passing it a configuration hash: -<pre><code>@consumer=OAuth::Consumer.new( { - :consumer_key=>"key", - :consumer_secret=>"secret", +<pre><code>@consumer=OAuth::Consumer.new( "key","secret", { :site=>"https://agree2" })</code></pre> @@ -55,7 +53,7 @@ h2. How to submit patches Read the "8 steps for fixing other people's code":http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/ and for section "8b: Submit patch to Google Groups":http://drnicwilliams.com/2007/06/01/8-steps-for-fixing-other-peoples-code/#8b-google-groups, use the Google Group above. -The trunk repository is <code>svn://rubyforge.org/var/svn/oauth/trunk</code> for anonymous access. +The trunk repository is <code>http://oauth.rubyforge.org/svn/trunk/</code> for anonymous access. h2. License @@ -63,5 +61,5 @@ This code is free to use under the terms of the MIT license. h2. Contact -Comments are welcome. Send an email to "Pelle Braendgaard":mailto:pelleb@gmail.com email via the "forum":http://groups.google.com/group/oauth +Comments are welcome. Send an email to "Pelle Braendgaard":mailto:pelleb@gmail.com email via the "OAuth Ruby mailing list":http://groups.google.com/group/oauth-ruby website/index.txt lib/oauth/consumer_credentials.rb lib/oauth/key.rb lib/oauth/request.rb test/test_oauth.rb test/test_request.rb fe1a4ab84c19a41d31b855646f1584f93082baac Pelle Braendgaard pelleb@gmail.com http://github.com/pelle/oauth/commit/51a95e48501618fc9b12858f7078cee8a367672f 51a95e48501618fc9b12858f7078cee8a367672f 2008-01-21T11:13:42-08:00 2008-01-21T11:13:42-08:00 Changes from http://oauth.googlecode.com/svn/code/ruby/oauth/ merged in ff0ddd97f24999908e6dbf21401c5a8d6c2eaf01 Pelle Braendgaard pelleb@gmail.com