/**
 * Looks up the OAuth consumer key material for a gadget/service pair and wraps it in a
 * {@link ConsumerInfo}.
 *
 * <p>The store is keyed on the gadget URL taken from the security token plus the service name.
 * When no entry matches, the store-wide default key is used instead, so every gadget without
 * an entry of its own is handed the same default key material.
 *
 * @param securityToken token whose app URL identifies the calling gadget
 * @param serviceName name of the OAuth service being requested
 * @param provider service provider to attach to the returned consumer
 * @return the consumer, its key name, and the callback URL (the entry's own, else the default)
 * @throws GadgetException with {@code INTERNAL_SERVER_ERROR} when neither a matching entry nor
 *     a default key exists
 */
public ConsumerInfo getConsumerKeyAndSecret(
    SecurityToken securityToken, String serviceName, OAuthServiceProvider provider)
    throws GadgetException {
  ++consumerKeyLookupCount;

  BasicOAuthStoreConsumerIndex lookupKey = new BasicOAuthStoreConsumerIndex();
  lookupKey.setGadgetUri(securityToken.getAppUrl());
  lookupKey.setServiceName(serviceName);

  BasicOAuthStoreConsumerKeyAndSecret entry = consumerInfos.get(lookupKey);
  if (entry == null) {
    // No gadget-specific entry: fall back to the shared default key (may itself be unset).
    entry = defaultKey;
  }
  if (entry == null) {
    throw new GadgetException(GadgetException.Code.INTERNAL_SERVER_ERROR,
        "No key for gadget " + securityToken.getAppUrl() + " and service " + serviceName);
  }

  final OAuthConsumer consumer;
  if (entry.getKeyType() != KeyType.RSA_PRIVATE) {
    // Symmetric key: the stored secret is the HMAC consumer secret.
    consumer = new OAuthConsumer(null, entry.getConsumerKey(), entry.getConsumerSecret(), provider);
    consumer.setProperty(OAuth.OAUTH_SIGNATURE_METHOD, OAuth.HMAC_SHA1);
  } else {
    // RSA key: the consumer secret stays null and the stored secret is published as the
    // RSA_SHA1.PRIVATE_KEY property. The oauth.net signing code, far from here, keys off the
    // signature-method property to treat that value as an RSA private key, not an HMAC key.
    // The private key therefore lives in the consumer's property map; anything that dumps
    // those properties would expose it.
    consumer = new OAuthConsumer(null, entry.getConsumerKey(), null, provider);
    consumer.setProperty(OAuth.OAUTH_SIGNATURE_METHOD, OAuth.RSA_SHA1);
    consumer.setProperty(RSA_SHA1.PRIVATE_KEY, entry.getConsumerSecret());
  }

  // An entry-specific callback wins over the store-wide default.
  String callback = entry.getCallbackUrl();
  if (callback == null) {
    callback = defaultCallbackUrl;
  }
  return new ConsumerInfo(consumer, entry.getKeyName(), callback);
}
/**
 * Appends the OAuth callback parameter to the request-token parameters when a callback URL is
 * configured for the consumer.
 *
 * <p>The configured URL is only a base: the value actually sent is whatever the configured
 * callback generator returns for this request. Nothing is added when the base URL is blank or
 * the generator returns {@code null}.
 *
 * @param requestTokenParams mutable parameter list for the request-token call
 * @throws OAuthRequestException declared by this method; presumably raised by the callback
 *     generator — confirm against its signature
 */
private void addCallback(List<Parameter> requestTokenParams) throws OAuthRequestException {
  // Either the callback URL tied to the consumer key or the global callback URL.
  String configuredCallback =
      StringUtils.trimToNull(accessorInfo.getConsumer().getCallbackUrl());
  if (configuredCallback == null) {
    return;
  }

  String generatedCallback = fetcherConfig.getOAuthCallbackGenerator().generateCallback(
      fetcherConfig, configuredCallback, realRequest, responseParams);
  if (generatedCallback == null) {
    return;
  }
  requestTokenParams.add(new Parameter(OAuth.OAUTH_CALLBACK, generatedCallback));
}
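/**
 * Adds the OAuth parameters that accompany the signature to {@code params}.
 *
 * <p>Appended in order: the consumer key (only when the consumer has none, in which case the
 * security token's domain is used), the key name under both {@code XOAUTH_PUBLIC_KEY_OLD} and
 * {@code XOAUTH_PUBLIC_KEY_NEW} (only when a key name is set), the OAuth version, a timestamp
 * in whole seconds, and a random non-negative nonce.
 *
 * @param params mutable parameter list to append to
 */
private void addSignatureParams(List<Parameter> params) {
  if (accessorInfo.getConsumer().getConsumer().consumerKey == null) {
    // No explicit consumer key: identify the consumer by the container's domain instead.
    params.add(
        new Parameter(OAuth.OAUTH_CONSUMER_KEY, realRequest.getSecurityToken().getDomain()));
  }

  String keyName = accessorInfo.getConsumer().getKeyName();
  if (keyName != null) {
    // The key name is sent under both the old and the new parameter name.
    params.add(new Parameter(XOAUTH_PUBLIC_KEY_OLD, keyName));
    params.add(new Parameter(XOAUTH_PUBLIC_KEY_NEW, keyName));
  }

  params.add(new Parameter(OAuth.OAUTH_VERSION, OAuth.VERSION_1_0));
  params.add(new Parameter(OAuth.OAUTH_TIMESTAMP,
      Long.toString(fetcherConfig.getClock().currentTimeMillis() / 1000L)));

  // The oauth.net java code uses a clock to generate nonces, which causes nonce collisions
  // under heavy load. A random nonce is more reliable.
  // The sign bit is masked off instead of calling Math.abs(): Math.abs(Long.MIN_VALUE) is
  // still negative, so abs() could emit a nonce with a leading '-'.
  // NOTE(review): nonce unpredictability depends on Crypto.RAND being a SecureRandom — confirm.
  params.add(new Parameter(OAuth.OAUTH_NONCE,
      String.valueOf(Crypto.RAND.nextLong() & Long.MAX_VALUE)));
}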
// Sign the outgoing request, forwarding the consumer's isOauthBodyHash() setting as the last
// argument. NOTE(review): the meaning of the literal `true` is not visible here — confirm
// against sanitizeAndSign's signature.
HttpRequest signed = sanitizeAndSign(request, msgParams, true, this.accessorInfo.getConsumer().isOauthBodyHash());
responseParams, fetcherConfig); assertEquals(OAuthParamLocation.URI_QUERY, info.getParamLocation()); Assert.assertNull(info.getConsumer().getKeyName()); assertEquals("hmac", info.getConsumer().getConsumer().consumerKey); assertEquals("hmacsecret", info.getConsumer().getConsumer().consumerSecret); assertNull(info.getAccessor().requestToken); assertEquals("token", info.getAccessor().accessToken); Assert.assertNull(info.getConsumer().getKeyName()); assertEquals("hmac", info.getConsumer().getConsumer().consumerKey); assertEquals("hmacsecret", info.getConsumer().getConsumer().consumerSecret); assertNull(info.getAccessor().requestToken); assertNull(info.getAccessor().accessToken);
// Besides the key name and callback, hand ConsumerInfo the key entry's isOauthBodyHash() flag.
return new ConsumerInfo(consumer, cks.getKeyName(), callback, cks.isOauthBodyHash());
responseParams, fetcherConfig); assertEquals(OAuthParamLocation.URI_QUERY, info.getParamLocation()); Assert.assertNull(info.getConsumer().getKeyName()); assertEquals("hmac", info.getConsumer().getConsumer().consumerKey); assertEquals("hmacsecret", info.getConsumer().getConsumer().consumerSecret); assertNull(info.getAccessor().requestToken); assertEquals("token", info.getAccessor().accessToken); Assert.assertNull(info.getConsumer().getKeyName()); assertEquals("hmac", info.getConsumer().getConsumer().consumerKey); assertEquals("hmacsecret", info.getConsumer().getConsumer().consumerSecret); assertNull(info.getAccessor().requestToken); assertNull(info.getAccessor().accessToken);
responseParams, fetcherConfig); assertEquals(OAuthParamLocation.URI_QUERY, info.getParamLocation()); Assert.assertNull(info.getConsumer().getKeyName()); assertEquals("hmac", info.getConsumer().getConsumer().consumerKey); assertEquals("hmacsecret", info.getConsumer().getConsumer().consumerSecret); assertNull(info.getAccessor().requestToken); assertEquals("token", info.getAccessor().accessToken); Assert.assertNull(info.getConsumer().getKeyName()); assertEquals("hmac", info.getConsumer().getConsumer().consumerKey); assertEquals("hmacsecret", info.getConsumer().getConsumer().consumerSecret); assertNull(info.getAccessor().requestToken); assertNull(info.getAccessor().accessToken);
/**
 * Looks up the OAuth consumer key material for a gadget/service pair and wraps it in a
 * {@link ConsumerInfo}.
 *
 * <p>The store is keyed on the gadget URL taken from the security token plus the service name.
 * When no entry matches, the store-wide default key is used instead, so every gadget without
 * an entry of its own is handed the same default key material.
 *
 * @param securityToken token whose app URL identifies the calling gadget
 * @param serviceName name of the OAuth service being requested
 * @param provider service provider to attach to the returned consumer
 * @return the consumer, its key name, and the callback URL (the entry's own, else the default)
 * @throws GadgetException with {@code INTERNAL_SERVER_ERROR} when neither a matching entry nor
 *     a default key exists
 */
public ConsumerInfo getConsumerKeyAndSecret(
    SecurityToken securityToken, String serviceName, OAuthServiceProvider provider)
    throws GadgetException {
  ++consumerKeyLookupCount;

  BasicOAuthStoreConsumerIndex lookupKey = new BasicOAuthStoreConsumerIndex();
  lookupKey.setGadgetUri(securityToken.getAppUrl());
  lookupKey.setServiceName(serviceName);

  BasicOAuthStoreConsumerKeyAndSecret entry = consumerInfos.get(lookupKey);
  if (entry == null) {
    // No gadget-specific entry: fall back to the shared default key (may itself be unset).
    entry = defaultKey;
  }
  if (entry == null) {
    throw new GadgetException(GadgetException.Code.INTERNAL_SERVER_ERROR,
        "No key for gadget " + securityToken.getAppUrl() + " and service " + serviceName);
  }

  final OAuthConsumer consumer;
  if (entry.getKeyType() != KeyType.RSA_PRIVATE) {
    // Symmetric key: the stored secret is the HMAC consumer secret.
    consumer = new OAuthConsumer(null, entry.getConsumerKey(), entry.getConsumerSecret(), provider);
    consumer.setProperty(OAuth.OAUTH_SIGNATURE_METHOD, OAuth.HMAC_SHA1);
  } else {
    // RSA key: the consumer secret stays null and the stored secret is published as the
    // RSA_SHA1.PRIVATE_KEY property. The oauth.net signing code, far from here, keys off the
    // signature-method property to treat that value as an RSA private key, not an HMAC key.
    // The private key therefore lives in the consumer's property map; anything that dumps
    // those properties would expose it.
    consumer = new OAuthConsumer(null, entry.getConsumerKey(), null, provider);
    consumer.setProperty(OAuth.OAUTH_SIGNATURE_METHOD, OAuth.RSA_SHA1);
    consumer.setProperty(RSA_SHA1.PRIVATE_KEY, entry.getConsumerSecret());
  }

  // An entry-specific callback wins over the store-wide default.
  String callback = entry.getCallbackUrl();
  if (callback == null) {
    callback = defaultCallbackUrl;
  }
  return new ConsumerInfo(consumer, entry.getKeyName(), callback);
}
/**
 * A gadget with no entry in the store is rejected until a default key is installed; afterwards
 * the default key's material is returned, with the callback taken from the key when it has one.
 */
@Test
public void testDefaultKey() throws Exception {
  FakeGadgetToken token = new FakeGadgetToken();
  token.setAppUrl("http://localhost:8080/not-in-store.xml");
  OAuthServiceProvider provider = new OAuthServiceProvider("req", "authorize", "access");

  // Neither a matching entry nor a default key: the lookup must fail.
  try {
    store.getConsumerKeyAndSecret(token, "", provider);
    fail();
  } catch (GadgetException expected) {
    // expected
  }

  // Default RSA key without a callback of its own.
  BasicOAuthStoreConsumerKeyAndSecret keyWithoutCallback = new BasicOAuthStoreConsumerKeyAndSecret(
      "somekey", "default", KeyType.RSA_PRIVATE, "keyname", null);
  store.setDefaultKey(keyWithoutCallback);
  ConsumerInfo info = store.getConsumerKeyAndSecret(token, "", provider);
  assertEquals("somekey", info.getConsumer().consumerKey);
  // For RSA the secret is carried as the private-key property, not as consumerSecret.
  assertNull(info.getConsumer().consumerSecret);
  assertEquals("RSA-SHA1", info.getConsumer().getProperty("oauth_signature_method"));
  assertEquals("default", info.getConsumer().getProperty(RSA_SHA1.PRIVATE_KEY));
  assertEquals(provider, info.getConsumer().serviceProvider);
  assertEquals("keyname", info.getKeyName());
  assertEquals("default callback", info.getCallbackUrl());

  // Same key, now with its own callback, which must be the one reported.
  BasicOAuthStoreConsumerKeyAndSecret keyWithCallback = new BasicOAuthStoreConsumerKeyAndSecret(
      "somekey", "default", KeyType.RSA_PRIVATE, "keyname", "callback");
  store.setDefaultKey(keyWithCallback);
  info = store.getConsumerKeyAndSecret(token, "", provider);
  assertEquals("callback", info.getCallbackUrl());
}
/**
 * A gadget with no entry in the store is rejected until a default key is installed; afterwards
 * the default key's material is returned, with the callback taken from the key when it has one.
 */
@Test
public void testDefaultKey() throws Exception {
  FakeGadgetToken token = new FakeGadgetToken();
  token.setAppUrl("http://localhost:8080/not-in-store.xml");
  OAuthServiceProvider provider = new OAuthServiceProvider("req", "authorize", "access");

  // Neither a matching entry nor a default key: the lookup must fail.
  try {
    store.getConsumerKeyAndSecret(token, "", provider);
    fail();
  } catch (GadgetException expected) {
    // expected
  }

  // Default RSA key without a callback of its own.
  BasicOAuthStoreConsumerKeyAndSecret keyWithoutCallback = new BasicOAuthStoreConsumerKeyAndSecret(
      "somekey", "default", KeyType.RSA_PRIVATE, "keyname", null);
  store.setDefaultKey(keyWithoutCallback);
  ConsumerInfo info = store.getConsumerKeyAndSecret(token, "", provider);
  assertEquals("somekey", info.getConsumer().consumerKey);
  // For RSA the secret is carried as the private-key property, not as consumerSecret.
  assertNull(info.getConsumer().consumerSecret);
  assertEquals("RSA-SHA1", info.getConsumer().getProperty("oauth_signature_method"));
  assertEquals("default", info.getConsumer().getProperty(RSA_SHA1.PRIVATE_KEY));
  assertEquals(provider, info.getConsumer().serviceProvider);
  assertEquals("keyname", info.getKeyName());
  assertEquals("default callback", info.getCallbackUrl());

  // Same key, now with its own callback, which must be the one reported.
  BasicOAuthStoreConsumerKeyAndSecret keyWithCallback = new BasicOAuthStoreConsumerKeyAndSecret(
      "somekey", "default", KeyType.RSA_PRIVATE, "keyname", "callback");
  store.setDefaultKey(keyWithCallback);
  info = store.getConsumerKeyAndSecret(token, "", provider);
  assertEquals("callback", info.getCallbackUrl());
}
/**
 * A gadget with no entry in the store is rejected until a default key is installed; afterwards
 * the default key's material is returned, with the callback taken from the key when it has one.
 */
@Test
public void testDefaultKey() throws Exception {
  FakeGadgetToken token = new FakeGadgetToken();
  token.setAppUrl("http://localhost:8080/not-in-store.xml");
  OAuthServiceProvider provider = new OAuthServiceProvider("req", "authorize", "access");

  // Neither a matching entry nor a default key: the lookup must fail.
  try {
    store.getConsumerKeyAndSecret(token, "", provider);
    fail();
  } catch (GadgetException expected) {
    // expected
  }

  // Default RSA key without a callback of its own.
  BasicOAuthStoreConsumerKeyAndSecret keyWithoutCallback = new BasicOAuthStoreConsumerKeyAndSecret(
      "somekey", "default", KeyType.RSA_PRIVATE, "keyname", null);
  store.setDefaultKey(keyWithoutCallback);
  ConsumerInfo info = store.getConsumerKeyAndSecret(token, "", provider);
  assertEquals("somekey", info.getConsumer().consumerKey);
  // For RSA the secret is carried as the private-key property, not as consumerSecret.
  assertNull(info.getConsumer().consumerSecret);
  assertEquals("RSA-SHA1", info.getConsumer().getProperty("oauth_signature_method"));
  assertEquals("default", info.getConsumer().getProperty(RSA_SHA1.PRIVATE_KEY));
  assertEquals(provider, info.getConsumer().serviceProvider);
  assertEquals("keyname", info.getKeyName());
  assertEquals("default callback", info.getCallbackUrl());

  // Same key, now with its own callback, which must be the one reported.
  BasicOAuthStoreConsumerKeyAndSecret keyWithCallback = new BasicOAuthStoreConsumerKeyAndSecret(
      "somekey", "default", KeyType.RSA_PRIVATE, "keyname", "callback");
  store.setDefaultKey(keyWithCallback);
  info = store.getConsumerKeyAndSecret(token, "", provider);
  assertEquals("callback", info.getCallbackUrl());
}
/**
 * With {@code UseToken.IF_AVAILABLE} and the private token, the accessor carries the HMAC
 * consumer key and secret from the backing store and no request token, access token or token
 * secret.
 */
@Test
public void testGetOAuthAccessor_socialOAuth_privatePage() throws Exception {
  // Register an HMAC key for this gadget/service pair in the backing store.
  BasicOAuthStoreConsumerIndex storeKey = new BasicOAuthStoreConsumerIndex();
  storeKey.setGadgetUri(GADGET_URL);
  storeKey.setServiceName("testservice");
  BasicOAuthStoreConsumerKeyAndSecret hmacEntry = new BasicOAuthStoreConsumerKeyAndSecret(
      "hmac", "hmacsecret", KeyType.HMAC_SYMMETRIC, null, null);
  backingStore.setConsumerKeyAndSecret(storeKey, hmacEntry);

  OAuthArguments args = new OAuthArguments();
  args.setServiceName("testservice");
  args.setUseToken(UseToken.IF_AVAILABLE);

  AccessorInfo accessorInfo =
      store.getOAuthAccessor(privateToken, args, clientState, responseParams, fetcherConfig);

  assertEquals(OAuthParamLocation.URI_QUERY, accessorInfo.getParamLocation());
  assertNull(accessorInfo.getConsumer().getKeyName());
  assertEquals("hmac", accessorInfo.getConsumer().getConsumer().consumerKey);
  assertEquals("hmacsecret", accessorInfo.getConsumer().getConsumer().consumerSecret);
  // No token material of any kind is attached to the accessor.
  assertNull(accessorInfo.getAccessor().requestToken);
  assertNull(accessorInfo.getAccessor().accessToken);
  assertNull(accessorInfo.getAccessor().tokenSecret);
}
/**
 * Checks the two entries the store is initialised with: an HMAC key for the localhost gadget
 * (falling back to the default callback) and an RSA key for the rsagadget URL (with its own
 * callback).
 */
@Test
public void testInit() throws Exception {
  FakeGadgetToken token = new FakeGadgetToken();
  OAuthServiceProvider provider = new OAuthServiceProvider("req", "authorize", "access");

  // HMAC entry: the secret is exposed as consumerSecret.
  token.setAppUrl("http://localhost:8080/gadgets/oauth.xml");
  ConsumerInfo hmacInfo = store.getConsumerKeyAndSecret(token, "", provider);
  OAuthConsumer hmacConsumer = hmacInfo.getConsumer();
  assertEquals("gadgetConsumer", hmacConsumer.consumerKey);
  assertEquals("gadgetSecret", hmacConsumer.consumerSecret);
  assertEquals("HMAC-SHA1", hmacConsumer.getProperty("oauth_signature_method"));
  assertEquals(provider, hmacConsumer.serviceProvider);
  assertNull(hmacInfo.getKeyName());
  assertEquals("default callback", hmacInfo.getCallbackUrl());

  // RSA entry: consumerSecret stays null and the key travels as the private-key property.
  token.setAppUrl("http://rsagadget/test.xml");
  ConsumerInfo rsaInfo = store.getConsumerKeyAndSecret(token, "", provider);
  OAuthConsumer rsaConsumer = rsaInfo.getConsumer();
  assertEquals("rsaconsumer", rsaConsumer.consumerKey);
  assertNull(rsaConsumer.consumerSecret);
  assertEquals("RSA-SHA1", rsaConsumer.getProperty("oauth_signature_method"));
  assertEquals(provider, rsaConsumer.serviceProvider);
  assertEquals("rsaprivate", rsaConsumer.getProperty(RSA_SHA1.PRIVATE_KEY));
  assertNull(rsaInfo.getKeyName());
  assertEquals("callback", rsaInfo.getCallbackUrl());
}
/**
 * Checks the two entries the store is initialised with: an HMAC key for the localhost gadget
 * (falling back to the default callback) and an RSA key for the rsagadget URL (with its own
 * callback).
 */
@Test
public void testInit() throws Exception {
  FakeGadgetToken token = new FakeGadgetToken();
  OAuthServiceProvider provider = new OAuthServiceProvider("req", "authorize", "access");

  // HMAC entry: the secret is exposed as consumerSecret.
  token.setAppUrl("http://localhost:8080/gadgets/oauth.xml");
  ConsumerInfo hmacInfo = store.getConsumerKeyAndSecret(token, "", provider);
  OAuthConsumer hmacConsumer = hmacInfo.getConsumer();
  assertEquals("gadgetConsumer", hmacConsumer.consumerKey);
  assertEquals("gadgetSecret", hmacConsumer.consumerSecret);
  assertEquals("HMAC-SHA1", hmacConsumer.getProperty("oauth_signature_method"));
  assertEquals(provider, hmacConsumer.serviceProvider);
  assertNull(hmacInfo.getKeyName());
  assertEquals("default callback", hmacInfo.getCallbackUrl());

  // RSA entry: consumerSecret stays null and the key travels as the private-key property.
  token.setAppUrl("http://rsagadget/test.xml");
  ConsumerInfo rsaInfo = store.getConsumerKeyAndSecret(token, "", provider);
  OAuthConsumer rsaConsumer = rsaInfo.getConsumer();
  assertEquals("rsaconsumer", rsaConsumer.consumerKey);
  assertNull(rsaConsumer.consumerSecret);
  assertEquals("RSA-SHA1", rsaConsumer.getProperty("oauth_signature_method"));
  assertEquals(provider, rsaConsumer.serviceProvider);
  assertEquals("rsaprivate", rsaConsumer.getProperty(RSA_SHA1.PRIVATE_KEY));
  assertNull(rsaInfo.getKeyName());
  assertEquals("callback", rsaInfo.getCallbackUrl());
}
/**
 * For the body.xml gadget the accessor points at the fake provider's three endpoints and is
 * configured to send OAuth parameters in a POST body.
 */
@Test
public void testGetOAuthAccessor_oauthParamsInBody() throws Exception {
  OAuthArguments args = new OAuthArguments();
  args.setServiceName("testservice");
  args.setUseToken(UseToken.ALWAYS);
  privateToken.setAppUrl("http://www.example.com/body.xml");

  AccessorInfo accessorInfo =
      store.getOAuthAccessor(privateToken, args, clientState, responseParams, fetcherConfig);

  // Endpoints come from the fake service provider.
  assertEquals(FakeOAuthServiceProvider.REQUEST_TOKEN_URL,
      accessorInfo.getConsumer().getConsumer().serviceProvider.requestTokenURL);
  assertEquals(FakeOAuthServiceProvider.APPROVAL_URL,
      accessorInfo.getConsumer().getConsumer().serviceProvider.userAuthorizationURL);
  assertEquals(FakeOAuthServiceProvider.ACCESS_TOKEN_URL,
      accessorInfo.getConsumer().getConsumer().serviceProvider.accessTokenURL);

  // OAuth parameters go in the body of a POST.
  assertEquals(HttpMethod.POST, accessorInfo.getHttpMethod());
  assertEquals(OAuthParamLocation.POST_BODY, accessorInfo.getParamLocation());
}
/**
 * For the header.xml gadget the accessor points at the fake provider's three endpoints and is
 * configured to send OAuth parameters in the authorization header of a GET.
 */
@Test
public void testGetOAuthAccessor_oauthParamsInHeader() throws Exception {
  OAuthArguments args = new OAuthArguments();
  args.setServiceName("testservice");
  args.setUseToken(UseToken.ALWAYS);
  privateToken.setAppUrl("http://www.example.com/header.xml");

  AccessorInfo accessorInfo =
      store.getOAuthAccessor(privateToken, args, clientState, responseParams, fetcherConfig);

  // Endpoints come from the fake service provider.
  assertEquals(FakeOAuthServiceProvider.REQUEST_TOKEN_URL,
      accessorInfo.getConsumer().getConsumer().serviceProvider.requestTokenURL);
  assertEquals(FakeOAuthServiceProvider.APPROVAL_URL,
      accessorInfo.getConsumer().getConsumer().serviceProvider.userAuthorizationURL);
  assertEquals(FakeOAuthServiceProvider.ACCESS_TOKEN_URL,
      accessorInfo.getConsumer().getConsumer().serviceProvider.accessTokenURL);

  // OAuth parameters go in the authorization header of a GET.
  assertEquals(HttpMethod.GET, accessorInfo.getHttpMethod());
  assertEquals(OAuthParamLocation.AUTH_HEADER, accessorInfo.getParamLocation());
}
/**
 * For the body.xml gadget the accessor points at the fake provider's three endpoints and is
 * configured to send OAuth parameters in a POST body.
 */
@Test
public void testGetOAuthAccessor_oauthParamsInBody() throws Exception {
  OAuthArguments args = new OAuthArguments();
  args.setServiceName("testservice");
  args.setUseToken(UseToken.ALWAYS);
  privateToken.setAppUrl("http://www.example.com/body.xml");

  AccessorInfo accessorInfo =
      store.getOAuthAccessor(privateToken, args, clientState, responseParams, fetcherConfig);

  // Endpoints come from the fake service provider.
  assertEquals(FakeOAuthServiceProvider.REQUEST_TOKEN_URL,
      accessorInfo.getConsumer().getConsumer().serviceProvider.requestTokenURL);
  assertEquals(FakeOAuthServiceProvider.APPROVAL_URL,
      accessorInfo.getConsumer().getConsumer().serviceProvider.userAuthorizationURL);
  assertEquals(FakeOAuthServiceProvider.ACCESS_TOKEN_URL,
      accessorInfo.getConsumer().getConsumer().serviceProvider.accessTokenURL);

  // OAuth parameters go in the body of a POST.
  assertEquals(HttpMethod.POST, accessorInfo.getHttpMethod());
  assertEquals(OAuthParamLocation.POST_BODY, accessorInfo.getParamLocation());
}
/**
 * With {@code UseToken.ALWAYS} and the social token, the accessor carries the HMAC consumer
 * key and secret from the backing store and no request token, access token or token secret.
 */
@Test
public void testGetOAuthAccessor_fullOAuth_socialPage() throws Exception {
  // Register an HMAC key for this gadget/service pair in the backing store.
  BasicOAuthStoreConsumerIndex storeKey = new BasicOAuthStoreConsumerIndex();
  storeKey.setGadgetUri(GADGET_URL);
  storeKey.setServiceName("testservice");
  BasicOAuthStoreConsumerKeyAndSecret hmacEntry = new BasicOAuthStoreConsumerKeyAndSecret(
      "hmac", "hmacsecret", KeyType.HMAC_SYMMETRIC, null, null);
  backingStore.setConsumerKeyAndSecret(storeKey, hmacEntry);

  OAuthArguments args = new OAuthArguments();
  args.setServiceName("testservice");
  args.setUseToken(UseToken.ALWAYS);

  AccessorInfo accessorInfo =
      store.getOAuthAccessor(socialToken, args, clientState, responseParams, fetcherConfig);

  assertEquals(OAuthParamLocation.URI_QUERY, accessorInfo.getParamLocation());
  assertNull(accessorInfo.getConsumer().getKeyName());
  assertEquals("hmac", accessorInfo.getConsumer().getConsumer().consumerKey);
  assertEquals("hmacsecret", accessorInfo.getConsumer().getConsumer().consumerSecret);
  // No token material of any kind is attached to the accessor.
  assertNull(accessorInfo.getAccessor().requestToken);
  assertNull(accessorInfo.getAccessor().accessToken);
  assertNull(accessorInfo.getAccessor().tokenSecret);
}
/**
 * With {@code UseToken.NEVER} and an HMAC key registered for the "hmac" service, the accessor
 * carries that consumer key and secret and no request token, access token or token secret.
 */
@Test
public void testGetOAuthAccessor_signedFetch_hmacKey() throws Exception {
  // Register an HMAC key for this gadget under the "hmac" service name.
  BasicOAuthStoreConsumerIndex storeKey = new BasicOAuthStoreConsumerIndex();
  storeKey.setGadgetUri(GADGET_URL);
  storeKey.setServiceName("hmac");
  BasicOAuthStoreConsumerKeyAndSecret hmacEntry = new BasicOAuthStoreConsumerKeyAndSecret(
      "hmac", "hmacsecret", KeyType.HMAC_SYMMETRIC, null, null);
  backingStore.setConsumerKeyAndSecret(storeKey, hmacEntry);

  OAuthArguments args = new OAuthArguments();
  args.setUseToken(UseToken.NEVER);
  args.setServiceName("hmac");

  AccessorInfo accessorInfo =
      store.getOAuthAccessor(socialToken, args, clientState, responseParams, fetcherConfig);

  assertEquals(OAuthParamLocation.URI_QUERY, accessorInfo.getParamLocation());
  assertNull(accessorInfo.getConsumer().getKeyName());
  assertEquals("hmac", accessorInfo.getConsumer().getConsumer().consumerKey);
  assertEquals("hmacsecret", accessorInfo.getConsumer().getConsumer().consumerSecret);
  // No token material of any kind is attached to the accessor.
  assertNull(accessorInfo.getAccessor().requestToken);
  assertNull(accessorInfo.getAccessor().accessToken);
  assertNull(accessorInfo.getAccessor().tokenSecret);
}