1 files changed, 240 insertions, 0 deletions
diff --git a/lib/oauth-consumer.cc b/lib/oauth-consumer.cc
new file mode 100644
index 0000000..d717ed3
--- a/dev/null
+++ b/lib/oauth-consumer.cc
@@ -0,0 +1,240 @@
+#include <openssl/sha.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <opkele/oauth/consumer.h>
+#include <opkele/exception.h>
+#include <opkele/util.h>
+#include <opkele/curl.h>
+#include <opkele/debug.h>
+#include "config.h"
+#ifdef HAVE_LIBUUID
+# include <uuid/uuid.h>
+#endif
+namespace opkele {
+    namespace oauth {
+        const service_endpoint_t&
+            simple_provider_endpoints::get_request_token_endpoint() const {
+            return sep_request_token; }
+        const service_endpoint_t&
+            simple_provider_endpoints::get_authorize_user_endpoint() const {
+            return sep_authorize_user; }
+        const service_endpoint_t&
+            simple_provider_endpoints::get_access_token_endpoint() const {
+            return sep_access_token; }
+        service_endpoint_t&
+            simple_provider_endpoints::get_url_endpoint(service_endpoint_t& sep,
+                    const string& url) const {
+            sep = sep_generic;
+            sep.url = url;
+            return sep; }
+        token_t basic_consumer::get_request_token() {
+            return acquire_token(get_endpoints().get_request_token_endpoint());
+        }
+        const string basic_consumer::get_authorize_url(const token_t& rt,const string& callback) {
+            fields_t f;
+            f.set_field("oauth_token",rt.key);
+            if(!callback.empty())
+                f.set_field("oauth_callback",callback);
+            return f.append_query(
+                    get_endpoints().get_authorize_user_endpoint().url );
+        }
+        token_t basic_consumer::get_access_token(const token_t& rt) {
+            return acquire_token(get_endpoints().get_access_token_endpoint(),&rt);
+        }
+        const string basic_consumer::signature(
+                const string& method, const string& url,
+                const basic_fields& fields,
+                const token_t* at) {
+            if(fields.get_field("oauth_signature_method")!="HMAC-SHA1")
+                throw opkele::not_implemented(OPKELE_CP_
+                        "only HMAC-SHA1 signature is implemented");
+            string key = util::url_encode(consumer_token.secret);
+            key += '&';
+            if(at)
+                key += util::url_encode(at->secret);
+            /* TODO: do not build the whole subject */
+            string subject = method;
+            subject += '&';
+            string u = util::rfc_3986_normalize_uri(url);
+            string::size_type uco = u.find_first_of("#?");
+            if(uco!=string::npos) u.erase(uco);
+            subject += util::url_encode(u);
+            subject += '&';
+            subject += util::url_encode( fields.query_string() );
+            unsigned char md[SHA_DIGEST_LENGTH];
+            unsigned int md_len = 0;
+            HMAC( EVP_sha1(),
+                    key.c_str(),key.size(),
+                    (const unsigned char *)subject.c_str(),subject.size(),
+                    md,&md_len );
+            assert(md_len==sizeof(md));
+            return util::encode_base64(md,md_len);
+        }
+        static void noquerize_url(string& url,const string& sepurl,basic_fields& f) {
+            string::size_type q = sepurl.find('?'),
+                p = sepurl.find('#');
+            if(q==string::npos) {
+                url = sepurl.substr(0,p);
+            }else{
+                fields_t tmp;
+                tmp.from_query(sepurl.substr(
+                            q+1,
+                            (p==string::npos)?string::npos:(p-q-q)));
+                tmp.append_to(f);
+                url = sepurl.substr(0,(p==string::npos)?q:min(p,q));
+            }
+        }
+        token_t basic_consumer::acquire_token(
+                const service_endpoint_t& sep,
+                const token_t* rt) {
+            util::curl_pick_t curl = util::curl_t::easy_init();
+            CURLcode r;
+            (r=curl.misc_sets())
+                || (r=curl.set_write());
+            if(r)
+                throw exception_curl(OPKELE_CP_ "failed to set basic curly options",r);
+            http_request_t hr(
+                    (sep.oauth_method==oauth_post_body)?"POST":"GET",
+                    "");
+            fields_t uq;
+            noquerize_url(hr.url,sep.url,uq);
+            prepare_request(hr,uq,fields_t(),sep,rt);
+            switch(sep.oauth_method) {
+                case oauth_auth_header:
+                    throw opkele::not_implemented(OPKELE_CP_
+                            "auth header for token acquisition isn't (yet?) supported");
+                    break;
+                case oauth_post_body:
+                    (r=curl.easy_setopt(CURLOPT_POST,1))
+                        || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,hr.body.c_str()))
+                        || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,hr.body.size()));
+                    break;
+                case oauth_url_query:
+                    break;
+                default:
+                    throw opkele::exception(OPKELE_CP_ /* TODO: specialize */
+                            "invalid oauth_method for request_token endpoint");
+            };
+            if(r)
+                throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
+            if( (r=curl.easy_setopt(CURLOPT_URL,hr.url.c_str())) )
+                throw exception_curl(OPKELE_CP_ "failed to set curly urlie",r);
+            if( (r=curl.easy_perform()) )
+                throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
+            token_t rv;
+            string::size_type p=0;
+            while(p!=string::npos) {
+                string::size_type np = curl.response.find('&',p);
+                string part;
+                if(np==string::npos) {
+                    part.assign(curl.response.c_str()+p); p = string::npos;
+                }else{
+                    part.assign(curl.response,p,np-p); p = np+1;
+                }
+                string::size_type eq = part.find('=');
+                if(eq==string::npos) continue;
+                string n(part,0,eq);
+                if(n=="oauth_token") {
+                    if(!rv.key.empty()) /* TODO: specialize */
+                        throw opkele::exception(OPKELE_CP_ "found oauth_token twice");
+                    rv.key = util::url_decode(part.substr(eq+1));
+                }else if(n=="oauth_token_secret") {
+                    if(!rv.secret.empty()) /* TODO: specialize */
+                        throw opkele::exception(OPKELE_CP_ "found oauth_secret twice");
+                    rv.secret = util::url_decode(part.substr(eq+1));
+                }
+            }
+            return rv;
+        }
+        void basic_consumer::prepare_request(
+                http_request_t& req,
+                const basic_fields& qf,const basic_fields& pf,
+                oauth_method_t om,const string& sm,
+                const token_t *t,const string& realm) {
+            fields_t op;
+            op.set_field("oauth_consumer_key",consumer_token.key);
+            if(t) op.set_field("oauth_token",t->key);
+            op.set_field("oauth_signature_method",sm);
+            time_t now;
+            op.set_field("oauth_timestamp",
+                    util::long_to_string(time(&now)));
+            op.set_field("oauth_nonce",allocate_nonce(now));
+            op.set_field("oauth_version","1.0");
+            /* TODO: normalize and strip down url */
+            {
+                fields_t af; /* TODO: optimize, I don't want it to be copied */
+                qf.copy_to(af); pf.append_to(af); op.append_to(af);
+                op.set_field("oauth_signature", signature(
+                            req.method,req.url,af,t) );
+            }
+            req.authorize_header.clear();
+            if(om==oauth_auth_header) {
+                req.authorize_header = "OAuth ";
+                req.authorize_header += "realm=\"";
+                req.authorize_header += util::url_encode(realm);
+                req.authorize_header += '\"';
+                for(basic_fields::fields_iterator
+                        i=op.fields_begin(),ie=op.fields_end();
+                        i!=ie;++i) {
+                    req.authorize_header += ", ";
+                    req.authorize_header += *i;
+                    req.authorize_header += "=\"";
+                    req.authorize_header += util::url_encode(op.get_field(*i));
+                    req.authorize_header += "\"";
+                }
+                req.url = qf.append_query(req.url);
+                req.body = pf.query_string();
+            }else if(om==oauth_post_body) {
+                assert(req.method=="POST");
+                /* TODO: optimize, don't copy it over and over */
+                fields_t p;
+                pf.append_to(p); op.append_to(p);
+                req.url = qf.append_query(req.url);
+                req.body = p.query_string();
+            }else if(om==oauth_url_query) {
+                fields_t q;
+                qf.append_to(q); op.append_to(q);
+                req.url = q.append_query(req.url);
+                req.body = pf.query_string();
+            }else
+                throw opkele::exception(OPKELE_CP_ /* TODO: specialize */
+                        "Unknown oauth method");
+        }
+        void basic_consumer::prepare_request(
+                http_request_t& req,
+                const basic_fields& qf,const basic_fields& pf,
+                const service_endpoint_t& sep,
+                const token_t *t,const string& realm) {
+            prepare_request(
+                    req, qf, pf,
+                    sep.oauth_method,sep.signature_method,
+                    t,realm);
+        }
+        const basic_provider_endpoints& simple_consumer::get_endpoints() const {
+            return peps; }
+        const string simple_consumer::allocate_nonce(time_t ts) {
+#           ifndef HAVE_LIBUUID
+                throw opkele::not_implemented(OPKELE_CP_
+                        "not implemented consumer's allocate_nonce()");
+#           else /* HAVE_LIBUUID */
+                uuid_t uuid; uuid_generate(uuid);
+                return util::encode_base64(uuid,sizeof(uuid));
+#           endif /* HAVE_LIBUUID */
+        }
+    }
+}

diff --git a/lib/oauth-consumer.cc b/lib/oauth-consumer.cc new file mode 100644 index 0000000..d717ed3 --- a/dev/null +++ b/lib/oauth-consumer.cc
@@ -0,0 +1,240 @@
	1	#include <openssl/sha.h>
	2	#include <openssl/evp.h>
	3	#include <openssl/hmac.h>
	4	#include <opkele/oauth/consumer.h>
	5	#include <opkele/exception.h>
	6	#include <opkele/util.h>
	7	#include <opkele/curl.h>
	8	#include <opkele/debug.h>
	9
	10	#include "config.h"
	11	#ifdef HAVE_LIBUUID
	12	# include <uuid/uuid.h>
	13	#endif
	14
	15	namespace opkele {
	16	namespace oauth {
	17
	18	const service_endpoint_t&
	19	simple_provider_endpoints::get_request_token_endpoint() const {
	20	return sep_request_token; }
	21	const service_endpoint_t&
	22	simple_provider_endpoints::get_authorize_user_endpoint() const {
	23	return sep_authorize_user; }
	24	const service_endpoint_t&
	25	simple_provider_endpoints::get_access_token_endpoint() const {
	26	return sep_access_token; }
	27	service_endpoint_t&
	28	simple_provider_endpoints::get_url_endpoint(service_endpoint_t& sep,
	29	const string& url) const {
	30	sep = sep_generic;
	31	sep.url = url;
	32	return sep; }
	33
	34	token_t basic_consumer::get_request_token() {
	35	return acquire_token(get_endpoints().get_request_token_endpoint());
	36	}
	37
	38	const string basic_consumer::get_authorize_url(const token_t& rt,const string& callback) {
	39	fields_t f;
	40	f.set_field("oauth_token",rt.key);
	41	if(!callback.empty())
	42	f.set_field("oauth_callback",callback);
	43	return f.append_query(
	44	get_endpoints().get_authorize_user_endpoint().url );
	45	}
	46
	47	token_t basic_consumer::get_access_token(const token_t& rt) {
	48	return acquire_token(get_endpoints().get_access_token_endpoint(),&rt);
	49	}
	50
	51	const string basic_consumer::signature(
	52	const string& method, const string& url,
	53	const basic_fields& fields,
	54	const token_t* at) {
	55	if(fields.get_field("oauth_signature_method")!="HMAC-SHA1")
	56	throw opkele::not_implemented(OPKELE_CP_
	57	"only HMAC-SHA1 signature is implemented");
	58	string key = util::url_encode(consumer_token.secret);
	59	key += '&';
	60	if(at)
	61	key += util::url_encode(at->secret);
	62	/* TODO: do not build the whole subject */
	63	string subject = method;
	64	subject += '&';
	65	string u = util::rfc_3986_normalize_uri(url);
	66	string::size_type uco = u.find_first_of("#?");
	67	if(uco!=string::npos) u.erase(uco);
	68	subject += util::url_encode(u);
	69	subject += '&';
	70	subject += util::url_encode( fields.query_string() );
	71	unsigned char md[SHA_DIGEST_LENGTH];
	72	unsigned int md_len = 0;
	73	HMAC( EVP_sha1(),
	74	key.c_str(),key.size(),
	75	(const unsigned char *)subject.c_str(),subject.size(),
	76	md,&md_len );
	77	assert(md_len==sizeof(md));
	78	return util::encode_base64(md,md_len);
	79	}
	80
	81	static void noquerize_url(string& url,const string& sepurl,basic_fields& f) {
	82	string::size_type q = sepurl.find('?'),
	83	p = sepurl.find('#');
	84	if(q==string::npos) {
	85	url = sepurl.substr(0,p);
	86	}else{
	87	fields_t tmp;
	88	tmp.from_query(sepurl.substr(
	89	q+1,
	90	(p==string::npos)?string::npos:(p-q-q)));
	91	tmp.append_to(f);
	92	url = sepurl.substr(0,(p==string::npos)?q:min(p,q));
	93	}
	94	}
	95
	96	token_t basic_consumer::acquire_token(
	97	const service_endpoint_t& sep,
	98	const token_t* rt) {
	99	util::curl_pick_t curl = util::curl_t::easy_init();
	100	CURLcode r;
	101	(r=curl.misc_sets())
	102	\|\| (r=curl.set_write());
	103	if(r)
	104	throw exception_curl(OPKELE_CP_ "failed to set basic curly options",r);
	105	http_request_t hr(
	106	(sep.oauth_method==oauth_post_body)?"POST":"GET",
	107	"");
	108	fields_t uq;
	109	noquerize_url(hr.url,sep.url,uq);
	110	prepare_request(hr,uq,fields_t(),sep,rt);
	111	switch(sep.oauth_method) {
	112	case oauth_auth_header:
	113	throw opkele::not_implemented(OPKELE_CP_
	114	"auth header for token acquisition isn't (yet?) supported");
	115	break;
	116	case oauth_post_body:
	117	(r=curl.easy_setopt(CURLOPT_POST,1))
	118	\|\| (r=curl.easy_setopt(CURLOPT_POSTFIELDS,hr.body.c_str()))
	119	\|\| (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,hr.body.size()));
	120	break;
	121	case oauth_url_query:
	122	break;
	123	default:
	124	throw opkele::exception(OPKELE_CP_ /* TODO: specialize */
	125	"invalid oauth_method for request_token endpoint");
	126	};
	127	if(r)
	128	throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
	129	if( (r=curl.easy_setopt(CURLOPT_URL,hr.url.c_str())) )
	130	throw exception_curl(OPKELE_CP_ "failed to set curly urlie",r);
	131	if( (r=curl.easy_perform()) )
	132	throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
	133	token_t rv;
	134	string::size_type p=0;
	135	while(p!=string::npos) {
	136	string::size_type np = curl.response.find('&',p);
	137	string part;
	138	if(np==string::npos) {
	139	part.assign(curl.response.c_str()+p); p = string::npos;
	140	}else{
	141	part.assign(curl.response,p,np-p); p = np+1;
	142	}
	143	string::size_type eq = part.find('=');
	144	if(eq==string::npos) continue;
	145	string n(part,0,eq);
	146	if(n=="oauth_token") {
	147	if(!rv.key.empty()) /* TODO: specialize */
	148	throw opkele::exception(OPKELE_CP_ "found oauth_token twice");
	149	rv.key = util::url_decode(part.substr(eq+1));
	150	}else if(n=="oauth_token_secret") {
	151	if(!rv.secret.empty()) /* TODO: specialize */
	152	throw opkele::exception(OPKELE_CP_ "found oauth_secret twice");
	153	rv.secret = util::url_decode(part.substr(eq+1));
	154	}
	155	}
	156	return rv;
	157	}
	158
	159	void basic_consumer::prepare_request(
	160	http_request_t& req,
	161	const basic_fields& qf,const basic_fields& pf,
	162	oauth_method_t om,const string& sm,
	163	const token_t *t,const string& realm) {
	164	fields_t op;
	165	op.set_field("oauth_consumer_key",consumer_token.key);
	166	if(t) op.set_field("oauth_token",t->key);
	167	op.set_field("oauth_signature_method",sm);
	168	time_t now;
	169	op.set_field("oauth_timestamp",
	170	util::long_to_string(time(&now)));
	171	op.set_field("oauth_nonce",allocate_nonce(now));
	172	op.set_field("oauth_version","1.0");
	173	/* TODO: normalize and strip down url */
	174	{
	175	fields_t af; /* TODO: optimize, I don't want it to be copied */
	176	qf.copy_to(af); pf.append_to(af); op.append_to(af);
	177	op.set_field("oauth_signature", signature(
	178	req.method,req.url,af,t) );
	179	}
	180	req.authorize_header.clear();
	181	if(om==oauth_auth_header) {
	182	req.authorize_header = "OAuth ";
	183	req.authorize_header += "realm=\"";
	184	req.authorize_header += util::url_encode(realm);
	185	req.authorize_header += '\"';
	186	for(basic_fields::fields_iterator
	187	i=op.fields_begin(),ie=op.fields_end();
	188	i!=ie;++i) {
	189	req.authorize_header += ", ";
	190	req.authorize_header += *i;
	191	req.authorize_header += "=\"";
	192	req.authorize_header += util::url_encode(op.get_field(*i));
	193	req.authorize_header += "\"";
	194	}
	195	req.url = qf.append_query(req.url);
	196	req.body = pf.query_string();
	197	}else if(om==oauth_post_body) {
	198	assert(req.method=="POST");
	199	/* TODO: optimize, don't copy it over and over */
	200	fields_t p;
	201	pf.append_to(p); op.append_to(p);
	202	req.url = qf.append_query(req.url);
	203	req.body = p.query_string();
	204	}else if(om==oauth_url_query) {
	205	fields_t q;
	206	qf.append_to(q); op.append_to(q);
	207	req.url = q.append_query(req.url);
	208	req.body = pf.query_string();
	209	}else
	210	throw opkele::exception(OPKELE_CP_ /* TODO: specialize */
	211	"Unknown oauth method");
	212	}
	213
	214	void basic_consumer::prepare_request(
	215	http_request_t& req,
	216	const basic_fields& qf,const basic_fields& pf,
	217	const service_endpoint_t& sep,
	218	const token_t *t,const string& realm) {
	219	prepare_request(
	220	req, qf, pf,
	221	sep.oauth_method,sep.signature_method,
	222	t,realm);
	223	}
	224
	225
	226	const basic_provider_endpoints& simple_consumer::get_endpoints() const {
	227	return peps; }
	228
	229	const string simple_consumer::allocate_nonce(time_t ts) {
	230	# ifndef HAVE_LIBUUID
	231	throw opkele::not_implemented(OPKELE_CP_
	232	"not implemented consumer's allocate_nonce()");
	233	# else /* HAVE_LIBUUID */
	234	uuid_t uuid; uuid_generate(uuid);
	235	return util::encode_base64(uuid,sizeof(uuid));
	236	# endif /* HAVE_LIBUUID */
	237	}
	238
	239	}
	240	}