From 748a2a29a5667f372bf355ed737208a952ff79f0 Mon Sep 17 00:00:00 2001 From: Michael Krelin Date: Tue, 04 Mar 2008 21:30:28 +0000 Subject: comitting perliminary oauth consumer api * added the said consumer api and test consumer * added trivial map-based opkele::fields_t container * added UUID flags to libopkele.la build * fixed query_append so that it doesn't append '?' in absence of query parameters * added basic_fields::from_query() Signed-off-by: Michael Krelin --- diff --git a/include/Makefile.am b/include/Makefile.am index f842bb9..b41e6cc 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -20,6 +20,7 @@ nobase_include_HEADERS = \ opkele/iterator.h \ opkele/basic_op.h opkele/verify_op.h \ opkele/util.h \ + opkele/oauth.h opkele/oauth/consumer.h \ ${NODIST_HEADERS_} noinst_HEADERS = \ diff --git a/include/opkele/oauth.h b/include/opkele/oauth.h new file mode 100644 index 0000000..14d0586 --- a/dev/null +++ b/include/opkele/oauth.h @@ -0,0 +1,22 @@ +#ifndef __OPKELE_OAUTH_H +#define __OPKELE_OAUTH_H + +#include + +namespace opkele { + namespace oauth { + using std::string; + + struct token_t { + string key; + string secret; + + token_t() { } + token_t(const string& k,const string& s) + : key(k), secret(s) { } + }; + + } +} + +#endif /* __OPKELE_OAUTH_H */ diff --git a/include/opkele/oauth/consumer.h b/include/opkele/oauth/consumer.h new file mode 100644 index 0000000..1e2784c --- a/dev/null +++ b/include/opkele/oauth/consumer.h @@ -0,0 +1,124 @@ +#ifndef __OPKELE_OAUTH_CONSUMER_H +#define __OPKELE_OAUTH_CONSUMER_H + +#include +#include +#include + +namespace opkele { + namespace oauth { + using std::string; + + enum oauth_method_t { + oauth_auth_header, oauth_post_body, oauth_url_query + }; + + struct service_endpoint_t { + string url; + string signature_method; + oauth_method_t oauth_method; + + service_endpoint_t(const string& u,const string& sm,oauth_method_t om) + : url(u), signature_method(sm), oauth_method(om) { } + }; + + class basic_provider_endpoints { + public: + + virtual ~basic_provider_endpoints() { } + + virtual const service_endpoint_t& get_request_token_endpoint() const = 0; + virtual const service_endpoint_t& get_authorize_user_endpoint() const = 0; + virtual const service_endpoint_t& get_access_token_endpoint() const = 0; + + virtual service_endpoint_t& get_url_endpoint(service_endpoint_t& sep, + const string& url) const = 0; + }; + + struct http_request_t { + string authorize_header; + string method; + string url; + string body; + + http_request_t(const string& m,const string& u) + : method(m), url(u) { } + }; + + class basic_consumer { + public: + token_t consumer_token; + + basic_consumer(const token_t& ct) + : consumer_token(ct) { } + virtual ~basic_consumer() { } + + virtual const basic_provider_endpoints& get_endpoints() const = 0; + virtual const string allocate_nonce(time_t ts) = 0; + + token_t get_request_token(); + const string get_authorize_url(const token_t& rt,const string& callback=""); + token_t get_access_token(const token_t& rt); + + void prepare_request( + http_request_t& req, + const basic_fields& qf,const basic_fields& pf, + oauth_method_t om,const string& sm, + const token_t *t=0,const string& realm=""); + void prepare_request( + http_request_t& req, + const basic_fields& qf,const basic_fields& pf, + const service_endpoint_t& sep, + const token_t *t=0,const string& realm=""); + + const string signature( + const string& method, + const string& url, + const basic_fields& fields, + const token_t* rt=0); + + token_t acquire_token( + const service_endpoint_t& sep, + const token_t* rt=0); + }; + + class simple_provider_endpoints : public basic_provider_endpoints { + public: + service_endpoint_t sep_request_token; + service_endpoint_t sep_authorize_user; + service_endpoint_t sep_access_token; + service_endpoint_t sep_generic; + + simple_provider_endpoints( + const string& rt,const string& au,const string& at, + const string& sm, + oauth_method_t ams=oauth_post_body, + oauth_method_t amr=oauth_auth_header ) + : sep_request_token(rt,sm,ams), + sep_authorize_user(au,sm,oauth_url_query), + sep_access_token(at,sm,ams), + sep_generic("",sm,amr) { } + + const service_endpoint_t& get_request_token_endpoint() const; + const service_endpoint_t& get_authorize_user_endpoint() const; + const service_endpoint_t& get_access_token_endpoint() const; + service_endpoint_t& get_url_endpoint(service_endpoint_t& sep, + const string& url) const; + }; + + class simple_consumer : public basic_consumer { + public: + simple_provider_endpoints peps; + + simple_consumer(const simple_provider_endpoints& eps, + const token_t& ct) + : basic_consumer(ct), peps(eps) { } + + const basic_provider_endpoints& get_endpoints() const; + const string allocate_nonce(time_t ts); + }; + + } +} + +#endif /* __OPKELE_OAUTH_CONSUMER_H */ diff --git a/include/opkele/types.h b/include/opkele/types.h index f63bf5d..4471e6a 100644 --- a/include/opkele/types.h +++ b/include/opkele/types.h @@ -143,6 +143,24 @@ namespace opkele { virtual void set_field(const string& n,const string& v); virtual void reset_field(const string& n); + void from_query(const string& qs); + }; + + class fields_t : public basic_fields, public map { + public: + fields_t() { } + fields_t(const basic_fields& x) + : basic_fields(x) { } + + bool has_field(const string& n) const; + const string& get_field(const string& n) const; + + virtual fields_iterator fields_begin() const; + virtual fields_iterator fields_end() const; + + virtual void reset_fields(); + virtual void set_field(const string& n,const string& v); + virtual void reset_field(const string& n); }; class basic_openid_message : public basic_fields { diff --git a/lib/Makefile.am b/lib/Makefile.am index 20d15b8..6b1fad6 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -7,12 +7,14 @@ INCLUDES = \ ${KONFORKA_CFLAGS} \ ${OPENSSL_CFLAGS} \ ${LIBCURL_CPPFLAGS} \ - ${PCRE_CFLAGS} ${EXPAT_CFLAGS} ${TIDY_CFLAGS} + ${PCRE_CFLAGS} ${EXPAT_CFLAGS} ${TIDY_CFLAGS} \ + ${UUID_CFLAGS} libopkele_la_LIBADD = \ ${LIBCURL} \ ${PCRE_LIBS} ${EXPAT_LIBS} \ ${OPENSSL_LIBS} \ - ${KONFORKA_LIBS} ${TIDY_LIBS} + ${KONFORKA_LIBS} ${TIDY_LIBS} \ + ${UUID_LIBS} libopkele_la_SOURCES = \ params.cc \ @@ -29,6 +31,7 @@ libopkele_la_SOURCES = \ discovery.cc \ basic_rp.cc prequeue_rp.cc \ fields.cc message.cc \ - basic_op.cc verify_op.cc + basic_op.cc verify_op.cc \ + oauth-consumer.cc libopkele_la_LDFLAGS = \ -version-info 2:0:0 diff --git a/lib/fields.cc b/lib/fields.cc index d494098..916b603 100644 --- a/lib/fields.cc +++ b/lib/fields.cc @@ -43,12 +43,16 @@ namespace opkele { } __om_query_builder(const char *p,string& r,const basic_fields& m,const string& u) : om(m), first(true), rv(r), pfx(p) { + basic_fields::fields_iterator i=om.fields_begin(), + ie=om.fields_end(); rv = u; - if(rv.find('?')==string::npos) - rv += '?'; - else - first = false; - for_each(om.fields_begin(),om.fields_end(),*this); + if(i!=ie) { + if(rv.find('?')==string::npos) + rv += '?'; + else + first = false; + for_each(i,ie,*this); + } } result_type operator()(argument_type f) { @@ -82,5 +86,50 @@ namespace opkele { throw not_implemented(OPKELE_CP_ "reset_field() not implemented"); } + void basic_fields::from_query(const string& qs) { + for(string::size_type p=0,np;;p=np+1) { + np = qs.find('&',p); + string::size_type eq = qs.find('=',p); + if(eq==string::npos) break; + if(np==string::npos) { + set_field( + util::url_decode(qs.substr(p,eq-p)), + util::url_decode(qs.substr(eq+1)) ); + break; + }else if(eqsecond; + } + + fields_t::fields_iterator fields_t::fields_begin() const { + return util::map_keys_iterator(begin(),end()); + } + fields_t::fields_iterator fields_t::fields_end() const { + return util::map_keys_iterator(end(),end()); + } + + void fields_t::reset_fields() { + clear(); + } + void fields_t::set_field(const string& n,const string& v) { + (*this)[n]=v; + } + void fields_t::reset_field(const string& n) { + erase(n); + } } diff --git a/lib/oauth-consumer.cc b/lib/oauth-consumer.cc new file mode 100644 index 0000000..d717ed3 --- a/dev/null +++ b/lib/oauth-consumer.cc @@ -0,0 +1,240 @@ +#include +#include +#include +#include +#include +#include +#include +#include + +#include "config.h" +#ifdef HAVE_LIBUUID +# include +#endif + +namespace opkele { + namespace oauth { + + const service_endpoint_t& + simple_provider_endpoints::get_request_token_endpoint() const { + return sep_request_token; } + const service_endpoint_t& + simple_provider_endpoints::get_authorize_user_endpoint() const { + return sep_authorize_user; } + const service_endpoint_t& + simple_provider_endpoints::get_access_token_endpoint() const { + return sep_access_token; } + service_endpoint_t& + simple_provider_endpoints::get_url_endpoint(service_endpoint_t& sep, + const string& url) const { + sep = sep_generic; + sep.url = url; + return sep; } + + token_t basic_consumer::get_request_token() { + return acquire_token(get_endpoints().get_request_token_endpoint()); + } + + const string basic_consumer::get_authorize_url(const token_t& rt,const string& callback) { + fields_t f; + f.set_field("oauth_token",rt.key); + if(!callback.empty()) + f.set_field("oauth_callback",callback); + return f.append_query( + get_endpoints().get_authorize_user_endpoint().url ); + } + + token_t basic_consumer::get_access_token(const token_t& rt) { + return acquire_token(get_endpoints().get_access_token_endpoint(),&rt); + } + + const string basic_consumer::signature( + const string& method, const string& url, + const basic_fields& fields, + const token_t* at) { + if(fields.get_field("oauth_signature_method")!="HMAC-SHA1") + throw opkele::not_implemented(OPKELE_CP_ + "only HMAC-SHA1 signature is implemented"); + string key = util::url_encode(consumer_token.secret); + key += '&'; + if(at) + key += util::url_encode(at->secret); + /* TODO: do not build the whole subject */ + string subject = method; + subject += '&'; + string u = util::rfc_3986_normalize_uri(url); + string::size_type uco = u.find_first_of("#?"); + if(uco!=string::npos) u.erase(uco); + subject += util::url_encode(u); + subject += '&'; + subject += util::url_encode( fields.query_string() ); + unsigned char md[SHA_DIGEST_LENGTH]; + unsigned int md_len = 0; + HMAC( EVP_sha1(), + key.c_str(),key.size(), + (const unsigned char *)subject.c_str(),subject.size(), + md,&md_len ); + assert(md_len==sizeof(md)); + return util::encode_base64(md,md_len); + } + + static void noquerize_url(string& url,const string& sepurl,basic_fields& f) { + string::size_type q = sepurl.find('?'), + p = sepurl.find('#'); + if(q==string::npos) { + url = sepurl.substr(0,p); + }else{ + fields_t tmp; + tmp.from_query(sepurl.substr( + q+1, + (p==string::npos)?string::npos:(p-q-q))); + tmp.append_to(f); + url = sepurl.substr(0,(p==string::npos)?q:min(p,q)); + } + } + + token_t basic_consumer::acquire_token( + const service_endpoint_t& sep, + const token_t* rt) { + util::curl_pick_t curl = util::curl_t::easy_init(); + CURLcode r; + (r=curl.misc_sets()) + || (r=curl.set_write()); + if(r) + throw exception_curl(OPKELE_CP_ "failed to set basic curly options",r); + http_request_t hr( + (sep.oauth_method==oauth_post_body)?"POST":"GET", + ""); + fields_t uq; + noquerize_url(hr.url,sep.url,uq); + prepare_request(hr,uq,fields_t(),sep,rt); + switch(sep.oauth_method) { + case oauth_auth_header: + throw opkele::not_implemented(OPKELE_CP_ + "auth header for token acquisition isn't (yet?) supported"); + break; + case oauth_post_body: + (r=curl.easy_setopt(CURLOPT_POST,1)) + || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,hr.body.c_str())) + || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,hr.body.size())); + break; + case oauth_url_query: + break; + default: + throw opkele::exception(OPKELE_CP_ /* TODO: specialize */ + "invalid oauth_method for request_token endpoint"); + }; + if(r) + throw exception_curl(OPKELE_CP_ "failed to set curly options",r); + if( (r=curl.easy_setopt(CURLOPT_URL,hr.url.c_str())) ) + throw exception_curl(OPKELE_CP_ "failed to set curly urlie",r); + if( (r=curl.easy_perform()) ) + throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); + token_t rv; + string::size_type p=0; + while(p!=string::npos) { + string::size_type np = curl.response.find('&',p); + string part; + if(np==string::npos) { + part.assign(curl.response.c_str()+p); p = string::npos; + }else{ + part.assign(curl.response,p,np-p); p = np+1; + } + string::size_type eq = part.find('='); + if(eq==string::npos) continue; + string n(part,0,eq); + if(n=="oauth_token") { + if(!rv.key.empty()) /* TODO: specialize */ + throw opkele::exception(OPKELE_CP_ "found oauth_token twice"); + rv.key = util::url_decode(part.substr(eq+1)); + }else if(n=="oauth_token_secret") { + if(!rv.secret.empty()) /* TODO: specialize */ + throw opkele::exception(OPKELE_CP_ "found oauth_secret twice"); + rv.secret = util::url_decode(part.substr(eq+1)); + } + } + return rv; + } + + void basic_consumer::prepare_request( + http_request_t& req, + const basic_fields& qf,const basic_fields& pf, + oauth_method_t om,const string& sm, + const token_t *t,const string& realm) { + fields_t op; + op.set_field("oauth_consumer_key",consumer_token.key); + if(t) op.set_field("oauth_token",t->key); + op.set_field("oauth_signature_method",sm); + time_t now; + op.set_field("oauth_timestamp", + util::long_to_string(time(&now))); + op.set_field("oauth_nonce",allocate_nonce(now)); + op.set_field("oauth_version","1.0"); + /* TODO: normalize and strip down url */ + { + fields_t af; /* TODO: optimize, I don't want it to be copied */ + qf.copy_to(af); pf.append_to(af); op.append_to(af); + op.set_field("oauth_signature", signature( + req.method,req.url,af,t) ); + } + req.authorize_header.clear(); + if(om==oauth_auth_header) { + req.authorize_header = "OAuth "; + req.authorize_header += "realm=\""; + req.authorize_header += util::url_encode(realm); + req.authorize_header += '\"'; + for(basic_fields::fields_iterator + i=op.fields_begin(),ie=op.fields_end(); + i!=ie;++i) { + req.authorize_header += ", "; + req.authorize_header += *i; + req.authorize_header += "=\""; + req.authorize_header += util::url_encode(op.get_field(*i)); + req.authorize_header += "\""; + } + req.url = qf.append_query(req.url); + req.body = pf.query_string(); + }else if(om==oauth_post_body) { + assert(req.method=="POST"); + /* TODO: optimize, don't copy it over and over */ + fields_t p; + pf.append_to(p); op.append_to(p); + req.url = qf.append_query(req.url); + req.body = p.query_string(); + }else if(om==oauth_url_query) { + fields_t q; + qf.append_to(q); op.append_to(q); + req.url = q.append_query(req.url); + req.body = pf.query_string(); + }else + throw opkele::exception(OPKELE_CP_ /* TODO: specialize */ + "Unknown oauth method"); + } + + void basic_consumer::prepare_request( + http_request_t& req, + const basic_fields& qf,const basic_fields& pf, + const service_endpoint_t& sep, + const token_t *t,const string& realm) { + prepare_request( + req, qf, pf, + sep.oauth_method,sep.signature_method, + t,realm); + } + + + const basic_provider_endpoints& simple_consumer::get_endpoints() const { + return peps; } + + const string simple_consumer::allocate_nonce(time_t ts) { +# ifndef HAVE_LIBUUID + throw opkele::not_implemented(OPKELE_CP_ + "not implemented consumer's allocate_nonce()"); +# else /* HAVE_LIBUUID */ + uuid_t uuid; uuid_generate(uuid); + return util::encode_base64(uuid,sizeof(uuid)); +# endif /* HAVE_LIBUUID */ + } + + } +} diff --git a/test/.gitignore b/test/.gitignore index 3d88495..7b234bd 100644 --- a/test/.gitignore +++ b/test/.gitignore @@ -7,3 +7,4 @@ /RP-db.cc /OP.cgi /OP-db.cc +/test-oauth-consumer diff --git a/test/Makefile.am b/test/Makefile.am index 8fedf48..f0c0ea8 100644 --- a/test/Makefile.am +++ b/test/Makefile.am @@ -1,4 +1,4 @@ -noinst_PROGRAMS = test idiscover RP.cgi OP.cgi +noinst_PROGRAMS = test idiscover RP.cgi OP.cgi test-oauth-consumer AM_CPPFLAGS=${CPPFLAGS_DEBUG} DEFAULT_INCLUDES = -I${top_builddir} @@ -14,15 +14,18 @@ EXTRA_DIST= \ idiscover_SOURCES = idiscover.cc idiscover_LDADD = ${top_builddir}/lib/libopkele.la +test_oauth_consumer_SOURCES = test-oauth-consumer.cc +test_oauth_consumer_LDADD = ${top_builddir}/lib/libopkele.la + if HAVE_SQLITE3 -if HAVE_KINGATE -if HAVE_UUID +if HAVE_UUID +if HAVE_KINGATE RP_cgi_SOURCES = RP.cc nodist_RP_cgi_SOURCES = RP-db.cc RP_cgi_LDADD = ${top_builddir}/lib/libopkele.la \ - ${SQLITE3_LIBS} ${KINGATE_LIBS} ${UUID_LIBS} -RP_cgi_CFLAGS = ${SQLITE3_CFLAGS} ${KINGATE_CFLAGS} ${UUID_CFLAGS} + ${SQLITE3_LIBS} ${KINGATE_LIBS} +RP_cgi_CFLAGS = ${SQLITE3_CFLAGS} ${KINGATE_CFLAGS} RP-db.cc: RP-db.sql ( \ @@ -46,6 +49,6 @@ OP-db.cc: OP-db.sql clean-local: rm -f RP-db.cc OP-db.cc -endif #HAVE_UUID -endif #HAVE_KINGATE +endif #HAVE_KINGATE +endif #HAVE_UUID endif #HAVE_SQLITE3 diff --git a/test/test-oauth-consumer.cc b/test/test-oauth-consumer.cc new file mode 100644 index 0000000..3b3ca70 --- a/dev/null +++ b/test/test-oauth-consumer.cc @@ -0,0 +1,83 @@ +#include +#include +#include +using namespace std; +#include +#include +#include +#include +#include +#include +#include +#include +#include + +ostream& operator<<(ostream& o,const opkele::oauth::token_t& t) { + o << "{ key: \"" << t.key << "\", secret: \"" << t.secret <<"\" }"; + return o; +} + +int main(int,char**) { + try { + opkele::oauth::simple_consumer sc( + opkele::oauth::simple_provider_endpoints( + "http://term.ie/oauth/example/request_token.php", + "http://term.ie/oauth/example/user_authorization.php", + "http://term.ie/oauth/example/access_token.php", + "HMAC-SHA1", opkele::oauth::oauth_post_body, + opkele::oauth::oauth_auth_header), + opkele::oauth::token_t( "key","secret" ) ); + opkele::oauth::token_t rt = sc.get_request_token(); + cout << "Request token: " << rt << endl; + cout << "Authorize URL: " << sc.get_authorize_url(rt) << endl; + opkele::oauth::token_t at = sc.get_access_token(rt); + cout << "Access token: " << at << endl; + + opkele::fields_t test; + test.set_field("foo","bar"); + opkele::util::curl_pick_t curl = opkele::util::curl_t::easy_init(); + opkele::oauth::http_request_t hr("POST", + "http://term.ie/oauth/example/echo_api.php"); + sc.prepare_request(hr, + opkele::fields_t(),test, + opkele::oauth::oauth_auth_header,"HMAC-SHA1", + &at,"realm"); + DOUT_("url: " << hr.url << endl + << "body: " << hr.body << endl + << "header: " << hr.authorize_header); + opkele::util::curl_slist_t rh; + rh.append("Authorization: "+hr.authorize_header); + CURLcode r; + (r=curl.misc_sets()) + || (r=curl.set_write()) + || (r=curl.easy_setopt(CURLOPT_HTTPHEADER,rh) ) + || (r=curl.easy_setopt(CURLOPT_URL,hr.url.c_str())) + || (r=curl.easy_setopt(CURLOPT_POST,1)) + || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,hr.body.c_str())) + || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,hr.body.size())); + if(r) + throw opkele::exception_curl(OPKELE_CP_ "failed to set curly options",r); + if( (r=curl.easy_perform()) ) + throw opkele::exception_curl(OPKELE_CP_ "failed to perform curly request",r); + DOUT_("Response: " << endl << curl.response); + +#ifdef OPKELE_HAVE_KONFORKA + }catch(konforka::exception& e) { + cerr + << "oops, caught " << opkele::util::abi_demangle(typeid(e).name()) << endl + << " what: " << e.what() << endl + << " where: " << e.where() << endl; + if(!e._seen.empty()) { + cerr << " seen:" << endl; + for(list::const_iterator + i=e._seen.begin();i!=e._seen.end();++i) { + cerr << " " << i->c_str() << endl; + } + } +#endif + }catch(std::exception& e){ + cerr + << "oops, caught " << opkele::util::abi_demangle(typeid(e).name()) << endl + << " what: " << e.what() << endl; + } +} -- cgit v0.9.0.2