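/*
 * Start with an HttpRequest.
 * Throw if there are any attacks in the query.
 * Throw if there are any attacks in the post body.
 * Build up OAuth parameter list
 * Sign it.
 * Add OAuth parameters to new request
 * Send it.
 */
/**
 * Builds the OAuth parameter set for a request, signs it, and returns a new
 * request that carries the OAuth parameters.
 *
 * The query string and (when form-encoded) the post body are run through
 * sanitize() before they become part of the signed parameter set.
 *
 * @param basereq the request to sign; it is not modified
 * @param parameters extra OAuth parameters to include, may be null. The list is
 *        appended to in place, so callers should not reuse it afterwards.
 * @return a new request with the OAuth parameters attached and redirects disabled
 */
public sRequest sanitizeAndSign(sRequest basereq, List<OAuth.Parameter> parameters) {
    if (parameters == null) {
        parameters = new List<OAuth.Parameter>();
    }

    // The query is signed as individual parameters, not as part of the URL,
    // so strip it from the target and decode it into the parameter list.
    UriBuilder target = new UriBuilder(basereq.getUri());
    String query = target.getQuery();
    target.setQuery(null);
    parameters.AddRange(sanitize(OAuth.decodeForm(query)));
    if (OAuth.isFormEncoded(basereq.ContentType)) {
        parameters.AddRange(sanitize(OAuth.decodeForm(basereq.getPostBodyAsString())));
    }
    addIdentityParams(parameters);
    addSignatureParams(parameters);

    OAuthMessage signed;
    try {
        signed = accessorInfo.getAccessor().newRequestMessage(
            basereq.getMethod(), target.ToString(), parameters);
    } catch (Exception e) {
        // Only the signing step is reported as UNKNOWN_PROBLEM. createHttpRequest
        // raises its own, more specific OAuthError codes (e.g. INVALID_REQUEST) and is
        // deliberately kept outside this catch so they are not masked.
        throw responseParams.oauthRequestException(OAuthError.UNKNOWN_PROBLEM,
            "Error signing message", e);
    }

    sRequest oauthHttpRequest = createHttpRequest(basereq, selectOAuthParams(signed));
    // Following 302s on OAuth responses is unlikely to be productive.
    oauthHttpRequest.FollowRedirects = false;
    return oauthHttpRequest;
}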
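/**
 * Rewrites the response content in place.
 *
 * The rewritten output is buffered in memory and, when the inner rewrite
 * reports that it changed something, written back into {@code content}.
 *
 * @param request the request that produced the response; its RewriteMimeType,
 *        when set, overrides the response's Content-Type header
 * @param original the original response, used only for its Content-Type header
 * @param content the content to rewrite; updated in place on success
 * @return a cacheable-indefinitely result when a rewrite happened, otherwise null
 */
public virtual RewriterResults rewrite(sRequest request, sResponse original, MutableContent content) {
    // Pre-size the buffer at 110% of the input. Compute in long and clamp so a
    // large body cannot overflow the int multiplication into a negative capacity.
    long estimated = ((long)content.getContent().Length * 110L) / 100L;
    int capacity = (int)Math.Min(estimated, (long)int.MaxValue);
    ByteArrayOutputStream baos = new ByteArrayOutputStream(capacity);
    OutputStreamWriter output = new OutputStreamWriter(baos);

    // The response's declared type is the default; a request-level override wins.
    String mimeType = original.getHeader("Content-Type");
    if (request.RewriteMimeType != null) {
        mimeType = request.RewriteMimeType;
    }

    GadgetSpec spec = null;
    if (request.Gadget != null) {
        spec = _specFactory.getGadgetSpec(request.Gadget.toJavaUri(), false);
    }

    if (rewrite(spec, request.getUri(), content, mimeType, output)) {
        // NOTE(review): assumes the inner rewrite flushes `output` before returning, and
        // that Encoding.Default matches the encoding OutputStreamWriter wrote with — confirm.
        content.setContent(Encoding.Default.GetString(baos.toByteArray()));
        return RewriterResults.cacheableIndefinitely();
    }
    return null;
}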
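/**
 * Copies {@code basereq} and attaches the OAuth parameters in the location the
 * accessor asks for: the Authorization header, the form-encoded post body, or
 * the URI query.
 *
 * @param basereq the request to copy; it is not modified
 * @param oauthParams the oauth_* parameters to attach
 * @return a new request carrying the OAuth parameters
 */
private sRequest createHttpRequest(sRequest basereq, List<OAuth.Parameter> oauthParams) {
    AccessorInfo.OAuthParamLocation? paramLocation = accessorInfo.getParamLocation();
    // paramLocation could be overriden by a run-time parameter to fetchRequest
    sRequest result = new sRequest(basereq);

    // If someone specifies that OAuth parameters go in the body, but then sends a request for
    // data using GET, we've got a choice. We can throw some type of error, since a GET request
    // can't have a body, or we can stick the parameters somewhere else, like, say, the header.
    // We opt to put them in the header, since that stands some chance of working with some
    // OAuth service providers.
    // ("POST".Equals(x) rather than x.Equals("POST") so a null method cannot NRE here.)
    if (paramLocation == AccessorInfo.OAuthParamLocation.POST_BODY
            && !"POST".Equals(result.getMethod())) {
        paramLocation = AccessorInfo.OAuthParamLocation.AUTH_HEADER;
    }

    switch (paramLocation) {
        case AccessorInfo.OAuthParamLocation.AUTH_HEADER:
            result.addHeader("Authorization", getAuthorizationHeader(oauthParams));
            break;

        case AccessorInfo.OAuthParamLocation.POST_BODY:
            if (!OAuth.isFormEncoded(result.ContentType)) {
                throw responseParams.oauthRequestException(OAuthError.INVALID_REQUEST,
                    "OAuth param location can only be post_body if post body is of " +
                    "type x-www-form-urlencoded");
            }
            String oauthData = OAuth.formEncode(oauthParams);
            if (result.getPostBodyLength() == 0) {
                result.setPostBody(Encoding.UTF8.GetBytes(oauthData));
            } else {
                result.setPostBody(Encoding.UTF8.GetBytes(
                    result.getPostBodyAsString() + '&' + oauthData));
            }
            break;

        case AccessorInfo.OAuthParamLocation.URI_QUERY:
            result.setUri(Uri.parse(OAuth.addParameters(result.getUri().ToString(), oauthParams)));
            break;

        default:
            // paramLocation is nullable. With no (or an unrecognised) location the request
            // would otherwise be returned with no OAuth parameters attached at all, i.e. sent
            // unsigned; fail loudly instead.
            throw responseParams.oauthRequestException(OAuthError.INVALID_REQUEST,
                "Unsupported OAuth param location: " + paramLocation);
    }
    return result;
}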
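/**
 * Implements section 6.3 of the OAuth spec.
 *
 * Exchanges the accessor's request token for an access token (or, when an access
 * token is already held, renews it via the session extension) and stores the new
 * token, secret, session handle and expiry on the accessor.
 *
 * @throws OAuthProtocolException
 */
private void exchangeRequestToken() {
    if (accessorInfo.getAccessor().accessToken != null) {
        // session extension per
        // http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html
        accessorInfo.getAccessor().requestToken = accessorInfo.getAccessor().accessToken;
        accessorInfo.getAccessor().accessToken = null;
    }
    OAuthAccessor accessor = accessorInfo.getAccessor();
    Uri accessTokenUri = Uri.parse(accessor.consumer.serviceProvider.accessTokenURL);
    sRequest request = new sRequest(accessTokenUri);
    request.setMethod(accessorInfo.getHttpMethod().ToString());
    if (accessorInfo.getHttpMethod() == AccessorInfo.HttpMethod.POST) {
        request.setContentType(OAuth.FORM_ENCODED);
    }

    List<OAuth.Parameter> msgParams = new List<OAuth.Parameter> {
        new OAuth.Parameter(OAuth.OAUTH_TOKEN, accessor.requestToken)
    };
    if (accessorInfo.getSessionHandle() != null) {
        msgParams.Add(new OAuth.Parameter(OAUTH_SESSION_HANDLE, accessorInfo.getSessionHandle()));
    }
    sRequest signed = sanitizeAndSign(request, msgParams);
    OAuthMessage reply = sendOAuthMessage(signed);

    accessor.accessToken = OAuthUtil.getParameter(reply, OAuth.OAUTH_TOKEN);
    accessor.TokenSecret = OAuthUtil.getParameter(reply, OAuth.OAUTH_TOKEN_SECRET);
    accessorInfo.setSessionHandle(OAuthUtil.getParameter(reply, OAUTH_SESSION_HANDLE));
    accessorInfo.setTokenExpireMillis(ACCESS_TOKEN_EXPIRE_UNKNOWN);

    String expiresIn = OAuthUtil.getParameter(reply, OAUTH_EXPIRES_IN);
    if (expiresIn != null) {
        int expireSecs;
        // TryParse rejects out-of-range values too, which int.Parse would have raised as an
        // OverflowException past a FormatException-only handler.
        if (int.TryParse(expiresIn, out expireSecs)) {
            // NOTE(review): the stored value is DateTime ticks (100ns units), not epoch
            // milliseconds, despite the setter's name — confirm it matches how the expiry
            // is compared elsewhere.
            long expireMillis = DateTime.UtcNow.AddSeconds(expireSecs).Ticks;
            accessorInfo.setTokenExpireMillis(expireMillis);
        } else {
            // Hrm. Bogus server. We can safely ignore this, we'll just wait for the server to
            // tell us when the access token has expired.
            responseParams.logDetailedWarning("server returned bogus expiration");
        }
    }

    // Clients may want to retrieve extra information returned with the access token. Several
    // OAuth service providers (e.g. Yahoo, NetFlix) return a user id along with the access
    // token, and the user id is required to use their APIs. Clients signal that they need this
    // extra data by sending a fetch request for the access token URL.
    //
    // We don't return oauth* parameters from the response, because we know how to handle those
    // ourselves and some of them (such as oauthToken_secret) aren't supposed to be sent to the
    // client.
    //
    // Note that this data is not stored server-side. Clients need to cache these user-ids or
    // other data themselves, probably in user prefs, if they expect to need the data in the
    // future.
    if (accessTokenUri.Equals(realRequest.getUri())) {
        accessTokenData = new Dictionary<string, string>();
        foreach (var param in OAuthUtil.getParameters(reply)) {
            // Ordinal comparison: these are protocol names, not user text. The indexer
            // (rather than Add) keeps a repeated key in the reply from throwing
            // ArgumentException; the last value wins.
            if (!param.Key.StartsWith("oauth", StringComparison.Ordinal)) {
                accessTokenData[param.Key] = param.Value;
            }
        }
    }
}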