// helper extension method to sign each JSON request with OAuth
public static void SetAccessToken(this JsonServiceClient client, IToken access_token)
{
// we use a request filter to add the required OAuth header
client.LocalHttpWebRequestFilter += webservice_request => {
OAuthConsumerContext consumer_context = new OAuthConsumerContext ();
consumer_context.SignatureMethod = "HMAC-SHA1";
consumer_context.ConsumerKey = access_token.ConsumerKey;
consumer_context.ConsumerSecret = "anyone";
consumer_context.UseHeaderForOAuthParameters = true;
// the OAuth process creates a signature, which uses several data from
// the web request like method, hostname, headers etc.
OAuthContext request_context = new OAuthContext ();
request_context.Headers = webservice_request.Headers;
request_context.RequestMethod = webservice_request.Method;
request_context.RawUri = webservice_request.RequestUri;
// now create the signature for that context
consumer_context.SignContextWithToken (request_context, access_token);
// BUG TODO the oauth_token is not included when generating the header,
// this is a bug ing DevDefined.OAuth. We add it manually as a workaround
request_context.AuthorizationHeaderParameters.Add ("oauth_token", access_token.Token);
string oauth_header = request_context.GenerateOAuthParametersForHeader ();
webservice_request.Headers.Add ("Authorization", oauth_header);
};
}
public IOAuthContext FromHttpRequest(HttpRequestBase request)
{
var context = new OAuthContext
{
RawUri = CleanUri(request.Url),
Cookies = CollectCookies(request),
Headers = GetCleanedNameValueCollection(request.Headers),
RequestMethod = request.HttpMethod,
FormEncodedParameters = GetCleanedNameValueCollection(request.Form),
QueryParameters = GetCleanedNameValueCollection(request.QueryString),
};
if (request.InputStream.Length > 0)
{
context.RawContent = new byte[request.InputStream.Length];
request.InputStream.Read(context.RawContent, 0, context.RawContent.Length);
request.InputStream.Position = 0;
}
if (request.Headers.AllKeys.Contains("Authorization"))
{
context.AuthorizationHeaderParameters = UriUtility.GetHeaderParameters(request.Headers["Authorization"]).ToNameValueCollection();
context.UseAuthorizationHeader = true;
}
return context;
}
public void AuthenticationPasses()
{
var context = new OAuthContext { XAuthMode = "client_auth", XAuthUsername = "******", XAuthPassword = "******" };
var inspector = new XAuthValidationInspector(ValidateXAuthMode, this.AuthenticateXAuthUsernameAndPassword);
Assert.DoesNotThrow(() => inspector.InspectContext(ProviderPhase.CreateAccessToken, context));
}
public void it_can_parse_valid_IfModifiedSince_date()
{
var consumerRequest = NewConsumerRequest();
var headers = new NameValueCollection { { "If-Modified-Since", "2012-04-01 23:45:00" } };
var oauthContext = new OAuthContext { Headers = headers };
Assert.AreEqual(new DateTime(2012, 04, 01, 23, 45, 0), consumerRequest.ParseIfModifiedSince(oauthContext));
}
public void it_can_parse_null_IfModifiedSince_date()
{
var consumerRequest = NewConsumerRequest();
var headers = new NameValueCollection { { "If-Modified-Since", null } };
var oauthContext = new OAuthContext { Headers = headers };
Assert.AreEqual(null, consumerRequest.ParseIfModifiedSince(oauthContext));
}
public void it_can_parse_unset_IfModifiedSince_date()
{
ConsumerRequest consumerRequest = new ConsumerRequest(null, null, null, null);
NameValueCollection headers = new NameValueCollection();
OAuthContext oauthContext = new OAuthContext {Headers = headers};
Assert.AreEqual(null, consumerRequest.ParseIfModifiedSince(oauthContext));
}
public void InvalidModeThrows()
{
var context = new OAuthContext { XAuthMode = "test_mode" };
var inspector = new XAuthValidationInspector(ValidateXAuthMode, this.AuthenticateXAuthUsernameAndPassword);
var ex = Assert.Throws<OAuthException>(() => inspector.InspectContext(ProviderPhase.CreateAccessToken, context));
Assert.Equal("The x_auth_mode parameter is invalid", ex.Message);
}
public void EmptyPasswordThrows()
{
var context = new OAuthContext { XAuthMode = "client_auth", XAuthUsername = "******" };
var inspector = new XAuthValidationInspector(ValidateXAuthMode, this.AuthenticateXAuthUsernameAndPassword);
var ex = Assert.Throws<OAuthException>(() => inspector.InspectContext(ProviderPhase.CreateAccessToken, context));
Assert.Equal("The x_auth_password parameter must be present", ex.Message);
}
public void AuthenticationFailureThrows()
{
var context = new OAuthContext { XAuthMode = "client_auth", XAuthUsername = "******", XAuthPassword = "******" };
var inspector = new XAuthValidationInspector(ValidateXAuthMode, this.AuthenticateXAuthUsernameAndPassword);
var ex = Assert.Throws<OAuthException>(() => inspector.InspectContext(ProviderPhase.CreateAccessToken, context));
Assert.Equal("Authentication failed with the specified username and password", ex.Message);
}
public void inspect_body_for_plainttext_signature_does_nothing()
{
var context = new OAuthContext
{
UseAuthorizationHeader = true,
BodyHash = "wrong",
SignatureMethod = SignatureMethod.PlainText
};
Assert.DoesNotThrow(() => inspector.InspectContext(ProviderPhase.AccessProtectedResourceRequest, context));
}
public void inspect_body_for_hmac_sha1_signature_does_not_throw_when_hash_matches()
{
var context = new OAuthContext
{
UseAuthorizationHeader = true,
BodyHash = EmptyBodyHash,
SignatureMethod = SignatureMethod.HmacSha1
};
Assert.DoesNotThrow(() => inspector.InspectContext(ProviderPhase.AccessProtectedResourceRequest, context));
}
public void WithAfterRange()
{
var inspector = new TimestampRangeInspector(new TimeSpan(0, 0, 0), new TimeSpan(1, 0, 0),
() => new DateTime(2008, 1, 1, 12, 0, 0));
var context = new OAuthContext
{
Timestamp = new DateTime(2008, 1, 1, 13, 0, 0).Epoch().ToString()
};
inspector.InspectContext(ProviderPhase.GrantRequestToken, context);
}
public void InspectContextForUniqueNoncePasses()
{
var nonceStore = MockRepository.GenerateStub<INonceStore>();
var context = new OAuthContext {Nonce = "2"};
nonceStore.Stub(stub=>stub.RecordNonceAndCheckIsUnique(context, "2")).Return(true);
var inspector = new NonceStoreInspector(nonceStore);
Assert.DoesNotThrow(() => inspector.InspectContext(ProviderPhase.GrantRequestToken, context));
}
public void inspect_body_for_hmac_sha1_signature_throws_when_hash_does_not_match()
{
var context = new OAuthContext
{
UseAuthorizationHeader = true,
BodyHash = "wrong",
SignatureMethod = SignatureMethod.HmacSha1
};
var ex = Assert.Throws<OAuthException>(() => inspector.InspectContext(ProviderPhase.AccessProtectedResourceRequest, context));
Assert.Equal("Failed to validate body hash", ex.Message);
}
public void InValidConsumerThrows()
{
var consumerStore = MockRepository.GenerateStub<IConsumerStore>();
var context = new OAuthContext {ConsumerKey = "key"};
consumerStore.Stub(stub => stub.IsConsumer(context)).Return(false);
var inspector = new OAuth.Provider.Inspectors.ConsumerValidationInspector(consumerStore);
var ex = Assert.Throws<OAuthException>(() => inspector.InspectContext(ProviderPhase.GrantRequestToken, context));
Assert.Equal("Unknown Consumer (Realm: , Key: key)", ex.Message);
}
public void OutsideBeforeRange()
{
var inspector = new TimestampRangeInspector(new TimeSpan(1, 0, 0), new TimeSpan(0, 0, 0),
() => new DateTime(2008, 1, 1, 12, 0, 0));
var context = new OAuthContext
{
Timestamp = new DateTime(2008, 1, 1, 10, 59, 59).Epoch().ToString()
};
var ex = Assert.Throws<OAuthException>(() => inspector.InspectContext(ProviderPhase.GrantRequestToken, context));
Assert.Equal("The timestamp is to old, it must be at most 3600 seconds before the servers current date and time", ex.Message);
}
public void InspectContextForRepeatedNonceThrows()
{
var nonceStore = MockRepository.GenerateStub<INonceStore>();
var context = new OAuthContext {Nonce = "1"};
nonceStore.Stub(stub => stub.RecordNonceAndCheckIsUnique(context, "1")).Return(false);
var inspector = new NonceStoreInspector(nonceStore);
var ex = Assert.Throws<OAuthException>(() => inspector.InspectContext(ProviderPhase.GrantRequestToken, context));
Assert.Equal("The nonce value \"1\" has already been used", ex.Message);
}
public void to_consumer_response_with_current_date_string_should_pass_validation()
{
const string recentDateString = "2012-04-01T00:00:00";
var oAuthContext = new OAuthContext
{
RequestMethod = "GET",
RawUri = new Uri("http://any.uri/"),
Headers = new WebHeaderCollection { { "If-Modified-Since", recentDateString } }
};
var consumerRequest = NewConsumerRequest(oAuthContext);
Assert.DoesNotThrow(() => consumerRequest.ToWebRequest());
}
public void InspectContextForUniqueNoncePasses()
{
var repository = new MockRepository();
var nonceStore = repository.StrictMock<INonceStore>();
var context = new OAuthContext {Nonce = "2"};
using (repository.Record())
{
Expect.Call(nonceStore.RecordNonceAndCheckIsUnique(context, "2")).Return(true);
}
using (repository.Playback())
{
var inspector = new NonceStoreInspector(nonceStore);
inspector.InspectContext(ProviderPhase.GrantRequestToken, context);
}
}
public void ValidConsumerPassesThrough()
{
var repository = new MockRepository();
var consumerStore = repository.StrictMock<IConsumerStore>();
var context = new OAuthContext {ConsumerKey = "key"};
using (repository.Record())
{
Expect.Call(consumerStore.IsConsumer(context)).Return(true);
}
using (repository.Playback())
{
var inspector = new OAuth.Provider.Inspectors.ConsumerValidationInspector(consumerStore);
inspector.InspectContext(ProviderPhase.GrantRequestToken, context);
}
}
public void to_consumer_response_with_really_old_date_string_should_fail_validation()
{
const string reallyOldDateString = "1000-01-01T00:00:00";
var oAuthContext = new OAuthContext
{
RequestMethod = "GET",
RawUri = new Uri("http://any.uri/"),
Headers = new WebHeaderCollection { { "If-Modified-Since", reallyOldDateString } }
};
var consumerRequest = NewConsumerRequest(oAuthContext);
var ex = Assert.Throws<ArgumentOutOfRangeException>(() => consumerRequest.ToWebRequest());
const string expectedMessage = "Supplied value of If-Modified-Since header is too small";
Assert.IsTrue(ex.Message.Contains(expectedMessage), string.Format("Exception message <{0}> is not as expected <{1}>", ex.Message, expectedMessage));
}
public void TestSignRequestToken()
{
var cert = new X509Certificate2("XeroApiNet-Sample.pfx", "password");
var consumerContext = new OAuthConsumerContext
{
// Partner and Private apps use RSA-SHA1 signing method
SignatureMethod = SignatureMethod.RsaSha1,
UseHeaderForOAuthParameters = true,
// Urls
RequestTokenUri = null,
UserAuthorizeUri = null,
AccessTokenUri = XeroApiEndpoints.PublicAccessTokenUri,
BaseEndpointUri = XeroApiEndpoints.PublicBaseEndpointUri,
Key = cert.PrivateKey,
ConsumerKey = ConsumerKey,
ConsumerSecret = string.Empty,
UserAgent = UserAgent,
};
var oauthContext = new OAuthContext
{
RequestMethod = "POST",
RawUri = new Uri("https://photos.example.net/request_token"),
ConsumerKey = "dpf43f3p2l4k3l03",
SignatureMethod = SignatureMethod.RsaSha1,
Timestamp = "1191242090",
Nonce = "hsu94j3884jdopsl",
Version = "1.0"
};
var signatureBase = oauthContext.GenerateSignatureBase();
consumerContext.Signer.SignContext(oauthContext,
new SigningContext
{
Algorithm = consumerContext.Key,
ConsumerSecret = null,
SignatureBase = signatureBase
});
Assert.That(oauthContext.Signature, Is.EqualTo("aIIAFPjD0uavubFeL/Hz4LSV6NsvAbrvfnPF6OcgGfhML5ezO0+E+tofLgp1SHbLyNFM7D1p/SJN1J4MY7T3HzvM8HX+3u5Q+Ui+en0/ewHZ+3ar6BA7r3zOYqDn8rfCGSnweia3fFYmjkeS8NvKShnewUu0jUFbnG4RXw8BiEk="));
}
public void PlainTextSignatureMethodDoesNotFetchCertificate()
{
var repository = new MockRepository();
var consumerStore = repository.DynamicMock<IConsumerStore>();
var signer = repository.StrictMock<IOAuthContextSigner>();
var context = new OAuthContext {ConsumerKey = "key", SignatureMethod = SignatureMethod.PlainText};
using (repository.Record())
{
Expect.Call(signer.ValidateSignature(null, null)).IgnoreArguments().Return(true);
}
using (repository.Playback())
{
var inspector = new SignatureValidationInspector(consumerStore, signer);
inspector.InspectContext(ProviderPhase.GrantRequestToken, context);
}
}
public void generate_signature_when_token_is_url_encoded()
{
var context = new OAuthContext
{
RequestMethod = "GET",
RawUri = new Uri("https://www.google.com/m8/feeds/contacts/default/base"),
Token = "1/2",
ConsumerKey = "context",
SignatureMethod = SignatureMethod.RsaSha1
};
Assert.Equal(
"GET&https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds%2Fcontacts%2Fdefault%2Fbase&oauth_consumer_key%3Dcontext%26oauth_signature_method%3DRSA-SHA1%26oauth_token%3D1%252F2",
context.GenerateSignatureBase());
Assert.Equal(
"https://www.google.com/m8/feeds/contacts/default/base?oauth_token=1%2F2&oauth_consumer_key=context&oauth_signature_method=RSA-SHA1",
context.GenerateUrl());
}
public void InvalidSignatureThrows()
{
var repository = new MockRepository();
var consumerStore = repository.DynamicMock<IConsumerStore>();
var signer = repository.StrictMock<IOAuthContextSigner>();
var context = new OAuthContext {ConsumerKey = "key", SignatureMethod = SignatureMethod.PlainText};
using (repository.Record())
{
Expect.Call(signer.ValidateSignature(null, null)).IgnoreArguments().Return(false);
}
using (repository.Playback())
{
var inspector = new SignatureValidationInspector(consumerStore, signer);
var ex = Assert.Throws<OAuthException>(() => inspector.InspectContext(ProviderPhase.GrantRequestToken, context));
Assert.Equal("Failed to validate signature", ex.Message);
}
}
public IOAuthContext FromHttpRequest(HttpRequestBase request)
{
var context = new OAuthContext
{
RawUri = CleanUri(request.Url),
Cookies = CollectCookies(request),
Headers = new NameValueCollection(request.Headers),
RequestMethod = request.HttpMethod,
FormEncodedParameters = new NameValueCollection(request.Form),
QueryParameters = new NameValueCollection(request.QueryString),
};
if (request.Headers.AllKeys.Contains("Authorization"))
{
context.AuthorizationHeaderParameters = UriUtility.GetHeaderParameters(request.Headers["Authorization"]).ToNameValueCollection();
context.UseAuthorizationHeader = true;
}
return context;
}
public IOAuthContext FromMessage(Message request)
{
var requestProperty = (HttpRequestMessageProperty)request.Properties[HttpRequestMessageProperty.Name];
var context = new OAuthContext
{
RawUri = CleanUri(request.Headers.To),
Headers = new NameValueCollection(requestProperty.Headers),
RequestMethod = requestProperty.Method,
QueryParameters = HttpUtility.ParseQueryString(requestProperty.QueryString),
};
string authHeader = requestProperty.Headers["Authorization"];
if (!string.IsNullOrEmpty(authHeader))
{
context.AuthorizationHeaderParameters = UriUtility.GetHeaderParameters(authHeader).ToNameValueCollection();
context.UseAuthorizationHeader = true;
}
return context;
}
public IOAuthContext FromHttpRequest(HttpRequestBase request)
{
var context = new OAuthContext
{
RawUri = CleanUri(request.Url),
Cookies = CollectCookies(request),
Headers = GetCleanedNameValueCollection(request.Headers),
RequestMethod = request.HttpMethod,
FormEncodedParameters = GetCleanedNameValueCollection(request.Form),
QueryParameters = GetCleanedNameValueCollection(request.QueryString),
};
if (request.InputStream.Length > 0)
{
context.RawContent = new byte[request.InputStream.Length];
request.InputStream.Read(context.RawContent, 0, context.RawContent.Length);
request.InputStream.Position = 0;
}
ParseAuthorizationHeader(request.Headers, context);
return context;
}
public void generate_signature_with_hello_world_body()
{
// generate a signature base, as per the oauth body hash spec example
// http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html
var context = new OAuthContext
{
RequestMethod = "POST",
RawUri = new Uri("http://www.example.com/resource"),
RawContentType = "text/plain",
RawContent = Encoding.UTF8.GetBytes("Hello World!"),
ConsumerKey = "consumer",
SignatureMethod = "HMAC-SHA1",
Timestamp = "1236874236",
Version = "1.0",
IncludeOAuthRequestBodyHashInSignature = true,
Nonce = "10369470270925",
Token = "token"
};
Assert.Equal(
"POST&http%3A%2F%2Fwww.example.com%2Fresource&oauth_body_hash%3DLve95gjOVATpfV8EL5X4nxwjKHE%253D%26oauth_consumer_key%3Dconsumer%26oauth_nonce%3D10369470270925%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1236874236%26oauth_token%3Dtoken%26oauth_version%3D1.0",
context.GenerateSignatureBase());
}
public IConsumerRequest Request(IToken accessToken)
{
var context = new OAuthContext
{
UseAuthorizationHeader = ConsumerContext.UseHeaderForOAuthParameters
};
context.Cookies.Add(_cookies);
context.FormEncodedParameters.Add(_formParameters);
context.Headers.Add(_headers);
context.QueryParameters.Add(_queryParameters);
IConsumerRequest consumerRequest = _consumerRequestFactory.CreateConsumerRequest(context, ConsumerContext, accessToken);
consumerRequest.ProxyServerUri = ProxyServerUri;
consumerRequest.ResponseBodyAction = ResponseBodyAction;
return consumerRequest;
}
/// <summary>
/// Initializes a new instance of the <see cref="BoundParameter"/> class.
/// </summary>
/// <param name="name">The name.</param>
/// <param name="context">The context.</param>
public BoundParameter(string name, OAuthContext context)
{
_name = name;
_context = context;
}
