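/**
 * Checks that {@code message} carries a valid OAuth signature for the
 * application identified by {@code appId}, using the shared secret registered
 * for that application in {@code sampleContainerSharedSecrets}.
 *
 * @param message the signed OAuth message to validate (untrusted input)
 * @param appUrl the application URL; used as the consumer key of the
 *     consumer the signature is validated against
 * @param appId the application id the shared secret is looked up by
 * @return {@code true} only when a secret is registered for {@code appId} and
 *     {@link SimpleOAuthValidator} accepts the message (version, timestamp and
 *     signature); {@code false} for an unknown app or any validation failure.
 *     The caller is deliberately not told which check failed.
 */
private static bool hasValidSignature(OAuthMessage message, String appUrl, String appId)
{
    // No registered secret means there is nothing to verify against.
    // Using TryGetValue rather than the indexer: the original null check could
    // never fire for an unknown app because a Dictionary indexer throws
    // KeyNotFoundException (and ArgumentNullException for a null key).
    // NOTE(review): assumes sampleContainerSharedSecrets is an
    // IDictionary<string, string> — the unchecked assignment to String in the
    // original only compiles for a generic string-valued dictionary.
    String sharedSecret = null;
    if (appId == null
        || !sampleContainerSharedSecrets.TryGetValue(appId, out sharedSecret)
        || sharedSecret == null)
    {
        return false;
    }

    OAuthServiceProvider provider = new OAuthServiceProvider(null, null, null);
    OAuthConsumer consumer = new OAuthConsumer(null, appUrl, sharedSecret, provider);
    OAuthAccessor accessor = new OAuthAccessor(consumer);
    SimpleOAuthValidator validator = new SimpleOAuthValidator();
    try
    {
        validator.validateMessage(message, accessor);
    }
    catch (OAuthException)
    {
        // Version, timestamp or signature rejected by the validator.
        return false;
    }
    catch (IOException)
    {
        return false;
    }
    catch (UriFormatException)
    {
        return false;
    }
    return true;
}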
/**
 * Creates a request message for this accessor and adds the parameters the
 * OAuth protocol requires (via {@code addRequiredParameters(this)}).
 *
 * @param method the HTTP method; when {@code null} it is resolved from this
 *     accessor's {@code httpMethod} property, then the consumer's, and finally
 *     defaults to {@code "GET"}
 * @param url the request URL the message is built for
 * @param parameters the initial request parameters, passed straight to the
 *     {@link OAuthMessage} constructor
 * @return the new message with the required OAuth parameters added
 */
public OAuthMessage newRequestMessage(String method, String url, List<OAuth.Parameter> parameters)
{
    String httpMethod = method;
    if (httpMethod == null)
    {
        // Resolution order: accessor property, consumer property, then GET.
        httpMethod = (String)getProperty("httpMethod");
        if (httpMethod == null)
        {
            httpMethod = (String)consumer.getProperty("httpMethod");
        }
        if (httpMethod == null)
        {
            httpMethod = "GET";
        }
    }
    OAuthMessage request = new OAuthMessage(httpMethod, url, parameters);
    request.addRequiredParameters(this);
    return request;
}
/**
 * Best-effort parameter lookup: reads {@code key} from {@code requestMessage}
 * and maps any failure to {@code null}.
 *
 * @param requestMessage the message to read from
 * @param key the parameter name
 * @return the parameter value, or {@code null} when the lookup threw for any
 *     reason (the bare catch deliberately swallows every exception type, so a
 *     {@code null} here cannot be distinguished from an absent parameter)
 */
private String getParameter(OAuthMessage requestMessage, String key)
{
    String value;
    try
    {
        value = requestMessage.getParameter(key);
    }
    catch
    {
        // Absent-or-unreadable both collapse to null for the caller.
        value = null;
    }
    return value;
}
/**
 * Builds an {@link OAuthMessage} for this accessor and attaches the parameters
 * the protocol requires through {@code addRequiredParameters(this)}.
 *
 * @param method the HTTP method, or {@code null} to use this accessor's
 *     {@code httpMethod} property, else the consumer's, else {@code "GET"}
 * @param url the request URL
 * @param parameters initial parameters handed to the message constructor
 * @return the new message with the required OAuth parameters added
 */
public OAuthMessage newRequestMessage(String method, String url, List<OAuth.Parameter> parameters)
{
    // `??` is right-associative, so this resolves the explicit argument, then
    // the accessor property, then the consumer property, then the default.
    String resolvedMethod = method
        ?? (String)getProperty("httpMethod")
        ?? (String)consumer.getProperty("httpMethod")
        ?? "GET";
    OAuthMessage request = new OAuthMessage(resolvedMethod, url, parameters);
    request.addRequiredParameters(this);
    return request;
}
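/**
 * Rejects a message whose {@code oauth_version} lies outside
 * [{@code minVersion}, {@code maxVersion}]. A message without a version
 * parameter is accepted unchanged.
 *
 * @param message the incoming message; its parameters are untrusted input
 * @throws OAuthProblemException with problem {@code version_rejected} and
 *     parameter {@code oauth_acceptable_versions} set to
 *     "{@code minVersion}-{@code maxVersion}" when the version is out of
 *     range, is not a number, or is NaN
 */
protected void validateVersion(OAuthMessage message)
{
    String versionString = message.getParameter(OAuth.OAUTH_VERSION);
    if (versionString == null)
    {
        return;
    }

    // Parse with the invariant culture: the wire format is "1.0" regardless of
    // the server's locale, and double.Parse would both honour the current
    // culture and throw a bare FormatException on garbage — which callers that
    // only catch OAuthException would not see as a rejected request.
    double version;
    bool parsed = double.TryParse(
        versionString,
        System.Globalization.NumberStyles.Float,
        System.Globalization.CultureInfo.InvariantCulture,
        out version);

    // NaN compares false against both bounds, so it must be rejected
    // explicitly or "NaN" would slip through the range check.
    if (!parsed || double.IsNaN(version) || version < minVersion || maxVersion < version)
    {
        OAuthProblemException problem = new OAuthProblemException("version_rejected");
        problem.setParameter("oauth_acceptable_versions", minVersion + "-" + maxVersion);
        throw problem;
    }
}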
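/**
 * Requires {@code oauth_timestamp} and {@code oauth_nonce} and checks that the
 * timestamp lies within {@code timestampWindow} seconds of the current UTC
 * time.
 *
 * This implementation doesn't check the nonce value, so a captured request can
 * be replayed for as long as its timestamp stays inside the window; a validator
 * used in production should persist the (consumer, timestamp, nonce) tuples it
 * has seen and reject repeats.
 *
 * @param message the incoming message; its parameters are untrusted input
 * @throws OAuthProblemException whatever {@code requireParameters} raises when
 *     either parameter is missing; otherwise problem {@code timestamp_refused}
 *     with {@code oauth_acceptable_timestamps} set to "min-max" in seconds
 *     since the Unix epoch (the unit {@code oauth_timestamp} itself is read
 *     in) when the timestamp is unparseable, NaN/infinite, outside the
 *     representable DateTime range, or outside the window
 */
protected void validateTimestampAndNonce(OAuthMessage message)
{
    message.requireParameters(new[] { OAuth.OAUTH_TIMESTAMP, OAuth.OAUTH_NONCE });

    DateTime now = DateTime.UtcNow;
    DateTime min = now.AddSeconds(-timestampWindow);
    DateTime max = now.AddSeconds(timestampWindow);

    // oauth_timestamp is untrusted: parse with the invariant culture and treat
    // garbage exactly like an out-of-window value instead of letting a
    // FormatException escape past callers that only catch OAuthException.
    String timestampString = message.getParameter(OAuth.OAUTH_TIMESTAMP);
    double seconds;
    bool parsed = double.TryParse(
        timestampString,
        System.Globalization.NumberStyles.Float,
        System.Globalization.CultureInfo.InvariantCulture,
        out seconds);

    bool inWindow = false;
    // NaN compares false against both bounds and would otherwise be accepted;
    // infinities cannot be converted to a DateTime at all.
    if (parsed && !double.IsNaN(seconds) && !double.IsInfinity(seconds))
    {
        try
        {
            DateTime timestamp = UnixTime.ToDateTime(seconds);
            inWindow = min <= timestamp && timestamp <= max;
        }
        catch (ArgumentOutOfRangeException)
        {
            // Beyond the DateTime range: refuse like any other bad timestamp.
            // NOTE(review): assumes UnixTime.ToDateTime surfaces range errors as
            // ArgumentOutOfRangeException (DateTime.AddSeconds does) — confirm.
        }
    }

    if (!inWindow)
    {
        OAuthProblemException problem = new OAuthProblemException("timestamp_refused");
        // Report the window in the same unit the client sent (Unix seconds),
        // not DateTime.ToString(), which is culture-dependent and not
        // parseable by the client.
        problem.setParameter("oauth_acceptable_timestamps",
            toUnixSeconds(min) + "-" + toUnixSeconds(max));
        throw problem;
    }
}

/** Converts a UTC DateTime to whole seconds since 1970-01-01T00:00:00Z. */
private static long toUnixSeconds(DateTime utc)
{
    DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    return (long)(utc - epoch).TotalSeconds;
}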
/**
 * Validates the passed request by reconstructing the original URL and
 * parameters and verifying its signature with the passed secret, following
 * the OAuth HMAC-SHA1 specification.
 *
 * Only the secret is used for verification: the consumer passed to the
 * accessor has no key, so this method never checks that the request's
 * {@code oauth_consumer_key} is the one {@code consumerSecret} belongs to.
 * Callers must look the secret up by a consumer key they trust before
 * calling this.
 *
 * @param request servlet request containing the information needed to
 *     reconstruct the signature (URL components and parameters)
 * @param consumerSecret secret key shared between application owner and
 *     container; used by containers when issuing signed makeRequests and by
 *     client applications to verify the source of these requests and the
 *     authenticity of their parameters
 * @return {@code true} if the signature recomputed here matches the one in
 *     the request and the validator's version/timestamp checks pass,
 *     {@code false} on any {@link OAuthException}
 * @throws IOException from getRequestUrl / getRequestParameters; not caught here
 * @throws URISyntaxException likewise — only OAuthException is mapped to false
 */
public static bool verifyHmacSignature(HttpWebRequest request, String consumerSecret)
{
    OAuthMessage message = new OAuthMessage(
        request.Method,
        getRequestUrl(request),
        getRequestParameters(request));

    // Consumer key and service provider are not needed to recompute the HMAC.
    OAuthConsumer consumer = new OAuthConsumer(null, null, consumerSecret, null);
    OAuthAccessor accessor = new OAuthAccessor(consumer);

    bool verified;
    try
    {
        message.validateMessage(accessor, new SimpleOAuthValidator());
        verified = true;
    }
    catch (OAuthException)
    {
        verified = false;
    }
    return verified;
}
/** {@inheritDoc}
 * Runs the checks in a fixed order — version, then timestamp/nonce, then
 * signature — so the cheap syntactic checks reject a message before any
 * signature work is done. The message is accepted only when all three steps
 * return normally.
 *
 * @param message the incoming message to validate
 * @param accessor the accessor holding the consumer (and token) secrets the
 *     signature is checked against
 * @throws OAuthProblemException from any step (e.g. {@code version_rejected},
 *     {@code timestamp_refused}, or the signature check's own problem)
 * @throws IOException / UriFormatException may also surface from the signature
 *     step — callers such as hasValidSignature catch these alongside
 *     OAuthException
 */
public void validateMessage(OAuthMessage message, OAuthAccessor accessor)
{
    validateVersion(message);
    validateTimestampAndNonce(message);
    validateSignature(message, accessor);
}
/**
 * Builds an exception from a service-provider reply, classifying its
 * {@code oauth_problem} into the recovery flags the fetcher consults.
 *
 * @param reply the provider's reply; must carry an {@code oauth_problem}
 *     parameter
 * @throws ArgumentException when the reply reports no problem at all
 */
public OAuthProtocolException(OAuthMessage reply)
{
    String problem = reply.getParameter(OAuthProblemException.OAUTH_PROBLEM);
    if (problem == null)
    {
        throw new ArgumentException(
            "No problem reported for OAuthProtocolException");
    }
    problemCode = problem;

    // Default classification for an unrecognised problem: discard the stored
    // tokens and let the request be retried once.
    startFromScratch = true;
    canRetry = true;
    canExtend = false;

    if (fatalProblems.Contains(problem))
    {
        // Tokens are useless and nothing can be retried.
        canRetry = false;
    }
    else if (temporaryProblems.Contains(problem))
    {
        // Keep the tokens; the condition is transient but not retried here.
        startFromScratch = false;
        canRetry = false;
    }
    else if (extensionProblems.Contains(problem))
    {
        // Tokens stay valid; the flow may be retried with an extended request.
        startFromScratch = false;
        canExtend = true;
    }
}
/**
 * Signs the URL associated with the passed request object using the passed
 * consumer key and secret in accordance with the OAuth specification and
 * appends the signature and the other required OAuth parameters to the URL as
 * query string parameters.
 *
 * When either credential is null or empty the request is left unsigned and
 * unmodified — there is no error, so callers must not assume the outgoing
 * request carries a signature.
 *
 * @param request OpenSocialHttpRequest holding both the URL to sign and the
 *     POST body, which is folded into the signature for POST requests
 * @param consumerKey application key assigned and used by containers to
 *     uniquely identify applications
 * @param consumerSecret secret shared between application owner and container;
 *     used to generate the signature attached to the request so containers can
 *     verify the authenticity of requests made by the client application
 * @throws OAuthException
 * @throws IOException
 * @throws URISyntaxException
 */
public static void signRequest(OpenSocialHttpRequest request, String consumerKey, String consumerSecret)
{
    String postBody = request.getPostBody();
    String requestMethod = request.getMethod();
    OpenSocialUrl requestUrl = request.getUrl();

    // Without both halves of the credential nothing is signed.
    if (String.IsNullOrEmpty(consumerKey) || String.IsNullOrEmpty(consumerSecret))
    {
        return;
    }

    OAuthMessage message = new OAuthMessage(requestMethod, requestUrl.ToString(), null);
    if (!String.IsNullOrEmpty(postBody))
    {
        // The raw body enters the signature base as a parameter whose name is
        // the body itself and whose value is empty; it is filtered back out of
        // the query string below.
        message.addParameter(postBody, "");
    }

    OAuthConsumer consumer = new OAuthConsumer(null, consumerKey, consumerSecret, null);
    consumer.setProperty(OAuth.OAUTH_SIGNATURE_METHOD, OAuth.HMAC_SHA1);
    OAuthAccessor accessor = new OAuthAccessor(consumer);
    accessor.accessToken = "";
    message.addRequiredParameters(accessor);

    foreach (var param in message.getParameters())
    {
        // Everything except the body pseudo-parameter goes on the query string.
        if (param.Key.Equals(postBody))
        {
            continue;
        }
        requestUrl.addQueryStringParameter(
            OAuth.percentEncode(new List<string> { param.Key }),
            OAuth.percentEncode(new List<string> { param.Value }));
    }
}
/**
 * Static convenience wrapper around {@code OAuthMessage.getParameter}.
 *
 * @param message the message to read from
 * @param name the parameter name
 * @return whatever {@code message.getParameter(name)} returns; any exception
 *     it throws propagates unchanged
 */
public static String getParameter(OAuthMessage message, String name)
{
    String value = message.getParameter(name);
    return value;
}
/**
 * Verifies the message signature with the signer selected by its
 * {@code oauth_signature_method}.
 *
 * @param message the signed message; must carry {@code oauth_consumer_key},
 *     {@code oauth_signature_method} and {@code oauth_signature}
 * @param accessor supplies the secrets the signature is checked against
 * @throws OAuthException from {@code requireParameters} when a required
 *     parameter is missing, or from the signer when the signature is invalid
 */
protected void validateSignature(OAuthMessage message, OAuthAccessor accessor)
{
    // A signer cannot even be chosen without these three, so check them first.
    String[] required =
    {
        OAuth.OAUTH_CONSUMER_KEY,
        OAuth.OAUTH_SIGNATURE_METHOD,
        OAuth.OAUTH_SIGNATURE
    };
    message.requireParameters(required);

    var signer = OAuthSignatureMethod.newSigner(message, accessor);
    signer.validate(message);
}
/**
 * Extracts only those parameters from an OAuthMessage that are OAuth-related.
 * An OAuthMessage may hold many non-OAuth parameters because they were all
 * needed for signing; when constructing a request we need just the
 * OAuth-related ones, because they, and only they, may have to go into an
 * Authorization: header or similar.
 *
 * The filter is {@code isContainerInjectedParameter}, whose name suggests it
 * may admit more than the {@code oauth_*} family — check that helper for the
 * exact set.
 *
 * @param message the OAuthMessage, holding non-OAuth parameters such as
 *     foo=bar (from the original query string or POST body) as well as
 *     OAuth-related ones such as oauth_timestamp or oauth_signature
 * @return a list containing only the parameters the filter accepts, in
 *     message order
 * @throws IOException
 */
private static List<OAuth.Parameter> selectOAuthParams(OAuthMessage message)
{
    var selected = new List<OAuth.Parameter>();
    foreach (var candidate in OAuthUtil.getParameters(message))
    {
        if (!isContainerInjectedParameter(candidate.Key))
        {
            continue;
        }
        selected.Add(candidate);
    }
    return selected;
}
/**
 * Parses the OAuth parameters carried in the response's WWW-Authenticate
 * header(s) and adds them to an existing message, or to a new empty message
 * when none is given.
 *
 * @param msg the message to extend, or {@code null} to create a fresh one
 * @param resp the response whose WWW-Authenticate headers are decoded
 * @return the updated (or newly created) message
 */
private static OAuthMessage parseAuthHeader(OAuthMessage msg, sResponse resp)
{
    OAuthMessage target = msg ?? new OAuthMessage(null, null, null);
    // Each header value is decoded independently; all parameters are merged.
    // NOTE(review): assumes getHeaders returns an empty sequence rather than
    // null when the header is absent — confirm in sResponse.
    foreach (String authHeader in resp.getHeaders("WWW-Authenticate"))
    {
        target.addParameters(OAuthMessage.decodeAuthorization(authHeader));
    }
    return target;
}
/**
 * Static convenience wrapper around {@code OAuthMessage.getParameters}.
 *
 * @param message the message whose parameters are returned
 * @return the list {@code message.getParameters()} returns, unmodified
 */
public static List<OAuth.Parameter> getParameters(OAuthMessage message)
{
    List<OAuth.Parameter> all = message.getParameters();
    return all;
}
/**
 * Checks the message's signature using the signer matching its
 * {@code oauth_signature_method}.
 *
 * @param message the signed message; {@code oauth_consumer_key},
 *     {@code oauth_signature_method} and {@code oauth_signature} are required
 * @param accessor supplies the secrets used to recompute the signature
 * @throws OAuthException when a required parameter is missing or the
 *     signature does not verify
 */
protected void validateSignature(OAuthMessage message, OAuthAccessor accessor)
{
    // Fail fast on missing parameters before a signer is constructed.
    String[] needed = new String[]
    {
        OAuth.OAUTH_CONSUMER_KEY,
        OAuth.OAUTH_SIGNATURE_METHOD,
        OAuth.OAUTH_SIGNATURE
    };
    message.requireParameters(needed);
    OAuthSignatureMethod.newSigner(message, accessor).validate(message);
}
/**
 * Static convenience wrapper around {@code OAuthMessage.requireParameters}.
 *
 * @param message the message to check
 * @param names the parameter names that must all be present
 * @throws OAuthException whatever the message itself raises for a missing
 *     parameter; nothing is caught here
 */
public static void requireParameters(OAuthMessage message, string[] names)
{
    // Pure delegation; kept so callers can use the utility-class form.
    message.requireParameters(names);
}
/**
 * Sends an OAuth request-token or access-token message and parses the
 * provider's reply.
 *
 * Token parameters may arrive form-encoded in the body and/or in a
 * WWW-Authenticate header; both sources are merged into one message. The
 * reply is accepted only if it carries both {@code oauth_token} and
 * {@code oauth_token_secret}.
 *
 * @param request the token request to send
 * @return the merged reply message
 * @throws GadgetException
 * @throws IOException
 * @throws OAuthProtocolException
 */
private OAuthMessage sendOAuthMessage(sRequest request)
{
    sResponse response = fetchFromServer(request);
    checkForProtocolProblem(response);

    OAuthMessage tokenReply = new OAuthMessage(null, null, null);
    tokenReply.addParameters(OAuth.decodeForm(response.responseString));
    tokenReply = parseAuthHeader(tokenReply, response);

    bool hasToken = OAuthUtil.getParameter(tokenReply, OAuth.OAUTH_TOKEN) != null;
    if (!hasToken)
    {
        throw responseParams.oauthRequestException(OAuthError.UNKNOWN_PROBLEM,
            "No oauthToken returned from service provider");
    }
    bool hasTokenSecret = OAuthUtil.getParameter(tokenReply, OAuth.OAUTH_TOKEN_SECRET) != null;
    if (!hasTokenSecret)
    {
        throw responseParams.oauthRequestException(OAuthError.UNKNOWN_PROBLEM,
            "No oauthToken_secret returned from service provider");
    }
    return tokenReply;
}
/**
 * Decides whether the third party behind {@code appUrl} may act on
 * {@code userId}'s data: the message must be validly signed for the app and
 * the user must have the app installed.
 *
 * @param message the signed OAuth message from the third party
 * @param appUrl the application URL, resolved to an app id via getAppId
 * @param userId the user whose data is being requested
 * @return {@code true} only when both the signature check and the installation
 *     check pass. The signature is checked first, so an unsigned or badly
 *     signed caller never triggers (or learns anything from) the installation
 *     lookup.
 */
public bool thirdPartyHasAccessToUser(OAuthMessage message, String appUrl, String userId)
{
    String appId = getAppId(appUrl);
    if (!hasValidSignature(message, appUrl, appId))
    {
        return false;
    }
    return userHasAppInstalled(userId, appId);
}