Author: beaton
Date: Tue Apr 20 05:32:51 2010
New Revision: 935807
URL: http://svn.apache.org/viewvc?rev=935807&view=rev
Log:
Submit jcai's patch for
https://issues.apache.org/jira/browse/SHINDIG-1317.
Modified:
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthRequest.java
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/testing/FakeOAuthServiceProvider.java
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/OAuthRequestTest.java
Modified:
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthRequest.java
URL:
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthRequest.java?rev=935807&r1=935806&r2=935807&view=diff
==============================================================================
---
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthRequest.java
(original)
+++
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthRequest.java
Tue Apr 20 05:32:51 2010
@@ -48,6 +48,7 @@ import org.json.JSONObject;
import java.io.IOException;
import java.util.ArrayList;
+import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
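Review bot: The added `import java.util.Iterator;` is not used by any new line in this commit as far as the hunks show; unless a later part of the file outside the visible hunks references it, it should be dropped so the import list does not accumulate dead entries. The change is otherwise a plain import addition.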
@@ -399,6 +400,37 @@ public class OAuthRequest {
canonParamName.startsWith("opensocial")) &&
ALLOWED_PARAM_NAME.matcher(canonParamName).matches());
}
+
+ /**
+ * This gives a chance to override parameters by passing trusted parameters.
+ *
+ */
+ private void overrideParameters(List<Parameter> authParams)
+ throws OAuthRequestException {
+ if (trustedParams == null) {
+ return;
+ }
+
+ Map<String, String> paramMap = Maps.newLinkedHashMap();
+ for (Parameter param : authParams) {
+ paramMap.put(param.getKey(), param.getValue());
+ }
+ for (Parameter param : trustedParams) {
+ if (!isContainerInjectedParameter(param.getKey())) {
+ throw responseParams.oauthRequestException(
+ OAuthError.INVALID_REQUEST,
+ "invalid trusted parameter name "
+ + param.getKey()
+ + ", trusted parameter must start with 'oauth' 'xoauth'or
'opensocial' ");
+ }
+ paramMap.put(param.getKey(), param.getValue());
+ }
+
+ authParams.clear();
+ for (String key : paramMap.keySet()) {
+ authParams.add(new Parameter(key, paramMap.get(key)));
+ }
+ }
/**
* Add identity information, such as owner/viewer/gadget.
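Review bot: overrideParameters lets a trusted parameter replace any entry already present in authParams, and because the caller (see the last hunk in this file) invokes it after addSignatureParams, a container-supplied parameter carrying the `oauth_` prefix — presumably the same namespace as the consumer key, token, nonce and signature-method values that addSignatureParams adds — would silently replace the signer's own values; if only the opensocial_* and xoauth_* identity parameters are meant to be overridable, the loop should refuse to overwrite an existing `oauth_`-prefixed key, and in any case the Javadoc should state the precedence and document `@param authParams` and `@throws OAuthRequestException` for the invalid-name case. The rebuild loop looks each key up twice; `for (Entry<String, String> e : paramMap.entrySet()) { authParams.add(new Parameter(e.getKey(), e.getValue())); }` uses the already-imported Entry and avoids it. The error message is missing a space in `'xoauth'or`. The Javadoc started on the hunk's last line belongs to addIdentityParams, which continues outside the hunk.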
@@ -431,10 +463,6 @@ public class OAuthRequest {
if (appUrl != null) {
params.add(new Parameter(OPENSOCIAL_APPURL, appUrl));
}
-
- if (trustedParams != null) {
- params.addAll(trustedParams);
- }
if (realRequest.getOAuthArguments().isProxiedContentRequest()) {
params.add(new Parameter(OPENSOCIAL_PROXIED_CONTENT, "1"));
@@ -521,9 +549,17 @@ public class OAuthRequest {
break;
}
- addIdentityParams(params);
+ // authParams are parameters prefixed with 'xoauth' 'oauth' or
'opensocial',
+ // trusted parameters have ability to override these parameters.
+ List<Parameter> authParams = Lists.newArrayList();
+
+ addIdentityParams(authParams);
- addSignatureParams(params);
+ addSignatureParams(authParams);
+
+ overrideParameters(authParams);
+
+ params.addAll(authParams);
try {
OAuthMessage signed =
OAuthUtil.newRequestMessage(accessorInfo.getAccessor(),
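Review bot: `params.addAll(authParams)` appends the (possibly overridden) identity and signature parameters to a list that was populated before this hunk, so if `params` can already contain a key that authParams also carries, the override only applies within authParams and the final message would hold two entries for that key; a short comment stating that `params` is assumed to contain no oauth/xoauth/opensocial keys at this point (or a check to that effect) would make the precedence explicit. The comment above `authParams` would also read better as `// authParams hold the 'oauth', 'xoauth' and 'opensocial' prefixed parameters; trusted parameters may override them.` The enclosing method starts and ends outside the hunk.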
Modified:
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/testing/FakeOAuthServiceProvider.java
URL:
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/testing/FakeOAuthServiceProvider.java?rev=935807&r1=935806&r2=935807&view=diff
==============================================================================
---
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/testing/FakeOAuthServiceProvider.java
(original)
+++
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/testing/FakeOAuthServiceProvider.java
Tue Apr 20 05:32:51 2010
@@ -431,7 +431,11 @@ public class FakeOAuthServiceProvider im
if (!"quux".equals(OAuthUtil.getParameter(info.message,
"xoauth_magic"))) {
throw new RuntimeException("no xoauth_magic=quux parameter");
}
- trustedParamCount += 3;
+ if (!"overridden_opensocial_owner_id".equals(
+ OAuthUtil.getParameter(info.message, "opensocial_owner_id"))) {
+ throw new RuntimeException("opensocial_owner_id should be overridden");
+ }
+ trustedParamCount += 4;
}
return info;
Modified:
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/OAuthRequestTest.java
URL:
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/OAuthRequestTest.java?rev=935807&r1=935806&r2=935807&view=diff
==============================================================================
---
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/OAuthRequestTest.java
(original)
+++
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/OAuthRequestTest.java
Tue Apr 20 05:32:51 2010
@@ -1926,6 +1926,8 @@ public class OAuthRequestTest {
client.setTrustedParam("oauth_magic", "foo");
client.setTrustedParam("opensocial_magic", "bar");
client.setTrustedParam("xoauth_magic", "quux");
+
+ client.setTrustedParam("opensocial_owner_id",
"overridden_opensocial_owner_id");
HttpResponse response =
client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL);
assertEquals("", response.getResponseAsString());
@@ -1933,8 +1935,77 @@ public class OAuthRequestTest {
response = client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL);
assertEquals("User data is hello-oauth", response.getResponseAsString());
- assertEquals(9, serviceProvider.getTrustedParamCount());
+ assertEquals(12, serviceProvider.getTrustedParamCount());
}
+
+ /**
+ * Test different behaviors of trusted parameters.
+ * 1) pass two parameters with same name, the latter will win.
+ * 2) parameter name starting with 'oauth' 'oauth' or 'opensocial'.
+ * 3) trusted parameter can override existing parameter.
+ */
+ @Test
+ public void testTrustedParamsMisc() throws Exception {
+ serviceProvider.setCheckTrustedParams(true);
+ MakeRequestClient client = makeNonSocialClient("owner", "owner",
GADGET_URL);
+ client.setTrustedParam("oauth_magic", "foo");
+ client.setTrustedParam("opensocial_magic", "bar");
+
+ client.setTrustedParam("xoauth_magic", "quux_overridden");
+ client.setTrustedParam("xoauth_magic", "quux");
+
+ client.setTrustedParam("opensocial_owner_id",
"overridden_opensocial_owner_id");
+
+ HttpResponse response =
client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL);
+ assertEquals("", response.getResponseAsString());
+ client.approveToken("user_data=hello-oauth");
+
+ response = client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL);
+ assertEquals("User data is hello-oauth", response.getResponseAsString());
+ assertEquals(12, serviceProvider.getTrustedParamCount());
+ }
+
+ /**
+ * Test trusted parameters will always be sent when signOwner and signViewer
+ * are false.
+ */
+ @Test
+ public void testAlwaysAppendTrustedParams() throws Exception {
+ serviceProvider.setCheckTrustedParams(true);
+ MakeRequestClient client = makeStrictNonSocialClient("owner", "owner",
GADGET_URL);
+ client.setTrustedParam("oauth_magic", "foo");
+ client.setTrustedParam("opensocial_magic", "bar");
+ client.setTrustedParam("xoauth_magic", "quux");
+
+ client.setTrustedParam("opensocial_owner_id",
"overridden_opensocial_owner_id");
+
+ HttpResponse response =
client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL);
+ assertEquals("", response.getResponseAsString());
+ client.approveToken("user_data=hello-oauth");
+
+ response = client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL);
+ assertEquals("User data is hello-oauth", response.getResponseAsString());
+ assertEquals(12, serviceProvider.getTrustedParamCount());
+ }
+
+ /**
+ * Test invalid trusted parameters which are not prefixed with 'oauth'
'xoauth' or 'opensocial'.
+ */
+ @Test
+ public void testTrustedParamsInvalidParameter() throws Exception {
+ serviceProvider.setCheckTrustedParams(true);
+ MakeRequestClient client = makeNonSocialClient("owner", "owner",
GADGET_URL);
+ client.setTrustedParam("oauth_magic", "foo");
+ client.setTrustedParam("opensocial_magic", "bar");
+ client.setTrustedParam("xoauth_magic", "quux");
+ client.setTrustedParam("opensocial_owner_id",
"overridden_opensocial_owner_id");
+ client.setTrustedParam("invalid_trusted_parameter", "invalid");
+
+ HttpResponse response =
client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL);
+ assertEquals(HttpResponse.SC_FORBIDDEN, response.getHttpStatusCode());
+ }
+
+
// Checks whether the given parameter list contains the specified
// key/value pair
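Review bot: The Javadoc on testTrustedParamsMisc lists the accepted prefixes as `'oauth' 'oauth' or 'opensocial'`; the second should be `'xoauth'` to match the validation in OAuthRequest. testTrustedParamsInvalidParameter only asserts `HttpResponse.SC_FORBIDDEN`, so a 403 produced for an unrelated reason would still pass; if the client exposes the error payload, also assert that the response identifies `invalid_trusted_parameter` (or the INVALID_REQUEST error) so the test pins the trusted-name check specifically. testTrustedParamsMisc and testAlwaysAppendTrustedParams differ only in the client factory and one duplicated setTrustedParam call; a private helper taking the client would remove the copy-pasted approve/send/assert sequence.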