implemented computation of body hash as per OAuth Request Body Hash 1.0 Draft 4

Author: Michael Reinsch

History.txt

@@ -1,4 +1,6 @@
 == 0.3.7
+* Added computation of oauth_body_hash as per OAuth Request Body Hash 1.0
+  Draft 4 (Michael Reinsch)
 * Better marshalling implementation (Yoan Blanc)
 * Added optional block to OAuth::Consumer.get_*_token (Neill Pearman)
 * Exclude `oauth_callback` with :exclude_callback (Neill Pearman)

lib/oauth/client/helper.rb

@@ -29,6 +29,7 @@ def timestamp
 
     def oauth_parameters
       {
+        'oauth_body_hash'        => options[:body_hash],
         'oauth_callback'         => options[:oauth_callback],
         'oauth_consumer_key'     => options[:consumer].key,
         'oauth_token'            => options[:token] ? options[:token].token : '',
@@ -55,6 +56,10 @@ def signature_base_string(extra_options = {})
                                                          :parameters => oauth_parameters}.merge(extra_options) )
     end
 
+    def hash_body
+      @options[:body_hash] = OAuth::Signature.body_hash(@request, :parameters => oauth_parameters)
+    end
+
     def amend_user_agent_header(headers)
       @oauth_ua_string ||= "OAuth gem v#{OAuth::VERSION}"
       # Net::HTTP in 1.9 appends Ruby

lib/oauth/client/net_http.rb

@@ -20,19 +20,14 @@ class Net::HTTPRequest
   #
   # This method also modifies the <tt>User-Agent</tt> header to add the OAuth gem version.
   #
-  # See Also: {OAuth core spec version 1.0, section 5.4.1}[http://oauth.net/core/1.0#rfc.section.5.4.1]
+  # See Also: {OAuth core spec version 1.0, section 5.4.1}[http://oauth.net/core/1.0#rfc.section.5.4.1],
+  #           {OAuth Request Body Hash 1.0 Draft 4}[http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/4/spec.html]
   def oauth!(http, consumer = nil, token = nil, options = {})
-    options = { :request_uri      => oauth_full_request_uri(http),
-                :consumer         => consumer,
-                :token            => token,
-                :scheme           => 'header',
-                :signature_method => nil,
-                :nonce            => nil,
-                :timestamp        => nil }.merge(options)
-
-    @oauth_helper = OAuth::Client::Helper.new(self, options)
+    helper_options = oauth_helper_options(http, consumer, token, options)
+    @oauth_helper = OAuth::Client::Helper.new(self, helper_options)
     @oauth_helper.amend_user_agent_header(self)
-    self.send("set_oauth_#{options[:scheme]}")
+    @oauth_helper.hash_body if oauth_body_hash_required?
+    self.send("set_oauth_#{helper_options[:scheme]}")
   end
 
   # Create a string suitable for signing for an HTTP request. This process involves parameter
@@ -47,21 +42,27 @@ def oauth!(http, consumer = nil, token = nil, options = {})
   # * options - Request-specific options (e.g. +request_uri+, +consumer+, +token+, +scheme+,
   #   +signature_method+, +nonce+, +timestamp+)
   # 
-  # See Also: {OAuth core spec version 1.0, section 9.1.1}[http://oauth.net/core/1.0#rfc.section.9.1.1]
+  # See Also: {OAuth core spec version 1.0, section 9.1.1}[http://oauth.net/core/1.0#rfc.section.9.1.1],
+  #           {OAuth Request Body Hash 1.0 Draft 4}[http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/4/spec.html]
   def signature_base_string(http, consumer = nil, token = nil, options = {})
-    options = { :request_uri      => oauth_full_request_uri(http),
-                :consumer         => consumer,
-                :token            => token,
-                :scheme           => 'header',
-                :signature_method => nil,
-                :nonce            => nil,
-                :timestamp        => nil }.merge(options)
-
-    OAuth::Client::Helper.new(self, options).signature_base_string
+    helper_options = oauth_helper_options(http, consumer, token, options)
+    oauth_helper = OAuth::Client::Helper.new(self, helper_options)
+    oauth_helper.hash_body if oauth_body_hash_required?
+    oauth_helper.signature_base_string
   end
 
 private
 
+  def oauth_helper_options(http, consumer, token, options)
+    { :request_uri      => oauth_full_request_uri(http),
+      :consumer         => consumer,
+      :token            => token,
+      :scheme           => 'header',
+      :signature_method => nil,
+      :nonce            => nil,
+      :timestamp        => nil }.merge(options)
+  end
+
   def oauth_full_request_uri(http)
     uri = URI.parse(self.path)
     uri.host = http.address
@@ -76,6 +77,10 @@ def oauth_full_request_uri(http)
     uri.to_s
   end
 
+  def oauth_body_hash_required?
+    request_body_permitted? && content_type != "application/x-www-form-urlencoded"
+  end
+
   def set_oauth_header
     self['Authorization'] = @oauth_helper.header
   end

lib/oauth/oauth.rb

@@ -4,7 +4,9 @@ module OAuth
   OUT_OF_BAND = "oob"
 
   # required parameters, per sections 6.1.1, 6.3.1, and 7
-  PARAMETERS = %w(oauth_callback oauth_consumer_key oauth_token oauth_signature_method oauth_timestamp oauth_nonce oauth_verifier oauth_version oauth_signature)
+  PARAMETERS = %w(oauth_callback oauth_consumer_key oauth_token 
+    oauth_signature_method oauth_timestamp oauth_nonce oauth_verifier
+    oauth_version oauth_signature oauth_body_hash)
 
   # reserved character regexp, per section 5.1
   RESERVED_CHARACTERS = /[^a-zA-Z0-9\-\.\_\~]/

lib/oauth/request_proxy/net_http.rb

@@ -24,6 +24,10 @@ def parameters
         end
       end
 
+      def body
+        request.body
+      end
+
     private
 
       def all_parameters

lib/oauth/signature.rb

@@ -35,6 +35,11 @@ def self.signature_base_string(request, options = {}, &block)
       self.build(request, options, &block).signature_base_string
     end
 
+    # Create the body hash for a request
+    def self.body_hash(request, options = {}, &block)
+      self.build(request, options, &block).body_hash
+    end
+
     class UnknownSignatureMethod < Exception; end
   end
 end

lib/oauth/signature/base.rb

@@ -26,6 +26,11 @@ def self.digest_klass(digest_klass = nil)
       @digest_klass = digest_klass
     end
 
+    def self.hash_class(hash_class = nil)
+      return @hash_class if hash_class.nil?
+      @hash_class = hash_class
+    end
+
     def initialize(request, options = {}, &block)
       raise TypeError unless request.kind_of?(OAuth::RequestProxy::Base)
       @request = request
@@ -72,6 +77,14 @@ def signature_base_string
       request.signature_base_string
     end
 
+    def body_hash
+      if self.class.hash_class
+        Base64.encode64(self.class.hash_class.digest(request.body || '')).chomp.gsub(/\n/,'')
+      else
+        nil # no body hash algorithm defined, so don't generate one
+      end
+    end
+
   private
 
     def token

lib/oauth/signature/hmac/sha1.rb

@@ -4,5 +4,6 @@ module OAuth::Signature::HMAC
   class SHA1 < Base    
     implements 'hmac-sha1'
     digest_klass 'SHA1'
+    hash_class ::Digest::SHA1
   end
 end

lib/oauth/signature/rsa/sha1.rb

@@ -4,6 +4,7 @@
 module OAuth::Signature::RSA
   class SHA1 < OAuth::Signature::Base
     implements 'rsa-sha1'
+    hash_class ::Digest::SHA1
 
     def ==(cmp_signature)
       public_key.verify(OpenSSL::Digest::SHA1.new, Base64.decode64(cmp_signature.is_a?(Array) ? cmp_signature.first : cmp_signature), signature_base_string)

test/test_net_http_client.rb

@@ -62,6 +62,32 @@ def test_that_using_auth_headers_on_post_requests_works
     assert_matching_headers correct_sorted_params, request['authorization']
   end
 
+  def test_that_using_auth_headers_on_post_requests_with_data_works
+    request = Net::HTTP::Post.new(@request_uri.path)
+    request.body = "data"
+    request.content_type = 'text/ascii'
+    request.oauth!(@http, @consumer, @token, {:nonce => @nonce, :timestamp => @timestamp})
+
+    assert_equal 'POST', request.method
+    assert_equal '/test', request.path
+    assert_equal 'data', request.body
+    assert_equal 'text/ascii', request.content_type
+    assert_matching_headers "oauth_nonce=\"225579211881198842005988698334675835446\", oauth_body_hash=\"oXyaqmHoChv3HQ2FCvTluqmAC70%3D\", oauth_signature_method=\"HMAC-SHA1\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"0DA6pGTapdHSqC15RZelY5rNLDw%3D\", oauth_version=\"1.0\"", request['authorization']
+  end
+
+  def test_that_body_hash_is_obmitted_when_no_algorithm_is_defined
+    request = Net::HTTP::Post.new(@request_uri.path)
+    request.body = "data"
+    request.content_type = 'text/ascii'
+    request.oauth!(@http, @consumer, @token, {:nonce => @nonce, :timestamp => @timestamp, :signature_method => 'plaintext'})
+
+    assert_equal 'POST', request.method
+    assert_equal '/test', request.path
+    assert_equal 'data', request.body
+    assert_equal 'text/ascii', request.content_type
+    assert_matching_headers "oauth_nonce=\"225579211881198842005988698334675835446\", oauth_signature_method=\"plaintext\", oauth_token=\"token_411a7f\", oauth_timestamp=\"1199645624\", oauth_consumer_key=\"consumer_key_86cad9\", oauth_signature=\"5888bf0345e5d237%263196ffd991c8ebdb\", oauth_version=\"1.0\"", request['authorization']
+  end
+
   def test_that_version_is_added_to_existing_user_agent
     request = Net::HTTP::Post.new(@request_uri.path)
     request['User-Agent'] = "MyApp"
@@ -127,14 +153,15 @@ def test_that_using_post_params_works_with_plaintext
 
   def test_that_using_post_with_uri_params_works
     request = Net::HTTP::Post.new(@request_uri.path + "?" + request_parameters_to_s)
+    request.set_form_data( {} ) # just to make sure we have a correct mime type and thus no body hash
     request.oauth!(@http, @consumer, @token, {:scheme => 'query_string', :nonce => @nonce, :timestamp => @timestamp})
 
     assert_equal 'POST', request.method
     uri = URI.parse(request.path)
     assert_equal '/test', uri.path
     assert_equal nil, uri.fragment
     assert_equal "key=value&oauth_consumer_key=consumer_key_86cad9&oauth_nonce=225579211881198842005988698334675835446&oauth_signature=26g7wHTtNO6ZWJaLltcueppHYiI%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1199645624&oauth_token=token_411a7f&oauth_version=1.0", uri.query.split("&").sort.join('&')
-    assert_equal nil, request.body
+    assert_equal "", request.body
     assert_equal nil, request['authorization']
   end
 
@@ -152,6 +179,22 @@ def test_that_using_post_with_uri_and_form_params_works
     assert_equal nil, request['authorization']
   end
 
+  def test_that_using_post_with_uri_and_data_works
+    request = Net::HTTP::Post.new(@request_uri.path + "?" + request_parameters_to_s)
+    request.body = "data"
+    request.content_type = 'text/ascii'
+    request.oauth!(@http, @consumer, @token, {:scheme => :query_string, :nonce => @nonce, :timestamp => @timestamp})
+
+    assert_equal 'POST', request.method
+    uri = URI.parse(request.path)
+    assert_equal '/test', uri.path
+    assert_equal nil, uri.fragment
+    assert_equal "data", request.body
+    assert_equal 'text/ascii', request.content_type
+    assert_equal "key=value&oauth_body_hash=oXyaqmHoChv3HQ2FCvTluqmAC70%3D&oauth_consumer_key=consumer_key_86cad9&oauth_nonce=225579211881198842005988698334675835446&oauth_signature=MHRKU42iVHU4Ke9kBUDa9Zw6IAM%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1199645624&oauth_token=token_411a7f&oauth_version=1.0", uri.query.split("&").sort.join('&')
+    assert_equal nil, request['authorization']
+  end
+
 
   def test_example_from_specs
     consumer=OAuth::Consumer.new("dpf43f3p2l4k3l03","kd94hf93k423kf44")
@@ -200,12 +243,12 @@ def test_step_by_step_token_request
     assert_equal "oauth_token=requestkey&oauth_token_secret=requestsecret",response.body
   end
 
-  def test_that_put_bodies_not_signed
+  def test_that_put_bodies_signed
     request = Net::HTTP::Put.new(@request_uri.path)
     request.body = "<?xml version=\"1.0\"?><foo><bar>baz</bar></foo>"
     request["Content-Type"] = "application/xml"
     signature_base_string=request.signature_base_string(@http, @consumer, nil, { :nonce => @nonce, :timestamp => @timestamp })
-    assert_equal "PUT&http%3A%2F%2Fexample.com%2Ftest&oauth_consumer_key%3Dconsumer_key_86cad9%26oauth_nonce%3D225579211881198842005988698334675835446%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1199645624%26oauth_version%3D1.0", signature_base_string
+    assert_equal "PUT&http%3A%2F%2Fexample.com%2Ftest&oauth_body_hash%3DDvAa1AWdFoH9K%252B%252F2AHm3f6wH27k%253D%26oauth_consumer_key%3Dconsumer_key_86cad9%26oauth_nonce%3D225579211881198842005988698334675835446%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1199645624%26oauth_version%3D1.0", signature_base_string
   end
 
   def test_that_put_bodies_not_signed_even_if_form_urlencoded
@@ -222,12 +265,12 @@ def test_that_post_bodies_signed_if_form_urlencoded
     assert_equal "POST&http%3A%2F%2Fexample.com%2Ftest&key2%3Dvalue2%26oauth_consumer_key%3Dconsumer_key_86cad9%26oauth_nonce%3D225579211881198842005988698334675835446%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1199645624%26oauth_version%3D1.0", signature_base_string
   end
 
-  def test_that_post_bodies_not_signed_if_other_content_type
+  def test_that_post_bodies_signed_if_other_content_type
     request = Net::HTTP::Post.new(@request_uri.path)
     request.body = "<?xml version=\"1.0\"?><foo><bar>baz</bar></foo>"
     request["Content-Type"] = "application/xml"
     signature_base_string=request.signature_base_string(@http, @consumer, nil, { :nonce => @nonce, :timestamp => @timestamp })
-    assert_equal "POST&http%3A%2F%2Fexample.com%2Ftest&oauth_consumer_key%3Dconsumer_key_86cad9%26oauth_nonce%3D225579211881198842005988698334675835446%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1199645624%26oauth_version%3D1.0", signature_base_string
+    assert_equal "POST&http%3A%2F%2Fexample.com%2Ftest&oauth_body_hash%3DDvAa1AWdFoH9K%252B%252F2AHm3f6wH27k%253D%26oauth_consumer_key%3Dconsumer_key_86cad9%26oauth_nonce%3D225579211881198842005988698334675835446%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1199645624%26oauth_version%3D1.0", signature_base_string
   end
 
   protected