public function signRequest($url, $method)
{
try {
// Parse the request into parameters for OAuth signing, stripping out
// any OAuth or OpenSocial parameters injected by the client
$parsedUri = parse_url($url);
$resource = $url;
$queryParams = $this->sanitize($_GET);
$postParams = $this->sanitize($_POST);
// The data that is supposed to be posted to the target page is contained in the postData field
// in the $_POST to the Shindig proxy server
// Here we parse it and put it into the $postDataParams array which then is merged into the postParams
// to be used for the GET/POST request and the building of the signature
$postDataParams = array();
if (isset($_POST['postData']) && count($postDataParts = split('&', urldecode($_POST['postData']))) > 0) {
foreach ($postDataParts as $postDataPart) {
$position = strpos($postDataPart, '=');
$key = substr($postDataPart, 0, $position);
$value = substr($postDataPart, $position + 1);
$postDataParams[$key] = $value;
}
}
$postParams = array_merge($postParams, $this->sanitize($postDataParams));
$msgParams = array();
$msgParams = array_merge($msgParams, $queryParams);
$msgParams = array_merge($msgParams, $postParams);
$this->addOpenSocialParams($msgParams);
$this->addOAuthParams($msgParams);
$consumer = new OAuthConsumer(NULL, NULL, NULL);
$consumer->setProperty(OAuthSignatureMethod_RSA_SHA1::$PRIVATE_KEY, $this->privateKeyObject);
$signatureMethod = new OAuthSignatureMethod_RSA_SHA1();
$req_req = OAuthRequest::from_consumer_and_token($consumer, NULL, $method, $resource, $msgParams);
$req_req->sign_request($signatureMethod, $consumer, NULL);
// Rebuild the query string, including all of the parameters we added.
// We have to be careful not to copy POST parameters into the query.
// If post and query parameters share a name, they end up being removed
// from the query.
$forPost = array();
$postData = false;
if ($method == 'POST') {
foreach ($postParams as $key => $param) {
$forPost[$key] = $param;
if ($postData === false) {
$postData = array();
}
$postData[] = OAuthUtil::urlencodeRFC3986($key) . "=" . OAuthUtil::urlencodeRFC3986($param);
}
if ($postData !== false) {
$postData = implode("&", $postData);
}
}
$newQuery = '';
foreach ($req_req->get_parameters() as $key => $param) {
if (!isset($forPost[$key])) {
$newQuery .= urlencode($key) . '=' . urlencode($param) . '&';
}
}
// and stick on the original query params too
if (isset($parsedUri['query']) && !empty($parsedUri['query'])) {
$oldQuery = array();
parse_str($parsedUri['query'], $oldQuery);
foreach ($oldQuery as $key => $val) {
$newQuery .= urlencode($key) . '=' . urlencode($val) . '&';
}
}
// Careful here; the OAuth form encoding scheme is slightly different than
// the normal form encoding scheme, so we have to use the OAuth library
// formEncode method.
$url = $parsedUri['scheme'] . '://' . $parsedUri['host'] . (isset($parsedUri['port']) ? ':' . $parsedUri['port'] : '') . $parsedUri['path'] . '?' . $newQuery;
// The headers are transmitted in the POST-data array in the field 'headers'
// if no post should be made, the value should be false for this parameter
$postHeaders = isset($_POST['headers']) && $method == 'POST' ? $_POST['headers'] : false;
return new RemoteContentRequest($url, $postHeaders, $postData);
} catch (Exception $e) {
throw new GadgetException($e);
}
}
private function signRequest(RemoteContentRequest $request)
{
$url = $request->getUrl();
$method = $request->getMethod();
try {
// Parse the request into parameters for OAuth signing, stripping out
// any OAuth or OpenSocial parameters injected by the client
$parsedUri = parse_url($url);
$resource = $url;
$queryParams = array();
if (isset($parsedUri['query'])) {
parse_str($parsedUri['query'], $queryParams);
// strip out all opensocial_* and oauth_* params so they can't be spoofed by the client
foreach ($queryParams as $key => $val) {
if (strtolower(substr($key, 0, strlen('opensocial_'))) == 'opensocial_' || strtolower(substr($key, 0, strlen('oauth_'))) == 'oauth_') {
unset($queryParams[$key]);
}
}
$queryParams = $this->sanitize($queryParams);
}
$contentType = $request->getHeader('Content-Type');
$signBody = stripos($contentType, 'application/x-www-form-urlencoded') !== false || $contentType == null;
if ($request->getPostBody()) {
if ($signBody) {
$postParams = array();
// on normal application/x-www-form-urlencoded type post's encode and parse the post vars
parse_str($request->getPostBody(), $postParams);
$postParams = $this->sanitize($postParams);
} else {
// on any other content-type of post (application/{json,xml,xml+atom}) use the body signing hash
// see http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/4/spec.html for details
$queryParams['oauth_body_hash'] = base64_encode(sha1($request->getPostBody(), true));
}
}
$msgParams = array();
$msgParams = array_merge($msgParams, $queryParams);
if ($signBody && isset($postParams)) {
$msgParams = array_merge($msgParams, $postParams);
}
$this->addOpenSocialParams($msgParams, $request->getToken(), $request->getOptions()->ownerSigned, $request->getOptions()->viewerSigned);
$this->addOAuthParams($msgParams, $request->getToken());
$consumer = new OAuthConsumer(NULL, NULL, NULL);
$consumer->setProperty(OAuthSignatureMethod_RSA_SHA1::$PRIVATE_KEY, $this->privateKeyObject);
$signatureMethod = new OAuthSignatureMethod_RSA_SHA1();
$req_req = OAuthRequest::from_consumer_and_token($consumer, NULL, $method, $resource, $msgParams);
$req_req->sign_request($signatureMethod, $consumer, NULL);
// Rebuild the query string, including all of the parameters we added.
// We have to be careful not to copy POST parameters into the query.
// If post and query parameters share a name, they end up being removed
// from the query.
$forPost = array();
$postData = false;
if ($method == 'POST' && $signBody) {
foreach ($postParams as $key => $param) {
$forPost[$key] = $param;
if ($postData === false) {
$postData = array();
}
$postData[] = OAuthUtil::urlencodeRFC3986($key) . "=" . OAuthUtil::urlencodeRFC3986($param);
}
if ($postData !== false) {
$postData = implode("&", $postData);
}
}
$newQuery = '';
foreach ($req_req->get_parameters() as $key => $param) {
if (!isset($forPost[$key])) {
$newQuery .= urlencode($key) . '=' . urlencode($param) . '&';
}
}
// and stick on the original query params too
if (isset($parsedUri['query']) && !empty($parsedUri['query'])) {
$oldQuery = array();
parse_str($parsedUri['query'], $oldQuery);
foreach ($oldQuery as $key => $val) {
$newQuery .= urlencode($key) . '=' . urlencode($val) . '&';
}
}
// Careful here; the OAuth form encoding scheme is slightly different than
// the normal form encoding scheme, so we have to use the OAuth library
// formEncode method.
$url = $parsedUri['scheme'] . '://' . $parsedUri['host'] . (isset($parsedUri['port']) ? ':' . $parsedUri['port'] : '') . (isset($parsedUri['path']) ? $parsedUri['path'] : '') . '?' . $newQuery;
$request->setUri($url);
if ($signBody) {
$request->setPostBody($postData);
}
} catch (Exception $e) {
throw new GadgetException($e);
}
}
