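/**
 * Validate the request signature against one computed locally.
 *
 * The signature method must be one of self::getSupportedSignatureMethods().
 * 'oauth_signature' itself is removed from the parameter set before the
 * signature is recomputed with $this->_httpUtility.
 *
 * @param array $params OAuth protocol parameters, expected to carry
 *     'oauth_signature_method' and 'oauth_signature'
 * @param string $consumerSecret
 * @param string $httpMethod
 * @param string $requestUrl
 * @param string|null $tokenSecret Token secret, null when no token is involved
 * @return void
 * @throws OauthInputException When the signature method is not supported
 * @throws Exception When the supplied signature does not match the computed one
 */
protected function _validateSignature($params, $consumerSecret, $httpMethod, $requestUrl, $tokenSecret = null)
{
    $signatureMethod = isset($params['oauth_signature_method']) ? $params['oauth_signature_method'] : '';
    // Strict membership test: a loosely-equal value must not pass as a supported method
    if (!in_array($signatureMethod, self::getSupportedSignatureMethods(), true)) {
        throw new OauthInputException('Signature method %1 is not supported', [$signatureMethod]);
    }

    $providedSign = isset($params['oauth_signature']) ? (string) $params['oauth_signature'] : '';
    $allowedSignParams = $params;
    unset($allowedSignParams['oauth_signature']);
    $calculatedSign = $this->_httpUtility->sign(
        $allowedSignParams,
        $signatureMethod,
        $consumerSecret,
        $tokenSecret,
        $httpMethod,
        $requestUrl
    );

    // hash_equals() (PHP >= 5.6) is a constant-time, strict string comparison. The loose
    // '!=' it replaces leaked timing and compared numeric-looking strings by value.
    if (!hash_equals((string) $calculatedSign, $providedSign)) {
        throw new Exception('Invalid signature');
    }
}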
/**
 * Two-legged (consumer-only) authentication succeeds for a correctly signed request.
 *
 * Builds a PLAINTEXT-signed Authorization header with Zend_Oauth_Http_Utility, hands it
 * to the request mock, and asserts that the server returns the consumer loaded by key.
 */
public function testAuthenticateTwoLegged()
{
    $consumerKey = 'foo_user';
    $consumerSecret = 'bar_secret';
    $requestUrl = 'http://foo.bar/api/rest/v1/baz';
    $signMethod = Mage_Oauth_Model_Server::SIGNATURE_PLAIN;

    // Assemble the OAuth protocol parameters and sign them the way a client would
    $oauthUtility = new Zend_Oauth_Http_Utility();
    $protocolParams = array(
        'oauth_consumer_key' => $consumerKey,
        'oauth_nonce' => $oauthUtility->generateNonce(),
        'oauth_timestamp' => $oauthUtility->generateTimestamp(),
        'oauth_version' => '1.0',
        'oauth_signature_method' => $signMethod,
    );
    $protocolParams['oauth_signature'] = $oauthUtility->sign(
        $protocolParams,
        $signMethod,
        $consumerSecret,
        '',
        'GET',
        $requestUrl
    );
    $authorizationHeader = $oauthUtility->toAuthorizationHeader($protocolParams);

    // Request mock: the two headers are read in a fixed order, URL parts any number of times
    $request = $this->_requestMock;
    $request->expects($this->at(0))
        ->method('getHeader')
        ->with('Authorization')
        ->will($this->returnValue($authorizationHeader));
    $request->expects($this->at(1))
        ->method('getHeader')
        ->with(Zend_Http_Client::CONTENT_TYPE)
        ->will($this->returnValue('application/json'));
    $request->expects($this->any())
        ->method('getScheme')
        ->with()
        ->will($this->returnValue(Zend_Controller_Request_Http::SCHEME_HTTP));
    $request->expects($this->any())
        ->method('getHttpHost')
        ->with()
        ->will($this->returnValue('foo.bar'));
    $request->expects($this->any())
        ->method('getRequestUri')
        ->with()
        ->will($this->returnValue('/api/rest/v1/baz'));

    // Consumer mock: created by the factory, loaded by key, exposing an id and the secret
    $consumer = $this->getMockBuilder('Mage_Webapi_Model_Acl_User')
        ->setMethods(array('loadByKey', 'getId', 'getSecret'))
        ->disableOriginalConstructor()
        ->getMock();
    $this->_consumerFactoryMock->expects($this->once())
        ->method('create')
        ->will($this->returnValue($consumer));
    $consumer->expects($this->once())
        ->method('loadByKey')
        ->with($consumerKey)
        ->will($this->returnSelf());
    $consumer->expects($this->once())
        ->method('getId')
        ->with()
        ->will($this->returnValue(1));
    $consumer->expects($this->once())
        ->method('getSecret')
        ->with()
        ->will($this->returnValue($consumerSecret));

    $this->assertEquals($consumer, $this->_server->authenticateTwoLegged());
}
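/**
 * Validate the request signature.
 *
 * Recomputes the signature over the request parameters merged with the OAuth
 * protocol parameters, using the consumer secret, the token secret, the request
 * method and the reconstructed request URL, and compares it with the
 * 'oauth_signature' the client supplied.
 *
 * @return void
 * @throws Mage_Oauth_Exception With ERR_SIGNATURE_INVALID when the signatures differ
 */
protected function _validateSignature()
{
    $util = new Zend_Oauth_Http_Utility();
    $requestUrl = $this->_request->getScheme() . '://' . $this->_request->getHttpHost()
        . $this->_request->getRequestUri();
    // NOTE(review): $this->_token is dereferenced unconditionally — confirm it is always
    // set (e.g. in consumer-only flows) before this method runs.
    $calculatedSign = $util->sign(
        array_merge($this->_params, $this->_protocolParams),
        $this->_protocolParams['oauth_signature_method'],
        $this->_consumer->getSecret(),
        $this->_token->getSecret(),
        $this->_request->getMethod(),
        $requestUrl
    );

    $providedSign = isset($this->_protocolParams['oauth_signature'])
        ? (string) $this->_protocolParams['oauth_signature']
        : '';
    // hash_equals() (PHP >= 5.6) is constant-time and strict; the loose '!=' it replaces
    // leaked timing and compared numeric-looking strings by value.
    if (!hash_equals((string) $calculatedSign, $providedSign)) {
        $this->_throwException('', self::ERR_SIGNATURE_INVALID);
    }
}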
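/**
 * Validate an incoming OAuth request: signature method, required parameters,
 * nonce, consumer key, token (only when the request needs one) and finally the
 * signature itself.
 *
 * Side effects: sets $this->url (query stripped), timestamp, nonce and
 * consumer_key; the registered handlers set consumer_secret / token_secret.
 * On signature failure $this->problem receives the locally computed signature.
 *
 * @param Zend_Uri_Http $url Request URL, will use current if null
 * @param array $params Additional parameters
 * @return bool Always true; every failure is reported by exception
 * @throws Zend_Oauth_Exception On any validation failure, carrying the matching error code
 */
public function checkOAuthRequest(Zend_Uri_Http $url = null, $params = array())
{
    $this->url = ($url === null) ? $this->getRequestUrl() : clone $url;
    // We'll ignore the query string for the purposes of URL matching
    $this->url->setQuery('');

    if (isset($_SERVER['REQUEST_METHOD'])) {
        $method = $_SERVER['REQUEST_METHOD'];
    } elseif (isset($_SERVER['HTTP_METHOD'])) {
        $method = $_SERVER['HTTP_METHOD'];
    } else {
        $method = 'GET';
    }

    $params = $this->assembleParams($method, $params);
    $this->checkSignatureMethod($params['oauth_signature_method']);
    $this->checkRequiredParams($params);

    $this->timestamp = $params['oauth_timestamp'];
    $this->nonce = $params['oauth_nonce'];
    $this->consumer_key = $params['oauth_consumer_key'];

    // Handlers run in order: nonce, consumer, then token (if needed)
    if (!is_callable($this->nonceHandler)) {
        throw new Zend_Oauth_Exception("Nonce handler not callable", self::BAD_NONCE);
    }
    $res = call_user_func($this->nonceHandler, $this);
    if ($res != self::OK) {
        throw new Zend_Oauth_Exception("Invalid request", $res);
    }

    if (!is_callable($this->consumerHandler)) {
        throw new Zend_Oauth_Exception("Consumer handler not callable", self::CONSUMER_KEY_UNKNOWN);
    }
    $res = call_user_func($this->consumerHandler, $this); // this will set $this->consumer_secret if OK
    if ($res != self::OK) {
        throw new Zend_Oauth_Exception("Consumer key invalid", $res);
    }

    if ($this->needsToken()) {
        $this->token = $params['oauth_token'];
        $this->verifier = $params['oauth_verifier'];
        if (!is_callable($this->tokenHandler)) {
            throw new Zend_Oauth_Exception("Token handler not callable", self::TOKEN_REJECTED);
        }
        $res = call_user_func($this->tokenHandler, $this); // this will set $this->token_secret if OK
        if ($res != self::OK) {
            throw new Zend_Oauth_Exception("Token invalid", $res);
        }
    }

    $util = new Zend_Oauth_Http_Utility();
    $req_sign = (string) $params['oauth_signature'];
    unset($params['oauth_signature']);
    $our_sign = (string) $util->sign(
        $params,
        $params['oauth_signature_method'],
        $this->consumer_secret,
        $this->token_secret,
        $method,
        $this->url->getUri()
    );
    // hash_equals() (PHP >= 5.6): constant-time and strict, unlike the loose '!=' it replaces
    if (!hash_equals($our_sign, $req_sign)) {
        // TODO: think how to extract signature base string
        // NOTE(review): $this->problem holds the expected signature; keep it server-side —
        // returning it to the client would turn a rejected request into a signature oracle.
        $this->problem = $our_sign;
        throw new Zend_Oauth_Exception("Invalid signature", self::INVALID_SIGNATURE);
    }
    return true;
}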
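/**
 * Send a signed request to the Vimeo API and return the decoded response.
 *
 * The method name gets the 'vimeo.' prefix when it does not already carry it,
 * the query is extended with the response format and the method, and the call
 * is signed with HMAC-SHA1 over the query plus OAuth parameters against
 * self::VIMEO_API_URL (the query string is not part of the signed URL; its
 * parameters enter the signature through array_merge).
 *
 * @param string $method Methodname, with or without the 'vimeo.' prefix
 * @param array $queryParams GET parameters
 * @return array Decoded JSON response
 * @throws Garp_Service_Vimeo_Exception When the response is not decodable JSON or
 *     Vimeo reports 'stat' => 'fail'
 */
public function request($method, array $queryParams)
{
    $queryParams['format'] = self::RESPONSE_FORMAT;
    // The original `!substr(...) != 'vimeo'` negated the substring first and so was
    // always true, prefixing even 'vimeo.x' to 'vimeo.vimeo.x'.
    if (substr($method, 0, 5) !== 'vimeo') {
        $method = 'vimeo.' . $method;
    }
    $queryParams['method'] = $method;
    $queryString = http_build_query($queryParams);
    $url = self::VIMEO_API_URL . '?' . $queryString;

    $oAuthHttpUtility = new Zend_Oauth_Http_Utility();
    $params = array(
        'oauth_consumer_key' => $this->getConsumerKey(),
        'oauth_nonce' => $oAuthHttpUtility->generateNonce(),
        'oauth_timestamp' => $oAuthHttpUtility->generateTimestamp(),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_version' => '1.0',
    );
    if ($this->getAccessToken()) {
        $params['oauth_token'] = $this->getAccessToken();
    }
    $params['oauth_signature'] = $oAuthHttpUtility->sign(
        array_merge($queryParams, $params),
        'HMAC-SHA1',
        $this->getConsumerSecret(),
        $this->getAccessTokenSecret(),
        Zend_Oauth::GET,
        self::VIMEO_API_URL
    );

    $httpClient = $this->getHttpClient()
        ->setHeaders('Authorization', $oAuthHttpUtility->toAuthorizationHeader($params))
        ->setMethod(Zend_Http_Client::GET)
        ->setUri($url);
    $body = $httpClient->request()->getBody();
    $response = json_decode($body, true);

    // A non-JSON body previously produced an undefined-index notice and a null return
    if (!is_array($response)) {
        throw new Garp_Service_Vimeo_Exception('Unexpected response from Vimeo.');
    }
    if (isset($response['stat']) && $response['stat'] === 'fail') {
        // Throw the computed message: the original threw $response['err']['expl'] directly,
        // ignoring the default and raising a notice whenever 'expl' was absent.
        $error = 'An unknown error occurred at Vimeo.';
        if (!empty($response['err']['expl'])) {
            $error = $response['err']['expl'];
        }
        throw new Garp_Service_Vimeo_Exception($error);
    }
    return $response;
}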