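def test_signature_base_string(self):
    """Check get_signature_base_string() against the RFC 5849 worked example.

    The request and the expected base string are the ones given in
    Section 3.4.1.1 of RFC 5849.  The request is parsed with
    Request.from_string() so that parameters from the query string, the
    Authorization header and the form-encoded body all end up in the
    base string.
    """
    request_line = "POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1"
    headers = [
        "Host: example.com",
        "Content-Type: application/x-www-form-urlencoded",
        # The realm is carried in the header but does not appear in the
        # expected base string below.
        'Authorization: OAuth realm="Example", '
        'oauth_consumer_key="9djdj82h48djs9d2", '
        'oauth_token="kkk9d7dh3k39sjv7", '
        'oauth_signature_method="HMAC-SHA1", '
        'oauth_timestamp="137131201", '
        'oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D", '
        'oauth_nonce="7d8f3e4a"',
    ]
    body = "c2&a3=2+q"
    # Headers and body are separated by an empty line, as on the wire.
    req = "\r\n".join([request_line] + headers + ["", body])
    sigstr = (
        "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a"
        "3%3D2%2520q%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c"
        "2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2%26oauth_non"
        "ce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1%26oau"
        "th_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
    )
    # IanB, *thank you* for Request.from_string!
    mysigstr = get_signature_base_string(Request.from_string(req))
    # assertEquals is a deprecated alias of assertEqual (removed in 3.12).
    self.assertEqual(sigstr, mysigstr)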
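def _authenticate_oauth(self, request, identity):
    """Authenticate a two-legged OAuth request and return its userid.

    Args:
        request: the incoming request; passed through to the signature
            helper and to ``_respond_unauthorized``.
        identity: dict of OAuth parameters extracted from the request.
            On success the data decoded from the consumer token is
            merged into it.

    Returns:
        ``None`` when there is no ``oauth_consumer_key`` (not an OAuth
        request); the result of ``_respond_unauthorized`` when the key
        does not parse, a required parameter is missing or malformed,
        or the signature does not match; otherwise
        ``identity["repoze.who.userid"]``.
    """
    # We can only authenticate if it has a valid oauth token.
    token = identity.get("oauth_consumer_key")
    if not token:
        return None
    try:
        data, secret = self.token_manager.parse_token(token)
    except ValueError:
        msg = "invalid oauth_consumer_key"
        return self._respond_unauthorized(request, msg)
    # The remaining parameters come straight from the client.  A missing
    # or non-numeric value is an authentication failure, not something
    # that should surface as an unhandled KeyError/ValueError.
    try:
        signature = identity["oauth_signature"]
        nonce = identity["oauth_nonce"]
        timestamp = int(identity["oauth_timestamp"])
    except (KeyError, TypeError, ValueError):
        msg = "invalid oauth parameters"
        return self._respond_unauthorized(request, msg)
    # Check the two-legged OAuth signature.  strings_differ is used rather
    # than != so the comparison does not leak timing information.
    sigdata = get_signature_base_string(request, identity)
    expected_sig = get_signature(sigdata, secret)
    if strings_differ(signature, expected_sig):
        msg = "invalid oauth_signature"
        return self._respond_unauthorized(request, msg)
    # Cache the nonce to avoid re-use.
    # We do this *after* successful auth so that unauthenticated requests
    # cannot fill the cache (DoS).
    # NOTE(review): only the *add* happens here; the freshness/replay
    # check against nonce_cache is presumably done earlier (e.g. in
    # identify()) -- confirm, and note that a check-then-add split across
    # two calls is not atomic for concurrent requests sharing a nonce.
    self.nonce_cache.add(nonce, timestamp)
    # Update the identity with the data from the token.
    identity.update(data)
    return identity["repoze.who.userid"]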