private void validateMessage(OAuthAccessor accessor, MessageInfo info, boolean tokenEndpoint)
throws OAuthException, IOException, URISyntaxException {
info.message.validateMessage(accessor, new FakeTimeOAuthValidator());
String bodyHash = info.message.getParameter("oauth_body_hash");
if (tokenEndpoint && bodyHash != null) {
throw new RuntimeException("Can't have body hash on token endpoints");
}
SignatureType sigType =
OAuthUtil.getSignatureType(tokenEndpoint, info.request.getHeader("Content-Type"));
switch (sigType) {
case URL_ONLY:
break;
case URL_AND_FORM_PARAMS:
if (bodyHash != null) {
throw new RuntimeException("Can't have body hash in form-encoded request");
}
break;
case URL_AND_BODY_HASH:
if (bodyHash == null) {
throw new RuntimeException("Requiring oauth_body_hash parameter");
}
byte[] received = Base64.decodeBase64(CharsetUtil.getUtf8Bytes(bodyHash));
byte[] expected = DigestUtils.sha(info.rawBody);
if (!Arrays.equals(received, expected)) {
throw new RuntimeException("oauth_body_hash mismatch");
}
}
}
private String hasExtraParams(OAuthMessage message) {
for (Entry<String, String> param : OAuthUtil.getParameters(message)) {
// Our request token URL allows "param" as a query param, and also oauth params of course.
if (!param.getKey().startsWith("oauth") && !param.getKey().equals("param")) {
return param.getKey();
}
}
return null;
}
// Loosely based off net.oauth.OAuthServlet, and even more loosely related
// to the OAuth specification
private MessageInfo parseMessage(HttpRequest request) {
MessageInfo info = new MessageInfo();
info.request = request;
String method = request.getMethod();
ParsedUrl parsed = new ParsedUrl(request.getUri().toString());
List<OAuth.Parameter> params = Lists.newArrayList();
params.addAll(parsed.getParsedQuery());
if (!validParamLocations.contains(OAuthParamLocation.URI_QUERY)) {
// Make sure nothing OAuth related ended up in the query string
for (OAuth.Parameter p : params) {
if (p.getKey().contains("oauth_")) {
throw new RuntimeException("Found unexpected query param " + p.getKey());
}
}
}
// Parse authorization header
if (validParamLocations.contains(OAuthParamLocation.AUTH_HEADER)) {
String aznHeader = request.getHeader("Authorization");
if (aznHeader != null) {
info.aznHeader = aznHeader;
for (OAuth.Parameter p : OAuthMessage.decodeAuthorization(aznHeader)) {
if (!p.getKey().equalsIgnoreCase("realm")) {
params.add(p);
}
}
}
}
// Parse body
info.body = request.getPostBodyAsString();
try {
info.rawBody = IOUtils.toByteArray(request.getPostBody());
} catch (IOException e) {
throw new RuntimeException("Can't read post body bytes", e);
}
if (OAuth.isFormEncoded(request.getHeader("Content-Type"))) {
params.addAll(OAuth.decodeForm(request.getPostBodyAsString()));
// If we're not configured to pass oauth parameters in the post body, double check
// that they didn't end up there.
if (!validParamLocations.contains(OAuthParamLocation.POST_BODY)) {
if (info.body.contains("oauth_")) {
throw new RuntimeException("Found unexpected post body data" + info.body);
}
}
}
// Return the lot
info.message = new OAuthMessage(method, parsed.getLocation(), params);
// Check for trusted parameters
if (checkTrustedParams) {
if (!"foo".equals(OAuthUtil.getParameter(info.message, "oauth_magic"))) {
throw new RuntimeException("no oauth_trusted=foo parameter");
}
if (!"bar".equals(OAuthUtil.getParameter(info.message, "opensocial_magic"))) {
throw new RuntimeException("no opensocial_trusted=foo parameter");
}
if (!"quux".equals(OAuthUtil.getParameter(info.message, "xoauth_magic"))) {
throw new RuntimeException("no xoauth_magic=quux parameter");
}
trustedParamCount += 3;
}
return info;
}