@Before
public void setUp() throws Exception {
ContextFix context = new ContextFix();
clientFix = context.newClient();
signatureMethodProvider = clientFix.getSignatureMethodProvider();
SignatureMethod signatureMethod = mock(SignatureMethod.class);
signatureMethodProvider.register("SIGNATURE-METHOD", signatureMethod);
clientCredentials = new ClientCredentialsImpl("CLIENT-IDENTIFIER", "CLIENT-SHARED-SECRET");
tokenCredentials = new TokenCredentialsImpl("TOKEN-IDENTIFIER", "TOKEN-SHARED-SECRET");
when(signatureMethod.generateSignature(
any(Request.class), eq(clientCredentials), eq(tokenCredentials))) //
.thenReturn("SIGNATURE");
client = clientFix.unpack();
client.store(clientCredentials);
client.store(tokenCredentials);
client.setDefaultSignatureMethod("SIGNATURE-METHOD");
request = client.newRequest();
}
// FIXME URGH
@Ignore
@Test
public void nominalCase() throws Exception {
/**
*
*
* <pre>
* OAuth-authenticated requests can have two sets of credentials: those
* passed via the "oauth_consumer_key" parameter and those in the
* "oauth_token" parameter. In order for the server to verify the
* authenticity of the request and prevent unauthorized access, the
* client needs to prove that it is the rightful owner of the
* credentials. This is accomplished using the shared-secret (or RSA
* key) part of each set of credentials.
* </pre>
*/
assertThat(client.getClientCredentials(), is(notNullValue()));
assertThat(client.getTokenCredentials(), is(notNullValue()));
request = client.newRequest();
Parameters parameters = request.getParameters();
assertThat(parameters.get(oauth_consumer_key), is("CLIENT-IDENTIFIER"));
assertThat(parameters.get(oauth_token), is("TOKEN-IDENTIFIER"));
/**
*
*
* <pre>
* OAuth provides three methods for the client to prove its rightful
* ownership of the credentials: "HMAC-SHA1", "RSA-SHA1", and
* "PLAINTEXT". These methods are generally referred to as signature
* methods, even though "PLAINTEXT" does not involve a signature. In
* addition, "RSA-SHA1" utilizes an RSA key instead of the shared-
* secrets associated with the client credentials.
*
* OAuth does not mandate a particular signature method, as each
* implementation can have its own unique requirements. Servers are
* free to implement and document their own custom methods.
* Recommending any particular method is beyond the scope of this
* specification. Implementers should review the Security
* Considerations section (Section 4) before deciding on which method to
* support.
* </pre>
*/
assertTrue(signatureMethodProvider.supports("SIGNATURE-METHOD"));
assertThat(client.getDefaultSignatureMethod(), is("SIGNATURE-METHOD"));
/**
*
*
* <pre>
* The client declares which signature method is used via the
* "oauth_signature_method" parameter. It then generates a signature
* (or a string of an equivalent value), and includes it in the
* "oauth_signature" parameter. The server verifies the signature as
* specified for each method.
* </pre>
*/
assertThat(parameters.get(oauth_signature_method), is("SIGNATURE-METHOD"));
/**
*
*
* <pre>
* The signature process does not change the request or its parameters,
* with the exception of the "oauth_signature" parameter.
* </pre>
*/
parameters = spy(parameters);
request.setParameters(parameters);
client.sign(request);
verify(parameters, atLeastOnce()).get(oauth_consumer_key);
verify(parameters, atLeastOnce()).get(oauth_token);
verify(parameters).get(oauth_signature_method);
verify(parameters).set(oauth_signature, "SIGNATURE");
}
