Exemplo n.º 1
0
  @Before
  public void setUp() throws Exception {
    ContextFix context = new ContextFix();

    clientFix = context.newClient();

    signatureMethodProvider = clientFix.getSignatureMethodProvider();
    SignatureMethod signatureMethod = mock(SignatureMethod.class);
    signatureMethodProvider.register("SIGNATURE-METHOD", signatureMethod);

    clientCredentials = new ClientCredentialsImpl("CLIENT-IDENTIFIER", "CLIENT-SHARED-SECRET");
    tokenCredentials = new TokenCredentialsImpl("TOKEN-IDENTIFIER", "TOKEN-SHARED-SECRET");
    when(signatureMethod.generateSignature(
            any(Request.class), eq(clientCredentials), eq(tokenCredentials))) //
        .thenReturn("SIGNATURE");

    client = clientFix.unpack();
    client.store(clientCredentials);
    client.store(tokenCredentials);
    client.setDefaultSignatureMethod("SIGNATURE-METHOD");
    request = client.newRequest();
  }
Exemplo n.º 2
0
  // FIXME URGH
  @Ignore
  @Test
  public void nominalCase() throws Exception {
    /**
     *
     *
     * <pre>
     * OAuth-authenticated requests can have two sets of credentials: those
     * passed via the "oauth_consumer_key" parameter and those in the
     * "oauth_token" parameter.  In order for the server to verify the
     * authenticity of the request and prevent unauthorized access, the
     * client needs to prove that it is the rightful owner of the
     * credentials.  This is accomplished using the shared-secret (or RSA
     * key) part of each set of credentials.
     * </pre>
     */
    assertThat(client.getClientCredentials(), is(notNullValue()));
    assertThat(client.getTokenCredentials(), is(notNullValue()));

    request = client.newRequest();
    Parameters parameters = request.getParameters();

    assertThat(parameters.get(oauth_consumer_key), is("CLIENT-IDENTIFIER"));
    assertThat(parameters.get(oauth_token), is("TOKEN-IDENTIFIER"));

    /**
     *
     *
     * <pre>
     * OAuth provides three methods for the client to prove its rightful
     * ownership of the credentials: "HMAC-SHA1", "RSA-SHA1", and
     * "PLAINTEXT".  These methods are generally referred to as signature
     * methods, even though "PLAINTEXT" does not involve a signature.  In
     * addition, "RSA-SHA1" utilizes an RSA key instead of the shared-
     * secrets associated with the client credentials.
     *
     * OAuth does not mandate a particular signature method, as each
     * implementation can have its own unique requirements.  Servers are
     * free to implement and document their own custom methods.
     * Recommending any particular method is beyond the scope of this
     * specification.  Implementers should review the Security
     * Considerations section (Section 4) before deciding on which method to
     * support.
     * </pre>
     */
    assertTrue(signatureMethodProvider.supports("SIGNATURE-METHOD"));
    assertThat(client.getDefaultSignatureMethod(), is("SIGNATURE-METHOD"));

    /**
     *
     *
     * <pre>
     * The client declares which signature method is used via the
     * "oauth_signature_method" parameter.  It then generates a signature
     * (or a string of an equivalent value), and includes it in the
     * "oauth_signature" parameter.  The server verifies the signature as
     * specified for each method.
     * </pre>
     */
    assertThat(parameters.get(oauth_signature_method), is("SIGNATURE-METHOD"));

    /**
     *
     *
     * <pre>
     * The signature process does not change the request or its parameters,
     * with the exception of the "oauth_signature" parameter.
     * </pre>
     */
    parameters = spy(parameters);
    request.setParameters(parameters);

    client.sign(request);

    verify(parameters, atLeastOnce()).get(oauth_consumer_key);
    verify(parameters, atLeastOnce()).get(oauth_token);
    verify(parameters).get(oauth_signature_method);
    verify(parameters).set(oauth_signature, "SIGNATURE");
  }