Search in sources :

Example 1 with UriBuilder

use of org.apache.shindig.common.uri.UriBuilder in project liferay-ide by liferay.

the class OAuthRequest method sanitizeAndSign.

/**
 * Start with an HttpRequest.
 * Throw if there are any attacks in the query.
 * Throw if there are any attacks in the post body.
 * Build up OAuth parameter list.
 * Sign it.
 * Add OAuth parameters to new request.
 * Send it.
 */
public HttpRequest sanitizeAndSign(HttpRequest base, List<Parameter> params, boolean tokenEndpoint) throws OAuthRequestException {
    if (params == null) {
        params = Lists.newArrayList();
    }
    UriBuilder target = new UriBuilder(base.getUri());
    String query = target.getQuery();
    target.setQuery(null);
    params.addAll(sanitize(OAuth.decodeForm(query)));
    switch(OAuthUtil.getSignatureType(tokenEndpoint, base.getHeader("Content-Type"))) {
        case URL_ONLY:
            break;
        case URL_AND_FORM_PARAMS:
            try {
                params.addAll(sanitize(OAuth.decodeForm(base.getPostBodyAsString())));
            } catch (IllegalArgumentException e) {
                // Occurs if OAuth.decodeForm finds an invalid URL to decode.
                throw new OAuthRequestException(OAuthError.INVALID_REQUEST, "Could not decode body", e);
            }
            break;
        case URL_AND_BODY_HASH:
            try {
                byte[] body = IOUtils.toByteArray(base.getPostBody());
                byte[] hash = DigestUtils.sha(body);
                String b64 = new String(Base64.encodeBase64(hash), Charsets.UTF_8.name());
                params.add(new Parameter(OAuthConstants.OAUTH_BODY_HASH, b64));
            } catch (IOException e) {
                throw new OAuthRequestException(OAuthError.UNKNOWN_PROBLEM, "Error taking body hash", e);
            }
            break;
    }
    // authParams are parameters prefixed with 'xoauth' 'oauth' or 'opensocial',
    // trusted parameters have ability to override these parameters.
    List<Parameter> authParams = Lists.newArrayList();
    addIdentityParams(authParams);
    addSignatureParams(authParams);
    overrideParameters(authParams);
    params.addAll(authParams);
    try {
        OAuthMessage signed = OAuthUtil.newRequestMessage(accessorInfo.getAccessor(), base.getMethod(), target.toString(), params);
        HttpRequest oauthHttpRequest = createHttpRequest(base, selectOAuthParams(signed));
        // Following 302s on OAuth responses is unlikely to be productive.
        oauthHttpRequest.setFollowRedirects(false);
        return oauthHttpRequest;
    } catch (OAuthException e) {
        throw new OAuthRequestException(OAuthError.UNKNOWN_PROBLEM, "Error signing message", e);
    }
}
Also used : HttpRequest(org.apache.shindig.gadgets.http.HttpRequest) OAuthMessage(net.oauth.OAuthMessage) OAuthException(net.oauth.OAuthException) Parameter(net.oauth.OAuth.Parameter) IOException(java.io.IOException) UriBuilder(org.apache.shindig.common.uri.UriBuilder)

Aggregations

IOException (java.io.IOException)1 Parameter (net.oauth.OAuth.Parameter)1 OAuthException (net.oauth.OAuthException)1 OAuthMessage (net.oauth.OAuthMessage)1 UriBuilder (org.apache.shindig.common.uri.UriBuilder)1 HttpRequest (org.apache.shindig.gadgets.http.HttpRequest)1