// OAuth 1.0 consumer implementation. // See http://www.oauth.net and RFC 5849 // // There are typically three parties involved in an OAuth exchange: // (1) The "Service Provider" (e.g. Google, Twitter, NetFlix) who operates the // service where the data resides. // (2) The "End User" who owns that data, and wants to grant access to a third-party. // (3) That third-party who wants access to the data (after first being authorized by // the user). This third-party is referred to as the "Consumer" in OAuth // terminology. // // This library is designed to help implement the third-party consumer by handling the // low-level authentication tasks, and allowing for authenticated requests to the // service provider on behalf of the user. // // Caveats: // - Currently only supports HMAC and RSA signatures. // - Currently only supports SHA1 and SHA256 hashes. // - Currently only supports OAuth 1.0 // // Overview of how to use this library: // (1) First create a new Consumer instance with the NewConsumer function // (2) Get a RequestToken, and "authorization url" from GetRequestTokenAndUrl() // (3) Save the RequestToken, you will need it again in step 6. // (4) Redirect the user to the "authorization url" from step 2, where they will // authorize your access to the service provider. // (5) Wait. You will be called back on the CallbackUrl that you provide, and you // will recieve a "verification code". // (6) Call AuthorizeToken() with the RequestToken from step 2 and the // "verification code" from step 5. // (7) You will get back an AccessToken. Save this for as long as you need access // to the user's data, and treat it like a password; it is a secret. // (8) You can now throw away the RequestToken from step 2, it is no longer // necessary. // (9) Call "MakeHttpClient" using the AccessToken from step 7 to get an // HTTP client which can access protected resources. package oauth import ( "bytes" "crypto" "crypto/hmac" cryptoRand "crypto/rand" "crypto/rsa" "encoding/base64" "errors" "fmt" "io" "io/ioutil" "math/rand" "mime/multipart" "net/http" "net/url" "sort" "strconv" "strings" "sync" "time" ) const ( OAUTH_VERSION = "1.0" SIGNATURE_METHOD_HMAC = "HMAC-" SIGNATURE_METHOD_RSA = "RSA-" HTTP_AUTH_HEADER = "Authorization" OAUTH_HEADER = "OAuth " BODY_HASH_PARAM = "oauth_body_hash" CALLBACK_PARAM = "oauth_callback" CONSUMER_KEY_PARAM = "oauth_consumer_key" NONCE_PARAM = "oauth_nonce" SESSION_HANDLE_PARAM = "oauth_session_handle" SIGNATURE_METHOD_PARAM = "oauth_signature_method" SIGNATURE_PARAM = "oauth_signature" TIMESTAMP_PARAM = "oauth_timestamp" TOKEN_PARAM = "oauth_token" TOKEN_SECRET_PARAM = "oauth_token_secret" VERIFIER_PARAM = "oauth_verifier" VERSION_PARAM = "oauth_version" ) var HASH_METHOD_MAP = map[crypto.Hash]string{ crypto.SHA1: "SHA1", crypto.SHA256: "SHA256", } // TODO(mrjones) Do we definitely want separate "Request" and "Access" token classes? // They're identical structurally, but used for different purposes. type RequestToken struct { Token string Secret string } type AccessToken struct { Token string Secret string AdditionalData map[string]string } type DataLocation int const ( LOC_BODY DataLocation = iota + 1 LOC_URL LOC_MULTIPART LOC_JSON LOC_XML ) // Information about how to contact the service provider (see #1 above). // You usually find all of these URLs by reading the documentation for the service // that you're trying to connect to. // Some common examples are: // (1) Google, standard APIs: // http://code.google.com/apis/accounts/docs/OAuth_ref.html // - RequestTokenUrl: https://www.google.com/accounts/OAuthGetRequestToken // - AuthorizeTokenUrl: https://www.google.com/accounts/OAuthAuthorizeToken // - AccessTokenUrl: https://www.google.com/accounts/OAuthGetAccessToken // Note: Some Google APIs (for example, Google Latitude) use different values for // one or more of those URLs. // (2) Twitter API: // http://dev.twitter.com/pages/auth // - RequestTokenUrl: http://api.twitter.com/oauth/request_token // - AuthorizeTokenUrl: https://api.twitter.com/oauth/authorize // - AccessTokenUrl: https://api.twitter.com/oauth/access_token // (3) NetFlix API: // http://developer.netflix.com/docs/Security // - RequestTokenUrl: http://api.netflix.com/oauth/request_token // - AuthroizeTokenUrl: https://api-user.netflix.com/oauth/login // - AccessTokenUrl: http://api.netflix.com/oauth/access_token // Set HttpMethod if the service provider requires a different HTTP method // to be used for OAuth token requests type ServiceProvider struct { RequestTokenUrl string AuthorizeTokenUrl string AccessTokenUrl string HttpMethod string BodyHash bool IgnoreTimestamp bool // Enables non spec-compliant behavior: // Allow parameters to be passed in the query string rather // than the body. // See https://github.com/mrjones/oauth/pull/63 SignQueryParams bool } func (sp *ServiceProvider) httpMethod() string { if sp.HttpMethod != "" { return sp.HttpMethod } return "GET" } // lockedNonceGenerator wraps a non-reentrant random number generator with a // lock type lockedNonceGenerator struct { nonceGenerator nonceGenerator lock sync.Mutex } func newLockedNonceGenerator(c clock) *lockedNonceGenerator { return &lockedNonceGenerator{ nonceGenerator: rand.New(rand.NewSource(c.Nanos())), } } func (n *lockedNonceGenerator) Int63() int64 { n.lock.Lock() r := n.nonceGenerator.Int63() n.lock.Unlock() return r } // Consumers are stateless, you can call the various methods (GetRequestTokenAndUrl, // AuthorizeToken, and Get) on various different instances of Consumers *as long as // they were set up in the same way.* It is up to you, as the caller to persist the // necessary state (RequestTokens and AccessTokens). type Consumer struct { // Some ServiceProviders require extra parameters to be passed for various reasons. // For example Google APIs require you to set a scope= parameter to specify how much // access is being granted. The proper values for scope= depend on the service: // For more, see: http://code.google.com/apis/accounts/docs/OAuth.html#prepScope AdditionalParams map[string]string // The rest of this class is configured via the NewConsumer function. consumerKey string serviceProvider ServiceProvider // Some APIs (e.g. Netflix) aren't quite standard OAuth, and require passing // additional parameters when authorizing the request token. For most APIs // this field can be ignored. For Netflix, do something like: // consumer.AdditionalAuthorizationUrlParams = map[string]string{ // "application_name": "YourAppName", // "oauth_consumer_key": "YourConsumerKey", // } AdditionalAuthorizationUrlParams map[string]string debug bool // Defaults to http.Client{}, can be overridden (e.g. for testing) as necessary HttpClient HttpClient // Some APIs (e.g. Intuit/Quickbooks) require sending additional headers along with // requests. (like "Accept" to specify the response type as XML or JSON) Note that this // will only *add* headers, not set existing ones. AdditionalHeaders map[string][]string // Private seams for mocking dependencies when testing clock clock // Seeded generators are not reentrant nonceGenerator nonceGenerator signer signer } func newConsumer(consumerKey string, serviceProvider ServiceProvider, httpClient *http.Client) *Consumer { clock := &defaultClock{} if httpClient == nil { httpClient = &http.Client{} } return &Consumer{ consumerKey: consumerKey, serviceProvider: serviceProvider, clock: clock, HttpClient: httpClient, nonceGenerator: newLockedNonceGenerator(clock), AdditionalParams: make(map[string]string), AdditionalAuthorizationUrlParams: make(map[string]string), } } // Creates a new Consumer instance, with a HMAC-SHA1 signer // - consumerKey and consumerSecret: // values you should obtain from the ServiceProvider when you register your // application. // // - serviceProvider: // see the documentation for ServiceProvider for how to create this. // func NewConsumer(consumerKey string, consumerSecret string, serviceProvider ServiceProvider) *Consumer { consumer := newConsumer(consumerKey, serviceProvider, nil) consumer.signer = &HMACSigner{ consumerSecret: consumerSecret, hashFunc: crypto.SHA1, } return consumer } // Creates a new Consumer instance, with a HMAC-SHA1 signer // - consumerKey and consumerSecret: // values you should obtain from the ServiceProvider when you register your // application. // // - serviceProvider: // see the documentation for ServiceProvider for how to create this. // // - httpClient: // Provides a custom implementation of the httpClient used under the hood // to make the request. This is especially useful if you want to use // Google App Engine. // func NewCustomHttpClientConsumer(consumerKey string, consumerSecret string, serviceProvider ServiceProvider, httpClient *http.Client) *Consumer { consumer := newConsumer(consumerKey, serviceProvider, httpClient) consumer.signer = &HMACSigner{ consumerSecret: consumerSecret, hashFunc: crypto.SHA1, } return consumer } // Creates a new Consumer instance, with a HMAC signer // - consumerKey and consumerSecret: // values you should obtain from the ServiceProvider when you register your // application. // // - hashFunc: // the crypto.Hash to use for signatures // // - serviceProvider: // see the documentation for ServiceProvider for how to create this. // // - httpClient: // Provides a custom implementation of the httpClient used under the hood // to make the request. This is especially useful if you want to use // Google App Engine. Can be nil for default. // func NewCustomConsumer(consumerKey string, consumerSecret string, hashFunc crypto.Hash, serviceProvider ServiceProvider, httpClient *http.Client) *Consumer { consumer := newConsumer(consumerKey, serviceProvider, httpClient) consumer.signer = &HMACSigner{ consumerSecret: consumerSecret, hashFunc: hashFunc, } return consumer } // Creates a new Consumer instance, with a RSA-SHA1 signer // - consumerKey: // value you should obtain from the ServiceProvider when you register your // application. // // - privateKey: // the private key to use for signatures // // - serviceProvider: // see the documentation for ServiceProvider for how to create this. // func NewRSAConsumer(consumerKey string, privateKey *rsa.PrivateKey, serviceProvider ServiceProvider) *Consumer { consumer := newConsumer(consumerKey, serviceProvider, nil) consumer.signer = &RSASigner{ privateKey: privateKey, hashFunc: crypto.SHA1, rand: cryptoRand.Reader, } return consumer } // Creates a new Consumer instance, with a RSA signer // - consumerKey: // value you should obtain from the ServiceProvider when you register your // application. // // - privateKey: // the private key to use for signatures // // - hashFunc: // the crypto.Hash to use for signatures // // - serviceProvider: // see the documentation for ServiceProvider for how to create this. // // - httpClient: // Provides a custom implementation of the httpClient used under the hood // to make the request. This is especially useful if you want to use // Google App Engine. Can be nil for default. // func NewCustomRSAConsumer(consumerKey string, privateKey *rsa.PrivateKey, hashFunc crypto.Hash, serviceProvider ServiceProvider, httpClient *http.Client) *Consumer { consumer := newConsumer(consumerKey, serviceProvider, httpClient) consumer.signer = &RSASigner{ privateKey: privateKey, hashFunc: hashFunc, rand: cryptoRand.Reader, } return consumer } // Kicks off the OAuth authorization process. // - callbackUrl: // Authorizing a token *requires* redirecting to the service provider. This is the // URL which the service provider will redirect the user back to after that // authorization is completed. The service provider will pass back a verification // code which is necessary to complete the rest of the process (in AuthorizeToken). // Notes on callbackUrl: // - Some (all?) service providers allow for setting "oob" (for out-of-band) as a // callback url. If this is set the service provider will present the // verification code directly to the user, and you must provide a place for // them to copy-and-paste it into. // - Otherwise, the user will be redirected to callbackUrl in the browser, and // will append a "oauth_verifier=" parameter. // // This function returns: // - rtoken: // A temporary RequestToken, used during the authorization process. You must save // this since it will be necessary later in the process when calling // AuthorizeToken(). // // - url: // A URL that you should redirect the user to in order that they may authorize you // to the service provider. // // - err: // Set only if there was an error, nil otherwise. func (c *Consumer) GetRequestTokenAndUrl(callbackUrl string) (rtoken *RequestToken, loginUrl string, err error) { return c.GetRequestTokenAndUrlWithParams(callbackUrl, c.AdditionalParams) } func (c *Consumer) GetRequestTokenAndUrlWithParams(callbackUrl string, additionalParams map[string]string) (rtoken *RequestToken, loginUrl string, err error) { params := c.baseParams(c.consumerKey, additionalParams) if callbackUrl != "" { params.Add(CALLBACK_PARAM, callbackUrl) } req := &request{ method: c.serviceProvider.httpMethod(), url: c.serviceProvider.RequestTokenUrl, oauthParams: params, } if _, err := c.signRequest(req, ""); err != nil { // We don't have a token secret for the key yet return nil, "", err } resp, err := c.getBody(c.serviceProvider.httpMethod(), c.serviceProvider.RequestTokenUrl, params) if err != nil { return nil, "", errors.New("getBody: " + err.Error()) } requestToken, err := parseRequestToken(*resp) if err != nil { return nil, "", errors.New("parseRequestToken: " + err.Error()) } loginParams := make(url.Values) for k, v := range c.AdditionalAuthorizationUrlParams { loginParams.Set(k, v) } loginParams.Set(TOKEN_PARAM, requestToken.Token) loginUrl = c.serviceProvider.AuthorizeTokenUrl + "?" + loginParams.Encode() return requestToken, loginUrl, nil } // After the user has authorized you to the service provider, use this method to turn // your temporary RequestToken into a permanent AccessToken. You must pass in two values: // - rtoken: // The RequestToken returned from GetRequestTokenAndUrl() // // - verificationCode: // The string which passed back from the server, either as the oauth_verifier // query param appended to callbackUrl *OR* a string manually entered by the user // if callbackUrl is "oob" // // It will return: // - atoken: // A permanent AccessToken which can be used to access the user's data (until it is // revoked by the user or the service provider). // // - err: // Set only if there was an error, nil otherwise. func (c *Consumer) AuthorizeToken(rtoken *RequestToken, verificationCode string) (atoken *AccessToken, err error) { return c.AuthorizeTokenWithParams(rtoken, verificationCode, c.AdditionalParams) } func (c *Consumer) AuthorizeTokenWithParams(rtoken *RequestToken, verificationCode string, additionalParams map[string]string) (atoken *AccessToken, err error) { params := map[string]string{ TOKEN_PARAM: rtoken.Token, } if verificationCode != "" { params[VERIFIER_PARAM] = verificationCode } return c.makeAccessTokenRequestWithParams(params, rtoken.Secret, additionalParams) } // Use the service provider to refresh the AccessToken for a given session. // Note that this is only supported for service providers that manage an // authorization session (e.g. Yahoo). // // Most providers do not return the SESSION_HANDLE_PARAM needed to refresh // the token. // // See http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html // for more information. // - accessToken: // The AccessToken returned from AuthorizeToken() // // It will return: // - atoken: // An AccessToken which can be used to access the user's data (until it is // revoked by the user or the service provider). // // - err: // Set if accessToken does not contain the SESSION_HANDLE_PARAM needed to // refresh the token, or if an error occurred when making the request. func (c *Consumer) RefreshToken(accessToken *AccessToken) (atoken *AccessToken, err error) { params := make(map[string]string) sessionHandle, ok := accessToken.AdditionalData[SESSION_HANDLE_PARAM] if !ok { return nil, errors.New("Missing " + SESSION_HANDLE_PARAM + " in access token.") } params[SESSION_HANDLE_PARAM] = sessionHandle params[TOKEN_PARAM] = accessToken.Token return c.makeAccessTokenRequest(params, accessToken.Secret) } // Use the service provider to obtain an AccessToken for a given session // - params: // The access token request paramters. // // - secret: // Secret key to use when signing the access token request. // // It will return: // - atoken // An AccessToken which can be used to access the user's data (until it is // revoked by the user or the service provider). // // - err: // Set only if there was an error, nil otherwise. func (c *Consumer) makeAccessTokenRequest(params map[string]string, secret string) (atoken *AccessToken, err error) { return c.makeAccessTokenRequestWithParams(params, secret, c.AdditionalParams) } func (c *Consumer) makeAccessTokenRequestWithParams(params map[string]string, secret string, additionalParams map[string]string) (atoken *AccessToken, err error) { orderedParams := c.baseParams(c.consumerKey, additionalParams) for key, value := range params { orderedParams.Add(key, value) } req := &request{ method: c.serviceProvider.httpMethod(), url: c.serviceProvider.AccessTokenUrl, oauthParams: orderedParams, } if _, err := c.signRequest(req, secret); err != nil { return nil, err } resp, err := c.getBody(c.serviceProvider.httpMethod(), c.serviceProvider.AccessTokenUrl, orderedParams) if err != nil { return nil, err } return parseAccessToken(*resp) } type RoundTripper struct { consumer *Consumer token *AccessToken } func (c *Consumer) MakeRoundTripper(token *AccessToken) (*RoundTripper, error) { return &RoundTripper{consumer: c, token: token}, nil } func (c *Consumer) MakeHttpClient(token *AccessToken) (*http.Client, error) { return &http.Client{ Transport: &RoundTripper{consumer: c, token: token}, }, nil } // ** DEPRECATED ** // Please call Get on the http client returned by MakeHttpClient instead! // // Executes an HTTP Get, authorized via the AccessToken. // - url: // The base url, without any query params, which is being accessed // // - userParams: // Any key=value params to be included in the query string // // - token: // The AccessToken returned by AuthorizeToken() // // This method returns: // - resp: // The HTTP Response resulting from making this request. // // - err: // Set only if there was an error, nil otherwise. func (c *Consumer) Get(url string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) { return c.makeAuthorizedRequest("GET", url, LOC_URL, "", userParams, token) } func encodeUserParams(userParams map[string]string) string { data := url.Values{} for k, v := range userParams { data.Add(k, v) } return data.Encode() } // ** DEPRECATED ** // Please call "Post" on the http client returned by MakeHttpClient instead func (c *Consumer) PostForm(url string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) { return c.PostWithBody(url, "", userParams, token) } // ** DEPRECATED ** // Please call "Post" on the http client returned by MakeHttpClient instead func (c *Consumer) Post(url string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) { return c.PostWithBody(url, "", userParams, token) } // ** DEPRECATED ** // Please call "Post" on the http client returned by MakeHttpClient instead func (c *Consumer) PostWithBody(url string, body string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) { return c.makeAuthorizedRequest("POST", url, LOC_BODY, body, userParams, token) } // ** DEPRECATED ** // Please call "Do" on the http client returned by MakeHttpClient instead // (and set the "Content-Type" header explicitly in the http.Request) func (c *Consumer) PostJson(url string, body string, token *AccessToken) (resp *http.Response, err error) { return c.makeAuthorizedRequest("POST", url, LOC_JSON, body, nil, token) } // ** DEPRECATED ** // Please call "Do" on the http client returned by MakeHttpClient instead // (and set the "Content-Type" header explicitly in the http.Request) func (c *Consumer) PostXML(url string, body string, token *AccessToken) (resp *http.Response, err error) { return c.makeAuthorizedRequest("POST", url, LOC_XML, body, nil, token) } // ** DEPRECATED ** // Please call "Do" on the http client returned by MakeHttpClient instead // (and setup the multipart data explicitly in the http.Request) func (c *Consumer) PostMultipart(url, multipartName string, multipartData io.ReadCloser, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) { return c.makeAuthorizedRequestReader("POST", url, LOC_MULTIPART, 0, multipartName, multipartData, userParams, token) } // ** DEPRECATED ** // Please call "Delete" on the http client returned by MakeHttpClient instead func (c *Consumer) Delete(url string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) { return c.makeAuthorizedRequest("DELETE", url, LOC_URL, "", userParams, token) } // ** DEPRECATED ** // Please call "Put" on the http client returned by MakeHttpClient instead func (c *Consumer) Put(url string, body string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) { return c.makeAuthorizedRequest("PUT", url, LOC_URL, body, userParams, token) } func (c *Consumer) Debug(enabled bool) { c.debug = enabled c.signer.Debug(enabled) } type pair struct { key string value string } type pairs []pair func (p pairs) Len() int { return len(p) } func (p pairs) Less(i, j int) bool { return p[i].key < p[j].key } func (p pairs) Swap(i, j int) { p[i], p[j] = p[j], p[i] } // This function has basically turned into a backwards compatibility layer // between the old API (where clients explicitly called consumer.Get() // consumer.Post() etc), and the new API (which takes actual http.Requests) // // So, here we construct the appropriate HTTP request for the inputs. func (c *Consumer) makeAuthorizedRequestReader(method string, urlString string, dataLocation DataLocation, contentLength int, multipartName string, body io.ReadCloser, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) { urlObject, err := url.Parse(urlString) if err != nil { return nil, err } request := &http.Request{ Method: method, URL: urlObject, Header: http.Header{}, Body: body, ContentLength: int64(contentLength), } vals := url.Values{} for k, v := range userParams { vals.Add(k, v) } if dataLocation != LOC_BODY { request.URL.RawQuery = vals.Encode() request.URL.RawQuery = strings.Replace( request.URL.RawQuery, ";", "%3B", -1) } else { // TODO(mrjones): validate that we're not overrideing an exising body? request.ContentLength = int64(len(vals.Encode())) if request.ContentLength == 0 { request.Body = nil } else { request.Body = ioutil.NopCloser(strings.NewReader(vals.Encode())) } } for k, vs := range c.AdditionalHeaders { for _, v := range vs { request.Header.Set(k, v) } } if dataLocation == LOC_BODY { request.Header.Set("Content-Type", "application/x-www-form-urlencoded") } if dataLocation == LOC_JSON { request.Header.Set("Content-Type", "application/json") } if dataLocation == LOC_XML { request.Header.Set("Content-Type", "application/xml") } if dataLocation == LOC_MULTIPART { pipeReader, pipeWriter := io.Pipe() writer := multipart.NewWriter(pipeWriter) if request.URL.Host == "www.mrjon.es" && request.URL.Path == "/unittest" { writer.SetBoundary("UNITTESTBOUNDARY") } go func(body io.Reader) { part, err := writer.CreateFormFile(multipartName, "/no/matter") if err != nil { writer.Close() pipeWriter.CloseWithError(err) return } _, err = io.Copy(part, body) if err != nil { writer.Close() pipeWriter.CloseWithError(err) return } writer.Close() pipeWriter.Close() }(body) request.Body = pipeReader request.Header.Set("Content-Type", writer.FormDataContentType()) } rt := RoundTripper{consumer: c, token: token} resp, err = rt.RoundTrip(request) if err != nil { return resp, err } if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices { defer resp.Body.Close() bytes, _ := ioutil.ReadAll(resp.Body) return resp, HTTPExecuteError{ RequestHeaders: "", ResponseBodyBytes: bytes, Status: resp.Status, StatusCode: resp.StatusCode, } } return resp, nil } // cloneReq clones the src http.Request, making deep copies of the Header and // the URL but shallow copies of everything else func cloneReq(src *http.Request) *http.Request { dst := &http.Request{} *dst = *src dst.Header = make(http.Header, len(src.Header)) for k, s := range src.Header { dst.Header[k] = append([]string(nil), s...) } if src.URL != nil { dst.URL = cloneURL(src.URL) } return dst } // cloneURL shallow clones the src *url.URL func cloneURL(src *url.URL) *url.URL { dst := &url.URL{} *dst = *src return dst } func canonicalizeUrl(u *url.URL) string { var buf bytes.Buffer buf.WriteString(u.Scheme) buf.WriteString("://") buf.WriteString(u.Host) buf.WriteString(u.Path) return buf.String() } func getBody(request *http.Request) ([]byte, error) { if request.Body == nil { return nil, nil } defer request.Body.Close() originalBody, err := ioutil.ReadAll(request.Body) if err != nil { return nil, err } // We have to re-install the body (because we've ruined it by reading it). if len(originalBody) > 0 { request.Body = ioutil.NopCloser(bytes.NewReader(originalBody)) } else { request.Body = nil } return originalBody, nil } func parseBody(request *http.Request) (map[string]string, error) { userParams := map[string]string{} // TODO(mrjones): factor parameter extraction into a separate method if request.Header.Get("Content-Type") != "application/x-www-form-urlencoded" { // Most of the time we get parameters from the query string: for k, vs := range request.URL.Query() { if len(vs) != 1 { return nil, fmt.Errorf("Must have exactly one value per param") } userParams[k] = vs[0] } } else { // x-www-form-urlencoded parameters come from the body instead: body, err := getBody(request) if err != nil { return nil, err } params, err := url.ParseQuery(string(body)) if err != nil { return nil, err } for k, vs := range params { if len(vs) != 1 { return nil, fmt.Errorf("Must have exactly one value per param") } userParams[k] = vs[0] } } return userParams, nil } func paramsToSortedPairs(params map[string]string) pairs { // Sort parameters alphabetically paramPairs := make(pairs, len(params)) i := 0 for key, value := range params { paramPairs[i] = pair{key: key, value: value} i++ } sort.Sort(paramPairs) return paramPairs } func calculateBodyHash(request *http.Request, s signer) (string, error) { if request.Header.Get("Content-Type") == "application/x-www-form-urlencoded" { return "", nil } var body []byte if request.Body != nil { var err error body, err = getBody(request) if err != nil { return "", err } } h := s.HashFunc().New() h.Write(body) rawSignature := h.Sum(nil) return base64.StdEncoding.EncodeToString(rawSignature), nil } func (rt *RoundTripper) RoundTrip(userRequest *http.Request) (*http.Response, error) { serverRequest := cloneReq(userRequest) allParams := rt.consumer.baseParams( rt.consumer.consumerKey, rt.consumer.AdditionalParams) // Do not add the "oauth_token" parameter, if the access token has not been // specified. By omitting this parameter when it is not specified, allows // two-legged OAuth calls. if len(rt.token.Token) > 0 { allParams.Add(TOKEN_PARAM, rt.token.Token) } if rt.consumer.serviceProvider.BodyHash { bodyHash, err := calculateBodyHash(serverRequest, rt.consumer.signer) if err != nil { return nil, err } if bodyHash != "" { allParams.Add(BODY_HASH_PARAM, bodyHash) } } authParams := allParams.Clone() // TODO(mrjones): put these directly into the paramPairs below? userParams, err := parseBody(serverRequest) if err != nil { return nil, err } paramPairs := paramsToSortedPairs(userParams) for i := range paramPairs { allParams.Add(paramPairs[i].key, paramPairs[i].value) } signingURL := cloneURL(serverRequest.URL) if host := serverRequest.Host; host != "" { signingURL.Host = host } baseString := rt.consumer.requestString(serverRequest.Method, canonicalizeUrl(signingURL), allParams) signature, err := rt.consumer.signer.Sign(baseString, rt.token.Secret) if err != nil { return nil, err } authParams.Add(SIGNATURE_PARAM, signature) // Set auth header. oauthHdr := OAUTH_HEADER for pos, key := range authParams.Keys() { for innerPos, value := range authParams.Get(key) { if pos+innerPos > 0 { oauthHdr += "," } oauthHdr += key + "=\"" + value + "\"" } } serverRequest.Header.Add(HTTP_AUTH_HEADER, oauthHdr) if rt.consumer.debug { fmt.Printf("Request: %v\n", serverRequest) } resp, err := rt.consumer.HttpClient.Do(serverRequest) if err != nil { return resp, err } return resp, nil } func (c *Consumer) makeAuthorizedRequest(method string, url string, dataLocation DataLocation, body string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) { return c.makeAuthorizedRequestReader(method, url, dataLocation, len(body), "", ioutil.NopCloser(strings.NewReader(body)), userParams, token) } type request struct { method string url string oauthParams *OrderedParams userParams map[string]string } type HttpClient interface { Do(req *http.Request) (resp *http.Response, err error) } type clock interface { Seconds() int64 Nanos() int64 } type nonceGenerator interface { Int63() int64 } type key interface { String() string } type signer interface { Sign(message string, tokenSecret string) (string, error) Verify(message string, signature string) error SignatureMethod() string HashFunc() crypto.Hash Debug(enabled bool) } type defaultClock struct{} func (*defaultClock) Seconds() int64 { return time.Now().Unix() } func (*defaultClock) Nanos() int64 { return time.Now().UnixNano() } func (c *Consumer) signRequest(req *request, tokenSecret string) (*request, error) { baseString := c.requestString(req.method, req.url, req.oauthParams) signature, err := c.signer.Sign(baseString, tokenSecret) if err != nil { return nil, err } req.oauthParams.Add(SIGNATURE_PARAM, signature) return req, nil } // Obtains an AccessToken from the response of a service provider. // - data: // The response body. // // This method returns: // - atoken: // The AccessToken generated from the response body. // // - err: // Set if an AccessToken could not be parsed from the given input. func parseAccessToken(data string) (atoken *AccessToken, err error) { parts, err := url.ParseQuery(data) if err != nil { return nil, err } tokenParam := parts[TOKEN_PARAM] parts.Del(TOKEN_PARAM) if len(tokenParam) < 1 { return nil, errors.New("Missing " + TOKEN_PARAM + " in response. " + "Full response body: '" + data + "'") } tokenSecretParam := parts[TOKEN_SECRET_PARAM] parts.Del(TOKEN_SECRET_PARAM) if len(tokenSecretParam) < 1 { return nil, errors.New("Missing " + TOKEN_SECRET_PARAM + " in response." + "Full response body: '" + data + "'") } additionalData := parseAdditionalData(parts) return &AccessToken{tokenParam[0], tokenSecretParam[0], additionalData}, nil } func parseRequestToken(data string) (*RequestToken, error) { parts, err := url.ParseQuery(data) if err != nil { return nil, err } tokenParam := parts[TOKEN_PARAM] if len(tokenParam) < 1 { return nil, errors.New("Missing " + TOKEN_PARAM + " in response. " + "Full response body: '" + data + "'") } tokenSecretParam := parts[TOKEN_SECRET_PARAM] if len(tokenSecretParam) < 1 { return nil, errors.New("Missing " + TOKEN_SECRET_PARAM + " in response." + "Full response body: '" + data + "'") } return &RequestToken{tokenParam[0], tokenSecretParam[0]}, nil } func (c *Consumer) baseParams(consumerKey string, additionalParams map[string]string) *OrderedParams { params := NewOrderedParams() params.Add(VERSION_PARAM, OAUTH_VERSION) params.Add(SIGNATURE_METHOD_PARAM, c.signer.SignatureMethod()) params.Add(TIMESTAMP_PARAM, strconv.FormatInt(c.clock.Seconds(), 10)) params.Add(NONCE_PARAM, strconv.FormatInt(c.nonceGenerator.Int63(), 10)) params.Add(CONSUMER_KEY_PARAM, consumerKey) for key, value := range additionalParams { params.Add(key, value) } return params } func parseAdditionalData(parts url.Values) map[string]string { params := make(map[string]string) for key, value := range parts { if len(value) > 0 { params[key] = value[0] } } return params } type HMACSigner struct { consumerSecret string hashFunc crypto.Hash debug bool } func (s *HMACSigner) Debug(enabled bool) { s.debug = enabled } func (s *HMACSigner) Sign(message string, tokenSecret string) (string, error) { key := escape(s.consumerSecret) + "&" + escape(tokenSecret) if s.debug { fmt.Println("Signing:", message) fmt.Println("Key:", key) } h := hmac.New(s.HashFunc().New, []byte(key)) h.Write([]byte(message)) rawSignature := h.Sum(nil) base64signature := base64.StdEncoding.EncodeToString(rawSignature) if s.debug { fmt.Println("Base64 signature:", base64signature) } return base64signature, nil } func (s *HMACSigner) Verify(message string, signature string) error { if s.debug { fmt.Println("Verifying Base64 signature:", signature) } validSignature, err := s.Sign(message, "") if err != nil { return err } if validSignature != signature { decodedSigniture, _ := url.QueryUnescape(signature) if validSignature != decodedSigniture { return fmt.Errorf("signature did not match") } } return nil } func (s *HMACSigner) SignatureMethod() string { return SIGNATURE_METHOD_HMAC + HASH_METHOD_MAP[s.HashFunc()] } func (s *HMACSigner) HashFunc() crypto.Hash { return s.hashFunc } type RSASigner struct { debug bool rand io.Reader privateKey *rsa.PrivateKey hashFunc crypto.Hash } func (s *RSASigner) Debug(enabled bool) { s.debug = enabled } func (s *RSASigner) Sign(message string, tokenSecret string) (string, error) { if s.debug { fmt.Println("Signing:", message) } h := s.HashFunc().New() h.Write([]byte(message)) digest := h.Sum(nil) signature, err := rsa.SignPKCS1v15(s.rand, s.privateKey, s.HashFunc(), digest) if err != nil { return "", nil } base64signature := base64.StdEncoding.EncodeToString(signature) if s.debug { fmt.Println("Base64 signature:", base64signature) } return base64signature, nil } func (s *RSASigner) Verify(message string, base64signature string) error { if s.debug { fmt.Println("Verifying:", message) fmt.Println("Verifying Base64 signature:", base64signature) } h := s.HashFunc().New() h.Write([]byte(message)) digest := h.Sum(nil) signature, err := base64.StdEncoding.DecodeString(base64signature) if err != nil { return err } return rsa.VerifyPKCS1v15(&s.privateKey.PublicKey, s.HashFunc(), digest, signature) } func (s *RSASigner) SignatureMethod() string { return SIGNATURE_METHOD_RSA + HASH_METHOD_MAP[s.HashFunc()] } func (s *RSASigner) HashFunc() crypto.Hash { return s.hashFunc } func escape(s string) string { t := make([]byte, 0, 3*len(s)) for i := 0; i < len(s); i++ { c := s[i] if isEscapable(c) { t = append(t, '%') t = append(t, "0123456789ABCDEF"[c>>4]) t = append(t, "0123456789ABCDEF"[c&15]) } else { t = append(t, s[i]) } } return string(t) } func isEscapable(b byte) bool { return !('A' <= b && b <= 'Z' || 'a' <= b && b <= 'z' || '0' <= b && b <= '9' || b == '-' || b == '.' || b == '_' || b == '~') } func (c *Consumer) requestString(method string, url string, params *OrderedParams) string { result := method + "&" + escape(url) for pos, key := range params.Keys() { for innerPos, value := range params.Get(key) { if pos+innerPos == 0 { result += "&" } else { result += escape("&") } result += escape(fmt.Sprintf("%s=%s", key, value)) } } return result } func (c *Consumer) getBody(method, url string, oauthParams *OrderedParams) (*string, error) { resp, err := c.httpExecute(method, url, "", 0, nil, oauthParams) if err != nil { return nil, errors.New("httpExecute: " + err.Error()) } bodyBytes, err := ioutil.ReadAll(resp.Body) resp.Body.Close() if err != nil { return nil, errors.New("ReadAll: " + err.Error()) } bodyStr := string(bodyBytes) if c.debug { fmt.Printf("STATUS: %d %s\n", resp.StatusCode, resp.Status) fmt.Println("BODY RESPONSE: " + bodyStr) } return &bodyStr, nil } // HTTPExecuteError signals that a call to httpExecute failed. type HTTPExecuteError struct { // RequestHeaders provides a stringified listing of request headers. RequestHeaders string // ResponseBodyBytes is the response read into a byte slice. ResponseBodyBytes []byte // Status is the status code string response. Status string // StatusCode is the parsed status code. StatusCode int } // Error provides a printable string description of an HTTPExecuteError. func (e HTTPExecuteError) Error() string { return "HTTP response is not 200/OK as expected. Actual response: \n" + "\tResponse Status: '" + e.Status + "'\n" + "\tResponse Code: " + strconv.Itoa(e.StatusCode) + "\n" + "\tResponse Body: " + string(e.ResponseBodyBytes) + "\n" + "\tRequest Headers: " + e.RequestHeaders } func (c *Consumer) httpExecute( method string, urlStr string, contentType string, contentLength int, body io.Reader, oauthParams *OrderedParams) (*http.Response, error) { // Create base request. req, err := http.NewRequest(method, urlStr, body) if err != nil { return nil, errors.New("NewRequest failed: " + err.Error()) } // Set auth header. req.Header = http.Header{} oauthHdr := "OAuth " for pos, key := range oauthParams.Keys() { for innerPos, value := range oauthParams.Get(key) { if pos+innerPos > 0 { oauthHdr += "," } oauthHdr += key + "=\"" + value + "\"" } } req.Header.Add("Authorization", oauthHdr) // Add additional custom headers for key, vals := range c.AdditionalHeaders { for _, val := range vals { req.Header.Add(key, val) } } // Set contentType if passed. if contentType != "" { req.Header.Set("Content-Type", contentType) } // Set contentLength if passed. if contentLength > 0 { req.Header.Set("Content-Length", strconv.Itoa(contentLength)) } if c.debug { fmt.Printf("Request: %v\n", req) } resp, err := c.HttpClient.Do(req) if err != nil { return nil, errors.New("Do: " + err.Error()) } debugHeader := "" for k, vals := range req.Header { for _, val := range vals { debugHeader += "[key: " + k + ", val: " + val + "]" } } // StatusMultipleChoices is 300, any 2xx response should be treated as success if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices { defer resp.Body.Close() bytes, _ := ioutil.ReadAll(resp.Body) return resp, HTTPExecuteError{ RequestHeaders: debugHeader, ResponseBodyBytes: bytes, Status: resp.Status, StatusCode: resp.StatusCode, } } return resp, err } // // String Sorting helpers // type ByValue []string func (a ByValue) Len() int { return len(a) } func (a ByValue) Swap(i, j int) { a[i], a[j] = a[j], a[i] } func (a ByValue) Less(i, j int) bool { return a[i] < a[j] } // // ORDERED PARAMS // type OrderedParams struct { allParams map[string][]string keyOrdering []string } func NewOrderedParams() *OrderedParams { return &OrderedParams{ allParams: make(map[string][]string), keyOrdering: make([]string, 0), } } func (o *OrderedParams) Get(key string) []string { sort.Sort(ByValue(o.allParams[key])) return o.allParams[key] } func (o *OrderedParams) Keys() []string { sort.Sort(o) return o.keyOrdering } func (o *OrderedParams) Add(key, value string) { o.AddUnescaped(key, escape(value)) } func (o *OrderedParams) AddUnescaped(key, value string) { if _, exists := o.allParams[key]; !exists { o.keyOrdering = append(o.keyOrdering, key) o.allParams[key] = make([]string, 1) o.allParams[key][0] = value } else { o.allParams[key] = append(o.allParams[key], value) } } func (o *OrderedParams) Len() int { return len(o.keyOrdering) } func (o *OrderedParams) Less(i int, j int) bool { return o.keyOrdering[i] < o.keyOrdering[j] } func (o *OrderedParams) Swap(i int, j int) { o.keyOrdering[i], o.keyOrdering[j] = o.keyOrdering[j], o.keyOrdering[i] } func (o *OrderedParams) Clone() *OrderedParams { clone := NewOrderedParams() for _, key := range o.Keys() { for _, value := range o.Get(key) { clone.AddUnescaped(key, value) } } return clone }