Properly sign query string parameters included in request URI.

Author: mmalone

oauth2/__init__.py

@@ -250,35 +250,33 @@ class Request(dict):
  
     """
 
-    http_method = HTTP_METHOD
-    http_url = None
     version = VERSION
 
     def __init__(self, method=HTTP_METHOD, url=None, parameters=None):
-        if method is not None:
-            self.method = method
- 
-        if url is not None:
-            self.url = url
- 
+        self.method = method
+        self.url = url
         if parameters is not None:
             self.update(parameters)
 
     @setter
     def url(self, value):
-        scheme, netloc, path, params, query, fragment = urlparse.urlparse(value)
-
-        # Exclude default port numbers.
-        if scheme == 'http' and netloc[-3:] == ':80':
-            netloc = netloc[:-3]
-        elif scheme == 'https' and netloc[-4:] == ':443':
-            netloc = netloc[:-4]
-
-        if scheme != 'http' and scheme != 'https':
-            raise ValueError("Unsupported URL %s (%s)." % (value, scheme))
-
-        value = urlparse.urlunparse((scheme, netloc, path, params, query, fragment))
         self.__dict__['url'] = value
+        if value is not None:
+            scheme, netloc, path, params, query, fragment = urlparse.urlparse(value)
+
+            # Exclude default port numbers.
+            if scheme == 'http' and netloc[-3:] == ':80':
+                netloc = netloc[:-3]
+            elif scheme == 'https' and netloc[-4:] == ':443':
+                netloc = netloc[:-4]
+            if scheme not in ('http', 'https'):
+                raise ValueError("Unsupported URL %s (%s)." % (value, scheme))
+
+            # Normalized URL excludes params, query, and fragment.
+            self.normalized_url = urlparse.urlunparse((scheme, netloc, path, None, None, None))
+        else:
+            self.normalized_url = None
+            self.__dict__['url'] = None
 
     @setter
     def method(self, value):
@@ -342,6 +340,11 @@ def get_normalized_parameters(self):
                 items.extend((key, item) for item in value)
             else:
                 items.append((key, value))
+
+        # Include any query string parameters from the provided URL
+        query = urlparse.urlparse(self.url)[4]
+        items.extend(self._split_url_string(query).items())
+
         encoded_str = urllib.urlencode(sorted(items))
         # Encode signature parameters per Oauth Core 1.0 protocol
         # spec draft 7, section 3.6
@@ -600,15 +603,6 @@ def request(self, uri, method="GET", body=None, headers=None,
 
         if body and method == "POST" and not is_multipart:
             parameters = dict(parse_qsl(body))
-        elif method == "GET":
-            parsed = urlparse.urlparse(uri)
-
-            try:
-                query = parsed.query
-            except AttributeError:
-                query = parsed[4]
-
-            parameters = parse_qsl(query)     
         else:
             parameters = None
 
@@ -676,14 +670,15 @@ class SignatureMethod_HMAC_SHA1(SignatureMethod):
     def signing_base(self, request, consumer, token):
         sig = (
             escape(request.method),
-            escape(request.url),
+            escape(request.normalized_url),
             escape(request.get_normalized_parameters()),
         )
 
         key = '%s&' % escape(consumer.secret)
         if token:
             key += escape(token.secret)
         raw = '&'.join(sig)
+        print key, raw
         return key, raw
 
     def sign(self, request, consumer, token):

tests/test_oauth.py

@@ -222,14 +222,8 @@ def test_setter(self):
         url = "http://example.com"
         method = "GET"
         req = oauth.Request(method)
-
-        try:
-            url = req.url
-            self.fail("AttributeError should have been raised on empty url.")
-        except AttributeError:
-            pass
-        except Exception, e:
-            self.fail(str(e))
+        self.assertTrue(req.url is None)
+        self.assertTrue(req.normalized_url is None)
 
     def test_deleter(self):
         url = "http://example.com"
@@ -253,17 +247,21 @@ def test_url(self):
         method = "GET"
 
         req = oauth.Request(method, url1)
-        self.assertEquals(req.url, exp1)
+        self.assertEquals(req.normalized_url, exp1)
+        self.assertEquals(req.url, url1)
 
         req = oauth.Request(method, url2)
-        self.assertEquals(req.url, exp2)
+        self.assertEquals(req.normalized_url, exp2)
+        self.assertEquals(req.url, url2)
 
     def test_url_query(self):
         url = "https://www.google.com/m8/feeds/contacts/default/full/?alt=json&max-contacts=10"
+        normalized_url = urlparse.urlunparse(urlparse.urlparse(url)[:3] + (None, None, None))
         method = "GET"
 
         req = oauth.Request(method, url)
         self.assertEquals(req.url, url)
+        self.assertEquals(req.normalized_url, normalized_url)
 
     def test_get_parameter(self):
         url = "http://example.com"
@@ -400,6 +398,30 @@ def test_to_url_with_query(self):
         self.assertEquals(b['max-contacts'], ['10'])
         self.assertEquals(a, b)
 
+    def test_signature_base_string_with_query(self):
+        url = "https://www.google.com/m8/feeds/contacts/default/full/?alt=json&max-contacts=10"
+        params = {
+            'oauth_version': "1.0",
+            'oauth_nonce': "4572616e48616d6d65724c61686176",
+            'oauth_timestamp': "137131200",
+            'oauth_consumer_key': "0685bd9184jfhq22",
+            'oauth_signature_method': "HMAC-SHA1",
+            'oauth_token': "ad180jjd733klru7",
+            'oauth_signature': "wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
+        }
+        req = oauth.Request("GET", url, params)
+        self.assertEquals(req.normalized_url, 'https://www.google.com/m8/feeds/contacts/default/full/')
+        self.assertEquals(req.url, 'https://www.google.com/m8/feeds/contacts/default/full/?alt=json&max-contacts=10')
+        normalized_params = parse_qsl(req.get_normalized_parameters())
+        self.assertTrue(len(normalized_params), len(params) + 2)
+        normalized_params = dict(normalized_params)
+        for key, value in params.iteritems():
+            if key == 'oauth_signature':
+                continue
+            self.assertEquals(value, normalized_params[key])
+        self.assertEquals(normalized_params['alt'], 'json')
+        self.assertEquals(normalized_params['max-contacts'], '10')
+
     def test_get_normalized_parameters(self):
         url = "http://sp.example.com/"
 
@@ -871,6 +893,36 @@ def test_multipart_post_does_not_alter_body(self):
         self.assertEqual(result, random_result)
         self.mox.VerifyAll()
 
+    def test_url_with_query_string(self):
+        self.mox.StubOutWithMock(httplib2.Http, 'request')
+        uri = 'http://example.com/foo/bar/?show=thundercats&character=snarf'
+        client = oauth.Client(self.consumer, None)
+        expected_kwargs = {
+            'method': 'GET',
+            'body': None,
+            'redirections': httplib2.DEFAULT_MAX_REDIRECTS,
+            'connection_type': None,
+            'headers': mox.IsA(dict),
+        }
+        def oauth_verifier(url):
+            req = oauth.Request.from_consumer_and_token(self.consumer, None,
+                    http_method='GET', http_url=uri, parameters={})
+            req.sign_request(oauth.SignatureMethod_HMAC_SHA1(), self.consumer, None)
+            expected = parse_qsl(urlparse.urlparse(req.to_url()).query)
+            actual = parse_qsl(urlparse.urlparse(url).query)
+            if len(expected) != len(actual):
+                return False
+            actual = dict(actual)
+            for key, value in expected:
+                if key not in ('oauth_signature', 'oauth_nonce', 'oauth_timestamp'):
+                    if actual[key] != value:
+                        return False
+            return True
+        httplib2.Http.request(client, mox.Func(oauth_verifier), **expected_kwargs)
+        self.mox.ReplayAll()
+        client.request(uri, 'GET')
+        self.mox.VerifyAll()
+
 if __name__ == "__main__":
     unittest.main()