PageRenderTime 54ms CodeModel.GetById 20ms RepoModel.GetById 1ms app.codeStats 0ms

/trunk/lib/twitter/oauth.php

https://bitbucket.org/pooshonk/esw
PHP | 875 lines | 509 code | 138 blank | 228 comment | 64 complexity | 147b7b8d1dd76558c94ec5beb717c258 MD5 | raw file
Possible License(s): LGPL-2.1 
    

  1. <?php

    2. 

  2. // vim: foldmethod=marker

    3. 

  3. 

    4. 

  4. /* Generic exception class

    5. 

  5.  */

    6. 

  6. class OAuthException extends Exception {

    7. 

  7.   // pass

    8. 

  8. }

    9. 

  9. 

    10. 

  10. class OAuthConsumer {

    11. 

  11.   public $key;

    12. 

  12.   public $secret;

    13. 

  13. 

    14. 

  14.   function __construct($key, $secret, $callback_url=NULL) {

    15. 

  15.     $this->key = $key;

    16. 

  16.     $this->secret = $secret;

    17. 

  17.     $this->callback_url = $callback_url;

    18. 

  18.   }

    19. 

  19. 

    20. 

  20.   function __toString() {

    21. 

  21.     return "OAuthConsumer[key=$this->key,secret=$this->secret]";

    22. 

  22.   }

    23. 

  23. }

    24. 

  24. 

    25. 

  25. class OAuthToken {

    26. 

  26.   // access tokens and request tokens

    27. 

  27.   public $key;

    28. 

  28.   public $secret;

    29. 

  29. 

    30. 

  30.   /**

    31. 

  31.    * key = the token

    32. 

  32.    * secret = the token secret

    33. 

  33.    */

    34. 

  34.   function __construct($key, $secret) {

    35. 

  35.     $this->key = $key;

    36. 

  36.     $this->secret = $secret;

    37. 

  37.   }

    38. 

  38. 

    39. 

  39.   /**

    40. 

  40.    * generates the basic string serialization of a token that a server

    41. 

  41.    * would respond to request_token and access_token calls with

    42. 

  42.    */

    43. 

  43.   function to_string() {

    44. 

  44.     return "oauth_token=" .

    45. 

  45.            OAuthUtil::urlencode_rfc3986($this->key) .

    46. 

  46.            "&oauth_token_secret=" .

    47. 

  47.            OAuthUtil::urlencode_rfc3986($this->secret);

    48. 

  48.   }

    49. 

  49. 

    50. 

  50.   function __toString() {

    51. 

  51.     return $this->to_string();

    52. 

  52.   }

    53. 

  53. }

    54. 

  54. 

    55. 

  55. /**

    56. 

  56.  * A class for implementing a Signature Method

    57. 

  57.  * See section 9 ("Signing Requests") in the spec

    58. 

  58.  */

    59. 

  59. abstract class OAuthSignatureMethod {

    60. 

  60.   /**

    61. 

  61.    * Needs to return the name of the Signature Method (ie HMAC-SHA1)

    62. 

  62.    * @return string

    63. 

  63.    */

    64. 

  64.   abstract public function get_name();

    65. 

  65. 

    66. 

  66.   /**

    67. 

  67.    * Build up the signature

    68. 

  68.    * NOTE: The output of this function MUST NOT be urlencoded.

    69. 

  69.    * the encoding is handled in OAuthRequest when the final

    70. 

  70.    * request is serialized

    71. 

  71.    * @param OAuthRequest $request

    72. 

  72.    * @param OAuthConsumer $consumer

    73. 

  73.    * @param OAuthToken $token

    74. 

  74.    * @return string

    75. 

  75.    */

    76. 

  76.   abstract public function build_signature($request, $consumer, $token);

    77. 

  77. 

    78. 

  78.   /**

    79. 

  79.    * Verifies that a given signature is correct

    80. 

  80.    * @param OAuthRequest $request

    81. 

  81.    * @param OAuthConsumer $consumer

    82. 

  82.    * @param OAuthToken $token

    83. 

  83.    * @param string $signature

    84. 

  84.    * @return bool

    85. 

  85.    */

    86. 

  86.   public function check_signature($request, $consumer, $token, $signature) {

    87. 

  87.     $built = $this->build_signature($request, $consumer, $token);

    88. 

  88.     return $built == $signature;

    89. 

  89.   }

    90. 

  90. }

    91. 

  91. 

    92. 

  92. /**

    93. 

  93.  * The HMAC-SHA1 signature method uses the HMAC-SHA1 signature algorithm as defined in [RFC2104] 

    94. 

  94.  * where the Signature Base String is the text and the key is the concatenated values (each first 

    95. 

  95.  * encoded per Parameter Encoding) of the Consumer Secret and Token Secret, separated by an '&' 

    96. 

  96.  * character (ASCII code 38) even if empty.

    97. 

  97.  *   - Chapter 9.2 ("HMAC-SHA1")

    98. 

  98.  */

    99. 

  99. class OAuthSignatureMethod_HMAC_SHA1 extends OAuthSignatureMethod {

    100. 

  100.   function get_name() {

    101. 

  101.     return "HMAC-SHA1";

    102. 

  102.   }

    103. 

  103. 

    104. 

  104.   public function build_signature($request, $consumer, $token) {

    105. 

  105.     $base_string = $request->get_signature_base_string();

    106. 

  106.     $request->base_string = $base_string;

    107. 

  107. 

    108. 

  108.     $key_parts = array(

    109. 

  109.       $consumer->secret,

    110. 

  110.       ($token) ? $token->secret : ""

    111. 

  111.     );

    112. 

  112. 

    113. 

  113.     $key_parts = OAuthUtil::urlencode_rfc3986($key_parts);

    114. 

  114.     $key = implode('&', $key_parts);

    115. 

  115. 

    116. 

  116.     return base64_encode(hash_hmac('sha1', $base_string, $key, true));

    117. 

  117.   }

    118. 

  118. }

    119. 

  119. 

    120. 

  120. /**

    121. 

  121.  * The PLAINTEXT method does not provide any security protection and SHOULD only be used 

    122. 

  122.  * over a secure channel such as HTTPS. It does not use the Signature Base String.

    123. 

  123.  *   - Chapter 9.4 ("PLAINTEXT")

    124. 

  124.  */

    125. 

  125. class OAuthSignatureMethod_PLAINTEXT extends OAuthSignatureMethod {

    126. 

  126.   public function get_name() {

    127. 

  127.     return "PLAINTEXT";

    128. 

  128.   }

    129. 

  129. 

    130. 

  130.   /**

    131. 

  131.    * oauth_signature is set to the concatenated encoded values of the Consumer Secret and 

    132. 

  132.    * Token Secret, separated by a '&' character (ASCII code 38), even if either secret is 

    133. 

  133.    * empty. The result MUST be encoded again.

    134. 

  134.    *   - Chapter 9.4.1 ("Generating Signatures")

    135. 

  135.    *

    136. 

  136.    * Please note that the second encoding MUST NOT happen in the SignatureMethod, as

    137. 

  137.    * OAuthRequest handles this!

    138. 

  138.    */

    139. 

  139.   public function build_signature($request, $consumer, $token) {

    140. 

  140.     $key_parts = array(

    141. 

  141.       $consumer->secret,

    142. 

  142.       ($token) ? $token->secret : ""

    143. 

  143.     );

    144. 

  144. 

    145. 

  145.     $key_parts = OAuthUtil::urlencode_rfc3986($key_parts);

    146. 

  146.     $key = implode('&', $key_parts);

    147. 

  147.     $request->base_string = $key;

    148. 

  148. 

    149. 

  149.     return $key;

    150. 

  150.   }

    151. 

  151. }

    152. 

  152. 

    153. 

  153. /**

    154. 

  154.  * The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in 

    155. 

  155.  * [RFC3447] section 8.2 (more simply known as PKCS#1), using SHA-1 as the hash function for 

    156. 

  156.  * EMSA-PKCS1-v1_5. It is assumed that the Consumer has provided its RSA public key in a 

    157. 

  157.  * verified way to the Service Provider, in a manner which is beyond the scope of this 

    158. 

  158.  * specification.

    159. 

  159.  *   - Chapter 9.3 ("RSA-SHA1")

    160. 

  160.  */

    161. 

  161. abstract class OAuthSignatureMethod_RSA_SHA1 extends OAuthSignatureMethod {

    162. 

  162.   public function get_name() {

    163. 

  163.     return "RSA-SHA1";

    164. 

  164.   }

    165. 

  165. 

    166. 

  166.   // Up to the SP to implement this lookup of keys. Possible ideas are:

    167. 

  167.   // (1) do a lookup in a table of trusted certs keyed off of consumer

    168. 

  168.   // (2) fetch via http using a url provided by the requester

    169. 

  169.   // (3) some sort of specific discovery code based on request

    170. 

  170.   //

    171. 

  171.   // Either way should return a string representation of the certificate

    172. 

  172.   protected abstract function fetch_public_cert(&$request);

    173. 

  173. 

    174. 

  174.   // Up to the SP to implement this lookup of keys. Possible ideas are:

    175. 

  175.   // (1) do a lookup in a table of trusted certs keyed off of consumer

    176. 

  176.   //

    177. 

  177.   // Either way should return a string representation of the certificate

    178. 

  178.   protected abstract function fetch_private_cert(&$request);

    179. 

  179. 

    180. 

  180.   public function build_signature($request, $consumer, $token) {

    181. 

  181.     $base_string = $request->get_signature_base_string();

    182. 

  182.     $request->base_string = $base_string;

    183. 

  183. 

    184. 

  184.     // Fetch the private key cert based on the request

    185. 

  185.     $cert = $this->fetch_private_cert($request);

    186. 

  186. 

    187. 

  187.     // Pull the private key ID from the certificate

    188. 

  188.     $privatekeyid = openssl_get_privatekey($cert);

    189. 

  189. 

    190. 

  190.     // Sign using the key

    191. 

  191.     $signature = null;

    192. 

  192.     $ok = openssl_sign($base_string, $signature, $privatekeyid);

    193. 

  193. 

    194. 

  194.     // Release the key resource

    195. 

  195.     openssl_free_key($privatekeyid);

    196. 

  196. 

    197. 

  197.     return base64_encode($signature);

    198. 

  198.   }

    199. 

  199. 

    200. 

  200.   public function check_signature($request, $consumer, $token, $signature) {

    201. 

  201.     $decoded_sig = base64_decode($signature);

    202. 

  202. 

    203. 

  203.     $base_string = $request->get_signature_base_string();

    204. 

  204. 

    205. 

  205.     // Fetch the public key cert based on the request

    206. 

  206.     $cert = $this->fetch_public_cert($request);

    207. 

  207. 

    208. 

  208.     // Pull the public key ID from the certificate

    209. 

  209.     $publickeyid = openssl_get_publickey($cert);

    210. 

  210. 

    211. 

  211.     // Check the computed signature against the one passed in the query

    212. 

  212.     $ok = openssl_verify($base_string, $decoded_sig, $publickeyid);

    213. 

  213. 

    214. 

  214.     // Release the key resource

    215. 

  215.     openssl_free_key($publickeyid);

    216. 

  216. 

    217. 

  217.     return $ok == 1;

    218. 

  218.   }

    219. 

  219. }

    220. 

  220. 

    221. 

  221. class OAuthRequest {

    222. 

  222.   private $parameters;

    223. 

  223.   private $http_method;

    224. 

  224.   private $http_url;

    225. 

  225.   // for debug purposes

    226. 

  226.   public $base_string;

    227. 

  227.   public static $version = '1.0';

    228. 

  228.   public static $POST_INPUT = 'php://input';

    229. 

  229. 

    230. 

  230.   function __construct($http_method, $http_url, $parameters=NULL) {

    231. 

  231.     @$parameters or $parameters = array();

    232. 

  232.     $parameters = array_merge( OAuthUtil::parse_parameters(parse_url($http_url, PHP_URL_QUERY)), $parameters);

    233. 

  233.     $this->parameters = $parameters;

    234. 

  234.     $this->http_method = $http_method;

    235. 

  235.     $this->http_url = $http_url;

    236. 

  236.   }

    237. 

  237. 

    238. 

  238. 

    239. 

  239.   /**

    240. 

  240.    * attempt to build up a request from what was passed to the server

    241. 

  241.    */

    242. 

  242.   public static function from_request($http_method=NULL, $http_url=NULL, $parameters=NULL) {

    243. 

  243.     $scheme = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on")

    244. 

  244.               ? 'http'

    245. 

  245.               : 'https';

    246. 

  246.     @$http_url or $http_url = $scheme .

    247. 

  247.                               '://' . $_SERVER['HTTP_HOST'] .

    248. 

  248.                               ':' .

    249. 

  249.                               $_SERVER['SERVER_PORT'] .

    250. 

  250.                               $_SERVER['REQUEST_URI'];

    251. 

  251.     @$http_method or $http_method = $_SERVER['REQUEST_METHOD'];

    252. 

  252. 

    253. 

  253.     // We weren't handed any parameters, so let's find the ones relevant to

    254. 

  254.     // this request.

    255. 

  255.     // If you run XML-RPC or similar you should use this to provide your own

    256. 

  256.     // parsed parameter-list

    257. 

  257.     if (!$parameters) {

    258. 

  258.       // Find request headers

    259. 

  259.       $request_headers = OAuthUtil::get_headers();

    260. 

  260. 

    261. 

  261.       // Parse the query-string to find GET parameters

    262. 

  262.       $parameters = OAuthUtil::parse_parameters($_SERVER['QUERY_STRING']);

    263. 

  263. 

    264. 

  264.       // It's a POST request of the proper content-type, so parse POST

    265. 

  265.       // parameters and add those overriding any duplicates from GET

    266. 

  266.       if ($http_method == "POST"

    267. 

  267.           && @strstr($request_headers["Content-Type"],

    268. 

  268.                      "application/x-www-form-urlencoded")

    269. 

  269.           ) {

    270. 

  270.         $post_data = OAuthUtil::parse_parameters(

    271. 

  271.           file_get_contents(self::$POST_INPUT)

    272. 

  272.         );

    273. 

  273.         $parameters = array_merge($parameters, $post_data);

    274. 

  274.       }

    275. 

  275. 

    276. 

  276.       // We have a Authorization-header with OAuth data. Parse the header

    277. 

  277.       // and add those overriding any duplicates from GET or POST

    278. 

  278.       if (@substr($request_headers['Authorization'], 0, 6) == "OAuth ") {

    279. 

  279.         $header_parameters = OAuthUtil::split_header(

    280. 

  280.           $request_headers['Authorization']

    281. 

  281.         );

    282. 

  282.         $parameters = array_merge($parameters, $header_parameters);

    283. 

  283.       }

    284. 

  284. 

    285. 

  285.     }

    286. 

  286. 

    287. 

  287.     return new OAuthRequest($http_method, $http_url, $parameters);

    288. 

  288.   }

    289. 

  289. 

    290. 

  290.   /**

    291. 

  291.    * pretty much a helper function to set up the request

    292. 

  292.    */

    293. 

  293.   public static function from_consumer_and_token($consumer, $token, $http_method, $http_url, $parameters=NULL) {

    294. 

  294.     @$parameters or $parameters = array();

    295. 

  295.     $defaults = array("oauth_version" => OAuthRequest::$version,

    296. 

  296.                       "oauth_nonce" => OAuthRequest::generate_nonce(),

    297. 

  297.                       "oauth_timestamp" => OAuthRequest::generate_timestamp(),

    298. 

  298.                       "oauth_consumer_key" => $consumer->key);

    299. 

  299.     if ($token)

    300. 

  300.       $defaults['oauth_token'] = $token->key;

    301. 

  301. 

    302. 

  302.     $parameters = array_merge($defaults, $parameters);

    303. 

  303. 

    304. 

  304.     return new OAuthRequest($http_method, $http_url, $parameters);

    305. 

  305.   }

    306. 

  306. 

    307. 

  307.   public function set_parameter($name, $value, $allow_duplicates = true) {

    308. 

  308.     if ($allow_duplicates && isset($this->parameters[$name])) {

    309. 

  309.       // We have already added parameter(s) with this name, so add to the list

    310. 

  310.       if (is_scalar($this->parameters[$name])) {

    311. 

  311.         // This is the first duplicate, so transform scalar (string)

    312. 

  312.         // into an array so we can add the duplicates

    313. 

  313.         $this->parameters[$name] = array($this->parameters[$name]);

    314. 

  314.       }

    315. 

  315. 

    316. 

  316.       $this->parameters[$name][] = $value;

    317. 

  317.     } else {

    318. 

  318.       $this->parameters[$name] = $value;

    319. 

  319.     }

    320. 

  320.   }

    321. 

  321. 

    322. 

  322.   public function get_parameter($name) {

    323. 

  323.     return isset($this->parameters[$name]) ? $this->parameters[$name] : null;

    324. 

  324.   }

    325. 

  325. 

    326. 

  326.   public function get_parameters() {

    327. 

  327.     return $this->parameters;

    328. 

  328.   }

    329. 

  329. 

    330. 

  330.   public function unset_parameter($name) {

    331. 

  331.     unset($this->parameters[$name]);

    332. 

  332.   }

    333. 

  333. 

    334. 

  334.   /**

    335. 

  335.    * The request parameters, sorted and concatenated into a normalized string.

    336. 

  336.    * @return string

    337. 

  337.    */

    338. 

  338.   public function get_signable_parameters() {

    339. 

  339.     // Grab all parameters

    340. 

  340.     $params = $this->parameters;

    341. 

  341. 

    342. 

  342.     // Remove oauth_signature if present

    343. 

  343.     // Ref: Spec: 9.1.1 ("The oauth_signature parameter MUST be excluded.")

    344. 

  344.     if (isset($params['oauth_signature'])) {

    345. 

  345.       unset($params['oauth_signature']);

    346. 

  346.     }

    347. 

  347. 

    348. 

  348.     return OAuthUtil::build_http_query($params);

    349. 

  349.   }

    350. 

  350. 

    351. 

  351.   /**

    352. 

  352.    * Returns the base string of this request

    353. 

  353.    *

    354. 

  354.    * The base string defined as the method, the url

    355. 

  355.    * and the parameters (normalized), each urlencoded

    356. 

  356.    * and the concated with &.

    357. 

  357.    */

    358. 

  358.   public function get_signature_base_string() {

    359. 

  359.     $parts = array(

    360. 

  360.       $this->get_normalized_http_method(),

    361. 

  361.       $this->get_normalized_http_url(),

    362. 

  362.       $this->get_signable_parameters()

    363. 

  363.     );

    364. 

  364. 

    365. 

  365.     $parts = OAuthUtil::urlencode_rfc3986($parts);

    366. 

  366. 

    367. 

  367.     return implode('&', $parts);

    368. 

  368.   }

    369. 

  369. 

    370. 

  370.   /**

    371. 

  371.    * just uppercases the http method

    372. 

  372.    */

    373. 

  373.   public function get_normalized_http_method() {

    374. 

  374.     return strtoupper($this->http_method);

    375. 

  375.   }

    376. 

  376. 

    377. 

  377.   /**

    378. 

  378.    * parses the url and rebuilds it to be

    379. 

  379.    * scheme://host/path

    380. 

  380.    */

    381. 

  381.   public function get_normalized_http_url() {

    382. 

  382.     $parts = parse_url($this->http_url);

    383. 

  383. 

    384. 

  384.     $port = @$parts['port'];

    385. 

  385.     $scheme = $parts['scheme'];

    386. 

  386.     $host = $parts['host'];

    387. 

  387.     $path = @$parts['path'];

    388. 

  388. 

    389. 

  389.     $port or $port = ($scheme == 'https') ? '443' : '80';

    390. 

  390. 

    391. 

  391.     if (($scheme == 'https' && $port != '443')

    392. 

  392.         || ($scheme == 'http' && $port != '80')) {

    393. 

  393.       $host = "$host:$port";

    394. 

  394.     }

    395. 

  395.     return "$scheme://$host$path";

    396. 

  396.   }

    397. 

  397. 

    398. 

  398.   /**

    399. 

  399.    * builds a url usable for a GET request

    400. 

  400.    */

    401. 

  401.   public function to_url() {

    402. 

  402.     $post_data = $this->to_postdata();

    403. 

  403.     $out = $this->get_normalized_http_url();

    404. 

  404.     if ($post_data) {

    405. 

  405.       $out .= '?'.$post_data;

    406. 

  406.     }

    407. 

  407.     return $out;

    408. 

  408.   }

    409. 

  409. 

    410. 

  410.   /**

    411. 

  411.    * builds the data one would send in a POST request

    412. 

  412.    */

    413. 

  413.   public function to_postdata() {

    414. 

  414.     return OAuthUtil::build_http_query($this->parameters);

    415. 

  415.   }

    416. 

  416. 

    417. 

  417.   /**

    418. 

  418.    * builds the Authorization: header

    419. 

  419.    */

    420. 

  420.   public function to_header($realm=null) {

    421. 

  421.     $first = true;

    422. 

  422. 	if($realm) {

    423. 

  423.       $out = 'Authorization: OAuth realm="' . OAuthUtil::urlencode_rfc3986($realm) . '"';

    424. 

  424.       $first = false;

    425. 

  425.     } else

    426. 

  426.       $out = 'Authorization: OAuth';

    427. 

  427. 

    428. 

  428.     $total = array();

    429. 

  429.     foreach ($this->parameters as $k => $v) {

    430. 

  430.       if (substr($k, 0, 5) != "oauth") continue;

    431. 

  431.       if (is_array($v)) {

    432. 

  432.         throw new OAuthException('Arrays not supported in headers');

    433. 

  433.       }

    434. 

  434.       $out .= ($first) ? ' ' : ',';

    435. 

  435.       $out .= OAuthUtil::urlencode_rfc3986($k) .

    436. 

  436.               '="' .

    437. 

  437.               OAuthUtil::urlencode_rfc3986($v) .

    438. 

  438.               '"';

    439. 

  439.       $first = false;

    440. 

  440.     }

    441. 

  441.     return $out;

    442. 

  442.   }

    443. 

  443. 

    444. 

  444.   public function __toString() {

    445. 

  445.     return $this->to_url();

    446. 

  446.   }

    447. 

  447. 

    448. 

  448. 

    449. 

  449.   public function sign_request($signature_method, $consumer, $token) {

    450. 

  450.     $this->set_parameter(

    451. 

  451.       "oauth_signature_method",

    452. 

  452.       $signature_method->get_name(),

    453. 

  453.       false

    454. 

  454.     );

    455. 

  455.     $signature = $this->build_signature($signature_method, $consumer, $token);

    456. 

  456.     $this->set_parameter("oauth_signature", $signature, false);

    457. 

  457.   }

    458. 

  458. 

    459. 

  459.   public function build_signature($signature_method, $consumer, $token) {

    460. 

  460.     $signature = $signature_method->build_signature($this, $consumer, $token);

    461. 

  461.     return $signature;

    462. 

  462.   }

    463. 

  463. 

    464. 

  464.   /**

    465. 

  465.    * util function: current timestamp

    466. 

  466.    */

    467. 

  467.   private static function generate_timestamp() {

    468. 

  468.     return time();

    469. 

  469.   }

    470. 

  470. 

    471. 

  471.   /**

    472. 

  472.    * util function: current nonce

    473. 

  473.    */

    474. 

  474.   private static function generate_nonce() {

    475. 

  475.     $mt = microtime();

    476. 

  476.     $rand = mt_rand();

    477. 

  477. 

    478. 

  478.     return md5($mt . $rand); // md5s look nicer than numbers

    479. 

  479.   }

    480. 

  480. }

    481. 

  481. 

    482. 

  482. class OAuthServer {

    483. 

  483.   protected $timestamp_threshold = 300; // in seconds, five minutes

    484. 

  484.   protected $version = '1.0';             // hi blaine

    485. 

  485.   protected $signature_methods = array();

    486. 

  486. 

    487. 

  487.   protected $data_store;

    488. 

  488. 

    489. 

  489.   function __construct($data_store) {

    490. 

  490.     $this->data_store = $data_store;

    491. 

  491.   }

    492. 

  492. 

    493. 

  493.   public function add_signature_method($signature_method) {

    494. 

  494.     $this->signature_methods[$signature_method->get_name()] =

    495. 

  495.       $signature_method;

    496. 

  496.   }

    497. 

  497. 

    498. 

  498.   // high level functions

    499. 

  499. 

    500. 

  500.   /**

    501. 

  501.    * process a request_token request

    502. 

  502.    * returns the request token on success

    503. 

  503.    */

    504. 

  504.   public function fetch_request_token(&$request) {

    505. 

  505.     $this->get_version($request);

    506. 

  506. 

    507. 

  507.     $consumer = $this->get_consumer($request);

    508. 

  508. 

    509. 

  509.     // no token required for the initial token request

    510. 

  510.     $token = NULL;

    511. 

  511. 

    512. 

  512.     $this->check_signature($request, $consumer, $token);

    513. 

  513. 

    514. 

  514.     // Rev A change

    515. 

  515.     $callback = $request->get_parameter('oauth_callback');

    516. 

  516.     $new_token = $this->data_store->new_request_token($consumer, $callback);

    517. 

  517. 

    518. 

  518.     return $new_token;

    519. 

  519.   }

    520. 

  520. 

    521. 

  521.   /**

    522. 

  522.    * process an access_token request

    523. 

  523.    * returns the access token on success

    524. 

  524.    */

    525. 

  525.   public function fetch_access_token(&$request) {

    526. 

  526.     $this->get_version($request);

    527. 

  527. 

    528. 

  528.     $consumer = $this->get_consumer($request);

    529. 

  529. 

    530. 

  530.     // requires authorized request token

    531. 

  531.     $token = $this->get_token($request, $consumer, "request");

    532. 

  532. 

    533. 

  533.     $this->check_signature($request, $consumer, $token);

    534. 

  534. 

    535. 

  535.     // Rev A change

    536. 

  536.     $verifier = $request->get_parameter('oauth_verifier');

    537. 

  537.     $new_token = $this->data_store->new_access_token($token, $consumer, $verifier);

    538. 

  538. 

    539. 

  539.     return $new_token;

    540. 

  540.   }

    541. 

  541. 

    542. 

  542.   /**

    543. 

  543.    * verify an api call, checks all the parameters

    544. 

  544.    */

    545. 

  545.   public function verify_request(&$request) {

    546. 

  546.     $this->get_version($request);

    547. 

  547.     $consumer = $this->get_consumer($request);

    548. 

  548.     $token = $this->get_token($request, $consumer, "access");

    549. 

  549.     $this->check_signature($request, $consumer, $token);

    550. 

  550.     return array($consumer, $token);

    551. 

  551.   }

    552. 

  552. 

    553. 

  553.   // Internals from here

    554. 

  554.   /**

    555. 

  555.    * version 1

    556. 

  556.    */

    557. 

  557.   private function get_version(&$request) {

    558. 

  558.     $version = $request->get_parameter("oauth_version");

    559. 

  559.     if (!$version) {

    560. 

  560.       // Service Providers MUST assume the protocol version to be 1.0 if this parameter is not present. 

    561. 

  561.       // Chapter 7.0 ("Accessing Protected Ressources")

    562. 

  562.       $version = '1.0';

    563. 

  563.     }

    564. 

  564.     if ($version !== $this->version) {

    565. 

  565.       throw new OAuthException("OAuth version '$version' not supported");

    566. 

  566.     }

    567. 

  567.     return $version;

    568. 

  568.   }

    569. 

  569. 

    570. 

  570.   /**

    571. 

  571.    * figure out the signature with some defaults

    572. 

  572.    */

    573. 

  573.   private function get_signature_method(&$request) {

    574. 

  574.     $signature_method =

    575. 

  575.         @$request->get_parameter("oauth_signature_method");

    576. 

  576. 

    577. 

  577.     if (!$signature_method) {

    578. 

  578.       // According to chapter 7 ("Accessing Protected Ressources") the signature-method

    579. 

  579.       // parameter is required, and we can't just fallback to PLAINTEXT

    580. 

  580.       throw new OAuthException('No signature method parameter. This parameter is required');

    581. 

  581.     }

    582. 

  582. 

    583. 

  583.     if (!in_array($signature_method,

    584. 

  584.                   array_keys($this->signature_methods))) {

    585. 

  585.       throw new OAuthException(

    586. 

  586.         "Signature method '$signature_method' not supported " .

    587. 

  587.         "try one of the following: " .

    588. 

  588.         implode(", ", array_keys($this->signature_methods))

    589. 

  589.       );

    590. 

  590.     }

    591. 

  591.     return $this->signature_methods[$signature_method];

    592. 

  592.   }

    593. 

  593. 

    594. 

  594.   /**

    595. 

  595.    * try to find the consumer for the provided request's consumer key

    596. 

  596.    */

    597. 

  597.   private function get_consumer(&$request) {

    598. 

  598.     $consumer_key = @$request->get_parameter("oauth_consumer_key");

    599. 

  599.     if (!$consumer_key) {

    600. 

  600.       throw new OAuthException("Invalid consumer key");

    601. 

  601.     }

    602. 

  602. 

    603. 

  603.     $consumer = $this->data_store->lookup_consumer($consumer_key);

    604. 

  604.     if (!$consumer) {

    605. 

  605.       throw new OAuthException("Invalid consumer");

    606. 

  606.     }

    607. 

  607. 

    608. 

  608.     return $consumer;

    609. 

  609.   }

    610. 

  610. 

    611. 

  611.   /**

    612. 

  612.    * try to find the token for the provided request's token key

    613. 

  613.    */

    614. 

  614.   private function get_token(&$request, $consumer, $token_type="access") {

    615. 

  615.     $token_field = @$request->get_parameter('oauth_token');

    616. 

  616.     $token = $this->data_store->lookup_token(

    617. 

  617.       $consumer, $token_type, $token_field

    618. 

  618.     );

    619. 

  619.     if (!$token) {

    620. 

  620.       throw new OAuthException("Invalid $token_type token: $token_field");

    621. 

  621.     }

    622. 

  622.     return $token;

    623. 

  623.   }

    624. 

  624. 

    625. 

  625.   /**

    626. 

  626.    * all-in-one function to check the signature on a request

    627. 

  627.    * should guess the signature method appropriately

    628. 

  628.    */

    629. 

  629.   private function check_signature(&$request, $consumer, $token) {

    630. 

  630.     // this should probably be in a different method

    631. 

  631.     $timestamp = @$request->get_parameter('oauth_timestamp');

    632. 

  632.     $nonce = @$request->get_parameter('oauth_nonce');

    633. 

  633. 

    634. 

  634.     $this->check_timestamp($timestamp);

    635. 

  635.     $this->check_nonce($consumer, $token, $nonce, $timestamp);

    636. 

  636. 

    637. 

  637.     $signature_method = $this->get_signature_method($request);

    638. 

  638. 

    639. 

  639.     $signature = $request->get_parameter('oauth_signature');

    640. 

  640.     $valid_sig = $signature_method->check_signature(

    641. 

  641.       $request,

    642. 

  642.       $consumer,

    643. 

  643.       $token,

    644. 

  644.       $signature

    645. 

  645.     );

    646. 

  646. 

    647. 

  647.     if (!$valid_sig) {

    648. 

  648.       throw new OAuthException("Invalid signature");

    649. 

  649.     }

    650. 

  650.   }

    651. 

  651. 

    652. 

  652.   /**

    653. 

  653.    * check that the timestamp is new enough

    654. 

  654.    */

    655. 

  655.   private function check_timestamp($timestamp) {

    656. 

  656.     if( ! $timestamp )

    657. 

  657.       throw new OAuthException(

    658. 

  658.         'Missing timestamp parameter. The parameter is required'

    659. 

  659.       );

    660. 

  660.     

    661. 

  661.     // verify that timestamp is recentish

    662. 

  662.     $now = time();

    663. 

  663.     if (abs($now - $timestamp) > $this->timestamp_threshold) {

    664. 

  664.       throw new OAuthException(

    665. 

  665.         "Expired timestamp, yours $timestamp, ours $now"

    666. 

  666.       );

    667. 

  667.     }

    668. 

  668.   }

    669. 

  669. 

    670. 

  670.   /**

    671. 

  671.    * check that the nonce is not repeated

    672. 

  672.    */

    673. 

  673.   private function check_nonce($consumer, $token, $nonce, $timestamp) {

    674. 

  674.     if( ! $nonce )

    675. 

  675.       throw new OAuthException(

    676. 

  676.         'Missing nonce parameter. The parameter is required'

    677. 

  677.       );

    678. 

  678. 

    679. 

  679.     // verify that the nonce is uniqueish

    680. 

  680.     $found = $this->data_store->lookup_nonce(

    681. 

  681.       $consumer,

    682. 

  682.       $token,

    683. 

  683.       $nonce,

    684. 

  684.       $timestamp

    685. 

  685.     );

    686. 

  686.     if ($found) {

    687. 

  687.       throw new OAuthException("Nonce already used: $nonce");

    688. 

  688.     }

    689. 

  689.   }

    690. 

  690. 

    691. 

  691. }

    692. 

  692. 

    693. 

  693. class OAuthDataStore {

    694. 

  694.   function lookup_consumer($consumer_key) {

    695. 

  695.     // implement me

    696. 

  696.   }

    697. 

  697. 

    698. 

  698.   function lookup_token($consumer, $token_type, $token) {

    699. 

  699.     // implement me

    700. 

  700.   }

    701. 

  701. 

    702. 

  702.   function lookup_nonce($consumer, $token, $nonce, $timestamp) {

    703. 

  703.     // implement me

    704. 

  704.   }

    705. 

  705. 

    706. 

  706.   function new_request_token($consumer, $callback = null) {

    707. 

  707.     // return a new token attached to this consumer

    708. 

  708.   }

    709. 

  709. 

    710. 

  710.   function new_access_token($token, $consumer, $verifier = null) {

    711. 

  711.     // return a new access token attached to this consumer

    712. 

  712.     // for the user associated with this token if the request token

    713. 

  713.     // is authorized

    714. 

  714.     // should also invalidate the request token

    715. 

  715.   }

    716. 

  716. 

    717. 

  717. }

    718. 

  718. 

    719. 

  719. class OAuthUtil {

    720. 

  720.   public static function urlencode_rfc3986($input) {

    721. 

  721.   if (is_array($input)) {

    722. 

  722.     return array_map(array('OAuthUtil', 'urlencode_rfc3986'), $input);

    723. 

  723.   } else if (is_scalar($input)) {

    724. 

  724.     return str_replace(

    725. 

  725.       '+',

    726. 

  726.       ' ',

    727. 

  727.       str_replace('%7E', '~', rawurlencode($input))

    728. 

  728.     );

    729. 

  729.   } else {

    730. 

  730.     return '';

    731. 

  731.   }

    732. 

  732. }

    733. 

  733. 

    734. 

  734. 

    735. 

  735.   // This decode function isn't taking into consideration the above

    736. 

  736.   // modifications to the encoding process. However, this method doesn't

    737. 

  737.   // seem to be used anywhere so leaving it as is.

    738. 

  738.   public static function urldecode_rfc3986($string) {

    739. 

  739.     return urldecode($string);

    740. 

  740.   }

    741. 

  741. 

    742. 

  742.   // Utility function for turning the Authorization: header into

    743. 

  743.   // parameters, has to do some unescaping

    744. 

  744.   // Can filter out any non-oauth parameters if needed (default behaviour)

    745. 

  745.   public static function split_header($header, $only_allow_oauth_parameters = true) {

    746. 

  746.     $pattern = '/(([-_a-z]*)=("([^"]*)"|([^,]*)),?)/';

    747. 

  747.     $offset = 0;

    748. 

  748.     $params = array();

    749. 

  749.     while (preg_match($pattern, $header, $matches, PREG_OFFSET_CAPTURE, $offset) > 0) {

    750. 

  750.       $match = $matches[0];

    751. 

  751.       $header_name = $matches[2][0];

    752. 

  752.       $header_content = (isset($matches[5])) ? $matches[5][0] : $matches[4][0];

    753. 

  753.       if (preg_match('/^oauth_/', $header_name) || !$only_allow_oauth_parameters) {

    754. 

  754.         $params[$header_name] = OAuthUtil::urldecode_rfc3986($header_content);

    755. 

  755.       }

    756. 

  756.       $offset = $match[1] + strlen($match[0]);

    757. 

  757.     }

    758. 

  758. 

    759. 

  759.     if (isset($params['realm'])) {

    760. 

  760.       unset($params['realm']);

    761. 

  761.     }

    762. 

  762. 

    763. 

  763.     return $params;

    764. 

  764.   }

    765. 

  765. 

    766. 

  766.   // helper to try to sort out headers for people who aren't running apache

    767. 

  767.   public static function get_headers() {

    768. 

  768.     if (function_exists('apache_request_headers')) {

    769. 

  769.       // we need this to get the actual Authorization: header

    770. 

  770.       // because apache tends to tell us it doesn't exist

    771. 

  771.       $headers = apache_request_headers();

    772. 

  772. 

    773. 

  773.       // sanitize the output of apache_request_headers because

    774. 

  774.       // we always want the keys to be Cased-Like-This and arh()

    775. 

  775.       // returns the headers in the same case as they are in the

    776. 

  776.       // request

    777. 

  777.       $out = array();

    778. 

  778.       foreach( $headers AS $key => $value ) {

    779. 

  779.         $key = str_replace(

    780. 

  780.             " ",

    781. 

  781.             "-",

    782. 

  782.             ucwords(strtolower(str_replace("-", " ", $key)))

    783. 

  783.           );

    784. 

  784.         $out[$key] = $value;

    785. 

  785.       }

    786. 

  786.     } else {

    787. 

  787.       // otherwise we don't have apache and are just going to have to hope

    788. 

  788.       // that $_SERVER actually contains what we need

    789. 

  789.       $out = array();

    790. 

  790.       if( isset($_SERVER['CONTENT_TYPE']) )

    791. 

  791.         $out['Content-Type'] = $_SERVER['CONTENT_TYPE'];

    792. 

  792.       if( isset($_ENV['CONTENT_TYPE']) )

    793. 

  793.         $out['Content-Type'] = $_ENV['CONTENT_TYPE'];

    794. 

  794. 

    795. 

  795.       foreach ($_SERVER as $key => $value) {

    796. 

  796.         if (substr($key, 0, 5) == "HTTP_") {

    797. 

  797.           // this is chaos, basically it is just there to capitalize the first

    798. 

  798.           // letter of every word that is not an initial HTTP and strip HTTP

    799. 

  799.           // code from przemek

    800. 

  800.           $key = str_replace(

    801. 

  801.             " ",

    802. 

  802.             "-",

    803. 

  803.             ucwords(strtolower(str_replace("_", " ", substr($key, 5))))

    804. 

  804.           );

    805. 

  805.           $out[$key] = $value;

    806. 

  806.         }

    807. 

  807.       }

    808. 

  808.     }

    809. 

  809.     return $out;

    810. 

  810.   }

    811. 

  811. 

    812. 

  812.   // This function takes a input like a=b&a=c&d=e and returns the parsed

    813. 

  813.   // parameters like this

    814. 

  814.   // array('a' => array('b','c'), 'd' => 'e')

    815. 

  815.   public static function parse_parameters( $input ) {

    816. 

  816.     if (!isset($input) || !$input) return array();

    817. 

  817. 

    818. 

  818.     $pairs = explode('&', $input);

    819. 

  819. 

    820. 

  820.     $parsed_parameters = array();

    821. 

  821.     foreach ($pairs as $pair) {

    822. 

  822.       $split = explode('=', $pair, 2);

    823. 

  823.       $parameter = OAuthUtil::urldecode_rfc3986($split[0]);

    824. 

  824.       $value = isset($split[1]) ? OAuthUtil::urldecode_rfc3986($split[1]) : '';

    825. 

  825. 

    826. 

  826.       if (isset($parsed_parameters[$parameter])) {

    827. 

  827.         // We have already recieved parameter(s) with this name, so add to the list

    828. 

  828.         // of parameters with this name

    829. 

  829. 

    830. 

  830.         if (is_scalar($parsed_parameters[$parameter])) {

    831. 

  831.           // This is the first duplicate, so transform scalar (string) into an array

    832. 

  832.           // so we can add the duplicates

    833. 

  833.           $parsed_parameters[$parameter] = array($parsed_parameters[$parameter]);

    834. 

  834.         }

    835. 

  835. 

    836. 

  836.         $parsed_parameters[$parameter][] = $value;

    837. 

  837.       } else {

    838. 

  838.         $parsed_parameters[$parameter] = $value;

    839. 

  839.       }

    840. 

  840.     }

    841. 

  841.     return $parsed_parameters;

    842. 

  842.   }

    843. 

  843. 

    844. 

  844.   public static function build_http_query($params) {

    845. 

  845.     if (!$params) return '';

    846. 

  846. 

    847. 

  847.     // Urlencode both keys and values

    848. 

  848.     $keys = OAuthUtil::urlencode_rfc3986(array_keys($params));

    849. 

  849.     $values = OAuthUtil::urlencode_rfc3986(array_values($params));

    850. 

  850.     $params = array_combine($keys, $values);

    851. 

  851. 

    852. 

  852.     // Parameters are sorted by name, using lexicographical byte value ordering.

    853. 

  853.     // Ref: Spec: 9.1.1 (1)

    854. 

  854.     uksort($params, 'strcmp');

    855. 

  855. 

    856. 

  856.     $pairs = array();

    857. 

  857.     foreach ($params as $parameter => $value) {

    858. 

  858.       if (is_array($value)) {

    859. 

  859.         // If two or more parameters share the same name, they are sorted by their value

    860. 

  860.         // Ref: Spec: 9.1.1 (1)

    861. 

  861.         natsort($value);

    862. 

  862.         foreach ($value as $duplicate_value) {

    863. 

  863.           $pairs[] = $parameter . '=' . $duplicate_value;

    864. 

  864.         }

    865. 

  865.       } else {

    866. 

  866.         $pairs[] = $parameter . '=' . $value;

    867. 

  867.       }

    868. 

  868.     }

    869. 

  869.     // For each parameter, the name is separated from the corresponding value by an '=' character (ASCII code 61)

    870. 

  870.     // Each name-value pair is separated by an '&' character (ASCII code 38)

    871. 

  871.     return implode('&', $pairs);

    872. 

  872.   }

    873. 

  873. }

    874. 

  874. 

    875. 

  875. ?>
    876.