1:   2:   3:   4:   5:   6:   7:   8:   9:  10:  11:  12:  13:  14:  15:  16:  17:  18:  19:  20:  21:  22:  23:  24:  25:  26:  27:  28:  29:  30:  31:  32:  33:  34:  35:  36:  37:  38:  39:  40:  41:  42:  43:  44:  45:  46:  47:  48:  49:  50:  51:  52:  53:  54:  55:  56:  57:  58:  59:  60:  61:  62:  63:  64:  65:  66:  67:  68:  69:  70:  71:  72:  73:  74:  75:  76:  77:  78:  79:  80:  81:  82:  83:  84:  85:  86:  87:  88:  89:  90:  91:  92:  93:  94:  95:  96:  97:  98:  99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221: 222: 223: 224: 225: 226: 227: 228: 229: 230: 231: 232: 233: 234: 235: 236: 237: 238: 239: 240: 241: 242: 243: 244: 245: 246: 247: 248: 249: 250: 251: 252: 253: 254: 255: 256: 257: 258: 259: 260: 261: 262: 263: 264: 265: 266: 267: 268: 269: 270: 271: 272: 273: 274: 275: 276: 277: 278: 279: 280: 281: 282: 283: 284: 285: 286: 287: 288: 289: 290: 291: 292: 293: 294: 295: 296: 297: 298: 299: 300: 301: 302: 303: 304: 305: 306: 307: 308: 309: 310: 311: 312: 313: 314: 315: 316: 317: 318: 319: 320: 321: 322: 323: 324: 325: 326: 327: 328: 329: 330: 331: 332: 333: 334: 335: 336: 337: 338: 339: 340: 341: 342: 343: 344: 345: 346: 

<?php

namespace Guzzle\Tests\Plugin\Oauth;

use Guzzle\Http\Message\RequestFactory;
use Guzzle\Http\QueryAggregator\CommaAggregator;
use Guzzle\Plugin\Oauth\OauthPlugin;
use Guzzle\Common\Event;

/**
 * @covers Guzzle\Plugin\Oauth\OauthPlugin
 */
class OauthPluginTest extends \Guzzle\Tests\GuzzleTestCase
{
    const TIMESTAMP = '1327274290';
    const NONCE = 'e7aa11195ca58349bec8b5ebe351d3497eb9e603';

    protected $config = array(
        'consumer_key'    => 'foo',
        'consumer_secret' => 'bar',
        'token'           => 'count',
        'token_secret'    => 'dracula'
    );

    protected function getRequest()
    {
        return RequestFactory::getInstance()->create('POST', 'http://www.test.com/path?a=b&c=d', null, array(
            'e' => 'f'
        ));
    }

    public function testSubscribesToEvents()
    {
        $events = OauthPlugin::getSubscribedEvents();
        $this->assertArrayHasKey('request.before_send', $events);
    }

    public function testAcceptsConfigurationData()
    {
        $p = new OauthPlugin($this->config);

        // Access the config object
        $class = new \ReflectionClass($p);
        $property = $class->getProperty('config');
        $property->setAccessible(true);
        $config = $property->getValue($p);

        $this->assertEquals('foo', $config['consumer_key']);
        $this->assertEquals('bar', $config['consumer_secret']);
        $this->assertEquals('count', $config['token']);
        $this->assertEquals('dracula', $config['token_secret']);
        $this->assertEquals('1.0', $config['version']);
        $this->assertEquals('HMAC-SHA1', $config['signature_method']);
        $this->assertEquals('header', $config['request_method']);
    }

    public function testCreatesStringToSignFromPostRequest()
    {
        $p = new OauthPlugin($this->config);
        $request = $this->getRequest();
        $signString = $p->getStringToSign($request, self::TIMESTAMP, self::NONCE);

        $this->assertContains('&e=f', rawurldecode($signString));

        $expectedSignString =
            // Method and URL
            'POST&http%3A%2F%2Fwww.test.com%2Fpath' .
            // Sorted parameters from query string and body
            '&a%3Db%26c%3Dd%26e%3Df%26oauth_consumer_key%3Dfoo' .
            '%26oauth_nonce%3De7aa11195ca58349bec8b5ebe351d3497eb9e603%26' .
            'oauth_signature_method%3DHMAC-SHA1' .
            '%26oauth_timestamp%3D' . self::TIMESTAMP . '%26oauth_token%3Dcount%26oauth_version%3D1.0';

        $this->assertEquals($expectedSignString, $signString);
    }

    public function testCreatesStringToSignIgnoringPostFields()
    {
        $config = $this->config;
        $config['disable_post_params'] = true;
        $p = new OauthPlugin($config);
        $request = $this->getRequest();
        $sts = rawurldecode($p->getStringToSign($request, self::TIMESTAMP, self::NONCE));
        $this->assertNotContains('&e=f', $sts);
    }

    public function testCreatesStringToSignFromPostRequestWithCustomContentType()
    {
        $p = new OauthPlugin($this->config);
        $request = $this->getRequest();
        $request->setHeader('Content-Type', 'Foo');
        $this->assertEquals(
            // Method and URL
            'POST&http%3A%2F%2Fwww.test.com%2Fpath' .
            // Sorted parameters from query string and body
            '&a%3Db%26c%3Dd%26oauth_consumer_key%3Dfoo' .
            '%26oauth_nonce%3D'. self::NONCE .'%26' .
            'oauth_signature_method%3DHMAC-SHA1' .
            '%26oauth_timestamp%3D' . self::TIMESTAMP . '%26oauth_token%3Dcount%26oauth_version%3D1.0',
            $p->getStringToSign($request, self::TIMESTAMP, self::NONCE)
        );
    }

    /**
     * @depends testCreatesStringToSignFromPostRequest
     */
    public function testConvertsBooleansToStrings()
    {
        $p = new OauthPlugin($this->config);
        $request = $this->getRequest();
        $request->getQuery()->set('a', true);
        $request->getQuery()->set('c', false);
        $this->assertContains('&a%3Dtrue%26c%3Dfalse', $p->getStringToSign($request, self::TIMESTAMP, self::NONCE));
    }

    public function testCreatesStringToSignFromPostRequestWithNullValues()
    {
        $config = array(
            'consumer_key'    => 'foo',
            'consumer_secret' => 'bar',
            'token'           => null,
            'token_secret'    => 'dracula'
        );

        $p          = new OauthPlugin($config);
        $request    = $this->getRequest();
        $signString = $p->getStringToSign($request, self::TIMESTAMP, self::NONCE);

        $this->assertContains('&e=f', rawurldecode($signString));

        $expectedSignString = // Method and URL
                'POST&http%3A%2F%2Fwww.test.com%2Fpath' .
                // Sorted parameters from query string and body
                '&a%3Db%26c%3Dd%26e%3Df%26oauth_consumer_key%3Dfoo' .
                '%26oauth_nonce%3De7aa11195ca58349bec8b5ebe351d3497eb9e603%26' .
                'oauth_signature_method%3DHMAC-SHA1' .
                '%26oauth_timestamp%3D' . self::TIMESTAMP . '%26oauth_version%3D1.0';

        $this->assertEquals($expectedSignString, $signString);
    }

    /**
     * @depends testCreatesStringToSignFromPostRequest
     */
    public function testMultiDimensionalArray()
    {
        $p = new OauthPlugin($this->config);
        $request = $this->getRequest();
        $request->getQuery()->set('a', array('b' => array('e' => 'f', 'c' => 'd')));
        $this->assertContains('a%255Bb%255D%255Bc%255D%3Dd%26a%255Bb%255D%255Be%255D%3Df%26c%3Dd%26e%3Df%26', $p->getStringToSign($request, self::TIMESTAMP, self::NONCE));
    }

    /**
     * @depends testMultiDimensionalArray
     */
    public function testMultiDimensionalArrayWithNonDefaultQueryAggregator()
    {
        $p = new OauthPlugin($this->config);
        $request = $this->getRequest();
        $aggregator = new CommaAggregator();
        $query = $request->getQuery()->setAggregator($aggregator)
            ->set('g', array('h', 'i', 'j'))
            ->set('k', array('l'))
            ->set('m', array('n', 'o'));
        $this->assertContains('a%3Db%26c%3Dd%26e%3Df%26g%3Dh%2Ci%2Cj%26k%3Dl%26m%3Dn%2Co', $p->getStringToSign($request, self::TIMESTAMP, self::NONCE));
    }

    /**
     * @depends testCreatesStringToSignFromPostRequest
     */
    public function testSignsStrings()
    {
        $p = new OauthPlugin(array_merge($this->config, array(
            'signature_callback' => function($string, $key) {
                return "_{$string}|{$key}_";
            }
        )));
        $request = $this->getRequest();
        $sig = $p->getSignature($request, self::TIMESTAMP, self::NONCE);
        $this->assertEquals(
            '_POST&http%3A%2F%2Fwww.test.com%2Fpath&a%3Db%26c%3Dd%26e%3Df%26oauth_consumer_key%3Dfoo' .
            '%26oauth_nonce%3D'. self::NONCE .'%26oauth_signature_method%3DHMAC-SHA1' .
            '%26oauth_timestamp%3D' . self::TIMESTAMP . '%26oauth_token%3Dcount%26oauth_version%3D1.0|' .
            'bar&dracula_',
            base64_decode($sig)
        );
    }

    /**
     * Test that the Oauth is signed correctly and that extra strings haven't been added
     * to the authorization header.
     */
    public function testSignsOauthRequests()
    {
        $p = new OauthPlugin($this->config);
        $event = new Event(array(
            'request' => $this->getRequest(),
            'timestamp' => self::TIMESTAMP
        ));
        $params = $p->onRequestBeforeSend($event);

        $this->assertTrue($event['request']->hasHeader('Authorization'));

        $authorizationHeader = (string)$event['request']->getHeader('Authorization');

        $this->assertStringStartsWith('OAuth ', $authorizationHeader);

        $stringsToCheck = array(
            'oauth_consumer_key="foo"',
            'oauth_nonce="'.urlencode($params['oauth_nonce']).'"',
            'oauth_signature="'.urlencode($params['oauth_signature']).'"',
            'oauth_signature_method="HMAC-SHA1"',
            'oauth_timestamp="' . self::TIMESTAMP . '"',
            'oauth_token="count"',
            'oauth_version="1.0"',
        );

        $totalLength = strlen('OAuth ');

        //Separator is not used before first parameter.
        $separator = '';

        foreach ($stringsToCheck as $stringToCheck) {
            $this->assertContains($stringToCheck, $authorizationHeader);
            $totalLength += strlen($separator);
            $totalLength += strlen($stringToCheck);
            $separator = ', ';
        }

        // Technically this test is not universally valid. It would be allowable to have extra \n characters
        // in the Authorization header. However Guzzle does not do this, so we just perform a simple check
        // on length to validate the Authorization header is composed of only the strings above.
        $this->assertEquals($totalLength, strlen($authorizationHeader), 'Authorization has extra characters i.e. contains extra elements compared to stringsToCheck.');
    }

    public function testSignsOauthQueryStringRequest()
    {
        $config = array_merge(
            $this->config,
            array('request_method' => OauthPlugin::REQUEST_METHOD_QUERY)
        );

        $p = new OauthPlugin($config);
        $event = new Event(array(
            'request' => $this->getRequest(),
            'timestamp' => self::TIMESTAMP
        ));
        $params = $p->onRequestBeforeSend($event);

        $this->assertFalse($event['request']->hasHeader('Authorization'));

        $stringsToCheck = array(
            'a=b',
            'c=d',
            'oauth_consumer_key=foo',
            'oauth_nonce='.urlencode($params['oauth_nonce']),
            'oauth_signature='.urlencode($params['oauth_signature']),
            'oauth_signature_method=HMAC-SHA1',
            'oauth_timestamp='.self::TIMESTAMP,
            'oauth_token=count',
            'oauth_version=1.0',
        );

        $queryString = (string) $event['request']->getQuery();

        $totalLength = strlen('?');

        //Separator is not used before first parameter.
        $separator = '';

        foreach ($stringsToCheck as $stringToCheck) {
            $this->assertContains($stringToCheck, $queryString);
            $totalLength += strlen($separator);
            $totalLength += strlen($stringToCheck);
            $separator = '&';
        }

        // Removes the last query string separator '&'
        $totalLength -= 1;

        $this->assertEquals($totalLength, strlen($queryString), 'Query string has extra characters i.e. contains extra elements compared to stringsToCheck.');
    }

    /**
     * @expectedException \InvalidArgumentException
     */
    public function testInvalidArgumentExceptionOnMethodError()
    {
        $config = array_merge(
            $this->config,
            array('request_method' => 'FakeMethod')
        );

        $p = new OauthPlugin($config);
        $event = new Event(array(
            'request' => $this->getRequest(),
            'timestamp' => self::TIMESTAMP
        ));

        $p->onRequestBeforeSend($event);
    }

    public function testDoesNotAddFalseyValuesToAuthorization()
    {
        unset($this->config['token']);
        $p = new OauthPlugin($this->config);
        $event = new Event(array('request' => $this->getRequest(), 'timestamp' => self::TIMESTAMP));
        $p->onRequestBeforeSend($event);
        $this->assertTrue($event['request']->hasHeader('Authorization'));
        $this->assertNotContains('oauth_token=', (string) $event['request']->getHeader('Authorization'));
    }

    public function testOptionalOauthParametersAreNotAutomaticallyAdded()
    {
        // The only required Oauth parameters are the consumer key and secret. That is enough credentials
        // for signing oauth requests.
         $config = array(
            'consumer_key'    => 'foo',
            'consumer_secret' => 'bar',
        );

        $plugin = new OauthPlugin($config);
        $event = new Event(array(
            'request' => $this->getRequest(),
            'timestamp' => self::TIMESTAMP
        ));

        $timestamp = $plugin->getTimestamp($event);
        $request = $event['request'];
        $nonce = $plugin->generateNonce($request);

        $paramsToSign = $plugin->getParamsToSign($request, $timestamp, $nonce);

        $optionalParams = array(
            'callback'      => 'oauth_callback',
            'token'         => 'oauth_token',
            'verifier'      => 'oauth_verifier',
            'token_secret'  => 'token_secret'
        );

        foreach ($optionalParams as $optionName => $oauthName) {
            $this->assertArrayNotHasKey($oauthName, $paramsToSign, "Optional Oauth param '$oauthName' was not set via config variable '$optionName', but it is listed in getParamsToSign().");
        }
    }
}