SHINDIG-1026 by Pan Jie:
1 <?php
2 /**
3 * Licensed to the Apache Software Foundation (ASF) under one
4 * or more contributor license agreements. See the NOTICE file
5 * distributed with this work for additional information
6 * regarding copyright ownership. The ASF licenses this file
7 * to you under the Apache License, Version 2.0 (the
8 * "License"); you may not use this file except in compliance
9 * with the License. You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing,
14 * software distributed under the License is distributed on an
15 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16 * KIND, either express or implied. See the License for the
17 * specific language governing permissions and limitations
18 * under the License.
21 require_once 'src/gadgets/oauth/OAuth.php';
/**
 * RSA-SHA1 signature method whose certificate lookup is replaced by a fixed,
 * embedded PEM certificate, so signature checks in the tests below run
 * without any certificate retrieval.
 *
 * NOTE(review): this certificate presumably pairs with the private key
 * embedded in SigningFetcherTest::setUp(); it is a test fixture and confers
 * no trust outside this test.
 */
class MockSignatureMethod extends OAuthSignatureMethod_RSA_SHA1 {

  /**
   * Returns the embedded PEM certificate, ignoring the request.
   *
   * @param mixed $request unused; kept (by reference) to match the parent signature
   * @return string PEM-encoded X.509 certificate
   */
  protected function fetch_public_cert(&$request) {
    // The heredoc body and its closing marker stay at column 0 so the PEM
    // text is returned exactly as written.
    $pemCertificate = <<<EOD
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIJALlpyqPEjwvvMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMDkwNDAxMDgzMzQzWhcNMTIwMzMxMDgzMzQzWjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQD8pipiScqep1T8e531ieuseKR1GPaVWmduMBXzrIhMYfD2x+hWy6ocGkcNxVIE
dopIo238YtSde/T3JiSE/Ho5uQ/os4mzVM+uZSkNyknZkzEmCkIg+kz6P91SMF5j
ioxdRcT0rg7d+DvsUd2Gt3UPdMf1GtcBGd8bxfjuNQQtyQIDAQABo4GnMIGkMB0G
A1UdDgQWBBQNTYnsqvzJ192fs03xJhjwlIVOQTB1BgNVHSMEbjBsgBQNTYnsqvzJ
192fs03xJhjwlIVOQaFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJALlpyqPE
jwvvMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA2HUzlfAvZ1ELSa1V
k1QBQQWEnXI7ST7jtsqflyErJW2SekMu0ReLAeVqYkVfeJG/7FZ18i7/LMOEV6uY
3k3kOKRcgbfa/k1j3siRbpNdyD3qzGxo3ggtE32P7l8IdWLkWcMvkAqfROXhay5W
nbpJMipy62GBW7yBbG+ypSasgI0=
-----END CERTIFICATE-----
EOD;
    return $pemCertificate;
  }
}
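/**
 * SigningFetcher test case.
 *
 * Each test passes a request through SigningFetcher::fetchRequest() with a
 * mocked RemoteContentFetcher, then re-verifies the oauth_signature found in
 * the request URL using MockSignatureMethod.
 */
class SigningFetcherTest extends PHPUnit_Framework_TestCase {

  /**
   * @var SigningFetcher
   */
  private $signingFetcher;

  /**
   * Prepares the environment before running a test.
   *
   * Loads the embedded RSA key and builds the SigningFetcher under test on
   * top of a mocked RemoteContentFetcher.
   */
  protected function setUp() {
    parent::setUp();
    // Test-only fixture: the encrypted PEM (DES-EDE3-CBC per its DEK-Info
    // header) and its passphrase are both committed in clear text, so this
    // key must never be provisioned as a real signing key.
    // The blank line after the DEK-Info header is required by the PEM format.
    $private_key = <<<EOD
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2BB1348F45867303

9+e/kJCKUTnJLrNYY1iSjX+e6IVPo31dN20ab3O1BknT5c28PLjJbQkJz479VCX8
zJen/OyugesHXiQe5skPaG6+xwWGnztIxjHCLT5WtRE755UT3K83IeDde1zsK9xy
Iy8aRZbfBKCkgriIRNgD496gaVgEOGljEhCCIBLWERNZntcGmaBmN6CUdg75uuTI
HMX+2cA68yzRx31cU6EYdzB2vN93aLNuPI1u2ebFe7kuNYhW3d9Bc5MJh7iQdOfO
Yf94Xuic+2vIvwxi30Htz0wTBmTdEolDsSWzuyj7pjtUa0zZqaawCwLMYJFtz8lm
M2c5PXv8VvLBFIsTXWdy5+qDWMeROl1PaSDQ7HfAq8BtwNqV2yMKLE6cwHIWbYr/
lyIcBEhAZ8jfM81AWCgyAyeGSi4xGoCljxptExEwVzBJGjH93Ly6M7tjLBLmEQJM
nGmcY/3lmSMQIbxHV4ktXukPMrYYaTu5DW9jE+sNUHj+iUN/jJMTdOGh8zUtOQTs
qGuZBJbmjxdfSogCBL3f+JqOtRYUIIsZWEgb/AC10PC4pBit+9Cs9Z1LDMynFjKH
kGX/qgro2rPLiqR8o2dI/wCIa5sJhUT5vFC5N+Jn0jyhROK+eom4yEF0xX3DxSZY
iiclKgIOL/iB7FYEYFO17kUjFj8g53QWKh4tML/UG4GTIetNjD2u8wbobE7SxzZf
HHJXc4OblK/6GVpLn7yxZ5/EG7vtX/R4aPA70VFSkJYUd0xHWjUihss+9/TSIj/K
Cgpm3sdinamuC5b40tVhFhrfZyfUlqmssjU1nOsbnS+EqFgQJimbDg==
-----END RSA PRIVATE KEY-----
EOD;
    // No error suppression: a key that fails to load must stop the test
    // here rather than hand `false` to the fetcher as its signing key.
    $rsa_private_key = openssl_pkey_get_private($private_key, 'shindig');
    $this->assertTrue($rsa_private_key !== false, 'Failed to load the embedded RSA test key');
    $basicFetcher = $this->getMock('RemoteContentFetcher');
    $this->signingFetcher = SigningFetcher::makeFromPrivateKey($basicFetcher, 'http://shindig/public.cer', $rsa_private_key);
  }

  /**
   * Cleans up the environment after running a test.
   */
  protected function tearDown() {
    // Release the fetcher built in setUp(); the property declared on this
    // class is signingFetcher.
    $this->signingFetcher = null;
    parent::tearDown();
  }

  /**
   * Tests SigningFetcher->fetchRequest with a form-style post body and no
   * explicit Content-Type header.
   */
  public function testFetchRequest() {
    $request = new RemoteContentRequest('http://example.org/signed');
    $request->setAuthType(RemoteContentRequest::$AUTH_SIGNED);
    $request->setToken(BasicSecurityToken::createFromValues('owner', 'viewer', 'app', 'domain', 'appUrl', '1', 'default'));
    $request->setPostBody('key=value&anotherkey=value');
    $this->signingFetcher->fetchRequest($request);
    $this->verifySignedRequest($request);
  }

  /**
   * Tests SigningFetcher->fetchRequest with a text/plain body, where the
   * signed URL is expected to carry an oauth_body_hash parameter.
   */
  public function testFetchRequestForBodyHash() {
    $request = new RemoteContentRequest('http://example.org/signed');
    $request->setAuthType(RemoteContentRequest::$AUTH_SIGNED);
    $request->setToken(BasicSecurityToken::createFromValues('owner', 'viewer', 'app', 'domain', 'appUrl', '1', 'default'));
    $request->setPostBody('Hello World!');
    $request->setHeaders('Content-Type: text/plain');
    $this->signingFetcher->fetchRequest($request);
    $this->verifySignedRequest($request);
    $url = parse_url($request->getUrl());
    $query = array();
    parse_str($url['query'], $query);
    // test example 'Hello World!' and 'Lve95gjOVATpfV8EL5X4nxwjKHE=' are from
    // OAuth Request Body Hash 1.0 Draft 4 Example
    $this->assertEquals('Lve95gjOVATpfV8EL5X4nxwjKHE=', $query['oauth_body_hash']);
  }

  /**
   * Tests SigningFetcher->fetchRequest against a URL that has no path
   * component.
   */
  public function testFetchRequestWithEmptyPath() {
    $request = new RemoteContentRequest('http://example.org');
    $request->setAuthType(RemoteContentRequest::$AUTH_SIGNED);
    $request->setToken(BasicSecurityToken::createFromValues('owner', 'viewer', 'app', 'domain', 'appUrl', '1', 'default'));
    $request->setPostBody('key=value&anotherkey=value');
    $this->signingFetcher->fetchRequest($request);
    $this->verifySignedRequest($request);
  }

  /**
   * Re-verifies the OAuth signature carried in the request URL.
   *
   * Form-encoded bodies (or bodies with no Content-Type) are merged into the
   * parameters that are checked; for any other content type the body is only
   * covered through oauth_body_hash, so that hash is asserted first.
   *
   * @param RemoteContentRequest $request request already passed through fetchRequest()
   */
  private function verifySignedRequest(RemoteContentRequest $request) {
    $url = parse_url($request->getUrl());
    // Fail with a clear message when the URL carries no query parameters,
    // instead of an undefined-index error further down.
    $this->assertTrue(is_array($url) && isset($url['query']), 'Signed request URL has no query string');
    $query = array();
    parse_str($url['query'], $query);
    $this->assertArrayHasKey('oauth_signature', $query, 'Signed request URL has no oauth_signature');
    $post = array();
    $contentType = $request->getHeader('Content-Type');
    // The missing-header check comes first so stripos() is never handed null.
    if ($contentType == null || stripos($contentType, 'application/x-www-form-urlencoded') !== false) {
      parse_str($request->getPostBody(), $post);
    } else {
      $this->assertArrayHasKey('oauth_body_hash', $query, 'Non-form body was signed without oauth_body_hash');
      $this->assertEquals(base64_encode(sha1($request->getPostBody(), true)), $query['oauth_body_hash']);
    }
    $oauthRequest = OAuthRequest::from_request($request->getMethod(), $request->getUrl(), array_merge($query, $post));
    // Consumer and token are passed as null; MockSignatureMethod supplies
    // the certificate on its own.
    $signature_method = new MockSignatureMethod();
    $signature_valid = $signature_method->check_signature($oauthRequest, null, null, $query['oauth_signature']);
    $this->assertTrue($signature_valid);
  }
}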