Posted to dev@shindig.apache.org by be...@apache.org on 2008/09/12 01:43:31 UTC
svn commit: r694546 - in /incubator/shindig/trunk/java/gadgets/src:
main/java/org/apache/shindig/gadgets/oauth/
test/java/org/apache/shindig/gadgets/oauth/
Author: beaton
Date: Thu Sep 11 16:43:31 2008
New Revision: 694546
URL: http://svn.apache.org/viewvc?rev=694546&view=rev
Log:
Avoid attempting to revoke tokens on signed fetch failure.
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/BasicOAuthStore.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthFetcher.java
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/FakeOAuthServiceProvider.java
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/OAuthFetcherTest.java
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/BasicOAuthStore.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/BasicOAuthStore.java?rev=694546&r1=694545&r2=694546&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/BasicOAuthStore.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/BasicOAuthStore.java Thu Sep 11 16:43:31 2008
@@ -67,6 +67,18 @@
* Key to use when no other key is found.
*/
private BasicOAuthStoreConsumerKeyAndSecret defaultKey;
+
+ /** Number of times we looked up a consumer key */
+ private int consumerKeyLookupCount = 0;
+
+ /** Number of times we looked up an access token */
+ private int accessTokenLookupCount = 0;
+
+ /** Number of times we added an access token */
+ private int accessTokenAddCount = 0;
+
+ /** Number of times we removed an access token */
+ private int accessTokenRemoveCount = 0;
public BasicOAuthStore() {
consumerInfos = new HashMap<BasicOAuthStoreConsumerIndex, BasicOAuthStoreConsumerKeyAndSecret>();
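Review bot: The four counters added here (`consumerKeyLookupCount` through `accessTokenRemoveCount`) are plain `int` fields that the public store methods bump with `++` in the following hunks, so if a single BasicOAuthStore instance is shared across request threads, as a token store typically is, the increments are racy and the new getters at the end of the file can return stale values. Since the counters exist so OAuthFetcherTest can observe store activity, either switch them to `AtomicInteger` (`private final AtomicInteger accessTokenRemoveCount = new AtomicInteger();`, `accessTokenRemoveCount.incrementAndGet()` in `removeToken`, `.get()` in the getter) or say so in the field comments, e.g. `/** Number of times we removed an access token; test instrumentation, not synchronized. */`. Whether the backing maps are themselves synchronized is not visible in this hunk.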
@@ -141,6 +153,7 @@
public ConsumerInfo getConsumerKeyAndSecret(
SecurityToken securityToken, String serviceName, OAuthServiceProvider provider)
throws GadgetException {
+ ++consumerKeyLookupCount;
BasicOAuthStoreConsumerIndex pk = new BasicOAuthStoreConsumerIndex();
pk.setGadgetUri(securityToken.getAppUrl());
pk.setServiceName(serviceName);
@@ -180,6 +193,7 @@
public TokenInfo getTokenInfo(SecurityToken securityToken, ConsumerInfo consumerInfo,
String serviceName, String tokenName) {
+ ++accessTokenLookupCount;
BasicOAuthStoreTokenIndex tokenKey =
makeBasicOAuthStoreTokenIndex(securityToken, serviceName, tokenName);
return tokens.get(tokenKey);
@@ -187,6 +201,7 @@
public void setTokenInfo(SecurityToken securityToken, ConsumerInfo consumerInfo,
String serviceName, String tokenName, TokenInfo tokenInfo) {
+ ++accessTokenAddCount;
BasicOAuthStoreTokenIndex tokenKey =
makeBasicOAuthStoreTokenIndex(securityToken, serviceName, tokenName);
tokens.put(tokenKey, tokenInfo);
@@ -194,8 +209,25 @@
public void removeToken(SecurityToken securityToken, ConsumerInfo consumerInfo,
String serviceName, String tokenName) {
+ ++accessTokenRemoveCount;
BasicOAuthStoreTokenIndex tokenKey =
makeBasicOAuthStoreTokenIndex(securityToken, serviceName, tokenName);
tokens.remove(tokenKey);
}
+
+ public int getConsumerKeyLookupCount() {
+ return consumerKeyLookupCount;
+ }
+
+ public int getAccessTokenLookupCount() {
+ return accessTokenLookupCount;
+ }
+
+ public int getAccessTokenAddCount() {
+ return accessTokenAddCount;
+ }
+
+ public int getAccessTokenRemoveCount() {
+ return accessTokenRemoveCount;
+ }
}
Modified: incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthFetcher.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthFetcher.java?rev=694546&r1=694545&r2=694546&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthFetcher.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthFetcher.java Thu Sep 11 16:43:31 2008
@@ -263,7 +263,7 @@
&& accessorInfo.getAccessor().requestToken == null
&& accessorInfo.getAccessor().accessToken == null);
}
-
+
/**
* Make sure the user is authorized to approve access tokens. At the moment
* we restrict this to page owner's viewing their own pages.
@@ -648,18 +648,45 @@
}
}
+ /**
+ * Look for an OAuth protocol problem. For cases where no access token is in play
+ * @param response
+ * @throws OAuthProtocolException
+ * @throws IOException
+ */
private void checkForProtocolProblem(HttpResponse response)
throws OAuthProtocolException, IOException {
- int status = response.getHttpStatusCode();
- if (status >= 400 && status < 500) {
+ if (isFullOAuthError(response)) {
OAuthMessage message = parseAuthHeader(null, response);
if (message.getParameter(OAuthProblemException.OAUTH_PROBLEM) != null) {
// SP reported extended error information
throw new OAuthProtocolException(message);
}
// No extended information, guess based on HTTP response code.
- throw new OAuthProtocolException(status);
+ throw new OAuthProtocolException(response.getHttpStatusCode());
+ }
+ }
+
+ /**
+ * Check if a response might be due to an OAuth protocol error. We don't want to intercept
+ * errors for signed fetch, we only care about places where we are dealing with OAuth request
+ * and/or access tokens.
+ */
+ private boolean isFullOAuthError(HttpResponse response) {
+ // Is this an error in the 4xx range? If so, it might be OAuth related.
+ if (response.getHttpStatusCode() < 400 || response.getHttpStatusCode() >= 500) {
+ return false;
+ }
+ // If the client forced us to use full OAuth, this might be OAuth related.
+ if (realRequest.getOAuthArguments().mustUseToken()) {
+ return true;
+ }
+ // If we're using an access token, this might be OAuth related.
+ if (accessorInfo.getAccessor().accessToken != null) {
+ return true;
}
+ // Not OAuth related.
+ return false;
}
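Review bot: The new Javadoc on `checkForProtocolProblem` says it covers "cases where no access token is in play", but `isFullOAuthError` returns true precisely when `mustUseToken()` is set or `accessorInfo.getAccessor().accessToken != null`, so the comment states the opposite of the guard it describes, and the `@param`/`@throws` tags are left empty. Suggest `Look for an OAuth protocol problem in a 4xx response. Only applies when full OAuth is in play (see isFullOAuthError); signed-fetch failures are passed through to the caller unchanged so a service provider's 4xx cannot trigger token cleanup.` together with `@param response the response from the service provider` and a one-line description on each `@throws`. In `isFullOAuthError`, reading the status once, `int status = response.getHttpStatusCode();`, and comparing that would match the code this hunk replaces. The code path where `OAuthProtocolException` presumably leads to the token removal the commit message refers to is outside this hunk.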
/**
Modified: incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/FakeOAuthServiceProvider.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/FakeOAuthServiceProvider.java?rev=694546&r1=694545&r2=694546&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/FakeOAuthServiceProvider.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/FakeOAuthServiceProvider.java Thu Sep 11 16:43:31 2008
@@ -452,14 +452,14 @@
}
OAuthAccessor accessor = new OAuthAccessor(consumer);
String responseBody = null;
+ if (throttled) {
+ return makeOAuthProblemReport(
+ "consumer_key_refused", "exceeded quota");
+ }
if (consumer == oauthConsumer) {
// for OAuth, check the access token. We skip this for signed fetch
String accessToken = info.message.getParameter("oauth_token");
TokenState state = tokenState.get(accessToken);
- if (throttled) {
- return makeOAuthProblemReport(
- "consumer_key_refused", "exceeded quota");
- }
if (state == null) {
return makeOAuthProblemReport(
"token_rejected", "Access token unknown");
Modified: incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/OAuthFetcherTest.java
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/OAuthFetcherTest.java?rev=694546&r1=694545&r2=694546&view=diff
==============================================================================
--- incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/OAuthFetcherTest.java (original)
+++ incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth/OAuthFetcherTest.java Thu Sep 11 16:43:31 2008
@@ -39,6 +39,7 @@
import org.apache.shindig.gadgets.oauth.AccessorInfo.OAuthParamLocation;
import org.apache.shindig.gadgets.oauth.BasicOAuthStoreConsumerKeyAndSecret.KeyType;
import org.apache.shindig.gadgets.oauth.FakeOAuthServiceProvider.TokenPair;
+import org.apache.shindig.gadgets.oauth.OAuthArguments.UseToken;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -218,6 +219,15 @@
FakeGadgetSpecFactory.SERVICE_NAME);
}
+ private MakeRequestClient makeSocialOAuthClient(String owner, String viewer, String gadget)
+ throws Exception {
+ SecurityToken securityToken = getSecurityToken(owner, viewer, gadget);
+ MakeRequestClient client = new MakeRequestClient(securityToken, fetcherConfig, serviceProvider,
+ FakeGadgetSpecFactory.SERVICE_NAME);
+ client.getBaseArgs().setUseToken(UseToken.IF_AVAILABLE);
+ return client;
+ }
+
private MakeRequestClient makeSignedFetchClient(String owner, String viewer, String gadget)
throws Exception {
SecurityToken securityToken = getSecurityToken(owner, viewer, gadget);
@@ -492,6 +502,26 @@
}
@Test
+ public void testSocialOAuth_tokenRevoked() throws Exception {
+ MakeRequestClient client = makeNonSocialClient("owner", "owner", GADGET_URL);
+
+ HttpResponse response = client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL);
+ assertEquals("", response.getResponseAsString());
+
+ client.approveToken("user_data=hello-oauth");
+ response = client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL);
+ assertEquals("User data is hello-oauth", response.getResponseAsString());
+
+ serviceProvider.revokeAllAccessTokens();
+
+ assertEquals(0, base.getAccessTokenRemoveCount());
+ client = makeSocialOAuthClient("owner", "owner", GADGET_URL);
+ response = client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL + "?cb=1");
+ assertEquals("", response.getResponseAsString());
+ assertEquals(1, base.getAccessTokenRemoveCount());
+ }
+
+ @Test
public void testWrongServiceName() throws Exception {
SecurityToken securityToken = getSecurityToken("owner", "owner", GADGET_URL);
MakeRequestClient client = new MakeRequestClient(securityToken, fetcherConfig, serviceProvider,
@@ -621,6 +651,17 @@
}
@Test
+ public void testSignedFetch_error401() throws Exception {
+ assertEquals(0, base.getAccessTokenRemoveCount());
+ serviceProvider.setConsumersThrottled(true);
+ serviceProvider.setVagueErrors(true);
+ MakeRequestClient client = makeSignedFetchClient("o", "v", "http://www.example.com/app");
+
+ HttpResponse response = client.sendGet(FakeOAuthServiceProvider.RESOURCE_URL);
+ assertEquals(0, base.getAccessTokenRemoveCount());
+ }
+
+ @Test
public void testSignedFetch_unnamedConsumerKey() throws Exception {
BasicOAuthStoreConsumerKeyAndSecret defaultKey = new BasicOAuthStoreConsumerKeyAndSecret(
null, PRIVATE_KEY_TEXT, KeyType.RSA_PRIVATE, "foo");
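Review bot: `testSignedFetch_error401` never asserts on `response`, so the test only proves that the store's remove count stayed at 0 and would still pass if the signed fetch silently succeeded or returned some other status. Add an assertion on what the caller sees, e.g. `assertEquals(401, response.getHttpStatusCode());` (the test name suggests 401; confirm against what FakeOAuthServiceProvider returns when `setVagueErrors(true)` and throttling are both on), or drop the unused local. Pinning the status also documents the commit's intent that signed-fetch errors are surfaced to the gadget rather than swallowed as OAuth protocol problems.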