File Coverage

lib/OAuthomatic/Caller.pm

Criterion	Covered	Total	%
statement	1	3	33.3
branch			n/a
condition			n/a
subroutine	1	1	100.0
pod			n/a
total	2	4	50.0

line	stmt	sub	time	code
1				package OAuthomatic::Caller;
2				# ABSTRACT: actually make OAuth-signed calls
3
4
5	2	2	1670	use Moose;
	0
	0
6
7				use version;
8				use feature 'state';
9				use Const::Fast;
10				use LWP::UserAgent;
11				use URI;
12				use URI::QueryParam;
13				use HTTP::Request;
14				use HTTP::Headers;
15				use Net::OAuth;
16				use OAuthomatic::Error;
17				use OAuthomatic::Internal::Util qw/fill_httpmsg_text fill_httpmsg_form parse_http_msg_form/;
18				use namespace::sweep;
19
20				const my $OAUTH_REALM => "OAuthomatic";
21
22				const my $FORM_CONTENT_TYPE => "application/x-www-form-urlencoded";
23				const my $DEFAULT_FORM_CONTENT_TYPE => "application/x-www-form-urlencoded; charset=utf-8";
24				const my $DEFAULT_CONTENT_TYPE => "text/plain; charset=utf-8";
25
26				const my $_HAS_BUGGY_PROXY_IN_LWP => (
27				version->parse($LWP::UserAgent::VERSION) < version->parse("6.06") );
28
29
30				has 'config' => (
31				is => 'ro', isa => 'OAuthomatic::Config', required => 1,
32				handles => ['debug']);
33
34
35				has 'server' => (
36				is => 'ro', isa => 'OAuthomatic::Server', required => 1,
37				handles => [
38				'oauth_authorize_page', 'oauth_temporary_url', 'oauth_token_url',
39				'protocol_version', 'signature_method'
40				]);
41
42				# Object responsible for executing calls.
43				has 'user_agent' => (
44				is => 'ro', isa => 'LWP::UserAgent', default => sub {
45				# Workaround for SSL-over-proxy problems. Disables buggy proxy behaviour in
46				# LWP (proxy should be handled by Crypt::SSLeay below thanks to env variable).
47				# https://rt.cpan.org/Public/Bug/Display.html?id=1894
48				# http://www.perlmonks.org/?node_id=994683
49				# FIXME: when LWP 6.06 turns popular, drop it and just depend on 6.06
50				my $ua;
51				if($_HAS_BUGGY_PROXY_IN_LWP && $ENV{https_proxy}) {
52				require Net::SSL;
53				local $Net::HTTPS::SSL_SOCKET_CLASS = "Net::SSL"; # Force use of Net::SSL
54				$ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
55				$ua->proxy(https => undef);
56				} else {
57				$ua = LWP::UserAgent->new;
58				}
59				return $ua;
60				});
61
62				# Application identity
63				has 'client_cred' => (
64				is => 'rw', isa => 'Maybe[OAuthomatic::Types::ClientCred]', required => 1,
65				trigger => sub {
66				my ($self, $cred, $old_cred) = @_;
67				return if @_ == 2; # Don't act during object build
68				return if OAuthomatic::Types::ClientCred->equal($cred, $old_cred);
69				# Changed client_cred means access creds are no longer valid.
70				$self->token_cred(undef);
71				});
72
73				# Current access credentials, for use in normal calls
74				has 'token_cred' => (
75				is => 'rw', isa => 'Maybe[OAuthomatic::Types::TokenCred]', required => 1);
76
77
78				sub create_authorization_url {
79				my ($self, $callback_url) = @_;
80
81				# Make temporary credentials
82				my $temporary_cred = $self->_create_temporary_cred($callback_url);
83
84				# Calculate authorization url
85				my $url = URI->new($self->oauth_authorize_page);
86				$url->query_param(oauth_token => $temporary_cred->token);
87
88				$temporary_cred->authorize_page($url);
89
90				return $temporary_cred;
91				}
92
93				# Create request token
94				sub _create_temporary_cred {
95				my ($self, $callback_url) = @_;
96
97				unless ($self->_using_legacy_oauth10) {
98				unless($callback_url) {
99				OAuthomatic::Error::Generic->throw(
100				ident => "missing required argument",
101				extra => "callback_url is required");
102				}
103				}
104
105				my $response = $self->_execute_oauth_request_ext(
106				class => 'RequestToken', # No token
107				callback => $callback_url,
108				method => 'POST', url => $self->oauth_temporary_url,
109				auth_in_post => 1);
110
111				my $response_params = _parse_form_reply(
112				$response, ['oauth_token', 'oauth_token_secret']);
113
114				unless($response_params->{oauth_callback_confirmed}
115				\|\| $self->_using_legacy_oauth10) {
116				OAuthomatic::Error::Protocol->throw(
117				ident => "Bad OAuth reply",
118				extra => "Missing oauth_callback_confirmed (is site using OAuth 1.0?)");
119				}
120
121				return OAuthomatic::Types::TemporaryCred->new(
122				data => $response_params,
123				remap => {'oauth_token' => 'token', 'oauth_token_secret' => 'secret'});
124				}
125
126
127				sub create_token_cred {
128				my ($self, $temporary_cred, $verifier_cred) = @_;
129
130				unless ($verifier_cred \|\| $self->_using_legacy_oauth10) { # FIXME maybe drop support for it?
131				OAuthomatic::Error::Generic->throw(
132				ident => "Missing parameter",
133				extra => "For OAuth 1.0a verifier is required");
134				}
135
136				my $response = $self->_execute_oauth_request_ext(
137				class => 'AccessToken',
138				token => $temporary_cred, verifier => $verifier_cred,
139				method => 'POST', url => $self->oauth_token_url,
140				auth_in_post => 1);
141
142				my $response_params = _parse_form_reply(
143				$response, ['oauth_token', 'oauth_token_secret']);
144
145				my $cred = OAuthomatic::Types::TokenCred->new(
146				data => $response_params,
147				remap => {'oauth_token' => 'token', 'oauth_token_secret' => 'secret'});
148
149				$self->token_cred($cred);
150
151				return $cred;
152				}
153
154				###########################################################################
155				# Call-making
156				###########################################################################
157
158
159				## no critic (RequireArgUnpacking)
160				sub build_oauth_request {
161				my $self = shift;
162
163				unless($self->token_cred) {
164				OAuthomatic::Error::Generic->throw(
165				ident => "Unauthorized",
166				extra => "Missing token.");
167				}
168
169				return $self->_build_oauth_request_ext(
170				class => 'ProtectedResource',
171				token => $self->token_cred,
172				@_);
173				}
174				## use critic
175
176
177				## no critic (RequireArgUnpacking)
178				sub execute_oauth_request {
179				my $self = shift;
180
181				unless($self->token_cred) {
182				OAuthomatic::Error::Generic->throw(
183				ident => "Unauthorized",
184				extra => "Missing token.");
185				}
186
187				return $self->_execute_oauth_request_ext(
188				class => 'ProtectedResource',
189				token => $self->token_cred,
190				@_);
191				}
192				## use critic
193
194
195				sub _build_oauth_request_ext {
196				my ($self, %args) = @_;
197
198				foreach my $req_arg (qw(class method url)) {
199				unless($args{$req_arg}) {
200				OAuthomatic::Error::Generic->throw(
201				ident => "Bad parameter",
202				extra => "Missing required parameter '$req_arg'");
203				}
204				}
205
206				my $class = $args{class};
207				my $token = $args{token};
208				my $verifier = $args{verifier};
209				my $callback = $args{callback};
210				my $method = $args{method};
211				my $url = $args{url};
212				my $url_args = $args{url_args};
213				my $body_form = $args{body_form};
214				my $body = $args{body};
215				my $content_type = $args{content_type};
216				my $auth_in_post = $args{auth_in_post};
217
218				# Sanity checks
219
220				if($method =~ /^(?:POST\|PUT)$/x) {
221				$body_form = {} unless ($body \|\| $body_form);
222				OAuthomatic::Error::Generic->throw(
223				ident => "Bad parameter",
224				extra => "Can not specify both body and body_form")
225				if $body && $body_form;
226				OAuthomatic::Error::Generic->throw(
227				ident => "Bad parameter",
228				extra => "Can't use plain body with auth_in_post")
229				if $auth_in_post && $body;
230				}
231				elsif($method =~ /^(?:GET\|DELETE)$/x) {
232				OAuthomatic::Error::Generic->throw(
233				ident => "Bad parameter",
234				extra => "Can not specify body* for $method request")
235				if ($body \|\| $body_form);
236				OAuthomatic::Error::Generic->throw(
237				ident => "Bad parameter",
238				extra => "Can't use auth_in_post for $method request")
239				if $auth_in_post;
240				}
241				else {
242				OAuthomatic::Error::Generic->throw(
243				ident => "Bad parameter",
244				extra => "Unknown method: $method (expected GET, POST, PUT or DELETE)");
245				}
246
247				if($url_args) {
248				unless(ref($url_args) eq 'HASH') {
249				OAuthomatic::Error::Generic->throw(
250				ident => "Bad parameter",
251				extra => "url_args should be specified as hash reference, but are given as " . (ref($url_args) \|\| "scalar value $url_args"));
252				}
253				}
254
255				if($body_form) {
256				$content_type \|\|= $DEFAULT_FORM_CONTENT_TYPE;
257				OAuthomatic::Error::Generic->throw(
258				ident => "Bad parameter",
259				extra => "With body_form, the only allowed content_type is $FORM_CONTENT_TYPE (plus coding), but $content_type was given")
260				unless $content_type =~ /^$FORM_CONTENT_TYPE(;.*)?$/;
261				} else {
262				$content_type \|\|= $DEFAULT_CONTENT_TYPE;
263				OAuthomatic::Error::Generic->throw(
264				ident => "Bad parameter",
265				extra => "Can not specify content_type=$content_type and plain body, use body_form!")
266				if $content_type =~ /^$FORM_CONTENT_TYPE(;.*)?$/;
267				}
268
269				if($verifier) {
270				OAuthomatic::Error::Generic->throw(
271				ident => "Bad parameter",
272				extra => "Attempt to specify verifier without token")
273				unless $token;
274				OAuthomatic::Error::Generic->throw(
275				ident => "Token mismatch",
276				extra => "Obtained verifier is for token " . $verifier->token
277				. " while (temporary) token is " . $token->token)
278				unless $verifier->token eq $token->token;
279				}
280
281				# Calculate final URL
282
283				# FIXME: URI encodes as utf-8 true strings or as Latin-1 binary strings. Consider
284				# using default encoding if non-utf8
285				my $uri = URI->new($url);
286				# Append additional params, if given
287				if($url_args) {
288				foreach my $key (keys %$url_args) {
289				$uri->query_param($key, $url_args->{$key});
290				}
291				}
292
293				# Net::OAuth is used to
294				# (a) calculate signature
295				# and
296				# (b) render authorization header
297				my $oauth_request = Net::OAuth->request($class)->new(
298				request_method => $method,
299				request_url => $uri,
300				$self->client_cred->as_hash("consumer"), # consumer_key, consumer_secret
301				($token
302				? ($token->as_hash()) # token, token_secret
303				: ()),
304				signature_method => $self->signature_method,
305				protocol_version => $self->_net_oauth_version_constant(), # FIXME: isn't it version?
306				# version => $self->protocol_version, # changes oauth_version but better not, bb fails
307				timestamp => time,
308				nonce => $self->_nonce,
309				($verifier
310				? (verifier => $verifier->verifier)
311				: ()),
312				($callback
313				? (callback => $callback)
314				: ()),
315				($body_form
316				? (extra_params => $body_form) # body parts used in signature
317				: ()),
318				);
319				$oauth_request->sign;
320				OAuthomatic::Error::Generic->throw(
321				ident => "OAuth signature verification failed.")
322				unless $oauth_request->verify;
323
324				my $headers = HTTP::Headers->new();
325				# FIXME: handle custom headers (Accept?)
326
327				if($auth_in_post) {
328				my $oauth_par = $oauth_request->to_hash();
329				if($body_form && %$body_form) {
330				# Merge OAuth with other post oauth_par
331				@{$body_form}{keys %$oauth_par} = values %$oauth_par;
332				} else {
333				$body_form = $oauth_par;
334				}
335				} else {
336				# This builds "OAuth realm=... oauth_consumer_key=.. ..." text
337				my $oauth_header_text = $oauth_request->to_authorization_header($OAUTH_REALM);
338				$headers->header('Authorization' => $oauth_header_text);
339				}
340
341				my $http_request = HTTP::Request->new($method, $uri, $headers);
342				if($body) {
343				fill_httpmsg_text($http_request, $body, $content_type);
344				} elsif($body_form) {
345				fill_httpmsg_form($http_request, $body_form);
346				}
347
348				return $http_request;
349				}
350
351
352				## no critic (RequireArgUnpacking)
353				sub _execute_oauth_request_ext {
354				my $self = shift;
355				my $request = $self->_build_oauth_request_ext(@_);
356
357				print "[OAuthomatic] Executing request: ", $request->as_string, "\n" if $self->debug;
358
359				my $response = $self->user_agent->request($request);
360
361				print "[OAuthomatic] Obtained response: ", $response->as_string, "\n" if $self->debug;
362
363				OAuthomatic::Error::HTTPFailure->throw(
364				ident => 'OAuth-signed HTTP call failed',
365				request => $request, response => $response)
366				unless $response->is_success;
367
368				return $response;
369				}
370				## use critic
371
372				###########################################################################
373				# Helpers
374				###########################################################################
375
376				sub _net_oauth_version_constant {
377				my $self = shift;
378				my $ver = $self->protocol_version;
379				return Net::OAuth::PROTOCOL_VERSION_1_0A() if $ver eq '1.0a';
380				return Net::OAuth::PROTOCOL_VERSION_1_0() if $ver eq '1.0';
381				return OAuthomatic::Error::Generic->throw(
382				ident => "Invalid parameter",
383				extra => "Invalid protocol version: $ver");
384				}
385
386				sub _using_legacy_oauth10 {
387				my $self = shift;
388				return 1 if $self->protocol_version eq '1.0';
389				return 0;
390				}
391
392				# How many requests per second can reasonably happen, as 2 power
393				const my $_NONCE_UNIQ_BITS => 6;
394				const my $_NONCE_UNIQ_MAX => (2 ** $_NONCE_UNIQ_BITS);
395				const my $_NONCE_RANDOM_MAX => (2 ** (31 - $_NONCE_UNIQ_BITS));
396
397				sub _nonce {
398				# This ensures no collisions in succeessive requests (after all we need no collision within 1s)
399				state $counter = 0;
400				$counter = ($counter + 1) % $_NONCE_UNIQ_MAX;
401				# And this adds general randomness
402				return $counter + $_NONCE_UNIQ_MAX * int(rand($_NONCE_RANDOM_MAX));
403				}
404
405				# Checks response: throws exception on error, parses and returns param hash
406				# Second param, if present, is a list of required parameters
407				sub _parse_form_reply {
408				my ($http_response, $required_params) = @_;
409
410				my $params = parse_http_msg_form($http_response, 1);
411
412				if($required_params) {
413				foreach my $par_name (@$required_params) {
414				# FIXME: bind http_response
415				OAuthomatic::Error::Generic->throw(
416				ident => "Invalid reply obtained",
417				extra => "Missing required item in parsed reply: $par_name\n"
418				. "Reply items: " . join(", ", keys %$params). "\n")
419				unless $params->{$par_name};
420				}
421				}
422
423				return $params;
424				}
425
426				1;
427
428				__END__
429
430				=pod
431
432				=encoding UTF-8
433
434				=head1 NAME
435
436				OAuthomatic::Caller - actually make OAuth-signed calls
437
438				=head1 VERSION
439
440				version 0.02
441
442				=head1 DESCRIPTION
443
444				Sign OAuth calls and execute them.
445
446				This object is mostly used internally by L<OAuthomatic>, but may be useful
447				separately if you want to implement initialization scheme by yourself but
448				prefer it's API and structural exceptions to raw L<Net::OAuth>.
449
450				=head1 METHODS
451
452				=head2 create_authorization_url($callback_url) => TemporaryCred
453
454				Calculates URL which user should visit to authorize app (and
455				associated temporary token).
456
457				=head2 create_token_cred
458
459				Acquires access token, preserves them in the object (so future calls
460				will be authenticated), and return (so it can be saved etc).
461
462				=head2 build_oauth_request(method => ..., ...)
463
464				Prepare properly signed L<HTTP::Request> but do not execute it, just
465				return ready-to-be-sent object.
466
467				Parameters: identical as in L</execute_oauth_request>
468
469				=head2 execute_oauth_request(method => $method, url => $url, url_args => $args,
470				body_form => $body_form, body => $body,
471				content_type => $content_type)
472
473				Make a request to C<url> using the given HTTP method and signing
474				request with OAuth credentials.
475
476				=over 4
477
478				=item method
479
480				One of C<GET>, C<POST>, C<PUT>, C<DELETE>.
481
482				=item url
483
484				Actual URL to call (C<http://some.site.com/api/...>)
485
486				=item url_args (optional)
487
488				Additional arguments to escape and add to the URL. This is simply shortcut,
489				three calls below are equivalent:
490
491				$c->execute_oauth_request(method => "GET",
492				url => "http://some.where/api?x=1&y=2&z=a+b");
493
494				$c->execute_oauth_request(method => "GET",
495				url => "http://some.where/api",
496				url_args => {x => 1, y => 2, z => 'a b'});
497
498				$c->execute_oauth_request(method => "GET",
499				url => "http://some.where/api?x=1",
500				url_args => {y => 2, z => 'a b'});
501
502				=item body_form OR body
503
504				Exactly one of those must be specified for POST and PUT (none for GET or DELETE).
505
506				Specifying C<body_form> means, that we are creating www-urlencoded
507				form. Parameters will be included in OAuth signature. Example:
508
509				$c->execute_oauth_request(method => "POST",
510				url => "http://some.where/api",
511				body_form => {par1 => 'abc', par2 => 'd f'});
512
513				Note that this is not just a shortcut for setting body to already
514				serialized form. Case of urlencoded form is treated in a special way
515				by OAuth (those values impact OAuth signature). To avoid signature
516				verification errors, OAuthomatic will reject such attempts:
517
518				# WRONG AND WILL FAIL. Use body_form if you post form.
519				$c->execute_oauth_request(method => "POST",
520				url => "http://some.where/api",
521				body => 'par1=abc&par2=d+f',
522				content_type => 'application/x-www-form-urlencoded');
523
524				Specifying C<body> means, that we post non-form body (for example
525				JSON, XML or even binary data). Example:
526
527				$c->execute_oauth_request(method => "POST",
528				url => "http://some.where/api",
529				body => "<product><item-no>3434</item-no><price>334.22</price></product>",
530				content_type => "application/xml; charset=utf-8");
531
532				Value of body can be either binary string (which will be posted as-is), or
533				perl unicode string (which will be encoded according to the content type, what by
534				default means utf-8).
535
536				Such content is not covered by OAuth signature, so less secure (at
537				least if it is posted over non-SSL connection).
538
539				For longer bodies, references are supported:
540
541				$c->execute_oauth_request(method => "POST",
542				url => "http://some.where/api",
543				body => \$body_string,
544				content_type => "application/xml; charset=utf-8");
545
546				=item content_type
547
548				Used to set content type of the request. If missing, it is set to
549				C<text/plain; charset=utf-8> if C<body> param is specified and to
550				C<application/x-www-form-urlencoded; charset=utf-8> if C<body_form>
551				param is specified.
552
553				Note that module author does not test behaviour on encodings different
554				than utf-8 (although they may work).
555
556				=back
557
558				=head2 _execute_oauth_request_ext
559
560				Common code for API and OAuth-protocol calls. Uses all parameters
561				described in L</execute_oauth_request> and two additional:
562
563				=over 4
564
565				=item class
566
567				ProtectedResource, UserAuth, RequestToken etc (XXX from
568				Net::Oauth::XXXXRequest)
569
570				=item token
571
572				Actual token to use while signing (skip to use only client token) -
573				either $self->token_cred, or some temporary_cred, depending on task at
574				hand.
575
576				=back
577
578				=head1 ATTRIBUTES
579
580				=head2 config
581
582				L<OAuthomatic::Config> object used to bundle various configuration params.
583
584				=head2 server
585
586				L<OAuthomatic::Server> object used to bundle server-related configuration params.
587
588				=head1 INTERNAL METHODS
589
590				=head2 _build_oauth_request_ext
591
592				Common code for API and OAuth-protocol calls. Uses all parameters
593				described in L</execute_oauth_request> and some additional:
594
595				=over 4
596
597				=item class
598
599				ProtectedResource, UserAuth, RequestToken etc (XXX from Net::Oauth::XXXXRequest)
600
601				=item token
602
603				Actual token to use while signing (skip to use only client token) - either $self->token_cred,
604				or some temporary_cred, depending on task at hand.
605
606				=item verifier
607
608				Verifier to be added to access token creation.
609
610				=item callback
611
612				Callback url for temporary token creation.
613
614				=item auth_in_post
615
616				True if authorization tokens are to be merged into POST body, false if
617				they are to be preserved in Authorize header.
618
619				=back
620
621				=head1 AUTHOR
622
623				Marcin Kasperski <Marcin.Kasperski@mekk.waw.pl>
624
625				=head1 COPYRIGHT AND LICENSE
626
627				This software is copyright (c) 2015 by Marcin Kasperski.
628
629				This is free software; you can redistribute it and/or modify it under
630				the same terms as the Perl 5 programming language system itself.
631
632				=cut