org.apache.shindig.gadgets.oauth.OAuthRequest.java Source code

Java tutorial

Introduction

Here is the source code for org.apache.shindig.gadgets.oauth.OAuthRequest.java

Source

/* @generated */
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with this
 * work for additional information regarding copyright ownership. The ASF
 * licenses this file to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */
package org.apache.shindig.gadgets.oauth;

import com.google.common.base.Charsets;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;

import net.oauth.OAuth;
import net.oauth.OAuthAccessor;
import net.oauth.OAuthException;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
import net.oauth.OAuth.Parameter;

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.shindig.auth.OAuthConstants;
import org.apache.shindig.auth.OAuthUtil;
import org.apache.shindig.common.crypto.Crypto;
import org.apache.shindig.common.uri.Uri;
import org.apache.shindig.common.uri.UriBuilder;
import org.apache.shindig.common.util.CharsetUtil;
import org.apache.shindig.gadgets.GadgetException;
import org.apache.shindig.gadgets.http.HttpFetcher;
import org.apache.shindig.gadgets.http.HttpRequest;
import org.apache.shindig.gadgets.http.HttpResponse;
import org.apache.shindig.gadgets.http.HttpResponseBuilder;
import org.apache.shindig.gadgets.oauth.AccessorInfo.HttpMethod;
import org.apache.shindig.gadgets.oauth.AccessorInfo.OAuthParamLocation;
import org.apache.shindig.gadgets.oauth.OAuthStore.TokenInfo;
import org.json.JSONObject;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.regex.Pattern;

/**
 * Implements both signed fetch and full OAuth for gadgets, as well as a combination of the two that
 * is necessary to build OAuth enabled gadgets for social sites.
 *
 * Signed fetch sticks identity information in the query string, signed either with the container's
 * private key, or else with a secret shared between the container and the gadget.
 *
 * Full OAuth redirects the user to the OAuth service provider site to obtain the user's permission
 * to access their data.  Read the example in the appendix to the OAuth spec for a summary of how
 * this works (The spec is at http://oauth.net/core/1.0/).
 *
 * The combination protocol works by sending identity information in all requests, and allows the
 * OAuth dance to happen as well when owner == viewer (by default) or for any viewer when the
 * OAuthFetcherConfig#isViewerAccessTokensEnabled parameter is true. This lets OAuth service providers build up
 * an identity mapping from ids on social network sites to their own local ids.
 */
public class OAuthRequest {

    // Maximum number of attempts at the protocol before giving up.
    private static final int MAX_ATTEMPTS = 2;

    // names of additional OAuth parameters we include in outgoing requests
    // TODO(beaton): can we do away with this bit in favor of the opensocial param?
    public static final String XOAUTH_APP_URL = "xoauth_app_url";

    protected static final String OPENSOCIAL_OWNERID = "opensocial_owner_id";

    protected static final String OPENSOCIAL_VIEWERID = "opensocial_viewer_id";

    protected static final String OPENSOCIAL_APPID = "opensocial_app_id";

    // TODO(beaton): figure out if this is the name in the 0.8 spec.
    protected static final String OPENSOCIAL_APPURL = "opensocial_app_url";

    protected static final String OPENSOCIAL_PROXIED_CONTENT = "opensocial_proxied_content";

    // old and new parameters for the public key
    // TODO remove OLD in a far future release
    protected static final String XOAUTH_PUBLIC_KEY_OLD = "xoauth_signature_publickey";
    protected static final String XOAUTH_PUBLIC_KEY_NEW = "xoauth_public_key";

    protected static final Pattern ALLOWED_PARAM_NAME = Pattern.compile("[-:\\w~!@$*()_\\[\\]:,./ ]+");

    private static final long ACCESS_TOKEN_EXPIRE_UNKNOWN = 0;
    private static final long ACCESS_TOKEN_FORCE_EXPIRE = -1;

    /**
     * Configuration options for the fetcher.
     */
    protected final OAuthFetcherConfig fetcherConfig;

    /**
     * Next fetcher to use in chain.
     */
    private final HttpFetcher fetcher;

    /**
     * Additional trusted parameters to be included in the OAuth request.
     */
    private final List<Parameter> trustedParams;

    /**
     * State information from client
     */
    protected OAuthClientState clientState;

    /**
     * OAuth specific stuff to include in the response.
     */
    protected OAuthResponseParams responseParams;

    /**
     * The accessor we use for signing messages. This also holds metadata about
     * the service provider, such as their URLs and the keys we use to access
     * those URLs.
     */
    protected AccessorInfo accessorInfo;

    /**
     * The request the client really wants to make.
     */
    protected HttpRequest realRequest;

    /**
     * Data returned along with OAuth access token, null if this is not an access token request
     */
    protected Map<String, String> accessTokenData;

    /**
     * @param fetcherConfig configuration options for the fetcher
     * @param fetcher fetcher to use for actually making requests
     */
    public OAuthRequest(OAuthFetcherConfig fetcherConfig, HttpFetcher fetcher) {
        this(fetcherConfig, fetcher, null);
    }

    /**
     * @param fetcherConfig configuration options for the fetcher
     * @param fetcher fetcher to use for actually making requests
     * @param trustedParams additional parameters to include in all outgoing OAuth requests, useful
     *     for client data that can't be pulled from the security token but is still trustworthy.
     */
    public OAuthRequest(OAuthFetcherConfig fetcherConfig, HttpFetcher fetcher, List<Parameter> trustedParams) {
        this.fetcherConfig = fetcherConfig;
        this.fetcher = fetcher;
        this.trustedParams = trustedParams;
    }

    /**
     * OAuth authenticated fetch.
     */
    public HttpResponse fetch(HttpRequest request) {
        realRequest = request;
        clientState = new OAuthClientState(fetcherConfig.getStateCrypter(),
                request.getOAuthArguments().getOrigClientState());
        responseParams = new OAuthResponseParams(request.getSecurityToken(), request,
                fetcherConfig.getStateCrypter());
        try {
            return fetchNoThrow();
        } catch (RuntimeException e) {
            // We log here to record the request/response pairs that created the failure.
            responseParams.logDetailedWarning("OAuth fetch unexpected fatal error", e);
            throw e;
        }
    }

    /**
     * Fetch data and build a response to return to the client.  We try to always return something
     * reasonable to the calling app no matter what kind of madness happens along the way.  If an
     * unchecked exception occurs, well, then the client is out of luck.
     */
    private HttpResponse fetchNoThrow() {
        HttpResponseBuilder response = null;
        try {
            accessorInfo = fetcherConfig.getTokenStore().getOAuthAccessor(realRequest.getSecurityToken(),
                    realRequest.getOAuthArguments(), clientState, responseParams, fetcherConfig);
            response = fetchWithRetry();
        } catch (OAuthRequestException e) {
            // No data for us.
            if (OAuthError.UNAUTHENTICATED.name().equals(e.getError())) {
                responseParams.logDetailedInfo("Unauthenticated OAuth fetch", e);
            } else if (OAuthError.BAD_OAUTH_TOKEN_URL.name().equals(e.getError())) {
                responseParams.logDetailedInfo("Invalid OAuth fetch request", e);
            } else {
                responseParams.logDetailedWarning("OAuth fetch fatal error", e);
            }
            responseParams.setSendTraceToClient(true);
            response = new HttpResponseBuilder().setHttpStatusCode(HttpResponse.SC_FORBIDDEN).setStrictNoCache();
            responseParams.addToResponse(response, e);
            return response.create();
        }

        // OK, got some data back, annotate it as necessary.
        if (response.getHttpStatusCode() >= 400) {
            responseParams.logDetailedWarning("OAuth fetch fatal error");
            responseParams.setSendTraceToClient(true);
        } else if (responseParams.getAznUrl() != null && responseParams.sawErrorResponse()) {
            responseParams.logDetailedWarning("OAuth fetch error, reprompting for user approval");
            responseParams.setSendTraceToClient(true);
        }

        responseParams.addToResponse(response, null);
        return response.create();
    }

    /**
     * Fetch data, retrying in the event that that the service provider returns an error and we think
     * we can recover by restarting the protocol flow.
     */
    private HttpResponseBuilder fetchWithRetry() throws OAuthRequestException {
        int attempts = 0;
        boolean retry;
        HttpResponseBuilder response = null;
        do {
            retry = false;
            ++attempts;
            try {
                response = attemptFetch();
            } catch (OAuthProtocolException pe) {
                retry = handleProtocolException(pe, attempts);
                if (!retry) {
                    if (pe.getProblemCode() != null) {
                        throw new OAuthRequestException(pe.getProblemCode(), "Service provider rejected request",
                                pe);
                    } else {
                        throw new OAuthRequestException(OAuthError.UNKNOWN_PROBLEM,
                                "Service provider rejected request", pe);
                    }
                }
            }
        } while (retry);
        return response;
    }

    private boolean handleProtocolException(OAuthProtocolException pe, int attempts) throws OAuthRequestException {
        if (pe.canExtend()) {
            accessorInfo.setTokenExpireMillis(ACCESS_TOKEN_FORCE_EXPIRE);
        } else if (pe.startFromScratch()) {
            fetcherConfig.getTokenStore().removeToken(realRequest.getSecurityToken(), accessorInfo.getConsumer(),
                    realRequest.getOAuthArguments(), responseParams);
            accessorInfo.getAccessor().accessToken = null;
            accessorInfo.getAccessor().requestToken = null;
            accessorInfo.getAccessor().tokenSecret = null;
            accessorInfo.setSessionHandle(null);
            accessorInfo.setTokenExpireMillis(ACCESS_TOKEN_EXPIRE_UNKNOWN);
        }
        return (attempts < MAX_ATTEMPTS && pe.canRetry());
    }

    /**
     * Does one of the following:
     * 1) Sends a request token request, and returns an approval URL to the calling app.
     * 2) Sends an access token request to swap a request token for an access token, and then asks
     *    for data from the service provider.
     * 3) Asks for data from the service provider.
     */
    private HttpResponseBuilder attemptFetch() throws OAuthRequestException, OAuthProtocolException {
        if (needApproval()) {
            // This is section 6.1 of the OAuth spec.
            checkCanApprove();
            fetchRequestToken();
            // This is section 6.2 of the OAuth spec.
            buildClientApprovalState();
            buildAznUrl();
            // break out of the content fetching chain, we need permission from
            // the user to do this
            return new HttpResponseBuilder().setHttpStatusCode(HttpResponse.SC_OK).setStrictNoCache();
        } else if (needAccessToken()) {
            // This is section 6.3 of the OAuth spec
            checkCanApprove();
            exchangeRequestToken();
            saveAccessToken();
            buildClientAccessState();
        }
        return fetchData();
    }

    /**
     * Do we need to get the user's approval to access the data?
     */
    private boolean needApproval() {
        return (realRequest.getOAuthArguments().mustUseToken() && accessorInfo.getAccessor().requestToken == null
                && accessorInfo.getAccessor().accessToken == null);
    }

    /**
     * Make sure the user is authorized to approve access tokens.  At the moment
     * we restrict this to page owner's viewing their own pages.
     */
    private void checkCanApprove() throws OAuthRequestException {
        String pageOwner = realRequest.getSecurityToken().getOwnerId();
        String pageViewer = realRequest.getSecurityToken().getViewerId();
        String stateOwner = clientState.getOwner();
        if (pageOwner == null || pageViewer == null) {
            throw new OAuthRequestException(OAuthError.UNAUTHENTICATED);
        }
        if (!fetcherConfig.isViewerAccessTokensEnabled() && !pageOwner.equals(pageViewer)) {
            throw new OAuthRequestException(OAuthError.NOT_OWNER);
        }
        // if (stateOwner != null && !stateOwner.equals(pageViewer)) {
        //   throw new OAuthRequestException(OAuthError.UNKNOWN_PROBLEM,
        //       "Client state belongs to a different person " +
        //       "(state owner=" + stateOwner + ", pageViewer=" + pageViewer + ')');
        // }
    }

    private void fetchRequestToken() throws OAuthRequestException, OAuthProtocolException {
        OAuthAccessor accessor = accessorInfo.getAccessor();
        HttpRequest request = createRequestTokenRequest(accessor);

        List<Parameter> requestTokenParams = Lists.newArrayList();

        addCallback(requestTokenParams);

        HttpRequest signed = sanitizeAndSign(request, requestTokenParams, true);

        OAuthMessage reply = sendOAuthMessage(signed);

        accessor.requestToken = OAuthUtil.getParameter(reply, OAuth.OAUTH_TOKEN);
        accessor.tokenSecret = OAuthUtil.getParameter(reply, OAuth.OAUTH_TOKEN_SECRET);
    }

    private HttpRequest createRequestTokenRequest(OAuthAccessor accessor) throws OAuthRequestException {
        if (accessor.consumer.serviceProvider.requestTokenURL == null) {
            throw new OAuthRequestException(OAuthError.BAD_OAUTH_TOKEN_URL, "request token");
        }
        HttpRequest request = new HttpRequest(Uri.parse(accessor.consumer.serviceProvider.requestTokenURL));
        request.setMethod(accessorInfo.getHttpMethod().toString());
        if (accessorInfo.getHttpMethod() == HttpMethod.POST) {
            request.setHeader("Content-Type", OAuth.FORM_ENCODED);
        }
        return request;
    }

    private void addCallback(List<Parameter> requestTokenParams) throws OAuthRequestException {
        // This will be either the consumer key callback URL or the global callback URL.
        String baseCallback = StringUtils.trimToNull(accessorInfo.getConsumer().getCallbackUrl());
        if (baseCallback != null) {
            String callbackUrl = fetcherConfig.getOAuthCallbackGenerator().generateCallback(fetcherConfig,
                    baseCallback, realRequest, responseParams);
            if (callbackUrl != null) {
                requestTokenParams.add(new Parameter(OAuth.OAUTH_CALLBACK, callbackUrl));
            }
        }
    }

    /**
     * Strip out any owner or viewer identity information passed by the client.
     */
    private List<Parameter> sanitize(List<Parameter> params) throws OAuthRequestException {
        ArrayList<Parameter> list = Lists.newArrayList();
        for (Parameter p : params) {
            String name = p.getKey();
            if (allowParam(name)) {
                list.add(p);
            } else {
                throw new OAuthRequestException(OAuthError.INVALID_PARAMETER, name);
            }
        }
        return list;
    }

    protected boolean allowParam(String paramName) {
        String canonParamName = paramName.toLowerCase();
        return (!(canonParamName.startsWith("oauth") || canonParamName.startsWith("xoauth")
                || canonParamName.startsWith("opensocial"))
                && ALLOWED_PARAM_NAME.matcher(canonParamName).matches());
    }

    /**
     * This gives a chance to override parameters by passing trusted parameters.
     *
     */
    private void overrideParameters(List<Parameter> authParams) throws OAuthRequestException {
        if (trustedParams == null) {
            return;
        }

        Map<String, String> paramMap = Maps.newLinkedHashMap();
        for (Parameter param : authParams) {
            paramMap.put(param.getKey(), param.getValue());
        }
        for (Parameter param : trustedParams) {
            if (!isContainerInjectedParameter(param.getKey())) {
                throw new OAuthRequestException(OAuthError.INVALID_TRUSTED_PARAMETER, param.getKey());
            }
            paramMap.put(param.getKey(), param.getValue());
        }

        authParams.clear();
        for (Entry<String, String> entry : paramMap.entrySet()) {
            authParams.add(new Parameter(entry.getKey(), entry.getValue()));
        }
    }

    /**
     * Add identity information, such as owner/viewer/gadget.
     */
    private void addIdentityParams(List<Parameter> params) {
        // If no owner or viewer information is required, don't add any identity params.  This lets
        // us be compatible with strict OAuth service providers that reject extra parameters on
        // requests.
        if (!realRequest.getOAuthArguments().getSignOwner() && !realRequest.getOAuthArguments().getSignViewer()) {
            return;
        }

        String owner = realRequest.getSecurityToken().getOwnerId();
        if (owner != null && realRequest.getOAuthArguments().getSignOwner()) {
            params.add(new Parameter(OPENSOCIAL_OWNERID, owner));
        }

        String viewer = realRequest.getSecurityToken().getViewerId();
        if (viewer != null && realRequest.getOAuthArguments().getSignViewer()) {
            params.add(new Parameter(OPENSOCIAL_VIEWERID, viewer));
        }

        String app = realRequest.getSecurityToken().getAppId();
        if (app != null) {
            params.add(new Parameter(OPENSOCIAL_APPID, app));
        }

        String appUrl = realRequest.getSecurityToken().getAppUrl();
        if (appUrl != null) {
            params.add(new Parameter(OPENSOCIAL_APPURL, appUrl));
        }

        if (realRequest.getOAuthArguments().isProxiedContentRequest()) {
            params.add(new Parameter(OPENSOCIAL_PROXIED_CONTENT, "1"));
        }
    }

    /**
     * Add signature type to the message.
     */
    private void addSignatureParams(List<Parameter> params) {
        if (accessorInfo.getConsumer().getConsumer().consumerKey == null) {
            params.add(new Parameter(OAuth.OAUTH_CONSUMER_KEY, realRequest.getSecurityToken().getDomain()));
        }
        if (accessorInfo.getConsumer().getKeyName() != null) {
            params.add(new Parameter(XOAUTH_PUBLIC_KEY_OLD, accessorInfo.getConsumer().getKeyName()));
            params.add(new Parameter(XOAUTH_PUBLIC_KEY_NEW, accessorInfo.getConsumer().getKeyName()));
        }
        params.add(new Parameter(OAuth.OAUTH_VERSION, OAuth.VERSION_1_0));
        params.add(new Parameter(OAuth.OAUTH_TIMESTAMP,
                Long.toString(fetcherConfig.getClock().currentTimeMillis() / 1000L)));
        // the oauth.net java code uses a clock to generate nonces, which causes nonce collisions
        // under heavy load.  A random nonce is more reliable.
        params.add(new Parameter(OAuth.OAUTH_NONCE, String.valueOf(Math.abs(Crypto.RAND.nextLong()))));
    }

    static String getAuthorizationHeader(List<Map.Entry<String, String>> oauthParams) {
        StringBuilder result = new StringBuilder("OAuth ");

        boolean first = true;
        for (Map.Entry<String, String> parameter : oauthParams) {
            if (!first) {
                result.append(", ");
            } else {
                first = false;
            }
            result.append(OAuth.percentEncode(parameter.getKey())).append("=\"")
                    .append(OAuth.percentEncode(parameter.getValue())).append('"');
        }
        return result.toString();
    }

    /**
     * Start with an HttpRequest.
     * Throw if there are any attacks in the query.
     * Throw if there are any attacks in the post body.
     * Build up OAuth parameter list.
     * Sign it.
     * Add OAuth parameters to new request.
     * Send it.
     */
    public HttpRequest sanitizeAndSign(HttpRequest base, List<Parameter> params, boolean tokenEndpoint)
            throws OAuthRequestException {
        if (params == null) {
            params = Lists.newArrayList();
        }
        UriBuilder target = new UriBuilder(base.getUri());
        String query = target.getQuery();
        target.setQuery(null);
        params.addAll(sanitize(OAuth.decodeForm(query)));

        switch (OAuthUtil.getSignatureType(tokenEndpoint, base.getHeader("Content-Type"))) {
        case URL_ONLY:
            break;
        case URL_AND_FORM_PARAMS:
            try {
                params.addAll(sanitize(OAuth.decodeForm(base.getPostBodyAsString())));
            } catch (IllegalArgumentException e) {
                // Occurs if OAuth.decodeForm finds an invalid URL to decode.
                throw new OAuthRequestException(OAuthError.INVALID_REQUEST, "Could not decode body", e);
            }
            break;
        case URL_AND_BODY_HASH:
            try {
                byte[] body = IOUtils.toByteArray(base.getPostBody());
                byte[] hash = DigestUtils.sha(body);
                String b64 = new String(Base64.encodeBase64(hash), Charsets.UTF_8.name());
                params.add(new Parameter(OAuthConstants.OAUTH_BODY_HASH, b64));
            } catch (IOException e) {
                throw new OAuthRequestException(OAuthError.UNKNOWN_PROBLEM, "Error taking body hash", e);
            }
            break;
        }

        // authParams are parameters prefixed with 'xoauth' 'oauth' or 'opensocial',
        // trusted parameters have ability to override these parameters.
        List<Parameter> authParams = Lists.newArrayList();

        addIdentityParams(authParams);

        addSignatureParams(authParams);

        overrideParameters(authParams);

        params.addAll(authParams);

        try {
            OAuthMessage signed = OAuthUtil.newRequestMessage(accessorInfo.getAccessor(), base.getMethod(),
                    target.toString(), params);
            HttpRequest oauthHttpRequest = createHttpRequest(base, selectOAuthParams(signed));
            // Following 302s on OAuth responses is unlikely to be productive.
            oauthHttpRequest.setFollowRedirects(false);
            return oauthHttpRequest;
        } catch (OAuthException e) {
            throw new OAuthRequestException(OAuthError.UNKNOWN_PROBLEM, "Error signing message", e);
        }
    }

    private HttpRequest createHttpRequest(HttpRequest base, List<Map.Entry<String, String>> oauthParams)
            throws OAuthRequestException {

        OAuthParamLocation paramLocation = accessorInfo.getParamLocation();

        // paramLocation could be overriden by a run-time parameter to fetchRequest

        HttpRequest result = new HttpRequest(base);

        // If someone specifies that OAuth parameters go in the body, but then sends a request for
        // data using GET, we've got a choice.  We can throw some type of error, since a GET request
        // can't have a body, or we can stick the parameters somewhere else, like, say, the header.
        // We opt to put them in the header, since that stands some chance of working with some
        // OAuth service providers.
        if (paramLocation == OAuthParamLocation.POST_BODY && !result.getMethod().equals("POST")) {
            paramLocation = OAuthParamLocation.AUTH_HEADER;
        }

        switch (paramLocation) {
        case AUTH_HEADER:
            result.addHeader("Authorization", getAuthorizationHeader(oauthParams));
            break;

        case POST_BODY:
            String contentType = result.getHeader("Content-Type");
            if (!OAuth.isFormEncoded(contentType)) {
                throw new OAuthRequestException(OAuthError.INVALID_REQUEST,
                        "OAuth param location can only be post_body if it is of " + "type x-www-form-urlencoded");
            }
            String oauthData = OAuthUtil.formEncode(oauthParams);
            if (result.getPostBodyLength() == 0) {
                result.setPostBody(CharsetUtil.getUtf8Bytes(oauthData));
            } else {
                StringBuilder postBody = new StringBuilder();
                postBody.append(result.getPostBodyAsString());

                if (!result.getPostBodyAsString().endsWith("&")) {
                    postBody.append('&');
                }

                postBody.append(oauthData);
                result.setPostBody(postBody.toString().getBytes());
            }
            break;

        case URI_QUERY:
            result.setUri(Uri.parse(OAuthUtil.addParameters(result.getUri().toString(), oauthParams)));
            break;
        }

        return result;
    }

    /**
     * Sends OAuth request token and access token messages.
     */
    private OAuthMessage sendOAuthMessage(HttpRequest request)
            throws OAuthRequestException, OAuthProtocolException {
        HttpResponse response = fetchFromServer(request);
        checkForProtocolProblem(response);
        OAuthMessage reply = new OAuthMessage(null, null, null);

        reply.addParameters(OAuth.decodeForm(response.getResponseAsString()));
        reply = parseAuthHeader(reply, response);
        if (OAuthUtil.getParameter(reply, OAuth.OAUTH_TOKEN) == null) {
            throw new OAuthRequestException(OAuthError.MISSING_OAUTH_PARAMETER, OAuth.OAUTH_TOKEN);
        }
        if (OAuthUtil.getParameter(reply, OAuth.OAUTH_TOKEN_SECRET) == null) {
            throw new OAuthRequestException(OAuthError.MISSING_OAUTH_PARAMETER, OAuth.OAUTH_TOKEN_SECRET);
        }
        return reply;
    }

    /**
     * Parse OAuth WWW-Authenticate header and either add them to an existing
     * message or create a new message.
     *
     * @param msg
     * @param resp
     * @return the updated message.
     */
    private OAuthMessage parseAuthHeader(OAuthMessage msg, HttpResponse resp) {
        if (msg == null) {
            msg = new OAuthMessage(null, null, null);
        }

        for (String auth : resp.getHeaders("WWW-Authenticate")) {
            msg.addParameters(OAuthMessage.decodeAuthorization(auth));
        }

        return msg;
    }

    /**
     * Builds the data we'll cache on the client while we wait for approval.
     */
    private void buildClientApprovalState() {
        OAuthAccessor accessor = accessorInfo.getAccessor();
        responseParams.getNewClientState().setRequestToken(accessor.requestToken);
        responseParams.getNewClientState().setRequestTokenSecret(accessor.tokenSecret);
        responseParams.getNewClientState().setOwner(realRequest.getSecurityToken().getOwnerId());
    }

    /**
     * Builds the URL the client needs to visit to approve access.
     */
    private void buildAznUrl() throws OAuthRequestException {
        // We add the token, gadget is responsible for the callback URL.
        OAuthAccessor accessor = accessorInfo.getAccessor();
        if (accessor.consumer.serviceProvider.userAuthorizationURL == null) {
            throw new OAuthRequestException(OAuthError.BAD_OAUTH_TOKEN_URL, "authorization");
        }
        StringBuilder azn = new StringBuilder(accessor.consumer.serviceProvider.userAuthorizationURL);
        if (azn.indexOf("?") == -1) {
            azn.append('?');
        } else {
            azn.append('&');
        }
        azn.append(OAuth.OAUTH_TOKEN);
        azn.append('=');
        azn.append(OAuth.percentEncode(accessor.requestToken));
        responseParams.setAznUrl(azn.toString());
    }

    /**
     * Do we need to exchange a request token for an access token?
     */
    private boolean needAccessToken() {
        if (realRequest.getOAuthArguments().mustUseToken() && accessorInfo.getAccessor().requestToken != null
                && accessorInfo.getAccessor().accessToken == null) {
            return true;
        }
        return realRequest.getOAuthArguments().mayUseToken() && accessTokenExpired();
    }

    private boolean accessTokenExpired() {
        return (accessorInfo.getTokenExpireMillis() != ACCESS_TOKEN_EXPIRE_UNKNOWN
                && accessorInfo.getTokenExpireMillis() < fetcherConfig.getClock().currentTimeMillis());
    }

    /**
     * Implements section 6.3 of the OAuth spec.
     */
    private void exchangeRequestToken() throws OAuthRequestException, OAuthProtocolException {
        if (accessorInfo.getAccessor().accessToken != null) {
            // session extension per
            // http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html
            accessorInfo.getAccessor().requestToken = accessorInfo.getAccessor().accessToken;
            accessorInfo.getAccessor().accessToken = null;
        }
        OAuthAccessor accessor = accessorInfo.getAccessor();

        if (accessor.consumer.serviceProvider.accessTokenURL == null) {
            throw new OAuthRequestException(OAuthError.BAD_OAUTH_TOKEN_URL, "access token");
        }
        Uri accessTokenUri = Uri.parse(accessor.consumer.serviceProvider.accessTokenURL);
        HttpRequest request = new HttpRequest(accessTokenUri);
        request.setMethod(accessorInfo.getHttpMethod().toString());
        if (accessorInfo.getHttpMethod() == HttpMethod.POST) {
            request.setHeader("Content-Type", OAuth.FORM_ENCODED);
        }

        List<Parameter> msgParams = Lists.newArrayList();
        msgParams.add(new Parameter(OAuth.OAUTH_TOKEN, accessor.requestToken));
        if (accessorInfo.getSessionHandle() != null) {
            msgParams.add(new Parameter(OAuthConstants.OAUTH_SESSION_HANDLE, accessorInfo.getSessionHandle()));
        }
        String receivedCallback = realRequest.getOAuthArguments().getReceivedCallbackUrl();
        if (!StringUtils.isBlank(receivedCallback)) {
            try {
                Uri parsed = Uri.parse(receivedCallback);
                String verifier = parsed.getQueryParameter(OAuth.OAUTH_VERIFIER);
                if (verifier != null) {
                    msgParams.add(new Parameter(OAuth.OAUTH_VERIFIER, verifier));
                }
            } catch (IllegalArgumentException e) {
                throw new OAuthRequestException(OAuthError.INVALID_REQUEST,
                        "Invalid received callback URL: " + receivedCallback, e);
            }
        }

        HttpRequest signed = sanitizeAndSign(request, msgParams, true);

        OAuthMessage reply = sendOAuthMessage(signed);

        accessor.accessToken = OAuthUtil.getParameter(reply, OAuth.OAUTH_TOKEN);
        accessor.tokenSecret = OAuthUtil.getParameter(reply, OAuth.OAUTH_TOKEN_SECRET);
        accessorInfo.setSessionHandle(OAuthUtil.getParameter(reply, OAuthConstants.OAUTH_SESSION_HANDLE));
        accessorInfo.setTokenExpireMillis(ACCESS_TOKEN_EXPIRE_UNKNOWN);
        if (OAuthUtil.getParameter(reply, OAuthConstants.OAUTH_EXPIRES_IN) != null) {
            try {
                int expireSecs = Integer.parseInt(OAuthUtil.getParameter(reply, OAuthConstants.OAUTH_EXPIRES_IN));
                long expireMillis = fetcherConfig.getClock().currentTimeMillis() + expireSecs * 1000L;
                accessorInfo.setTokenExpireMillis(expireMillis);
            } catch (NumberFormatException e) {
                // Hrm.  Bogus server.  We can safely ignore this, we'll just wait for the server to
                // tell us when the access token has expired.
                responseParams.logDetailedWarning("server returned bogus expiration");
            }
        }

        // Clients may want to retrieve extra information returned with the access token.  Several
        // OAuth service providers (e.g. Yahoo, NetFlix) return a user id along with the access
        // token, and the user id is required to use their APIs.  Clients signal that they need this
        // extra data by sending a fetch request for the access token URL.
        //
        // We don't return oauth* parameters from the response, because we know how to handle those
        // ourselves and some of them (such as oauth_token_secret) aren't supposed to be sent to the
        // client.
        //
        // Note that this data is not stored server-side.  Clients need to cache these user-ids or
        // other data themselves, probably in user prefs, if they expect to need the data in the
        // future.
        if (accessTokenUri.equals(realRequest.getUri())) {
            accessTokenData = Maps.newHashMap();
            for (Entry<String, String> param : OAuthUtil.getParameters(reply)) {
                if (!param.getKey().startsWith("oauth")) {
                    accessTokenData.put(param.getKey(), param.getValue());
                }
            }
        }
    }

    /**
     * Save off our new token and secret to the persistent store.
     */
    private void saveAccessToken() throws OAuthRequestException {
        OAuthAccessor accessor = accessorInfo.getAccessor();
        TokenInfo tokenInfo = new TokenInfo(accessor.accessToken, accessor.tokenSecret,
                accessorInfo.getSessionHandle(), accessorInfo.getTokenExpireMillis());
        fetcherConfig.getTokenStore().storeTokenKeyAndSecret(realRequest.getSecurityToken(),
                accessorInfo.getConsumer(), realRequest.getOAuthArguments(), tokenInfo, responseParams);
    }

    /**
     * Builds the data we'll cache on the client while we make requests.
     */
    private void buildClientAccessState() {
        OAuthAccessor accessor = accessorInfo.getAccessor();
        responseParams.getNewClientState().setAccessToken(accessor.accessToken);
        responseParams.getNewClientState().setAccessTokenSecret(accessor.tokenSecret);
        responseParams.getNewClientState().setOwner(realRequest.getSecurityToken().getOwnerId());
        responseParams.getNewClientState().setSessionHandle(accessorInfo.getSessionHandle());
        responseParams.getNewClientState().setTokenExpireMillis(accessorInfo.getTokenExpireMillis());
    }

    /**
     * Get honest-to-goodness user data.
     *
     * @throws OAuthProtocolException if the service provider returns an OAuth
     * related error instead of user data.
     */
    private HttpResponseBuilder fetchData() throws OAuthRequestException, OAuthProtocolException {
        HttpResponseBuilder builder = null;
        if (accessTokenData != null) {
            // This is a request for access token data, return it.
            builder = formatAccessTokenData();
        } else {
            HttpRequest signed = sanitizeAndSign(realRequest, null, false);

            HttpResponse response = fetchFromServer(signed);

            checkForProtocolProblem(response);
            builder = new HttpResponseBuilder(response);
        }
        return builder;
    }

    private HttpResponse fetchFromServer(HttpRequest request) throws OAuthRequestException {
        HttpResponse response = null;
        try {
            response = fetcher.fetch(request);
            if (response == null) {
                throw new OAuthRequestException(OAuthError.MISSING_SERVER_RESPONSE);
            }
            return response;
        } catch (GadgetException e) {
            throw new OAuthRequestException(OAuthError.MISSING_SERVER_RESPONSE, "", e);
        } finally {
            responseParams.addRequestTrace(request, response);
        }
    }

    /**
     * Access token data is returned to the gadget as json key/value pairs:
     *
     *    { "user_id": "12345678" }
     */
    private HttpResponseBuilder formatAccessTokenData() {
        HttpResponseBuilder builder = new HttpResponseBuilder();
        builder.addHeader("Content-Type", "application/json; charset=utf-8");
        builder.setHttpStatusCode(HttpResponse.SC_OK);
        // no need to cache this, these requests should be fairly rare, and the results should be
        // cached in gadget.
        builder.setStrictNoCache();
        JSONObject json = new JSONObject(accessTokenData);
        builder.setResponseString(json.toString());
        return builder;
    }

    /**
     * Look for an OAuth protocol problem.  For cases where no access token is in play
     * @param response
     * @throws OAuthProtocolException
     */
    private void checkForProtocolProblem(HttpResponse response) throws OAuthProtocolException {
        if (couldBeFullOAuthError(response)) {
            // OK, might be OAuth related.
            OAuthMessage message = parseAuthHeader(null, response);
            if (OAuthUtil.getParameter(message, OAuthProblemException.OAUTH_PROBLEM) != null) {
                // SP reported extended error information
                throw new OAuthProtocolException(response.getHttpStatusCode(), message);
            }
            // No extended information, guess based on HTTP response code.
            if (response.getHttpStatusCode() == HttpResponse.SC_UNAUTHORIZED) {
                throw new OAuthProtocolException(response.getHttpStatusCode());
            }
        }
    }

    /**
     * Check if a response might be due to an OAuth protocol error.  We don't want to intercept
     * errors for signed fetch, we only care about places where we are dealing with OAuth request
     * and/or access tokens.
     */
    private boolean couldBeFullOAuthError(HttpResponse response) {
        // 400, 401 and 403 are likely to be authentication errors.  Unfortunately there is
        // significant overlap with other types of server errors as well, so we can't just assume
        // that the root cause of these errors is a bad token or a bad consumer key.
        if (response.getHttpStatusCode() != HttpResponse.SC_BAD_REQUEST
                && response.getHttpStatusCode() != HttpResponse.SC_UNAUTHORIZED
                && response.getHttpStatusCode() != HttpResponse.SC_FORBIDDEN) {
            return false;
        }
        // If the client forced us to use full OAuth, this might be OAuth related.
        if (realRequest.getOAuthArguments().mustUseToken()) {
            return true;
        }
        // If we're using an access token, this might be OAuth related.
        if (accessorInfo.getAccessor().accessToken != null) {
            return true;
        }
        // Not OAuth related.
        return false;
    }

    /**
     * Extracts only those parameters from an OAuthMessage that are OAuth-related.
     * An OAuthMessage may hold a whole bunch of non-OAuth-related parameters
     * because they were all needed for signing. But when constructing a request
     * we need to be able to extract just the OAuth-related parameters because
     * they, and only they, may have to be put into an Authorization: header or
     * some such thing.
     *
     * @param message the OAuthMessage object, which holds non-OAuth parameters
     * such as foo=bar (which may have been in the original URI query part, or
     * perhaps in the POST body), as well as OAuth-related parameters (such as
     * oauth_timestamp or oauth_signature).
     *
     * @return a list that contains only the oauth_related parameters.
     */
    static List<Map.Entry<String, String>> selectOAuthParams(OAuthMessage message) {
        List<Map.Entry<String, String>> result = Lists.newArrayList();
        for (Map.Entry<String, String> param : OAuthUtil.getParameters(message)) {
            if (isContainerInjectedParameter(param.getKey())) {
                result.add(param);
            }
        }
        return result;
    }

    protected static boolean isContainerInjectedParameter(String key) {
        key = key.toLowerCase();
        return key.startsWith("oauth") || key.startsWith("xoauth") || key.startsWith("opensocial");
    }
}