diff --git a/0002-Don-t-use-SIGNATURE_RSA.patch b/0002-Don-t-use-SIGNATURE_RSA.patch
new file mode 100644
index 0000000..d250208
--- /dev/null
+++ b/0002-Don-t-use-SIGNATURE_RSA.patch
@@ -0,0 +1,155 @@
+From 289f5bb346318d21ed70f747db0180bdb79a6d5d Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Sat, 3 Jul 2021 20:51:17 +0200
+Subject: [PATCH] Don't use SIGNATURE_RSA
+
+---
+ requests_oauthlib/oauth1_session.py | 25 ++++++-------
+ tests/test_oauth1_session.py | 54 +----------------------------
+ 2 files changed, 11 insertions(+), 68 deletions(-)
+
+diff --git a/requests_oauthlib/oauth1_session.py b/requests_oauthlib/oauth1_session.py
+index aa17f28..ea3de69 100644
+--- a/requests_oauthlib/oauth1_session.py
++++ b/requests_oauthlib/oauth1_session.py
+@@ -9,7 +9,7 @@ import logging
+ 
+ from oauthlib.common import add_params_to_uri
+ from oauthlib.common import urldecode as _urldecode
+-from oauthlib.oauth1 import SIGNATURE_HMAC, SIGNATURE_RSA, SIGNATURE_TYPE_AUTH_HEADER
++from oauthlib.oauth1 import SIGNATURE_HMAC, SIGNATURE_TYPE_AUTH_HEADER
+ import requests
+ 
+ from . import OAuth1
+@@ -134,8 +134,7 @@ class OAuth1Session(requests.Session):
+ authorization.
+ :param signature_method: Signature methods determine how the OAuth
+ signature is created. The three options are
+- oauthlib.oauth1.SIGNATURE_HMAC (default),
+- oauthlib.oauth1.SIGNATURE_RSA and
++ oauthlib.oauth1.SIGNATURE_HMAC (default) and
+ oauthlib.oauth1.SIGNATURE_PLAIN.
+ :param signature_type: Signature type decides where the OAuth
+ parameters are added. Either in the
+@@ -145,8 +144,9 @@ class OAuth1Session(requests.Session):
+ oauthlib.oauth1.SIGNATURE_TYPE_QUERY and
+ oauthlib.oauth1.SIGNATURE_TYPE_BODY
+ respectively.
+- :param rsa_key: The private RSA key as a string. Can only be used with
+- signature_method=oauthlib.oauth1.SIGNATURE_RSA.
++ :param rsa_key: The private RSA key as a string. Because this version
++ does not support signature_method=oauthlib.oauth1.SIGNATURE_RSA.
++ this parameter is unused
+ :param verifier: A verifier string to prove authorization was granted.
+ :param client_class: A subclass of `oauthlib.oauth1.Client` to use with
+ `requests_oauthlib.OAuth1` instead of the default
+@@ -200,16 +200,11 @@ class OAuth1Session(requests.Session):
+ authentication dance before OAuth-protected requests to the resource
+ will succeed.
+ """
+- if self._client.client.signature_method == SIGNATURE_RSA:
+- # RSA only uses resource_owner_key
+- return bool(self._client.client.resource_owner_key)
+- else:
+- # other methods of authentication use all three pieces
+- return (
+- bool(self._client.client.client_secret)
+- and bool(self._client.client.resource_owner_key)
+- and bool(self._client.client.resource_owner_secret)
+- )
++ return (
++ bool(self._client.client.client_secret)
++ and bool(self._client.client.resource_owner_key)
++ and bool(self._client.client.resource_owner_secret)
++ )
+ 
+ def authorization_url(self, url, request_token=None, **kwargs):
+ """Create an authorization URL by appending request_token and optional
+diff --git a/tests/test_oauth1_session.py b/tests/test_oauth1_session.py
+index 1dd2b2f..88928e1 100644
+--- a/tests/test_oauth1_session.py
++++ b/tests/test_oauth1_session.py
+@@ -5,7 +5,7 @@ import requests
+ from io import StringIO
+ 
+ from oauthlib.oauth1 import SIGNATURE_TYPE_QUERY, SIGNATURE_TYPE_BODY
+-from oauthlib.oauth1 import SIGNATURE_RSA, SIGNATURE_PLAINTEXT
++from oauthlib.oauth1 import SIGNATURE_PLAINTEXT
+ from requests_oauthlib import OAuth1Session
+ 
+ try:
+@@ -117,18 +117,6 @@ class OAuth1SessionTest(unittest.TestCase):
+ auth.send = self.verify_signature(signature)
+ auth.post("https://i.b")
+ 
+- signature = (
+- "OAuth "
+- 'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '
+- 'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '
+- 'oauth_signature="{sig}"'
+- ).format(sig=TEST_RSA_OAUTH_SIGNATURE)
+- auth = OAuth1Session(
+- "foo", signature_method=SIGNATURE_RSA, rsa_key=TEST_RSA_KEY
+- )
+- auth.send = self.verify_signature(signature)
+- auth.post("https://i.b")
+-
+ @mock.patch("oauthlib.oauth1.rfc5849.generate_timestamp")
+ @mock.patch("oauthlib.oauth1.rfc5849.generate_nonce")
+ def test_binary_upload(self, generate_nonce, generate_timestamp):
+@@ -279,52 +267,12 @@ class OAuth1SessionTest(unittest.TestCase):
+ sess = OAuth1Session("foo")
+ self.assertIs(sess.authorized, False)
+ 
+- def test_authorized_false_rsa(self):
+- signature = (
+- "OAuth "
+- 'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '
+- 'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '
+- 'oauth_signature="{sig}"'
+- ).format(sig=TEST_RSA_OAUTH_SIGNATURE)
+- sess = OAuth1Session(
+- "foo", signature_method=SIGNATURE_RSA, rsa_key=TEST_RSA_KEY
+- )
+- sess.send = self.verify_signature(signature)
+- self.assertIs(sess.authorized, False)
+-
+ def test_authorized_true(self):
+ sess = OAuth1Session("key", "secret", verifier="bar")
+ sess.send = self.fake_body("oauth_token=foo&oauth_token_secret=bar")
+ sess.fetch_access_token("https://example.com/token")
+ self.assertIs(sess.authorized, True)
+ 
+- @mock.patch("oauthlib.oauth1.rfc5849.generate_timestamp")
+- @mock.patch("oauthlib.oauth1.rfc5849.generate_nonce")
+- def test_authorized_true_rsa(self, generate_nonce, generate_timestamp):
+- if not cryptography:
+- raise unittest.SkipTest("cryptography module is required")
+- if not jwt:
+- raise unittest.SkipTest("pyjwt module is required")
+-
+- generate_nonce.return_value = "abc"
+- generate_timestamp.return_value = "123"
+- signature = (
+- "OAuth "
+- 'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '
+- 'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '
+- 'oauth_verifier="bar", oauth_signature="{sig}"'
+- ).format(sig=TEST_RSA_OAUTH_SIGNATURE)
+- sess = OAuth1Session(
+- "key",
+- "secret",
+- signature_method=SIGNATURE_RSA,
+- rsa_key=TEST_RSA_KEY,
+- verifier="bar",
+- )
+- sess.send = self.fake_body("oauth_token=foo&oauth_token_secret=bar")
+- sess.fetch_access_token("https://example.com/token")
+- self.assertIs(sess.authorized, True)
+-
+ def verify_signature(self, signature):
+ def fake_send(r, **kwargs):
+ auth_header = r.headers["Authorization"]
+-- 
+2.26.3
+
diff --git a/python-requests-oauthlib.spec b/python-requests-oauthlib.spec
index c2f31c5..e691b52 100644
--- a/python-requests-oauthlib.spec
+++ b/python-requests-oauthlib.spec
@@ -3,13 +3,14 @@
 Name: python-requests-oauthlib
 Version: 1.3.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: OAuthlib authentication support for Requests.
 License: ISC
 URL: http://pypi.python.org/pypi/requests-oauthlib
 Source0: https://github.com/requests/requests-oauthlib/archive/v%{version}.tar.gz
 Patch0001: 401.patch
+Patch0002: 0002-Don-t-use-SIGNATURE_RSA.patch
 BuildArch: noarch
@@ -52,6 +53,11 @@ rm -rf %{distname}.egg-info
 %{python3_sitelib}/%{modname}-%{version}*
 %changelog
+* Sat Jul 3 2021 Jakub Hrozek - 1.3.0-11
+- Don't use SIGNATURE_RSA
+- Related: #1935433 - python-oauthlib implements and/or uses the deprecated
+ SHA1 algorithm by default
+
 * Fri Apr 16 2021 Mohan Boddu - 1.3.0-10
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
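Review bot: The rewritten `authorized` body in the `@@ -200,16 +200,11 @@` hunk now reports False for any session still built with `signature_method="RSA-SHA1"` (the string value of the removed constant), because such clients never hold a client_secret or resource_owner_secret, yet nothing in the patch stops that configuration from being created — `rsa_key` is still accepted and the new docstring only calls it "unused". A caller that configured RSA signing therefore gets a session that either signs with a method this build no longer supports or silently reports unauthorized, and a dropped signing method should fail loudly instead: in `OAuth1Session.__init__` (outside this hunk) add `if rsa_key is not None or signature_method == "RSA-SHA1":` / `    raise ValueError("RSA-SHA1 signing is not supported in this build")` before the client is constructed. Whether the oauthlib shipped alongside this package still accepts "RSA-SHA1" at signing time is not visible here, so the behaviour past `__init__` is an assumption to confirm. The rewritten `:param rsa_key:` text in the `@@ -145,8 +144,9 @@` hunk also has a stray full stop after SIGNATURE_RSA and no terminating period; `:param rsa_key: Not supported: this build has no signature_method=oauthlib.oauth1.SIGNATURE_RSA, so passing a key raises ValueError.` would match the proposed check.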