From 289f5bb346318d21ed70f747db0180bdb79a6d5d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Sat, 3 Jul 2021 20:51:17 +0200
Subject: [PATCH] Don't use SIGNATURE_RSA
---
 requests_oauthlib/oauth1_session.py | 25 ++++++-------
 tests/test_oauth1_session.py | 54 +----------------------------
 2 files changed, 11 insertions(+), 68 deletions(-)
diff --git a/requests_oauthlib/oauth1_session.py b/requests_oauthlib/oauth1_session.py
index aa17f28..ea3de69 100644
--- a/requests_oauthlib/oauth1_session.py
+++ b/requests_oauthlib/oauth1_session.py
@@ -9,7 +9,7 @@ import logging
 from oauthlib.common import add_params_to_uri
 from oauthlib.common import urldecode as _urldecode
-from oauthlib.oauth1 import SIGNATURE_HMAC, SIGNATURE_RSA, SIGNATURE_TYPE_AUTH_HEADER
+from oauthlib.oauth1 import SIGNATURE_HMAC, SIGNATURE_TYPE_AUTH_HEADER
 import requests
 from . import OAuth1
@@ -134,8 +134,7 @@ class OAuth1Session(requests.Session):
 authorization. :param signature_method: Signature methods determine how the OAuth signature is created. The three options are
- oauthlib.oauth1.SIGNATURE_HMAC (default),
- oauthlib.oauth1.SIGNATURE_RSA and
+ oauthlib.oauth1.SIGNATURE_HMAC (default) and
 oauthlib.oauth1.SIGNATURE_PLAIN. :param signature_type: Signature type decides where the OAuth parameters are added. Either in the
@@ -145,8 +144,9 @@ class OAuth1Session(requests.Session):
 oauthlib.oauth1.SIGNATURE_TYPE_QUERY and oauthlib.oauth1.SIGNATURE_TYPE_BODY respectively.
- :param rsa_key: The private RSA key as a string. Can only be used with
- signature_method=oauthlib.oauth1.SIGNATURE_RSA.
+ :param rsa_key: The private RSA key as a string. Because this version
+ does not support signature_method=oauthlib.oauth1.SIGNATURE_RSA.
+ this parameter is unused
 :param verifier: A verifier string to prove authorization was granted. :param client_class: A subclass of `oauthlib.oauth1.Client` to use with `requests_oauthlib.OAuth1` instead of the default
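Review bot: In the hunk at line 134 the context line still reads `The three options are` while the new text lists only SIGNATURE_HMAC and SIGNATURE_PLAIN, so the count is now wrong; change that line to `OAuth signature is created. The two options are`. The same docstring names the second option `oauthlib.oauth1.SIGNATURE_PLAIN`, whereas the test file in this patch imports `SIGNATURE_PLAINTEXT` from the same module, so it is worth checking which name oauthlib actually exports and using it in the docstring. The definition this docstring belongs to (presumably OAuth1Session.__init__) starts and ends outside the hunk.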
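Review bot: In the hunk at line 145 the new rsa_key text has a stray full stop that breaks the sentence (`...SIGNATURE_RSA.` then `this parameter is unused`) and no terminal period; suggest `:param rsa_key: Unused. This version does not support signature_method=oauthlib.oauth1.SIGNATURE_RSA.`. Beyond wording, nothing in this patch rejects the unsupported combination: the constructor still accepts both signature_method and rsa_key, and if a caller keeps passing the RSA method (the constant still exists in oauthlib) the value is presumably forwarded unchanged, so the session would keep attempting RSA signing while the `authorized` property rewritten in the hunk at line 200 now reports False for it. Rather than documenting the parameter as silently ignored, consider raising at construction time, e.g. `if rsa_key is not None or signature_method == "RSA-SHA1": raise ValueError("RSA signing is not supported")` (assuming rsa_key defaults to None), and adding a test for that in place of the removed RSA cases. The constructor body is outside the hunk, so I cannot confirm how these arguments are forwarded.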
@@ -200,16 +200,11 @@ class OAuth1Session(requests.Session):
 authentication dance before OAuth-protected requests to the resource will succeed. """
- if self._client.client.signature_method == SIGNATURE_RSA:
- # RSA only uses resource_owner_key
- return bool(self._client.client.resource_owner_key)
- else:
- # other methods of authentication use all three pieces
- return (
- bool(self._client.client.client_secret)
- and bool(self._client.client.resource_owner_key)
- and bool(self._client.client.resource_owner_secret)
- )
+ return (
+ bool(self._client.client.client_secret)
+ and bool(self._client.client.resource_owner_key)
+ and bool(self._client.client.resource_owner_secret)
+ )
 def authorization_url(self, url, request_token=None, **kwargs):
 """Create an authorization URL by appending request_token and optional
diff --git a/tests/test_oauth1_session.py b/tests/test_oauth1_session.py
index 1dd2b2f..88928e1 100644
--- a/tests/test_oauth1_session.py
+++ b/tests/test_oauth1_session.py
@@ -5,7 +5,7 @@ import requests
 from io import StringIO
 from oauthlib.oauth1 import SIGNATURE_TYPE_QUERY, SIGNATURE_TYPE_BODY
-from oauthlib.oauth1 import SIGNATURE_RSA, SIGNATURE_PLAINTEXT
+from oauthlib.oauth1 import SIGNATURE_PLAINTEXT
 from requests_oauthlib import OAuth1Session
 try:
@@ -117,18 +117,6 @@ class OAuth1SessionTest(unittest.TestCase):
 auth.send = self.verify_signature(signature)
 auth.post("https://i.b")
- signature = (
- "OAuth "
- 'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '
- 'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '
- 'oauth_signature="{sig}"'
- ).format(sig=TEST_RSA_OAUTH_SIGNATURE)
- auth = OAuth1Session(
- "foo", signature_method=SIGNATURE_RSA, rsa_key=TEST_RSA_KEY
- )
- auth.send = self.verify_signature(signature)
- auth.post("https://i.b")
-
 @mock.patch("oauthlib.oauth1.rfc5849.generate_timestamp")
 @mock.patch("oauthlib.oauth1.rfc5849.generate_nonce")
 def test_binary_upload(self, generate_nonce, generate_timestamp):
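Review bot: The rewritten return in the hunk at line 200 drops the only comment that explained why all three pieces are checked, leaving a bare boolean expression whose rationale a later reader has to reconstruct; keep it as `# HMAC and plaintext signing need the consumer secret and both halves of the access token`. Note also that the former RSA branch accepted a token without secrets, so with the branch gone any session still built with the RSA method evaluates to False here even after a successful token fetch; that is consistent with dropping RSA support, but it is the quiet failure mode to be aware of when deciding whether the constructor should reject that method outright. The property's decorator and `def` line (referenced as `sess.authorized` in the tests) are outside the hunk.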
@@ -279,52 +267,12 @@ class OAuth1SessionTest(unittest.TestCase):
 sess = OAuth1Session("foo")
 self.assertIs(sess.authorized, False)
- def test_authorized_false_rsa(self):
- signature = (
- "OAuth "
- 'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '
- 'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '
- 'oauth_signature="{sig}"'
- ).format(sig=TEST_RSA_OAUTH_SIGNATURE)
- sess = OAuth1Session(
- "foo", signature_method=SIGNATURE_RSA, rsa_key=TEST_RSA_KEY
- )
- sess.send = self.verify_signature(signature)
- self.assertIs(sess.authorized, False)
-
 def test_authorized_true(self):
 sess = OAuth1Session("key", "secret", verifier="bar")
 sess.send = self.fake_body("oauth_token=foo&oauth_token_secret=bar")
 sess.fetch_access_token("https://example.com/token")
 self.assertIs(sess.authorized, True)
- @mock.patch("oauthlib.oauth1.rfc5849.generate_timestamp")
- @mock.patch("oauthlib.oauth1.rfc5849.generate_nonce")
- def test_authorized_true_rsa(self, generate_nonce, generate_timestamp):
- if not cryptography:
- raise unittest.SkipTest("cryptography module is required")
- if not jwt:
- raise unittest.SkipTest("pyjwt module is required")
-
- generate_nonce.return_value = "abc"
- generate_timestamp.return_value = "123"
- signature = (
- "OAuth "
- 'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '
- 'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '
- 'oauth_verifier="bar", oauth_signature="{sig}"'
- ).format(sig=TEST_RSA_OAUTH_SIGNATURE)
- sess = OAuth1Session(
- "key",
- "secret",
- signature_method=SIGNATURE_RSA,
- rsa_key=TEST_RSA_KEY,
- verifier="bar",
- )
- sess.send = self.fake_body("oauth_token=foo&oauth_token_secret=bar")
- sess.fetch_access_token("https://example.com/token")
- self.assertIs(sess.authorized, True)
-
 def verify_signature(self, signature):
 def fake_send(r, **kwargs):
 auth_header = r.headers["Authorization"]
-- 
2.26.3