From 289f5bb346318d21ed70f747db0180bdb79a6d5d Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Sat, 3 Jul 2021 20:51:17 +0200

Subject: [PATCH] Don't use SIGNATURE_RSA

---

 requests_oauthlib/oauth1_session.py | 25 ++++++-------

 tests/test_oauth1_session.py        | 54 +----------------------------

 2 files changed, 11 insertions(+), 68 deletions(-)

diff --git a/requests_oauthlib/oauth1_session.py b/requests_oauthlib/oauth1_session.py

index aa17f28..ea3de69 100644

--- a/requests_oauthlib/oauth1_session.py

+++ b/requests_oauthlib/oauth1_session.py

@@ -9,7 +9,7 @@ import logging

 from oauthlib.common import add_params_to_uri

 from oauthlib.common import urldecode as _urldecode

-from oauthlib.oauth1 import SIGNATURE_HMAC, SIGNATURE_RSA, SIGNATURE_TYPE_AUTH_HEADER

+from oauthlib.oauth1 import SIGNATURE_HMAC, SIGNATURE_TYPE_AUTH_HEADER

 import requests

 from . import OAuth1

@@ -134,8 +134,7 @@ class OAuth1Session(requests.Session):

                              authorization.

         :param signature_method: Signature methods determine how the OAuth

                                  signature is created. The three options are

-                                 oauthlib.oauth1.SIGNATURE_HMAC (default),

-                                 oauthlib.oauth1.SIGNATURE_RSA and

+                                 oauthlib.oauth1.SIGNATURE_HMAC (default) and

                                  oauthlib.oauth1.SIGNATURE_PLAIN.

         :param signature_type: Signature type decides where the OAuth

                                parameters are added. Either in the

@@ -145,8 +144,9 @@ class OAuth1Session(requests.Session):

                                oauthlib.oauth1.SIGNATURE_TYPE_QUERY and

                                oauthlib.oauth1.SIGNATURE_TYPE_BODY

                                respectively.

-        :param rsa_key: The private RSA key as a string. Can only be used with

-                        signature_method=oauthlib.oauth1.SIGNATURE_RSA.

+        :param rsa_key: The private RSA key as a string. Because this version

+                        does not support signature_method=oauthlib.oauth1.SIGNATURE_RSA.

+                        this parameter is unused

         :param verifier: A verifier string to prove authorization was granted.

         :param client_class: A subclass of `oauthlib.oauth1.Client` to use with

                              `requests_oauthlib.OAuth1` instead of the default

@@ -200,16 +200,11 @@ class OAuth1Session(requests.Session):

         authentication dance before OAuth-protected requests to the resource

         will succeed.

         """

-        if self._client.client.signature_method == SIGNATURE_RSA:

-            # RSA only uses resource_owner_key

-            return bool(self._client.client.resource_owner_key)

-        else:

-            # other methods of authentication use all three pieces

-            return (

-                bool(self._client.client.client_secret)

-                and bool(self._client.client.resource_owner_key)

-                and bool(self._client.client.resource_owner_secret)

-            )

+        return (

+            bool(self._client.client.client_secret)

+            and bool(self._client.client.resource_owner_key)

+            and bool(self._client.client.resource_owner_secret)

+        )

     def authorization_url(self, url, request_token=None, **kwargs):

         """Create an authorization URL by appending request_token and optional

diff --git a/tests/test_oauth1_session.py b/tests/test_oauth1_session.py

index 1dd2b2f..88928e1 100644

--- a/tests/test_oauth1_session.py

+++ b/tests/test_oauth1_session.py

@@ -5,7 +5,7 @@ import requests

 from io import StringIO

 from oauthlib.oauth1 import SIGNATURE_TYPE_QUERY, SIGNATURE_TYPE_BODY

-from oauthlib.oauth1 import SIGNATURE_RSA, SIGNATURE_PLAINTEXT

+from oauthlib.oauth1 import SIGNATURE_PLAINTEXT

 from requests_oauthlib import OAuth1Session

 try:

@@ -117,18 +117,6 @@ class OAuth1SessionTest(unittest.TestCase):

         auth.send = self.verify_signature(signature)

         auth.post("https://i.b")

-        signature = (

-            "OAuth "

-            'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '

-            'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '

-            'oauth_signature="{sig}"'

-        ).format(sig=TEST_RSA_OAUTH_SIGNATURE)

-        auth = OAuth1Session(

-            "foo", signature_method=SIGNATURE_RSA, rsa_key=TEST_RSA_KEY

-        )

-        auth.send = self.verify_signature(signature)

-        auth.post("https://i.b")

-

     @mock.patch("oauthlib.oauth1.rfc5849.generate_timestamp")

     @mock.patch("oauthlib.oauth1.rfc5849.generate_nonce")

     def test_binary_upload(self, generate_nonce, generate_timestamp):

@@ -279,52 +267,12 @@ class OAuth1SessionTest(unittest.TestCase):

         sess = OAuth1Session("foo")

         self.assertIs(sess.authorized, False)

-    def test_authorized_false_rsa(self):

-        signature = (

-            "OAuth "

-            'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '

-            'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '

-            'oauth_signature="{sig}"'

-        ).format(sig=TEST_RSA_OAUTH_SIGNATURE)

-        sess = OAuth1Session(

-            "foo", signature_method=SIGNATURE_RSA, rsa_key=TEST_RSA_KEY

-        )

-        sess.send = self.verify_signature(signature)

-        self.assertIs(sess.authorized, False)

-

     def test_authorized_true(self):

         sess = OAuth1Session("key", "secret", verifier="bar")

         sess.send = self.fake_body("oauth_token=foo&oauth_token_secret=bar")

         sess.fetch_access_token("https://example.com/token")

         self.assertIs(sess.authorized, True)

-    @mock.patch("oauthlib.oauth1.rfc5849.generate_timestamp")

-    @mock.patch("oauthlib.oauth1.rfc5849.generate_nonce")

-    def test_authorized_true_rsa(self, generate_nonce, generate_timestamp):

-        if not cryptography:

-            raise unittest.SkipTest("cryptography module is required")

-        if not jwt:

-            raise unittest.SkipTest("pyjwt module is required")

-

-        generate_nonce.return_value = "abc"

-        generate_timestamp.return_value = "123"

-        signature = (

-            "OAuth "

-            'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '

-            'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '

-            'oauth_verifier="bar", oauth_signature="{sig}"'

-        ).format(sig=TEST_RSA_OAUTH_SIGNATURE)

-        sess = OAuth1Session(

-            "key",

-            "secret",

-            signature_method=SIGNATURE_RSA,

-            rsa_key=TEST_RSA_KEY,

-            verifier="bar",

-        )

-        sess.send = self.fake_body("oauth_token=foo&oauth_token_secret=bar")

-        sess.fetch_access_token("https://example.com/token")

-        self.assertIs(sess.authorized, True)

-

     def verify_signature(self, signature):

         def fake_send(r, **kwargs):

             auth_header = r.headers["Authorization"]

-- 

2.26.3