python-requests-oauthlib/SOURCES/0002-Don-t-use-SIGNATURE_RS...

From 289f5bb346318d21ed70f747db0180bdb79a6d5d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sat, 3 Jul 2021 20:51:17 +0200
Subject: [PATCH] Don't use SIGNATURE_RSA

---
 requests_oauthlib/oauth1_session.py | 25 ++++++-------
 tests/test_oauth1_session.py        | 54 +----------------------------
 2 files changed, 11 insertions(+), 68 deletions(-)

diff --git a/requests_oauthlib/oauth1_session.py b/requests_oauthlib/oauth1_session.py
index aa17f28..ea3de69 100644
--- a/requests_oauthlib/oauth1_session.py
+++ b/requests_oauthlib/oauth1_session.py
@@ -9,7 +9,7 @@ import logging
 
 from oauthlib.common import add_params_to_uri
 from oauthlib.common import urldecode as _urldecode
-from oauthlib.oauth1 import SIGNATURE_HMAC, SIGNATURE_RSA, SIGNATURE_TYPE_AUTH_HEADER
+from oauthlib.oauth1 import SIGNATURE_HMAC, SIGNATURE_TYPE_AUTH_HEADER
 import requests
 
 from . import OAuth1
@@ -134,8 +134,7 @@ class OAuth1Session(requests.Session):
                              authorization.
         :param signature_method: Signature methods determine how the OAuth
                                  signature is created. The three options are
-                                 oauthlib.oauth1.SIGNATURE_HMAC (default),
-                                 oauthlib.oauth1.SIGNATURE_RSA and
+                                 oauthlib.oauth1.SIGNATURE_HMAC (default) and
                                  oauthlib.oauth1.SIGNATURE_PLAIN.
         :param signature_type: Signature type decides where the OAuth
                                parameters are added. Either in the
@@ -145,8 +144,9 @@ class OAuth1Session(requests.Session):
                                oauthlib.oauth1.SIGNATURE_TYPE_QUERY and
                                oauthlib.oauth1.SIGNATURE_TYPE_BODY
                                respectively.
-        :param rsa_key: The private RSA key as a string. Can only be used with
-                        signature_method=oauthlib.oauth1.SIGNATURE_RSA.
+        :param rsa_key: The private RSA key as a string. Because this version
+                        does not support signature_method=oauthlib.oauth1.SIGNATURE_RSA.
+                        this parameter is unused
         :param verifier: A verifier string to prove authorization was granted.
         :param client_class: A subclass of `oauthlib.oauth1.Client` to use with
                              `requests_oauthlib.OAuth1` instead of the default
@@ -200,16 +200,11 @@ class OAuth1Session(requests.Session):
         authentication dance before OAuth-protected requests to the resource
         will succeed.
         """
-        if self._client.client.signature_method == SIGNATURE_RSA:
-            # RSA only uses resource_owner_key
-            return bool(self._client.client.resource_owner_key)
-        else:
-            # other methods of authentication use all three pieces
-            return (
-                bool(self._client.client.client_secret)
-                and bool(self._client.client.resource_owner_key)
-                and bool(self._client.client.resource_owner_secret)
-            )
+        return (
+            bool(self._client.client.client_secret)
+            and bool(self._client.client.resource_owner_key)
+            and bool(self._client.client.resource_owner_secret)
+        )
 
     def authorization_url(self, url, request_token=None, **kwargs):
         """Create an authorization URL by appending request_token and optional
diff --git a/tests/test_oauth1_session.py b/tests/test_oauth1_session.py
index 1dd2b2f..88928e1 100644
--- a/tests/test_oauth1_session.py
+++ b/tests/test_oauth1_session.py
@@ -5,7 +5,7 @@ import requests
 from io import StringIO
 
 from oauthlib.oauth1 import SIGNATURE_TYPE_QUERY, SIGNATURE_TYPE_BODY
-from oauthlib.oauth1 import SIGNATURE_RSA, SIGNATURE_PLAINTEXT
+from oauthlib.oauth1 import SIGNATURE_PLAINTEXT
 from requests_oauthlib import OAuth1Session
 
 try:
@@ -117,18 +117,6 @@ class OAuth1SessionTest(unittest.TestCase):
         auth.send = self.verify_signature(signature)
         auth.post("https://i.b")
 
-        signature = (
-            "OAuth "
-            'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '
-            'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '
-            'oauth_signature="{sig}"'
-        ).format(sig=TEST_RSA_OAUTH_SIGNATURE)
-        auth = OAuth1Session(
-            "foo", signature_method=SIGNATURE_RSA, rsa_key=TEST_RSA_KEY
-        )
-        auth.send = self.verify_signature(signature)
-        auth.post("https://i.b")
-
     @mock.patch("oauthlib.oauth1.rfc5849.generate_timestamp")
     @mock.patch("oauthlib.oauth1.rfc5849.generate_nonce")
     def test_binary_upload(self, generate_nonce, generate_timestamp):
@@ -279,52 +267,12 @@ class OAuth1SessionTest(unittest.TestCase):
         sess = OAuth1Session("foo")
         self.assertIs(sess.authorized, False)
 
-    def test_authorized_false_rsa(self):
-        signature = (
-            "OAuth "
-            'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '
-            'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '
-            'oauth_signature="{sig}"'
-        ).format(sig=TEST_RSA_OAUTH_SIGNATURE)
-        sess = OAuth1Session(
-            "foo", signature_method=SIGNATURE_RSA, rsa_key=TEST_RSA_KEY
-        )
-        sess.send = self.verify_signature(signature)
-        self.assertIs(sess.authorized, False)
-
     def test_authorized_true(self):
         sess = OAuth1Session("key", "secret", verifier="bar")
         sess.send = self.fake_body("oauth_token=foo&oauth_token_secret=bar")
         sess.fetch_access_token("https://example.com/token")
         self.assertIs(sess.authorized, True)
 
-    @mock.patch("oauthlib.oauth1.rfc5849.generate_timestamp")
-    @mock.patch("oauthlib.oauth1.rfc5849.generate_nonce")
-    def test_authorized_true_rsa(self, generate_nonce, generate_timestamp):
-        if not cryptography:
-            raise unittest.SkipTest("cryptography module is required")
-        if not jwt:
-            raise unittest.SkipTest("pyjwt module is required")
-
-        generate_nonce.return_value = "abc"
-        generate_timestamp.return_value = "123"
-        signature = (
-            "OAuth "
-            'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '
-            'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '
-            'oauth_verifier="bar", oauth_signature="{sig}"'
-        ).format(sig=TEST_RSA_OAUTH_SIGNATURE)
-        sess = OAuth1Session(
-            "key",
-            "secret",
-            signature_method=SIGNATURE_RSA,
-            rsa_key=TEST_RSA_KEY,
-            verifier="bar",
-        )
-        sess.send = self.fake_body("oauth_token=foo&oauth_token_secret=bar")
-        sess.fetch_access_token("https://example.com/token")
-        self.assertIs(sess.authorized, True)
-
     def verify_signature(self, signature):
         def fake_send(r, **kwargs):
             auth_header = r.headers["Authorization"]
-- 
2.26.3
import python-requests-oauthlib-1.3.0-12.el9 3 years ago			`From 289f5bb346318d21ed70f747db0180bdb79a6d5d Mon Sep 17 00:00:00 2001`
			`From: Jakub Hrozek <jhrozek@redhat.com>`
			`Date: Sat, 3 Jul 2021 20:51:17 +0200`
			`Subject: [PATCH] Don't use SIGNATURE_RSA`

			`---`
			`requests_oauthlib/oauth1_session.py \| 25 ++++++-------`
			`tests/test_oauth1_session.py \| 54 +----------------------------`
			`2 files changed, 11 insertions(+), 68 deletions(-)`

			`diff --git a/requests_oauthlib/oauth1_session.py b/requests_oauthlib/oauth1_session.py`
			`index aa17f28..ea3de69 100644`
			`--- a/requests_oauthlib/oauth1_session.py`
			`+++ b/requests_oauthlib/oauth1_session.py`
			`@@ -9,7 +9,7 @@ import logging`

			`from oauthlib.common import add_params_to_uri`
			`from oauthlib.common import urldecode as _urldecode`
			`-from oauthlib.oauth1 import SIGNATURE_HMAC, SIGNATURE_RSA, SIGNATURE_TYPE_AUTH_HEADER`
			`+from oauthlib.oauth1 import SIGNATURE_HMAC, SIGNATURE_TYPE_AUTH_HEADER`
			`import requests`

			`from . import OAuth1`
			`@@ -134,8 +134,7 @@ class OAuth1Session(requests.Session):`
			`authorization.`
			`:param signature_method: Signature methods determine how the OAuth`
			`signature is created. The three options are`
			`- oauthlib.oauth1.SIGNATURE_HMAC (default),`
			`- oauthlib.oauth1.SIGNATURE_RSA and`
			`+ oauthlib.oauth1.SIGNATURE_HMAC (default) and`
			`oauthlib.oauth1.SIGNATURE_PLAIN.`
			`:param signature_type: Signature type decides where the OAuth`
			`parameters are added. Either in the`
			`@@ -145,8 +144,9 @@ class OAuth1Session(requests.Session):`
			`oauthlib.oauth1.SIGNATURE_TYPE_QUERY and`
			`oauthlib.oauth1.SIGNATURE_TYPE_BODY`
			`respectively.`
			`- :param rsa_key: The private RSA key as a string. Can only be used with`
			`- signature_method=oauthlib.oauth1.SIGNATURE_RSA.`
			`+ :param rsa_key: The private RSA key as a string. Because this version`
			`+ does not support signature_method=oauthlib.oauth1.SIGNATURE_RSA.`
			`+ this parameter is unused`
			`:param verifier: A verifier string to prove authorization was granted.`
			:param client_class: A subclass of `oauthlib.oauth1.Client` to use with
			`requests_oauthlib.OAuth1` instead of the default
			`@@ -200,16 +200,11 @@ class OAuth1Session(requests.Session):`
			`authentication dance before OAuth-protected requests to the resource`
			`will succeed.`
			`"""`
			`- if self._client.client.signature_method == SIGNATURE_RSA:`
			`- # RSA only uses resource_owner_key`
			`- return bool(self._client.client.resource_owner_key)`
			`- else:`
			`- # other methods of authentication use all three pieces`
			`- return (`
			`- bool(self._client.client.client_secret)`
			`- and bool(self._client.client.resource_owner_key)`
			`- and bool(self._client.client.resource_owner_secret)`
			`- )`
			`+ return (`
			`+ bool(self._client.client.client_secret)`
			`+ and bool(self._client.client.resource_owner_key)`
			`+ and bool(self._client.client.resource_owner_secret)`
			`+ )`

			`def authorization_url(self, url, request_token=None, **kwargs):`
			`"""Create an authorization URL by appending request_token and optional`
			`diff --git a/tests/test_oauth1_session.py b/tests/test_oauth1_session.py`
			`index 1dd2b2f..88928e1 100644`
			`--- a/tests/test_oauth1_session.py`
			`+++ b/tests/test_oauth1_session.py`
			`@@ -5,7 +5,7 @@ import requests`
			`from io import StringIO`

			`from oauthlib.oauth1 import SIGNATURE_TYPE_QUERY, SIGNATURE_TYPE_BODY`
			`-from oauthlib.oauth1 import SIGNATURE_RSA, SIGNATURE_PLAINTEXT`
			`+from oauthlib.oauth1 import SIGNATURE_PLAINTEXT`
			`from requests_oauthlib import OAuth1Session`

			`try:`
			`@@ -117,18 +117,6 @@ class OAuth1SessionTest(unittest.TestCase):`
			`auth.send = self.verify_signature(signature)`
			`auth.post("https://i.b")`

			`- signature = (`
			`- "OAuth "`
			`- 'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '`
			`- 'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '`
			`- 'oauth_signature="{sig}"'`
			`- ).format(sig=TEST_RSA_OAUTH_SIGNATURE)`
			`- auth = OAuth1Session(`
			`- "foo", signature_method=SIGNATURE_RSA, rsa_key=TEST_RSA_KEY`
			`- )`
			`- auth.send = self.verify_signature(signature)`
			`- auth.post("https://i.b")`
			`-`
			`@mock.patch("oauthlib.oauth1.rfc5849.generate_timestamp")`
			`@mock.patch("oauthlib.oauth1.rfc5849.generate_nonce")`
			`def test_binary_upload(self, generate_nonce, generate_timestamp):`
			`@@ -279,52 +267,12 @@ class OAuth1SessionTest(unittest.TestCase):`
			`sess = OAuth1Session("foo")`
			`self.assertIs(sess.authorized, False)`

			`- def test_authorized_false_rsa(self):`
			`- signature = (`
			`- "OAuth "`
			`- 'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '`
			`- 'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '`
			`- 'oauth_signature="{sig}"'`
			`- ).format(sig=TEST_RSA_OAUTH_SIGNATURE)`
			`- sess = OAuth1Session(`
			`- "foo", signature_method=SIGNATURE_RSA, rsa_key=TEST_RSA_KEY`
			`- )`
			`- sess.send = self.verify_signature(signature)`
			`- self.assertIs(sess.authorized, False)`
			`-`
			`def test_authorized_true(self):`
			`sess = OAuth1Session("key", "secret", verifier="bar")`
			`sess.send = self.fake_body("oauth_token=foo&oauth_token_secret=bar")`
			`sess.fetch_access_token("https://example.com/token")`
			`self.assertIs(sess.authorized, True)`

			`- @mock.patch("oauthlib.oauth1.rfc5849.generate_timestamp")`
			`- @mock.patch("oauthlib.oauth1.rfc5849.generate_nonce")`
			`- def test_authorized_true_rsa(self, generate_nonce, generate_timestamp):`
			`- if not cryptography:`
			`- raise unittest.SkipTest("cryptography module is required")`
			`- if not jwt:`
			`- raise unittest.SkipTest("pyjwt module is required")`
			`-`
			`- generate_nonce.return_value = "abc"`
			`- generate_timestamp.return_value = "123"`
			`- signature = (`
			`- "OAuth "`
			`- 'oauth_nonce="abc", oauth_timestamp="123", oauth_version="1.0", '`
			`- 'oauth_signature_method="RSA-SHA1", oauth_consumer_key="foo", '`
			`- 'oauth_verifier="bar", oauth_signature="{sig}"'`
			`- ).format(sig=TEST_RSA_OAUTH_SIGNATURE)`
			`- sess = OAuth1Session(`
			`- "key",`
			`- "secret",`
			`- signature_method=SIGNATURE_RSA,`
			`- rsa_key=TEST_RSA_KEY,`
			`- verifier="bar",`
			`- )`
			`- sess.send = self.fake_body("oauth_token=foo&oauth_token_secret=bar")`
			`- sess.fetch_access_token("https://example.com/token")`
			`- self.assertIs(sess.authorized, True)`
			`-`
			`def verify_signature(self, signature):`
			`def fake_send(r, **kwargs):`
			`auth_header = r.headers["Authorization"]`
			`--`
			`2.26.3`