// OAuth 1.0 consumer implementation.
// See http://www.oauth.net and RFC 5849
//
// There are typically three parties involved in an OAuth exchange:
//      (1) The "Service Provider" (e.g. Google, Twitter, NetFlix) who operates the
//          service where the data resides.
//      (2) The "End User" who owns that data, and wants to grant access to a third-party.
//      (3) That third-party who wants access to the data (after first being authorized by
//          the user). This third-party is referred to as the "Consumer" in OAuth
//          terminology.
//
// This library is designed to help implement the third-party consumer by handling the
// low-level authentication tasks, and allowing for authenticated requests to the
// service provider on behalf of the user.
//
// Caveats:
//      - Currently only supports HMAC and RSA signatures.
//      - Currently only supports SHA1 and SHA256 hashes.
//      - Currently only supports OAuth 1.0
//
// Overview of how to use this library:
//      (1) First create a new Consumer instance with the NewConsumer function
//      (2) Get a RequestToken, and "authorization url" from GetRequestTokenAndUrl()
//      (3) Save the RequestToken, you will need it again in step 6.
//      (4) Redirect the user to the "authorization url" from step 2, where they will
//          authorize your access to the service provider.
//      (5) Wait. You will be called back on the CallbackUrl that you provide, and you
//          will recieve a "verification code".
//      (6) Call AuthorizeToken() with the RequestToken from step 2 and the
//          "verification code" from step 5.
//      (7) You will get back an AccessToken.  Save this for as long as you need access
//          to the user's data, and treat it like a password; it is a secret.
//      (8) You can now throw away the RequestToken from step 2, it is no longer
//          necessary.
//      (9) Call "MakeHttpClient" using the AccessToken from step 7 to get an
//          HTTP client which can access protected resources.
package oauth

import (
	"bytes"
	"crypto"
	"crypto/hmac"
	cryptoRand "crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"io/ioutil"
	"math/rand"
	"mime/multipart"
	"net/http"
	"net/url"
	"sort"
	"strconv"
	"strings"
	"sync"
	"time"
)

const (
	OAUTH_VERSION         = "1.0"
	SIGNATURE_METHOD_HMAC = "HMAC-"
	SIGNATURE_METHOD_RSA  = "RSA-"

	HTTP_AUTH_HEADER       = "Authorization"
	OAUTH_HEADER           = "OAuth "
	BODY_HASH_PARAM        = "oauth_body_hash"
	CALLBACK_PARAM         = "oauth_callback"
	CONSUMER_KEY_PARAM     = "oauth_consumer_key"
	NONCE_PARAM            = "oauth_nonce"
	SESSION_HANDLE_PARAM   = "oauth_session_handle"
	SIGNATURE_METHOD_PARAM = "oauth_signature_method"
	SIGNATURE_PARAM        = "oauth_signature"
	TIMESTAMP_PARAM        = "oauth_timestamp"
	TOKEN_PARAM            = "oauth_token"
	TOKEN_SECRET_PARAM     = "oauth_token_secret"
	VERIFIER_PARAM         = "oauth_verifier"
	VERSION_PARAM          = "oauth_version"
)

var HASH_METHOD_MAP = map[crypto.Hash]string{
	crypto.SHA1:   "SHA1",
	crypto.SHA256: "SHA256",
}

// TODO(mrjones) Do we definitely want separate "Request" and "Access" token classes?
// They're identical structurally, but used for different purposes.
type RequestToken struct {
	Token  string
	Secret string
}

type AccessToken struct {
	Token          string
	Secret         string
	AdditionalData map[string]string
}

type DataLocation int

const (
	LOC_BODY DataLocation = iota + 1
	LOC_URL
	LOC_MULTIPART
	LOC_JSON
	LOC_XML
)

// Information about how to contact the service provider (see #1 above).
// You usually find all of these URLs by reading the documentation for the service
// that you're trying to connect to.
// Some common examples are:
//      (1) Google, standard APIs:
//          http://code.google.com/apis/accounts/docs/OAuth_ref.html
//          - RequestTokenUrl:   https://www.google.com/accounts/OAuthGetRequestToken
//          - AuthorizeTokenUrl: https://www.google.com/accounts/OAuthAuthorizeToken
//          - AccessTokenUrl:    https://www.google.com/accounts/OAuthGetAccessToken
//          Note: Some Google APIs (for example, Google Latitude) use different values for
//          one or more of those URLs.
//      (2) Twitter API:
//          http://dev.twitter.com/pages/auth
//          - RequestTokenUrl:   http://api.twitter.com/oauth/request_token
//          - AuthorizeTokenUrl: https://api.twitter.com/oauth/authorize
//          - AccessTokenUrl:    https://api.twitter.com/oauth/access_token
//      (3) NetFlix API:
//          http://developer.netflix.com/docs/Security
//          - RequestTokenUrl:   http://api.netflix.com/oauth/request_token
//          - AuthroizeTokenUrl: https://api-user.netflix.com/oauth/login
//          - AccessTokenUrl:    http://api.netflix.com/oauth/access_token
// Set HttpMethod if the service provider requires a different HTTP method
// to be used for OAuth token requests
type ServiceProvider struct {
	RequestTokenUrl   string
	AuthorizeTokenUrl string
	AccessTokenUrl    string
	HttpMethod        string
	BodyHash          bool
	IgnoreTimestamp   bool

	// Enables non spec-compliant behavior:
	// Allow parameters to be passed in the query string rather
	// than the body.
	// See https://github.com/mrjones/oauth/pull/63
	SignQueryParams   bool
}

func (sp *ServiceProvider) httpMethod() string {
	if sp.HttpMethod != "" {
		return sp.HttpMethod
	}

	return "GET"
}

// lockedNonceGenerator wraps a non-reentrant random number generator with a
// lock
type lockedNonceGenerator struct {
	nonceGenerator nonceGenerator
	lock           sync.Mutex
}

func newLockedNonceGenerator(c clock) *lockedNonceGenerator {
	return &lockedNonceGenerator{
		nonceGenerator: rand.New(rand.NewSource(c.Nanos())),
	}
}

func (n *lockedNonceGenerator) Int63() int64 {
	n.lock.Lock()
	r := n.nonceGenerator.Int63()
	n.lock.Unlock()
	return r
}

// Consumers are stateless, you can call the various methods (GetRequestTokenAndUrl,
// AuthorizeToken, and Get) on various different instances of Consumers *as long as
// they were set up in the same way.* It is up to you, as the caller to persist the
// necessary state (RequestTokens and AccessTokens).
type Consumer struct {
	// Some ServiceProviders require extra parameters to be passed for various reasons.
	// For example Google APIs require you to set a scope= parameter to specify how much
	// access is being granted.  The proper values for scope= depend on the service:
	// For more, see: http://code.google.com/apis/accounts/docs/OAuth.html#prepScope
	AdditionalParams map[string]string

	// The rest of this class is configured via the NewConsumer function.
	consumerKey     string
	serviceProvider ServiceProvider

	// Some APIs (e.g. Netflix) aren't quite standard OAuth, and require passing
	// additional parameters when authorizing the request token. For most APIs
	// this field can be ignored.  For Netflix, do something like:
	// 	consumer.AdditionalAuthorizationUrlParams = map[string]string{
	// 		"application_name":   "YourAppName",
	// 		"oauth_consumer_key": "YourConsumerKey",
	// 	}
	AdditionalAuthorizationUrlParams map[string]string

	debug bool

	// Defaults to http.Client{}, can be overridden (e.g. for testing) as necessary
	HttpClient HttpClient

	// Some APIs (e.g. Intuit/Quickbooks) require sending additional headers along with
	// requests. (like "Accept" to specify the response type as XML or JSON) Note that this
	// will only *add* headers, not set existing ones.
	AdditionalHeaders map[string][]string

	// Private seams for mocking dependencies when testing
	clock clock
	// Seeded generators are not reentrant
	nonceGenerator nonceGenerator
	signer         signer
}

func newConsumer(consumerKey string, serviceProvider ServiceProvider, httpClient *http.Client) *Consumer {
	clock := &defaultClock{}
	if httpClient == nil {
		httpClient = &http.Client{}
	}
	return &Consumer{
		consumerKey:     consumerKey,
		serviceProvider: serviceProvider,
		clock:           clock,
		HttpClient:      httpClient,
		nonceGenerator:  newLockedNonceGenerator(clock),

		AdditionalParams:                 make(map[string]string),
		AdditionalAuthorizationUrlParams: make(map[string]string),
	}
}

// Creates a new Consumer instance, with a HMAC-SHA1 signer
//      - consumerKey and consumerSecret:
//        values you should obtain from the ServiceProvider when you register your
//        application.
//
//      - serviceProvider:
//        see the documentation for ServiceProvider for how to create this.
//
func NewConsumer(consumerKey string, consumerSecret string,
	serviceProvider ServiceProvider) *Consumer {
	consumer := newConsumer(consumerKey, serviceProvider, nil)

	consumer.signer = &HMACSigner{
		consumerSecret: consumerSecret,
		hashFunc:       crypto.SHA1,
	}

	return consumer
}

// Creates a new Consumer instance, with a HMAC-SHA1 signer
//      - consumerKey and consumerSecret:
//        values you should obtain from the ServiceProvider when you register your
//        application.
//
//      - serviceProvider:
//        see the documentation for ServiceProvider for how to create this.
//
//		- httpClient:
//		  Provides a custom implementation of the httpClient used under the hood
//		  to make the request.  This is especially useful if you want to use
//		  Google App Engine.
//
func NewCustomHttpClientConsumer(consumerKey string, consumerSecret string,
	serviceProvider ServiceProvider, httpClient *http.Client) *Consumer {
	consumer := newConsumer(consumerKey, serviceProvider, httpClient)

	consumer.signer = &HMACSigner{
		consumerSecret: consumerSecret,
		hashFunc:       crypto.SHA1,
	}

	return consumer
}

// Creates a new Consumer instance, with a HMAC signer
//      - consumerKey and consumerSecret:
//        values you should obtain from the ServiceProvider when you register your
//        application.
//
//      - hashFunc:
//        the crypto.Hash to use for signatures
//
//      - serviceProvider:
//        see the documentation for ServiceProvider for how to create this.
//
//      - httpClient:
//        Provides a custom implementation of the httpClient used under the hood
//        to make the request.  This is especially useful if you want to use
//        Google App Engine. Can be nil for default.
//
func NewCustomConsumer(consumerKey string, consumerSecret string,
	hashFunc crypto.Hash, serviceProvider ServiceProvider,
	httpClient *http.Client) *Consumer {
	consumer := newConsumer(consumerKey, serviceProvider, httpClient)

	consumer.signer = &HMACSigner{
		consumerSecret: consumerSecret,
		hashFunc:       hashFunc,
	}

	return consumer
}

// Creates a new Consumer instance, with a RSA-SHA1 signer
//      - consumerKey:
//        value you should obtain from the ServiceProvider when you register your
//        application.
//
//      - privateKey:
//        the private key to use for signatures
//
//      - serviceProvider:
//        see the documentation for ServiceProvider for how to create this.
//
func NewRSAConsumer(consumerKey string, privateKey *rsa.PrivateKey,
	serviceProvider ServiceProvider) *Consumer {
	consumer := newConsumer(consumerKey, serviceProvider, nil)

	consumer.signer = &RSASigner{
		privateKey: privateKey,
		hashFunc:   crypto.SHA1,
		rand:       cryptoRand.Reader,
	}

	return consumer
}

// Creates a new Consumer instance, with a RSA signer
//      - consumerKey:
//        value you should obtain from the ServiceProvider when you register your
//        application.
//
//      - privateKey:
//        the private key to use for signatures
//
//      - hashFunc:
//        the crypto.Hash to use for signatures
//
//      - serviceProvider:
//        see the documentation for ServiceProvider for how to create this.
//
//      - httpClient:
//        Provides a custom implementation of the httpClient used under the hood
//        to make the request.  This is especially useful if you want to use
//        Google App Engine. Can be nil for default.
//
func NewCustomRSAConsumer(consumerKey string, privateKey *rsa.PrivateKey,
	hashFunc crypto.Hash, serviceProvider ServiceProvider,
	httpClient *http.Client) *Consumer {
	consumer := newConsumer(consumerKey, serviceProvider, httpClient)

	consumer.signer = &RSASigner{
		privateKey: privateKey,
		hashFunc:   hashFunc,
		rand:       cryptoRand.Reader,
	}

	return consumer
}

// Kicks off the OAuth authorization process.
//      - callbackUrl:
//        Authorizing a token *requires* redirecting to the service provider. This is the
//        URL which the service provider will redirect the user back to after that
//        authorization is completed. The service provider will pass back a verification
//        code which is necessary to complete the rest of the process (in AuthorizeToken).
//        Notes on callbackUrl:
//          - Some (all?) service providers allow for setting "oob" (for out-of-band) as a
//            callback url.  If this is set the service provider will present the
//            verification code directly to the user, and you must provide a place for
//            them to copy-and-paste it into.
//          - Otherwise, the user will be redirected to callbackUrl in the browser, and
//            will append a "oauth_verifier=<verifier>" parameter.
//
// This function returns:
//      - rtoken:
//        A temporary RequestToken, used during the authorization process. You must save
//        this since it will be necessary later in the process when calling
//        AuthorizeToken().
//
//      - url:
//        A URL that you should redirect the user to in order that they may authorize you
//        to the service provider.
//
//      - err:
//        Set only if there was an error, nil otherwise.
func (c *Consumer) GetRequestTokenAndUrl(callbackUrl string) (rtoken *RequestToken, loginUrl string, err error) {
	return c.GetRequestTokenAndUrlWithParams(callbackUrl, c.AdditionalParams)
}

func (c *Consumer) GetRequestTokenAndUrlWithParams(callbackUrl string, additionalParams map[string]string) (rtoken *RequestToken, loginUrl string, err error) {
	params := c.baseParams(c.consumerKey, additionalParams)
	if callbackUrl != "" {
		params.Add(CALLBACK_PARAM, callbackUrl)
	}

	req := &request{
		method:      c.serviceProvider.httpMethod(),
		url:         c.serviceProvider.RequestTokenUrl,
		oauthParams: params,
	}
	if _, err := c.signRequest(req, ""); err != nil { // We don't have a token secret for the key yet
		return nil, "", err
	}

	resp, err := c.getBody(c.serviceProvider.httpMethod(), c.serviceProvider.RequestTokenUrl, params)
	if err != nil {
		return nil, "", errors.New("getBody: " + err.Error())
	}

	requestToken, err := parseRequestToken(*resp)
	if err != nil {
		return nil, "", errors.New("parseRequestToken: " + err.Error())
	}

	loginParams := make(url.Values)
	for k, v := range c.AdditionalAuthorizationUrlParams {
		loginParams.Set(k, v)
	}
	loginParams.Set(TOKEN_PARAM, requestToken.Token)

	loginUrl = c.serviceProvider.AuthorizeTokenUrl + "?" + loginParams.Encode()

	return requestToken, loginUrl, nil
}

// After the user has authorized you to the service provider, use this method to turn
// your temporary RequestToken into a permanent AccessToken. You must pass in two values:
//      - rtoken:
//        The RequestToken returned from GetRequestTokenAndUrl()
//
//      - verificationCode:
//        The string which passed back from the server, either as the oauth_verifier
//        query param appended to callbackUrl *OR* a string manually entered by the user
//        if callbackUrl is "oob"
//
// It will return:
//      - atoken:
//        A permanent AccessToken which can be used to access the user's data (until it is
//        revoked by the user or the service provider).
//
//      - err:
//        Set only if there was an error, nil otherwise.
func (c *Consumer) AuthorizeToken(rtoken *RequestToken, verificationCode string) (atoken *AccessToken, err error) {
	return c.AuthorizeTokenWithParams(rtoken, verificationCode, c.AdditionalParams)
}

func (c *Consumer) AuthorizeTokenWithParams(rtoken *RequestToken, verificationCode string, additionalParams map[string]string) (atoken *AccessToken, err error) {
	params := map[string]string{
		VERIFIER_PARAM: verificationCode,
		TOKEN_PARAM:    rtoken.Token,
	}
	return c.makeAccessTokenRequestWithParams(params, rtoken.Secret, additionalParams)
}

// Use the service provider to refresh the AccessToken for a given session.
// Note that this is only supported for service providers that manage an
// authorization session (e.g. Yahoo).
//
// Most providers do not return the SESSION_HANDLE_PARAM needed to refresh
// the token.
//
// See http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html
// for more information.
//      - accessToken:
//        The AccessToken returned from AuthorizeToken()
//
// It will return:
//      - atoken:
//        An AccessToken which can be used to access the user's data (until it is
//        revoked by the user or the service provider).
//
//      - err:
//        Set if accessToken does not contain the SESSION_HANDLE_PARAM needed to
//        refresh the token, or if an error occurred when making the request.
func (c *Consumer) RefreshToken(accessToken *AccessToken) (atoken *AccessToken, err error) {
	params := make(map[string]string)
	sessionHandle, ok := accessToken.AdditionalData[SESSION_HANDLE_PARAM]
	if !ok {
		return nil, errors.New("Missing " + SESSION_HANDLE_PARAM + " in access token.")
	}
	params[SESSION_HANDLE_PARAM] = sessionHandle
	params[TOKEN_PARAM] = accessToken.Token

	return c.makeAccessTokenRequest(params, accessToken.Secret)
}

// Use the service provider to obtain an AccessToken for a given session
//      - params:
//        The access token request paramters.
//
//      - secret:
//        Secret key to use when signing the access token request.
//
// It will return:
//      - atoken
//        An AccessToken which can be used to access the user's data (until it is
//        revoked by the user or the service provider).
//
//      - err:
//        Set only if there was an error, nil otherwise.
func (c *Consumer) makeAccessTokenRequest(params map[string]string, secret string) (atoken *AccessToken, err error) {
	return c.makeAccessTokenRequestWithParams(params, secret, c.AdditionalParams)
}

func (c *Consumer) makeAccessTokenRequestWithParams(params map[string]string, secret string, additionalParams map[string]string) (atoken *AccessToken, err error) {
	orderedParams := c.baseParams(c.consumerKey, additionalParams)
	for key, value := range params {
		orderedParams.Add(key, value)
	}

	req := &request{
		method:      c.serviceProvider.httpMethod(),
		url:         c.serviceProvider.AccessTokenUrl,
		oauthParams: orderedParams,
	}
	if _, err := c.signRequest(req, secret); err != nil {
		return nil, err
	}

	resp, err := c.getBody(c.serviceProvider.httpMethod(), c.serviceProvider.AccessTokenUrl, orderedParams)
	if err != nil {
		return nil, err
	}

	return parseAccessToken(*resp)
}

type RoundTripper struct {
	consumer *Consumer
	token    *AccessToken
}

func (c *Consumer) MakeRoundTripper(token *AccessToken) (*RoundTripper, error) {
	return &RoundTripper{consumer: c, token: token}, nil
}

func (c *Consumer) MakeHttpClient(token *AccessToken) (*http.Client, error) {
	return &http.Client{
		Transport: &RoundTripper{consumer: c, token: token},
	}, nil
}

// ** DEPRECATED **
// Please call Get on the http client returned by MakeHttpClient instead!
//
// Executes an HTTP Get, authorized via the AccessToken.
//      - url:
//        The base url, without any query params, which is being accessed
//
//      - userParams:
//        Any key=value params to be included in the query string
//
//      - token:
//        The AccessToken returned by AuthorizeToken()
//
// This method returns:
//      - resp:
//        The HTTP Response resulting from making this request.
//
//      - err:
//        Set only if there was an error, nil otherwise.
func (c *Consumer) Get(url string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) {
	return c.makeAuthorizedRequest("GET", url, LOC_URL, "", userParams, token)
}

func encodeUserParams(userParams map[string]string) string {
	data := url.Values{}
	for k, v := range userParams {
		data.Add(k, v)
	}
	return data.Encode()
}

// ** DEPRECATED **
// Please call "Post" on the http client returned by MakeHttpClient instead
func (c *Consumer) PostForm(url string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) {
	return c.PostWithBody(url, "", userParams, token)
}

// ** DEPRECATED **
// Please call "Post" on the http client returned by MakeHttpClient instead
func (c *Consumer) Post(url string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) {
	return c.PostWithBody(url, "", userParams, token)
}

// ** DEPRECATED **
// Please call "Post" on the http client returned by MakeHttpClient instead
func (c *Consumer) PostWithBody(url string, body string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) {
	return c.makeAuthorizedRequest("POST", url, LOC_BODY, body, userParams, token)
}

// ** DEPRECATED **
// Please call "Do" on the http client returned by MakeHttpClient instead
// (and set the "Content-Type" header explicitly in the http.Request)
func (c *Consumer) PostJson(url string, body string, token *AccessToken) (resp *http.Response, err error) {
	return c.makeAuthorizedRequest("POST", url, LOC_JSON, body, nil, token)
}

// ** DEPRECATED **
// Please call "Do" on the http client returned by MakeHttpClient instead
// (and set the "Content-Type" header explicitly in the http.Request)
func (c *Consumer) PostXML(url string, body string, token *AccessToken) (resp *http.Response, err error) {
	return c.makeAuthorizedRequest("POST", url, LOC_XML, body, nil, token)
}

// ** DEPRECATED **
// Please call "Do" on the http client returned by MakeHttpClient instead
// (and setup the multipart data explicitly in the http.Request)
func (c *Consumer) PostMultipart(url, multipartName string, multipartData io.ReadCloser, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) {
	return c.makeAuthorizedRequestReader("POST", url, LOC_MULTIPART, 0, multipartName, multipartData, userParams, token)
}

// ** DEPRECATED **
// Please call "Delete" on the http client returned by MakeHttpClient instead
func (c *Consumer) Delete(url string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) {
	return c.makeAuthorizedRequest("DELETE", url, LOC_URL, "", userParams, token)
}

// ** DEPRECATED **
// Please call "Put" on the http client returned by MakeHttpClient instead
func (c *Consumer) Put(url string, body string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) {
	return c.makeAuthorizedRequest("PUT", url, LOC_URL, body, userParams, token)
}

func (c *Consumer) Debug(enabled bool) {
	c.debug = enabled
	c.signer.Debug(enabled)
}

type pair struct {
	key   string
	value string
}

type pairs []pair

func (p pairs) Len() int           { return len(p) }
func (p pairs) Less(i, j int) bool { return p[i].key < p[j].key }
func (p pairs) Swap(i, j int)      { p[i], p[j] = p[j], p[i] }

// This function has basically turned into a backwards compatibility layer
// between the old API (where clients explicitly called consumer.Get()
// consumer.Post() etc), and the new API (which takes actual http.Requests)
//
// So, here we construct the appropriate HTTP request for the inputs.
func (c *Consumer) makeAuthorizedRequestReader(method string, urlString string, dataLocation DataLocation, contentLength int, multipartName string, body io.ReadCloser, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) {
	urlObject, err := url.Parse(urlString)
	if err != nil {
		return nil, err
	}

	request := &http.Request{
		Method:        method,
		URL:           urlObject,
		Header:        http.Header{},
		Body:          body,
		ContentLength: int64(contentLength),
	}

	vals := url.Values{}
	for k, v := range userParams {
		vals.Add(k, v)
	}

	if dataLocation != LOC_BODY {
		request.URL.RawQuery = vals.Encode()
		request.URL.RawQuery = strings.Replace(
			request.URL.RawQuery, ";", "%3B", -1)

	} else {
		// TODO(mrjones): validate that we're not overrideing an exising body?
		request.Body = ioutil.NopCloser(strings.NewReader(vals.Encode()))
		request.ContentLength = int64(len(vals.Encode()))
	}

	for k, vs := range c.AdditionalHeaders {
		for _, v := range vs {
			request.Header.Set(k, v)
		}
	}

	if dataLocation == LOC_BODY {
		request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}

	if dataLocation == LOC_JSON {
		request.Header.Set("Content-Type", "application/json")
	}

	if dataLocation == LOC_XML {
		request.Header.Set("Content-Type", "application/xml")
	}

	if dataLocation == LOC_MULTIPART {
		pipeReader, pipeWriter := io.Pipe()
		writer := multipart.NewWriter(pipeWriter)
		if request.URL.Host == "www.mrjon.es" &&
			request.URL.Path == "/unittest" {
			writer.SetBoundary("UNITTESTBOUNDARY")
		}
		go func(body io.Reader) {
			part, err := writer.CreateFormFile(multipartName, "/no/matter")
			if err != nil {
				writer.Close()
				pipeWriter.CloseWithError(err)
				return
			}
			_, err = io.Copy(part, body)
			if err != nil {
				writer.Close()
				pipeWriter.CloseWithError(err)
				return
			}
			writer.Close()
			pipeWriter.Close()
		}(body)
		request.Body = pipeReader
		request.Header.Set("Content-Type", writer.FormDataContentType())
	}

	rt := RoundTripper{consumer: c, token: token}

	resp, err = rt.RoundTrip(request)
	if err != nil {
		return resp, err
	}

	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
		defer resp.Body.Close()
		bytes, _ := ioutil.ReadAll(resp.Body)

		return resp, HTTPExecuteError{
			RequestHeaders:    "",
			ResponseBodyBytes: bytes,
			Status:            resp.Status,
			StatusCode:        resp.StatusCode,
		}
	}

	return resp, nil
}

// cloneReq clones the src http.Request, making deep copies of the Header and
// the URL but shallow copies of everything else
func cloneReq(src *http.Request) *http.Request {
	dst := &http.Request{}
	*dst = *src

	dst.Header = make(http.Header, len(src.Header))
	for k, s := range src.Header {
		dst.Header[k] = append([]string(nil), s...)
	}

	if src.URL != nil {
		dst.URL = cloneURL(src.URL)
	}

	return dst
}

// cloneURL shallow clones the src *url.URL
func cloneURL(src *url.URL) *url.URL {
	dst := &url.URL{}
	*dst = *src

	return dst
}

func canonicalizeUrl(u *url.URL) string {
	var buf bytes.Buffer
	buf.WriteString(u.Scheme)
	buf.WriteString("://")
	buf.WriteString(u.Host)
	buf.WriteString(u.Path)

	return buf.String()
}

func parseBody(request *http.Request) (map[string]string, error) {
	userParams := map[string]string{}

	// TODO(mrjones): factor parameter extraction into a separate method
	if request.Header.Get("Content-Type") !=
		"application/x-www-form-urlencoded" {
		// Most of the time we get parameters from the query string:
		for k, vs := range request.URL.Query() {
			if len(vs) != 1 {
				return nil, fmt.Errorf("Must have exactly one value per param")
			}

			userParams[k] = vs[0]
		}
	} else {
		// x-www-form-urlencoded parameters come from the body instead:
		defer request.Body.Close()
		originalBody, err := ioutil.ReadAll(request.Body)
		if err != nil {
			return nil, err
		}

		// If there was a body, we have to re-install it
		// (because we've ruined it by reading it).
		request.Body = ioutil.NopCloser(bytes.NewReader(originalBody))

		params, err := url.ParseQuery(string(originalBody))
		if err != nil {
			return nil, err
		}

		for k, vs := range params {
			if len(vs) != 1 {
				return nil, fmt.Errorf("Must have exactly one value per param")
			}

			userParams[k] = vs[0]
		}
	}

	return userParams, nil
}

func paramsToSortedPairs(params map[string]string) pairs {
	// Sort parameters alphabetically
	paramPairs := make(pairs, len(params))
	i := 0
	for key, value := range params {
		paramPairs[i] = pair{key: key, value: value}
		i++
	}
	sort.Sort(paramPairs)

	return paramPairs
}

func calculateBodyHash(request *http.Request, s signer) (string, error) {
	if request.Header.Get("Content-Type") ==
		"application/x-www-form-urlencoded" {
		return "", nil
	}

	var originalBody []byte

	if request.Body != nil {
		var err error

		defer request.Body.Close()
		originalBody, err = ioutil.ReadAll(request.Body)
		if err != nil {
			return "", err
		}

		// If there was a body, we have to re-install it
		// (because we've ruined it by reading it).
		request.Body = ioutil.NopCloser(bytes.NewReader(originalBody))
	}

	h := s.HashFunc().New()
	h.Write(originalBody)
	rawSignature := h.Sum(nil)

	return base64.StdEncoding.EncodeToString(rawSignature), nil
}

func (rt *RoundTripper) RoundTrip(userRequest *http.Request) (*http.Response, error) {
	serverRequest := cloneReq(userRequest)

	allParams := rt.consumer.baseParams(
		rt.consumer.consumerKey, rt.consumer.AdditionalParams)

	// Do not add the "oauth_token" parameter, if the access token has not been
	// specified. By omitting this parameter when it is not specified, allows
	// two-legged OAuth calls.
	if len(rt.token.Token) > 0 {
		allParams.Add(TOKEN_PARAM, rt.token.Token)
	}

	if rt.consumer.serviceProvider.BodyHash {
		bodyHash, err := calculateBodyHash(serverRequest, rt.consumer.signer)
		if err != nil {
			return nil, err
		}

		if bodyHash != "" {
			allParams.Add(BODY_HASH_PARAM, bodyHash)
		}
	}

	authParams := allParams.Clone()

	// TODO(mrjones): put these directly into the paramPairs below?
	userParams, err := parseBody(serverRequest)
	if err != nil {
		return nil, err
	}
	paramPairs := paramsToSortedPairs(userParams)

	for i := range paramPairs {
		allParams.Add(paramPairs[i].key, paramPairs[i].value)
	}

	signingURL := cloneURL(serverRequest.URL)
	if host := serverRequest.Host; host != "" {
		signingURL.Host = host
	}
	baseString := rt.consumer.requestString(serverRequest.Method, canonicalizeUrl(signingURL), allParams)

	signature, err := rt.consumer.signer.Sign(baseString, rt.token.Secret)
	if err != nil {
		return nil, err
	}

	authParams.Add(SIGNATURE_PARAM, signature)

	// Set auth header.
	oauthHdr := OAUTH_HEADER
	for pos, key := range authParams.Keys() {
		for innerPos, value := range authParams.Get(key) {
			if pos+innerPos > 0 {
				oauthHdr += ","
			}
			oauthHdr += key + "=\"" + value + "\""
		}
	}
	serverRequest.Header.Add(HTTP_AUTH_HEADER, oauthHdr)

	if rt.consumer.debug {
		fmt.Printf("Request: %v\n", serverRequest)
	}

	resp, err := rt.consumer.HttpClient.Do(serverRequest)

	if err != nil {
		return resp, err
	}

	return resp, nil
}

func (c *Consumer) makeAuthorizedRequest(method string, url string, dataLocation DataLocation, body string, userParams map[string]string, token *AccessToken) (resp *http.Response, err error) {
	return c.makeAuthorizedRequestReader(method, url, dataLocation, len(body), "", ioutil.NopCloser(strings.NewReader(body)), userParams, token)
}

type request struct {
	method      string
	url         string
	oauthParams *OrderedParams
	userParams  map[string]string
}

type HttpClient interface {
	Do(req *http.Request) (resp *http.Response, err error)
}

type clock interface {
	Seconds() int64
	Nanos() int64
}

type nonceGenerator interface {
	Int63() int64
}

type key interface {
	String() string
}

type signer interface {
	Sign(message string, tokenSecret string) (string, error)
	Verify(message string, signature string) error
	SignatureMethod() string
	HashFunc() crypto.Hash
	Debug(enabled bool)
}

type defaultClock struct{}

func (*defaultClock) Seconds() int64 {
	return time.Now().Unix()
}

func (*defaultClock) Nanos() int64 {
	return time.Now().UnixNano()
}

func (c *Consumer) signRequest(req *request, tokenSecret string) (*request, error) {
	baseString := c.requestString(req.method, req.url, req.oauthParams)

	signature, err := c.signer.Sign(baseString, tokenSecret)
	if err != nil {
		return nil, err
	}

	req.oauthParams.Add(SIGNATURE_PARAM, signature)
	return req, nil
}

// Obtains an AccessToken from the response of a service provider.
//      - data:
//        The response body.
//
// This method returns:
//      - atoken:
//        The AccessToken generated from the response body.
//
//      - err:
//        Set if an AccessToken could not be parsed from the given input.
func parseAccessToken(data string) (atoken *AccessToken, err error) {
	parts, err := url.ParseQuery(data)
	if err != nil {
		return nil, err
	}

	tokenParam := parts[TOKEN_PARAM]
	parts.Del(TOKEN_PARAM)
	if len(tokenParam) < 1 {
		return nil, errors.New("Missing " + TOKEN_PARAM + " in response. " +
			"Full response body: '" + data + "'")
	}
	tokenSecretParam := parts[TOKEN_SECRET_PARAM]
	parts.Del(TOKEN_SECRET_PARAM)
	if len(tokenSecretParam) < 1 {
		return nil, errors.New("Missing " + TOKEN_SECRET_PARAM + " in response." +
			"Full response body: '" + data + "'")
	}

	additionalData := parseAdditionalData(parts)

	return &AccessToken{tokenParam[0], tokenSecretParam[0], additionalData}, nil
}

func parseRequestToken(data string) (*RequestToken, error) {
	parts, err := url.ParseQuery(data)
	if err != nil {
		return nil, err
	}

	tokenParam := parts[TOKEN_PARAM]
	if len(tokenParam) < 1 {
		return nil, errors.New("Missing " + TOKEN_PARAM + " in response. " +
			"Full response body: '" + data + "'")
	}
	tokenSecretParam := parts[TOKEN_SECRET_PARAM]
	if len(tokenSecretParam) < 1 {
		return nil, errors.New("Missing " + TOKEN_SECRET_PARAM + " in response." +
			"Full response body: '" + data + "'")
	}
	return &RequestToken{tokenParam[0], tokenSecretParam[0]}, nil
}

func (c *Consumer) baseParams(consumerKey string, additionalParams map[string]string) *OrderedParams {
	params := NewOrderedParams()
	params.Add(VERSION_PARAM, OAUTH_VERSION)
	params.Add(SIGNATURE_METHOD_PARAM, c.signer.SignatureMethod())
	params.Add(TIMESTAMP_PARAM, strconv.FormatInt(c.clock.Seconds(), 10))
	params.Add(NONCE_PARAM, strconv.FormatInt(c.nonceGenerator.Int63(), 10))
	params.Add(CONSUMER_KEY_PARAM, consumerKey)
	for key, value := range additionalParams {
		params.Add(key, value)
	}
	return params
}

func parseAdditionalData(parts url.Values) map[string]string {
	params := make(map[string]string)
	for key, value := range parts {
		if len(value) > 0 {
			params[key] = value[0]
		}
	}
	return params
}

type HMACSigner struct {
	consumerSecret string
	hashFunc       crypto.Hash
	debug          bool
}

func (s *HMACSigner) Debug(enabled bool) {
	s.debug = enabled
}

func (s *HMACSigner) Sign(message string, tokenSecret string) (string, error) {
	key := escape(s.consumerSecret) + "&" + escape(tokenSecret)
	if s.debug {
		fmt.Println("Signing:", message)
		fmt.Println("Key:", key)
	}

	h := hmac.New(s.HashFunc().New, []byte(key))
	h.Write([]byte(message))
	rawSignature := h.Sum(nil)

	base64signature := base64.StdEncoding.EncodeToString(rawSignature)
	if s.debug {
		fmt.Println("Base64 signature:", base64signature)
	}
	return base64signature, nil
}

func (s *HMACSigner) Verify(message string, signature string) error {
	if s.debug {
		fmt.Println("Verifying Base64 signature:", signature)
	}
	validSignature, err := s.Sign(message, "")
	if err != nil {
		return err
	}

	if validSignature != signature {
		decodedSigniture, _ := url.QueryUnescape(signature)
		if validSignature != decodedSigniture {
			return fmt.Errorf("signature did not match")
		}
	}

	return nil
}

func (s *HMACSigner) SignatureMethod() string {
	return SIGNATURE_METHOD_HMAC + HASH_METHOD_MAP[s.HashFunc()]
}

func (s *HMACSigner) HashFunc() crypto.Hash {
	return s.hashFunc
}

type RSASigner struct {
	debug      bool
	rand       io.Reader
	privateKey *rsa.PrivateKey
	hashFunc   crypto.Hash
}

func (s *RSASigner) Debug(enabled bool) {
	s.debug = enabled
}

func (s *RSASigner) Sign(message string, tokenSecret string) (string, error) {
	if s.debug {
		fmt.Println("Signing:", message)
	}

	h := s.HashFunc().New()
	h.Write([]byte(message))
	digest := h.Sum(nil)

	signature, err := rsa.SignPKCS1v15(s.rand, s.privateKey, s.HashFunc(), digest)
	if err != nil {
		return "", nil
	}

	base64signature := base64.StdEncoding.EncodeToString(signature)
	if s.debug {
		fmt.Println("Base64 signature:", base64signature)
	}

	return base64signature, nil
}

func (s *RSASigner) Verify(message string, base64signature string) error {
	if s.debug {
		fmt.Println("Verifying:", message)
		fmt.Println("Verifying Base64 signature:", base64signature)
	}

	h := s.HashFunc().New()
	h.Write([]byte(message))
	digest := h.Sum(nil)

	signature, err := base64.StdEncoding.DecodeString(base64signature)
	if err != nil {
		return err
	}

	return rsa.VerifyPKCS1v15(&s.privateKey.PublicKey, s.HashFunc(), digest, signature)
}

func (s *RSASigner) SignatureMethod() string {
	return SIGNATURE_METHOD_RSA + HASH_METHOD_MAP[s.HashFunc()]
}

func (s *RSASigner) HashFunc() crypto.Hash {
	return s.hashFunc
}

func escape(s string) string {
	t := make([]byte, 0, 3*len(s))
	for i := 0; i < len(s); i++ {
		c := s[i]
		if isEscapable(c) {
			t = append(t, '%')
			t = append(t, "0123456789ABCDEF"[c>>4])
			t = append(t, "0123456789ABCDEF"[c&15])
		} else {
			t = append(t, s[i])
		}
	}
	return string(t)
}

func isEscapable(b byte) bool {
	return !('A' <= b && b <= 'Z' || 'a' <= b && b <= 'z' || '0' <= b && b <= '9' || b == '-' || b == '.' || b == '_' || b == '~')

}

func (c *Consumer) requestString(method string, url string, params *OrderedParams) string {
	result := method + "&" + escape(url)
	for pos, key := range params.Keys() {
		for innerPos, value := range params.Get(key) {
			if pos+innerPos == 0 {
				result += "&"
			} else {
				result += escape("&")
			}
			result += escape(fmt.Sprintf("%s=%s", key, value))
		}
	}
	return result
}

func (c *Consumer) getBody(method, url string, oauthParams *OrderedParams) (*string, error) {
	resp, err := c.httpExecute(method, url, "", 0, nil, oauthParams)
	if err != nil {
		return nil, errors.New("httpExecute: " + err.Error())
	}
	bodyBytes, err := ioutil.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return nil, errors.New("ReadAll: " + err.Error())
	}
	bodyStr := string(bodyBytes)
	if c.debug {
		fmt.Printf("STATUS: %d %s\n", resp.StatusCode, resp.Status)
		fmt.Println("BODY RESPONSE: " + bodyStr)
	}
	return &bodyStr, nil
}

// HTTPExecuteError signals that a call to httpExecute failed.
type HTTPExecuteError struct {
	// RequestHeaders provides a stringified listing of request headers.
	RequestHeaders string
	// ResponseBodyBytes is the response read into a byte slice.
	ResponseBodyBytes []byte
	// Status is the status code string response.
	Status string
	// StatusCode is the parsed status code.
	StatusCode int
}

// Error provides a printable string description of an HTTPExecuteError.
func (e HTTPExecuteError) Error() string {
	return "HTTP response is not 200/OK as expected. Actual response: \n" +
		"\tResponse Status: '" + e.Status + "'\n" +
		"\tResponse Code: " + strconv.Itoa(e.StatusCode) + "\n" +
		"\tResponse Body: " + string(e.ResponseBodyBytes) + "\n" +
		"\tRequest Headers: " + e.RequestHeaders
}

func (c *Consumer) httpExecute(
	method string, urlStr string, contentType string, contentLength int, body io.Reader, oauthParams *OrderedParams) (*http.Response, error) {
	// Create base request.
	req, err := http.NewRequest(method, urlStr, body)
	if err != nil {
		return nil, errors.New("NewRequest failed: " + err.Error())
	}

	// Set auth header.
	req.Header = http.Header{}
	oauthHdr := "OAuth "
	for pos, key := range oauthParams.Keys() {
		for innerPos, value := range oauthParams.Get(key) {
			if pos+innerPos > 0 {
				oauthHdr += ","
			}
			oauthHdr += key + "=\"" + value + "\""
		}
	}
	req.Header.Add("Authorization", oauthHdr)

	// Add additional custom headers
	for key, vals := range c.AdditionalHeaders {
		for _, val := range vals {
			req.Header.Add(key, val)
		}
	}

	// Set contentType if passed.
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}

	// Set contentLength if passed.
	if contentLength > 0 {
		req.Header.Set("Content-Length", strconv.Itoa(contentLength))
	}

	if c.debug {
		fmt.Printf("Request: %v\n", req)
	}
	resp, err := c.HttpClient.Do(req)
	if err != nil {
		return nil, errors.New("Do: " + err.Error())
	}

	debugHeader := ""
	for k, vals := range req.Header {
		for _, val := range vals {
			debugHeader += "[key: " + k + ", val: " + val + "]"
		}
	}

	// StatusMultipleChoices is 300, any 2xx response should be treated as success
	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
		defer resp.Body.Close()
		bytes, _ := ioutil.ReadAll(resp.Body)

		return resp, HTTPExecuteError{
			RequestHeaders:    debugHeader,
			ResponseBodyBytes: bytes,
			Status:            resp.Status,
			StatusCode:        resp.StatusCode,
		}
	}
	return resp, err
}

//
// String Sorting helpers
//

type ByValue []string

func (a ByValue) Len() int {
	return len(a)
}

func (a ByValue) Swap(i, j int) {
	a[i], a[j] = a[j], a[i]
}

func (a ByValue) Less(i, j int) bool {
	return a[i] < a[j]
}

//
// ORDERED PARAMS
//

type OrderedParams struct {
	allParams   map[string][]string
	keyOrdering []string
}

func NewOrderedParams() *OrderedParams {
	return &OrderedParams{
		allParams:   make(map[string][]string),
		keyOrdering: make([]string, 0),
	}
}

func (o *OrderedParams) Get(key string) []string {
	sort.Sort(ByValue(o.allParams[key]))
	return o.allParams[key]
}

func (o *OrderedParams) Keys() []string {
	sort.Sort(o)
	return o.keyOrdering
}

func (o *OrderedParams) Add(key, value string) {
	o.AddUnescaped(key, escape(value))
}

func (o *OrderedParams) AddUnescaped(key, value string) {
	if _, exists := o.allParams[key]; !exists {
		o.keyOrdering = append(o.keyOrdering, key)
		o.allParams[key] = make([]string, 1)
		o.allParams[key][0] = value
	} else {
		o.allParams[key] = append(o.allParams[key], value)
	}
}

func (o *OrderedParams) Len() int {
	return len(o.keyOrdering)
}

func (o *OrderedParams) Less(i int, j int) bool {
	return o.keyOrdering[i] < o.keyOrdering[j]
}

func (o *OrderedParams) Swap(i int, j int) {
	o.keyOrdering[i], o.keyOrdering[j] = o.keyOrdering[j], o.keyOrdering[i]
}

func (o *OrderedParams) Clone() *OrderedParams {
	clone := NewOrderedParams()
	for _, key := range o.Keys() {
		for _, value := range o.Get(key) {
			clone.AddUnescaped(key, value)
		}
	}
	return clone
}