ubuntuone-credentials

Merge lp:~mardy/ubuntuone-credentials/signon-plugin into lp:ubuntuone-credentials

signon-plugin
Merge into trunk

Proposed by Alberto Mardegan on 2016-02-25

Status:

Work in progress

Proposed branch:

lp:~mardy/ubuntuone-credentials/signon-plugin

Merge into:

lp:ubuntuone-credentials

Diff against target:

3370 lines (+2886/-118)

23 files modified

data/ubuntuone.provider (+2/-2)
debian/control (+3/-2)
debian/libubuntuoneauth-2.0-0.symbols (+4/-0)
debian/signon-plugin-ubuntuone.install (+1/-1)
libubuntuoneauth/CMakeLists.txt (+13/-3)
libubuntuoneauth/accountmanager.cpp (+44/-0)
libubuntuoneauth/accountmanager.h (+43/-0)
libubuntuoneauth/authenticator.cpp (+176/-0)
libubuntuoneauth/authenticator.h (+71/-0)
libubuntuoneauth/common.h (+30/-0)
libubuntuoneauth/keyring.cpp (+34/-60)
libubuntuoneauth/libubuntuoneauth.symbols (+2/-1)
libubuntuoneauth/ssoservice.cpp (+44/-13)
libubuntuoneauth/token.cpp (+54/-5)
libubuntuoneauth/token.h (+4/-0)
signon-plugin/CMakeLists.txt (+9/-2)
signon-plugin/i18n.cpp (+37/-0)
signon-plugin/i18n.h (+31/-0)
signon-plugin/tests/CMakeLists.txt (+52/-0)
signon-plugin/tests/tst_plugin.cpp (+1840/-0)
signon-plugin/ubuntuone-plugin.cpp (+327/-19)
signon-plugin/ubuntuone-plugin.h (+45/-7)
signon-plugin/ubuntuonedata.h (+20/-3)

To merge this branch:

bzr merge lp:~mardy/ubuntuone-credentials/signon-plugin

Related bugs:

Bug #1248326: Invalidated tokens not handled gracefully	High	Confirmed
Bug #1553150: Ubuntu One account does not stay logged in or does not sign in at all	Undecided	Confirmed

Link a bug report

Reviewer	Review Type	Date Requested	Status
dobey		2016-02-25	Pending
Review via email: mp+287132@code.launchpad.net

Commit message

WIP Implement SignOn authentication plugin, use it libubuntuoneauth.

Description of the change

WIP Implement SignOn authentication plugin, use it libubuntuoneauth.

lp:~mardy/ubuntuone-credentials/signon-plugin updated on 2016-04-22

237. By Alberto Mardegan on 2016-02-26

Force export of symbol

238. By Alberto Mardegan on 2016-02-26

Allow authentication with no account

239. By Alberto Mardegan on 2016-02-29

No undefined symbols

240. By Alberto Mardegan on 2016-02-29

Test plugin loading

241. By Alberto Mardegan on 2016-02-29

Properly export symbols

242. By Alberto Mardegan on 2016-02-29

debugging

243. By Alberto Mardegan on 2016-03-01

Return specific error codes

244. By Alberto Mardegan on 2016-03-01

Tweak on application name

245. By Alberto Mardegan on 2016-03-02

missing include

246. By Alberto Mardegan on 2016-03-02

Explain hack

247. By Alberto Mardegan on 2016-03-02

Never remove accounts

248. By Alberto Mardegan on 2016-03-02

Plugin: don't delete the reply while using it

249. By Alberto Mardegan on 2016-03-02

Handle invalid email error

250. By Alberto Mardegan on 2016-03-02

Allow UI interactions when retrieving token

251. By Alberto Mardegan on 2016-03-03

Fix dialog title and handling of 2fa reply

252. By Alberto Mardegan on 2016-03-09

Avoid double free

253. By Alberto Mardegan on 2016-03-09

Update method name in .provider file

254. By Alberto Mardegan on 2016-04-07

Merge trunk

[ CI Train Bot ]
* Resync trunk.
[ Michael Zanetti ]
* update to uitk 1.3 (LP: #1560621)
[ Rodney Dawes ]
* Disable tests on powerpc as something in xenial is causing a crash.

255. By Alberto Mardegan on 2016-04-22

Use Internal namespace

Unmerged revisions

255. By Alberto Mardegan on 2016-04-22: Use Internal namespace

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Alberto Mardegan

Unity API Team

 === modified file 'data/ubuntuone.provider'
 --- data/ubuntuone.provider	2013-10-16 08:21:08 +0000
 +++ data/ubuntuone.provider	2016-04-22 09:51:32 +0000
@@ -8,8 +8,8 @@
    <template>
      <group name="auth">
--      <setting name="method">password</setting>
--      <setting name="mechanism">password</setting>
++      <setting name="method">ubuntuone</setting>
++      <setting name="mechanism">ubuntuone</setting>
      </group>
    </template>
  </provider>
 === modified file 'debian/control'
 --- debian/control	2015-11-16 20:17:01 +0000
 +++ debian/control	2016-04-22 09:51:32 +0000
@@ -14,7 +14,7 @@
   qtdeclarative5-dev-tools,
   qtdeclarative5-ubuntu-ui-toolkit-plugin,
   python3-all:native,
-- signon-plugins-dev,
++ signon-plugins-dev (>= 8.58),
   ubuntu-ui-toolkit-autopilot:native,
   xvfb,
  Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
@@ -135,7 +135,7 @@
  Package: signon-plugin-ubuntuone
  Architecture: any
--Multi-Arch: foreign
++Multi-Arch: same
  Pre-Depends:
   multiarch-support,
   ${misc:Pre-Depends},
@@ -159,6 +159,7 @@
  Depends:
   libubuntuoneauth-2.0-0 (= ${binary:Version}),
   qml-module-ubuntuone (= ${binary:Version}),
++ signon-plugin-ubuntuone,
   ubuntu-system-settings-online-accounts,
   ${misc:Depends},
   ${shlibs:Depends},
 === modified file 'debian/libubuntuoneauth-2.0-0.symbols'
 --- debian/libubuntuoneauth-2.0-0.symbols	2015-12-07 21:38:01 +0000
 +++ debian/libubuntuoneauth-2.0-0.symbols	2016-04-22 09:51:32 +0000
@@ -111,7 +111,11 @@
   (c++)"UbuntuOne::Token::Token(QString, QString, QString, QString)@Base" 13.08
   (c++)"UbuntuOne::Token::Token(QString, QString, QString, QString, QString, QString)@Base" 14.04+14.10.20140908
   (c++)"UbuntuOne::Token::~Token()@Base" 13.08
++ (c++)"UbuntuOne::Token::name() const@Base" 15.11+16.04.20151207.1
   (c++)"UbuntuOne::Token::consumerKey() const@Base" 15.10+15.10.20150617
++ (c++)"UbuntuOne::Token::consumerSecret() const@Base" 15.11+16.04.20151207.1
++ (c++)"UbuntuOne::Token::tokenKey() const@Base" 15.11+16.04.20151207.1
++ (c++)"UbuntuOne::Token::tokenSecret() const@Base" 15.11+16.04.20151207.1
   (c++)"UbuntuOne::Token::created() const@Base" 14.04+14.10.20140818
   (c++)"UbuntuOne::Token::updated() const@Base" 14.04+14.10.20140818
   (c++)"UbuntuOne::Token::getServerTimestamp() const@Base" 15.11+16.04.20151207.1
 === modified file 'debian/signon-plugin-ubuntuone.install'
 --- debian/signon-plugin-ubuntuone.install	2013-11-27 21:19:44 +0000
 +++ debian/signon-plugin-ubuntuone.install	2016-04-22 09:51:32 +0000
@@ -1,1 +1,1 @@
--usr/lib/signon/*.so
++usr/lib/*/signon/*.so
 === modified file 'libubuntuoneauth/CMakeLists.txt'
 --- libubuntuoneauth/CMakeLists.txt	2013-11-22 19:17:04 +0000
 +++ libubuntuoneauth/CMakeLists.txt	2016-04-22 09:51:32 +0000
@@ -16,7 +16,17 @@
  # The sources for building the library
  FILE (GLOB SOURCES *.cpp)
  # HEADERS only includes the public headers for installation.
--FILE (GLOB HEADERS *.h)
++FILE (GLOB HEADERS
++  errormessages.h
++  identityprovider.h
++  keyring.h
++  logging.h
++  network.h
++  requests.h
++  responses.h
++  ssoservice.h
++  token.h
++)
  pkg_check_modules(OAUTH REQUIRED oauth)
  add_definitions(${OAUTH_CFLAGS} ${OAUTH_CFLAGS_OTHER})
@@ -29,12 +39,12 @@
  target_link_libraries (${AUTH_LIB_NAME}
    ${LIBSIGNON_LDFLAGS}
    ${OAUTH_LDFLAGS}
--  -Wl,--version-script -Wl,${CMAKE_CURRENT_SOURCE_DIR}/libubuntuoneauth.symbols
+ )
  SET_TARGET_PROPERTIES(${AUTH_LIB_NAME} PROPERTIES
    VERSION ${AUTH_LIB_VERSION}
    SOVERSION ${AUTH_LIB_SOVERSION}
++  LINK_FLAGS "-Wl,--version-script -Wl,\"${CMAKE_CURRENT_SOURCE_DIR}/libubuntuoneauth.symbols\""
+ )
  INSTALL (
@@ -64,4 +74,4 @@
+ )
  add_subdirectory(tests)
--add_subdirectory(examples)
 \ No newline at end of file
++add_subdirectory(examples)
 === added file 'libubuntuoneauth/accountmanager.cpp'
 --- libubuntuoneauth/accountmanager.cpp	1970-01-01 00:00:00 +0000
 +++ libubuntuoneauth/accountmanager.cpp	2016-04-22 09:51:32 +0000
@@ -0,0 +1,44 @@
++/*
++ * Copyright 2016 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of version 3 of the GNU Lesser General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ */
++
++#include "accountmanager.h"
++
++namespace Internal {
++
++AccountManager *AccountManager::m_instance = 0;
++
++AccountManager::AccountManager(QObject *parent):
++    Accounts::Manager(parent)
++{
++}
++
++AccountManager::~AccountManager()
++{
++    m_instance = 0;
++}
++
++AccountManager *AccountManager::instance()
++{
++    if (!m_instance) {
++        m_instance = new AccountManager;
++    }
++
++    return m_instance;
++}
++
++} // namespace
 === added file 'libubuntuoneauth/accountmanager.h'
 --- libubuntuoneauth/accountmanager.h	1970-01-01 00:00:00 +0000
 +++ libubuntuoneauth/accountmanager.h	2016-04-22 09:51:32 +0000
@@ -0,0 +1,43 @@
++/*
++ * Copyright 2016 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of version 3 of the GNU Lesser General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ */
++#ifndef _U1_ACCOUNTMANAGER_H_
++#define _U1_ACCOUNTMANAGER_H_
++
++#include <Accounts/Manager>
++#include <QObject>
++
++namespace Internal {
++
++class AccountManager : public Accounts::Manager
++{
++    Q_OBJECT
++
++public:
++    static AccountManager *instance();
++    ~AccountManager();
++
++protected:
++    explicit AccountManager(QObject *parent = 0);
++
++private:
++    static AccountManager *m_instance;
++};
++
++} /* namespace */
++
++#endif /* _U1_ACCOUNTMANAGER_H_ */
 === added file 'libubuntuoneauth/authenticator.cpp'
 --- libubuntuoneauth/authenticator.cpp	1970-01-01 00:00:00 +0000
 +++ libubuntuoneauth/authenticator.cpp	2016-04-22 09:51:32 +0000
@@ -0,0 +1,176 @@
++/*
++ * Copyright 2016 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of version 3 of the GNU Lesser General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ */
++
++#include <Accounts/Account>
++#include <Accounts/Service>
++#include <SignOn/AuthSession>
++#include <SignOn/Identity>
++#include <SignOn/IdentityInfo>
++
++#include <QDebug>
++
++#include "accountmanager.h"
++#include "authenticator.h"
++#include "../signon-plugin/ubuntuonedata.h"
++
++using namespace Internal;
++using namespace UbuntuOne;
++
++Authenticator::Authenticator(QObject *parent):
++    QObject(parent),
++    m_manager(AccountManager::instance()),
++    m_invalidate(false),
++    m_uiAllowed(true)
++{
++}
++
++void Authenticator::handleError(const SignOn::Error &e)
++{
++    qCritical() << "Authentication error:" << e.message();
++    Q_EMIT error(AuthenticationError);
++}
++
++void Authenticator::handleSessionData(const SignOn::SessionData &data)
++{
++    PluginData reply = data.data<PluginData>();
++
++    auto errorCode = PluginData::ErrorCode(reply.U1ErrorCode());
++    if (errorCode != PluginData::NoError) {
++        switch (errorCode) {
++        case PluginData::OneTimePasswordRequired:
++            qDebug() << "Error: OTP required";
++            Q_EMIT error(OneTimePasswordRequired);
++            break;
++        case PluginData::InvalidPassword:
++            qDebug() << "Error: invalid password";
++            Q_EMIT error(InvalidPassword);
++            break;
++        default:
++            qWarning() << "Unknown error code" << errorCode;
++            Q_EMIT error(AuthenticationError);
++        }
++        return;
++    }
++
++    Token token(reply.TokenKey(), reply.TokenSecret(),
++                reply.ConsumerKey(), reply.ConsumerSecret());
++    if (token.isValid()) {
++        Q_EMIT authenticated(token);
++    } else {
++        QString message("Failed to convert result to Token object.");
++        qCritical() << message;
++        Q_EMIT error(AuthenticationError);
++    }
++}
++
++quint32 Authenticator::credentialsId()
++{
++    QString providerId("ubuntuone");
++    Accounts::AccountIdList accountIds = m_manager->accountList(providerId);
++
++    if (accountIds.isEmpty()) {
++        qDebug() << "authenticate(): No UbuntuOne accounts found";
++        Q_EMIT error(AccountNotFound);
++        return 0;
++    }
++
++    if (accountIds.count() > 1) {
++        qWarning() << "authenticate(): Found '" << accountIds.count() <<
++            "' accounts. Using first.";
++    }
++
++    qDebug() << "authenticate(): Using account '" << accountIds[0] << "'.";
++
++    auto account = m_manager->account(accountIds[0]);
++    if (Q_UNLIKELY(!account)) {
++        qDebug() << "Couldn't load account";
++        /* This could either happen because the account was deleted right while
++         * we were loading it, or because the accounts DB was locked by another
++         * app. Let's just return an authentication error here, so the client
++         * can retry.
++         */
++        Q_EMIT error(AuthenticationError);
++        return 0;
++    }
++
++    /* Here we should check that the account service is enabled; but since the
++     * old code was not doing this check, and that from the API there is no way
++     * of knowing which service we are interested in, let's leave it as a TODO.
++     */
++
++    return account->credentialsId();
++}
++
++void Authenticator::authenticate(const QString &tokenName,
++                                 const QString &userName,
++                                 const QString &password,
++                                 const QString &otp)
++{
++    SignOn::Identity *identity;
++    if (userName.isEmpty()) {
++        // Use existing account
++        quint32 id = credentialsId();
++        if (Q_UNLIKELY(!id)) return;
++
++        identity = SignOn::Identity::existingIdentity(id, this);
++        if (Q_UNLIKELY(!identity)) {
++            qCritical() << "authenticate(): unable to load credentials" << id;
++            Q_EMIT error(AccountNotFound);
++            return;
++        }
++    } else {
++        identity = SignOn::Identity::newIdentity(SignOn::IdentityInfo(), this);
++    }
++
++    auto session = identity->createSession(QStringLiteral("ubuntuone"));
++    if (Q_UNLIKELY(!session)) {
++        qCritical() << "Unable to create AuthSession.";
++        Q_EMIT error(AuthenticationError);
++        return;
++    }
++
++    connect(session, SIGNAL(response(const SignOn::SessionData&)),
++            this, SLOT(handleSessionData(const SignOn::SessionData&)));
++    connect(session, SIGNAL(error(const SignOn::Error&)),
++            this, SLOT(handleError(const SignOn::Error&)));
++
++    PluginData data;
++    data.setTokenName(tokenName);
++    data.setUserName(userName);
++    data.setSecret(password);
++    data.setOneTimePassword(otp);
++    int uiPolicy = m_uiAllowed ?
++        SignOn::DefaultPolicy : SignOn::NoUserInteractionPolicy;
++    if (m_invalidate) {
++        uiPolicy |= SignOn::RequestPasswordPolicy;
++        m_invalidate = false;
++    }
++    data.setUiPolicy(uiPolicy);
++
++    session->process(data, QStringLiteral("ubuntuone"));
++}
++
++void Authenticator::invalidateCredentials()
++{
++    m_invalidate = true;
++}
++
++void Authenticator::setUiAllowed(bool allowed)
++{
++    m_uiAllowed = allowed;
++}
 === added file 'libubuntuoneauth/authenticator.h'
 --- libubuntuoneauth/authenticator.h	1970-01-01 00:00:00 +0000
 +++ libubuntuoneauth/authenticator.h	2016-04-22 09:51:32 +0000
@@ -0,0 +1,71 @@
++/*
++ * Copyright 2016 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of version 3 of the GNU Lesser General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ */
++#ifndef _U1_AUTHENTICATOR_H_
++#define _U1_AUTHENTICATOR_H_
++
++#include <Accounts/Manager>
++#include <SignOn/Identity>
++
++#include <QObject>
++
++#include "token.h"
++
++namespace Internal {
++
++class Authenticator : public QObject
++{
++    Q_OBJECT
++
++public:
++    enum ErrorCode {
++        NoError = 0,
++        AccountNotFound,
++        OneTimePasswordRequired,
++        InvalidPassword,
++        AuthenticationError, // will create more specific codes if needed
++    };
++
++    explicit Authenticator(QObject *parent = 0);
++
++    void authenticate(const QString &tokenName,
++                      const QString &userName = QString(),
++                      const QString &password = QString(),
++                      const QString &otp = QString());
++    void invalidateCredentials();
++    void setUiAllowed(bool allowed);
++
++Q_SIGNALS:
++    void authenticated(const UbuntuOne::Token& token);
++    void error(Internal::Authenticator::ErrorCode code);
++
++private:
++    quint32 credentialsId();
++
++private Q_SLOTS:
++    void handleError(const SignOn::Error &error);
++    void handleSessionData(const SignOn::SessionData &data);
++
++private:
++    Accounts::Manager *m_manager;
++    bool m_invalidate;
++    bool m_uiAllowed;
++};
++
++} /* namespace */
++
++#endif /* _U1_AUTHENTICATOR_H_ */
 === added file 'libubuntuoneauth/common.h'
 --- libubuntuoneauth/common.h	1970-01-01 00:00:00 +0000
 +++ libubuntuoneauth/common.h	2016-04-22 09:51:32 +0000
@@ -0,0 +1,30 @@
++/*
++ * Copyright 2016 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of version 3 of the GNU Lesser General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ */
++
++#ifndef U1_COMMON_H
++#define U1_COMMON_H
++
++#include <QtGlobal>
++
++#if defined(BUILDING_LIBU1AUTH)
++#  define U1_EXPORT Q_DECL_EXPORT
++#else
++#  define U1_EXPORT Q_DECL_IMPORT
++#endif
++
++#endif // U1_COMMON_H
 === modified file 'libubuntuoneauth/keyring.cpp'
 --- libubuntuoneauth/keyring.cpp	2015-03-12 13:13:46 +0000
 +++ libubuntuoneauth/keyring.cpp	2016-04-22 09:51:32 +0000
@@ -23,7 +23,9 @@
  #include <QDebug>
++#include "authenticator.h"
  #include "keyring.h"
++#include "../signon-plugin/ubuntuonedata.h"
  using namespace Accounts;
  using namespace SignOn;
@@ -46,58 +48,41 @@
      void Keyring::handleSessionData(const SignOn::SessionData &data)
+     {
--        QString secret = data.Secret();
--
--        if (secret.length() == 0) {
--            QString msg("Could not read credentials secret value.");
--            qCritical() << msg;
--            emit keyringError(msg);
--            return;
--        }
--
--        Token *token = Token::fromQuery(secret);
--        if (token->isValid()) {
--            emit tokenFound(*token);
++        PluginData reply = data.data<PluginData>();
++
++        Token token(reply.TokenKey(), reply.TokenSecret(),
++                    reply.ConsumerKey(), reply.ConsumerSecret());
++        if (token.isValid()) {
++            emit tokenFound(token);
          } else {
              QString message("Failed to convert result to Token object.");
              qCritical() << message;
              emit keyringError(message);
+         }
--        delete token;
+     }
      void Keyring::findToken()
+     {
--        QString _acctName("ubuntuone");
--        AccountIdList _ids = _manager.accountList(_acctName);
--        Identity *identity;
--        Account *account;
--
--        if (_ids.length() > 0) {
--            if (_ids.length() > 1) {
--                qDebug() << "findToken(): Found '" << _ids.length() << "' accounts. Using first.";
--            }
--            account = _manager.account(_ids[0]);
--            qDebug() << "findToken(): Using Ubuntu One account '" << _ids[0] << "'.";
--            identity = Identity::existingIdentity(account->credentialsId());
--            if (identity == NULL) {
--                qCritical() << "findToken(): disabled account " << _acctName << _ids[0];
--                emit tokenNotFound();
--                return;
--            }
--            AuthSession *session = identity->createSession(QStringLiteral("password"));
--            if (session != NULL) {
--                connect(session, SIGNAL(response(const SignOn::SessionData&)),
--                        this, SLOT(handleSessionData(const SignOn::SessionData&)));
--                connect(session, SIGNAL(error(const SignOn::Error&)),
--                        this, SLOT(handleError(const SignOn::Error&)));
--                session->process(SessionData(), QStringLiteral("password"));
--                return;
--            }
--            qCritical() << "Unable to create AuthSession.";
--        }
--        qDebug() << "findToken(): No accounts found matching " << _acctName;
--        emit tokenNotFound();
++        using namespace Internal;
++
++        auto authenticator = new Authenticator;
++        authenticator->setUiAllowed(true);
++
++        connect(authenticator, &Authenticator::authenticated,
++                [=](const Token &token) {
++            Q_EMIT tokenFound(token);
++            authenticator->deleteLater();
++        });
++        connect(authenticator, &Authenticator::error,
++                [=](Authenticator::ErrorCode code) {
++            if (code == Authenticator::AccountNotFound) {
++                Q_EMIT tokenNotFound();
++            } else {
++                Q_EMIT keyringError("Authentication failed");
++            }
++            authenticator->deleteLater();
++        });
++        authenticator->authenticate(Token::buildTokenName());
+     }
      void Keyring::handleCredentialsStored(const quint32 id)
@@ -167,11 +152,13 @@
      void Keyring::handleAccountRemoved()
+     {
++        /* DEPRECATED, UNUSED */
          emit tokenDeleted();
+     }
      void Keyring::handleDeleteError(const SignOn::Error &error)
+     {
++        /* DEPRECATED, UNUSED */
          // Just log the error here, as we don't want to infinite loop.
          qWarning() << "Error deleting token:" << error.message();
+     }
@@ -180,24 +167,11 @@
+     {
          QString _acctName("ubuntuone");
          AccountIdList _ids = _manager.accountList(_acctName);
--        if (_ids.length() > 0) {
--            if (_ids.length() > 1) {
--                qDebug() << "deleteToken(): Found '" << _ids.length() << "' accounts. Using first.";
--            }
--            Account *account = _manager.account(_ids[0]);
--            qDebug() << "deleteToken(): Using Ubuntu One account '" << _ids[0] << "'.";
--            Identity *identity = Identity::existingIdentity(account->credentialsId());
--            connect(account, SIGNAL(removed()),
--                    this, SLOT(handleAccountRemoved()));
--            connect(identity, SIGNAL(error(const SignOn::Error&)),
--                    this, SLOT(handleDeleteError(const SignOn::Error&)));
--
--            identity->remove();
--            account->remove();
--            account->sync();
--            return;
++        if (_ids.isEmpty()) {
++            emit tokenNotFound();
+         }
--        emit tokenNotFound();
++
++        /* We don't remove accounts anymore */
+     }
  } // namespace UbuntuOne
 === modified file 'libubuntuoneauth/libubuntuoneauth.symbols'
 --- libubuntuoneauth/libubuntuoneauth.symbols	2013-07-22 15:54:02 +0000
 +++ libubuntuoneauth/libubuntuoneauth.symbols	2016-04-22 09:51:32 +0000
@@ -1,7 +1,8 @@
+ {
    global:
      extern "C++" {
--      *UbuntuOne::*;
++      UbuntuOne::*;
++      *for?UbuntuOne::*;
      };
      qt_*;
    local:
 === modified file 'libubuntuoneauth/ssoservice.cpp'
 --- libubuntuoneauth/ssoservice.cpp	2015-01-15 21:12:35 +0000
 +++ libubuntuoneauth/ssoservice.cpp	2016-04-22 09:51:32 +0000
@@ -17,11 +17,13 @@
   */
  #include <sys/utsname.h>
++#include <QCoreApplication>
  #include <QDebug>
  #include <QtGlobal>
  #include <QNetworkRequest>
  #include <QUrlQuery>
++#include "authenticator.h"
  #include "logging.h"
  #include "ssoservice.h"
  #include "requests.h"
@@ -64,9 +66,6 @@
                  this, SLOT(accountPinged(QNetworkReply*)));
          connect(&(_provider),
--                SIGNAL(OAuthTokenGranted(const OAuthTokenResponse&)),
--                this, SLOT(tokenReceived(const OAuthTokenResponse&)));
--        connect(&(_provider),
                  SIGNAL(AccountGranted(const AccountResponse&)),
                  this, SLOT(accountRegistered(const AccountResponse&)));
          connect(&(_provider),
@@ -116,12 +115,40 @@
      void SSOService::login(QString email, QString password, QString twoFactorCode)
+     {
--        OAuthTokenRequest request(getAuthBaseUrl(),
--                                  email, password,
--                                  Token::buildTokenName(), twoFactorCode);
--        _tempEmail = email;
--
--        _provider.GetOAuthToken(request);
++        using namespace Internal;
++
++        auto authenticator = new Authenticator;
++        /* This is a hack: there should be a public API to decide whether UI
++         * interactions are allowed.
++         * For the time being, allow them everywhere except from the account
++         * plugin (which has its own UI to request all the needed info).
++         */
++        if (QCoreApplication::applicationName() == "online-accounts-ui") {
++            qDebug() << "In account plugin: disabling UI interactions";
++            authenticator->setUiAllowed(false);
++        } else {
++            authenticator->setUiAllowed(true);
++        }
++
++        connect(authenticator, &Authenticator::authenticated,
++                [=](const Token &token) {
++            _keyring->storeToken(token, email);
++            authenticator->deleteLater();
++        });
++        connect(authenticator, &Authenticator::error,
++                [=](Authenticator::ErrorCode code) {
++            if (code == Authenticator::AccountNotFound) {
++                Q_EMIT credentialsNotFound();
++            } else if (code == Authenticator::OneTimePasswordRequired) {
++                Q_EMIT twoFactorAuthRequired();
++            } else {
++                /* TODO: deliver a proper error response. */
++                Q_EMIT requestFailed(ErrorResponse());
++            }
++            authenticator->deleteLater();
++        });
++        authenticator->authenticate(Token::buildTokenName(),
++                                    email, password, twoFactorCode);
+     }
      void SSOService::handleTwoFactorAuthRequired()
@@ -147,10 +174,14 @@
      void SSOService::tokenReceived(const OAuthTokenResponse& token)
+     {
--        Token realToken = Token(token.token_key(), token.token_secret(),
--                                token.consumer_key(), token.consumer_secret(),
--                                token.date_created(), token.date_updated());
--        _keyring->storeToken(realToken, _tempEmail);
++        // Not used anymore
++
++        /* The following two lines are needed to ensure that the
++         * OAuthTokenRequest::~OAuthTokenRequest() symbol is exported by the
++         * library.
++         */
++        OAuthTokenRequest request;
++        qDebug() << request.serialize();
+     }
      void SSOService::accountPinged(QNetworkReply*)
 === modified file 'libubuntuoneauth/token.cpp'
 --- libubuntuoneauth/token.cpp	2015-12-07 21:17:00 +0000
 +++ libubuntuoneauth/token.cpp	2016-04-22 09:51:32 +0000
@@ -46,10 +46,18 @@
                   QString consumer_key, QString consumer_secret)
+     {
          _tokenHash[TOKEN_NAME_KEY] = buildTokenName();
--        _tokenHash[TOKEN_TOKEN_KEY] = token_key;
--        _tokenHash[TOKEN_TOKEN_SEC_KEY] = token_secret;
--        _tokenHash[TOKEN_CONSUMER_KEY] = consumer_key;
--        _tokenHash[TOKEN_CONSUMER_SEC_KEY] = consumer_secret;
++        if (!token_key.isEmpty()) {
++            _tokenHash[TOKEN_TOKEN_KEY] = token_key;
++        }
++        if (!token_secret.isEmpty()) {
++            _tokenHash[TOKEN_TOKEN_SEC_KEY] = token_secret;
++        }
++        if (!consumer_key.isEmpty()) {
++            _tokenHash[TOKEN_CONSUMER_KEY] = consumer_key;
++        }
++        if (!consumer_secret.isEmpty()) {
++            _tokenHash[TOKEN_CONSUMER_SEC_KEY] = consumer_secret;
++        }
+     }
      Token::Token(QString token_key, QString token_secret,
@@ -93,9 +101,19 @@
+     }
      /**
++     * \fn QString Token::name()
++     *
++     * Returns the token name, or empty string if not set.
++     */
++    QString Token::name() const
++    {
++        return _tokenHash.value(TOKEN_NAME_KEY, "");
++    }
++
++    /**
       * \fn QString Token::consumerKey()
+      *
--     * Retruns a consumer key for this token, or empty string if consumer key is not set.
++     * Returns a consumer key for this token, or empty string if consumer key is not set.
       */
      QString Token::consumerKey() const
+     {
@@ -103,6 +121,36 @@
+     }
      /**
++     * \fn QString Token::consumerSecret()
++     *
++     * Returns a consumer secret for this token, or empty string if not set.
++     */
++    QString Token::consumerSecret() const
++    {
++        return _tokenHash.value(TOKEN_CONSUMER_SEC_KEY, "");
++    }
++
++    /**
++     * \fn QString Token::tokenKey()
++     *
++     * Returns a token key for this token, or empty string if token key is not set.
++     */
++    QString Token::tokenKey() const
++    {
++        return _tokenHash.value(TOKEN_TOKEN_KEY, "");
++    }
++
++    /**
++     * \fn QString Token::tokenSecret()
++     *
++     * Returns a token secret for this token, or empty string if not set.
++     */
++    QString Token::tokenSecret() const
++    {
++        return _tokenHash.value(TOKEN_TOKEN_SEC_KEY, "");
++    }
++
++    /**
       * \fn bool Token::isValid()
+      *
       * Check that the token is valid.
@@ -291,6 +339,7 @@
          QStringList params = query.split("&");
          for (int i = 0; i < params.size(); ++i) {
              QStringList pair = params.at(i).split("=");
++            if (pair.count() < 2) continue;
              if (pair.at(0) == TOKEN_NAME_KEY) {
                  // TODO: Need to figure out how to actually use the
                  // QUrl::fromPercentEncoding at this point in the code.
 === modified file 'libubuntuoneauth/token.h'
 --- libubuntuoneauth/token.h	2015-12-07 21:17:00 +0000
 +++ libubuntuoneauth/token.h	2016-04-22 09:51:32 +0000
@@ -55,7 +55,11 @@
          static QString dateStringToISO(const QString date);
++        QString name() const;
          QString consumerKey() const;
++        QString consumerSecret() const;
++        QString tokenKey() const;
++        QString tokenSecret() const;
      private:
          QHash<QString, QString> _tokenHash;
 === modified file 'signon-plugin/CMakeLists.txt'
 --- signon-plugin/CMakeLists.txt	2014-07-24 13:30:19 +0000
 +++ signon-plugin/CMakeLists.txt	2016-04-22 09:51:32 +0000
@@ -1,3 +1,8 @@
++project(SignonPlugin)
++
++set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-exceptions -fno-rtti")
++set(CMAKE_MODULE_LINKER_FLAGS "-Wl,--no-undefined")
++
  # Qt5 bits
  SET (CMAKE_INCLUDE_CURRENT_DIR ON)
  SET (CMAKE_AUTOMOC ON)
@@ -24,13 +29,15 @@
    -L${CMAKE_BINARY_DIR}/libubuntuoneauth
    ${AUTH_LIB_NAME}
    ${SIGNON_PLUGIN_LDFLAGS}
++  ${SIGNON_LDFLAGS}
++  ${SIGNON_LDFLAGS_OTHER}
+ )
--SET (SIGNON_PLUGIN_INSTALL_DIR lib/signon)
++SET (SIGNON_PLUGIN_INSTALL_DIR ${CMAKE_INSTALL_LIBDIR}/signon)
  INSTALL (
    TARGETS ${SIGNON_PLUGIN_NAME}
    LIBRARY DESTINATION ${SIGNON_PLUGIN_INSTALL_DIR}
+ )
--#add_subdirectory(tests)
++add_subdirectory(tests)
 === added file 'signon-plugin/i18n.cpp'
 --- signon-plugin/i18n.cpp	1970-01-01 00:00:00 +0000
 +++ signon-plugin/i18n.cpp	2016-04-22 09:51:32 +0000
@@ -0,0 +1,37 @@
++/*
++ * Copyright 2016 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of version 3 of the GNU Lesser General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ */
++
++#define NO_TR_OVERRIDE
++#include "i18n.h"
++
++#include <libintl.h>
++
++namespace UbuntuOne {
++
++void initTr(const char *domain, const char *localeDir)
++{
++    bindtextdomain(domain, localeDir);
++    textdomain(domain);
++}
++
++QString _(const char *text, const char *domain)
++{
++    return QString::fromUtf8(dgettext(domain, text));
++}
++
++} // namespace
 === added file 'signon-plugin/i18n.h'
 --- signon-plugin/i18n.h	1970-01-01 00:00:00 +0000
 +++ signon-plugin/i18n.h	2016-04-22 09:51:32 +0000
@@ -0,0 +1,31 @@
++/*
++ * Copyright 2016 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of version 3 of the GNU Lesser General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ */
++
++#ifndef UBUNTUONE_I18N_H
++#define UBUNTUONE_I18N_H
++
++#include <QString>
++
++namespace UbuntuOne {
++
++void initTr(const char *domain, const char *localeDir);
++QString _(const char *text, const char *domain = 0);
++
++} // namespace
++
++#endif // UBUNTUONE_I18N_H
 === added directory 'signon-plugin/tests'
 === added file 'signon-plugin/tests/CMakeLists.txt'
 --- signon-plugin/tests/CMakeLists.txt	1970-01-01 00:00:00 +0000
 +++ signon-plugin/tests/CMakeLists.txt	2016-04-22 09:51:32 +0000
@@ -0,0 +1,52 @@
++# The thing we're building in here
++SET (TESTS_TARGET test-ubuntuone-plugin)
++
++# Qt5 bits
++SET (CMAKE_INCLUDE_CURRENT_DIR ON)
++SET (CMAKE_AUTOMOC ON)
++find_package(Qt5Core REQUIRED)
++
++pkg_check_modules(SIGNON REQUIRED signon-plugins)
++add_definitions(
++    ${SIGNON_CFLAGS}
++    ${SIGNON_CFLAGS_OTHER}
++    "-DPLUGIN_PATH=\"${CMAKE_CURRENT_BINARY_DIR}/../libubuntuoneplugin.so\""
++)
++
++# Workaround for cmake not adding these to automoc properly
++SET (CMAKE_AUTOMOC_MOC_OPTIONS "${SIGNON_CFLAGS} ${CMAKE_AUTOMOC_MOC_OPTIONS}")
++
++# The sources for building the tests
++SET (SOURCES
++    ${SignonPlugin_SOURCE_DIR}/i18n.cpp
++    ${SignonPlugin_SOURCE_DIR}/ubuntuone-plugin.cpp
++    tst_plugin.cpp
++)
++
++include_directories(
++    ${SignonPlugin_SOURCE_DIR}
++)
++
++add_executable (${TESTS_TARGET} ${SOURCES})
++qt5_use_modules (${TESTS_TARGET} Test Network)
++target_link_libraries (${TESTS_TARGET}
++    -Wl,-rpath,${CMAKE_BINARY_DIR}/libubuntuoneauth
++    -L${CMAKE_BINARY_DIR}/libubuntuoneauth
++    ${AUTH_LIB_NAME}
++    ${SIGNON_LDFLAGS}
++)
++
++add_custom_target(ubuntuone-plugin-tests
++    COMMAND ${CMAKE_CURRENT_BINARY_DIR}/${TESTS_TARGET}
++    DEPENDS ${TESTS_TARGET}
++)
++
++add_custom_target(ubuntuone-plugin-tests-valgrind
++    COMMAND valgrind --tool=memcheck ${CMAKE_CURRENT_BINARY_DIR}/${TESTS_TARGET}
++    DEPENDS ${TESTS_TARGET}
++)
++
++add_custom_target(ubuntuone-plugin-tests-valgrind-leaks
++    COMMAND valgrind --tool=memcheck --track-origins=yes --num-callers=40 --leak-resolution=high --leak-check=full ${CMAKE_CURRENT_BINARY_DIR}/${TESTS_TARGET}
++    DEPENDS ${TESTS_TARGET}
++)
 === added file 'signon-plugin/tests/tst_plugin.cpp'
 --- signon-plugin/tests/tst_plugin.cpp	1970-01-01 00:00:00 +0000
 +++ signon-plugin/tests/tst_plugin.cpp	2016-04-22 09:51:32 +0000
@@ -0,0 +1,1840 @@
++/*
++ * Copyright 2016 Canonical Ltd.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of version 3 of the GNU Lesser General Public
++ * License as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the
++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
++ * Boston, MA 02110-1301, USA.
++ */
++
++#include <QJsonDocument>
++#include <QJsonObject>
++#include <QNetworkAccessManager>
++#include <QNetworkReply>
++#include <QPointer>
++#include <QRegExp>
++#include <QSignalSpy>
++#include <QTimer>
++#include <QtTest/QtTest>
++
++#include <SignOn/uisessiondata_priv.h>
++
++#include "ubuntuone-plugin.h"
++
++using namespace SignOn;
++
++namespace QTest {
++template<>
++char *toString(const QVariantMap &map)
++{
++    QJsonDocument doc(QJsonObject::fromVariantMap(map));
++    return qstrdup(doc.toJson(QJsonDocument::Compact).data());
++}
++} // QTest namespace
++
++class TestNetworkReply: public QNetworkReply
++{
++    Q_OBJECT
++
++public:
++    TestNetworkReply(QObject *parent = 0):
++        QNetworkReply(parent),
++        m_offset(0)
++    {}
++
++    void setError(NetworkError errorCode, const QString &errorString,
++                  int delay = -1) {
++        QNetworkReply::setError(errorCode, errorString);
++        if (delay > 0) {
++            QTimer::singleShot(delay, this, SLOT(fail()));
++        }
++    }
++
++    void setRawHeader(const QByteArray &headerName, const QByteArray &value) {
++        QNetworkReply::setRawHeader(headerName, value);
++    }
++
++    void setContentType(const QString &contentType) {
++        setRawHeader("Content-Type", contentType.toUtf8());
++    }
++
++    void setStatusCode(int statusCode) {
++        setAttribute(QNetworkRequest::HttpStatusCodeAttribute, statusCode);
++    }
++
++    void setContent(const QByteArray &content) {
++        m_content = content;
++        m_offset = 0;
++
++        open(ReadOnly | Unbuffered);
++        setHeader(QNetworkRequest::ContentLengthHeader, QVariant(content.size()));
++    }
++
++    void start() {
++        QTimer::singleShot(0, this, SIGNAL(readyRead()));
++        QTimer::singleShot(10, this, SLOT(finish()));
++    }
++
++public Q_SLOTS:
++    void finish() { setFinished(true); Q_EMIT finished(); }
++    void fail() { Q_EMIT error(error()); }
++
++protected:
++    void abort() Q_DECL_OVERRIDE {}
++    qint64 bytesAvailable() const Q_DECL_OVERRIDE {
++        return m_content.size() - m_offset + QIODevice::bytesAvailable();
++    }
++
++    bool isSequential() const Q_DECL_OVERRIDE { return true; }
++    qint64 readData(char *data, qint64 maxSize) Q_DECL_OVERRIDE {
++        if (m_offset >= m_content.size())
++            return -1;
++        qint64 number = qMin(maxSize, m_content.size() - m_offset);
++        memcpy(data, m_content.constData() + m_offset, number);
++        m_offset += number;
++        return number;
++    }
++
++private:
++    QByteArray m_content;
++    qint64 m_offset;
++};
++
++class TestNetworkAccessManager: public QNetworkAccessManager
++{
++    Q_OBJECT
++
++public:
++    TestNetworkAccessManager(): QNetworkAccessManager() {}
++
++    void setNextReply(TestNetworkReply *reply) { m_nextReply = reply; }
++
++protected:
++    QNetworkReply *createRequest(Operation op, const QNetworkRequest &request,
++                                 QIODevice *outgoingData = 0) Q_DECL_OVERRIDE {
++        Q_UNUSED(op);
++        m_lastRequest = request;
++        m_lastRequestData = outgoingData->readAll();
++        m_nextReply->start();
++        return m_nextReply;
++    }
++
++public:
++    QPointer<TestNetworkReply> m_nextReply;
++    QNetworkRequest m_lastRequest;
++    QByteArray m_lastRequestData;
++};
++
++class PluginTest: public QObject
++{
++    Q_OBJECT
++
++private Q_SLOTS:
++    void initTestCase();
++    void cleanupTestCase();
++
++    void testLoading();
++    void testInitialization();
++    void testPluginType();
++    void testPluginMechanisms();
++    void testStoredToken_data();
++    void testStoredToken();
++    void testUserInteraction();
++    void testTokenCreation_data();
++    void testTokenCreation();
++
++    void init();
++    void cleanup();
++
++private:
++    UbuntuOne::SignOnPlugin *m_testPlugin;
++};
++
++void PluginTest::initTestCase()
++{
++    qRegisterMetaType<SignOn::SessionData>();
++    qRegisterMetaType<SignOn::UiSessionData>();
++    qRegisterMetaType<SignOn::Error>();
++}
++
++void PluginTest::cleanupTestCase()
++{
++}
++
++// prepare each test by creating new plugin
++void PluginTest::init()
++{
++    m_testPlugin = new UbuntuOne::SignOnPlugin();
++}
++
++// finish each test by deleting plugin
++void PluginTest::cleanup()
++{
++    delete m_testPlugin;
++    m_testPlugin = 0;
++}
++
++void PluginTest::testLoading()
++{
++    QLibrary module(PLUGIN_PATH);
++    if (!module.load()) {
++        qDebug() << "Failed to load module:" << module.errorString();
++    }
++
++    QVERIFY(module.isLoaded());
++    typedef AuthPluginInterface *(*AuthPluginInstanceF)();
++    auto instance =
++        (AuthPluginInstanceF)module.resolve("auth_plugin_instance");
++    QVERIFY(instance);
++
++    auto plugin = qobject_cast<AuthPluginInterface *>(instance());
++    QVERIFY(plugin);
++}
++
++void PluginTest::testInitialization()
++{
++    QVERIFY(m_testPlugin);
++}
++
++void PluginTest::testPluginType()
++{
++    QCOMPARE(m_testPlugin->type(), QString("ubuntuone"));
++}
++
++void PluginTest::testPluginMechanisms()
++{
++    QStringList mechs = m_testPlugin->mechanisms();
++    QCOMPARE(mechs.count(), 1);
++    QCOMPARE(mechs[0], QString("ubuntuone"));
++}
++
++void PluginTest::testStoredToken_data()
++{
++    QTest::addColumn<QVariantMap>("sessionData");
++    QTest::addColumn<int>("networkError");
++    QTest::addColumn<int>("httpStatus");
++    QTest::addColumn<QString>("replyContents");
++    QTest::addColumn<int>("expectedErrorCode");
++    QTest::addColumn<bool>("uiExpected");
++    QTest::addColumn<QVariantMap>("expectedResponse");
++    QTest::addColumn<QVariantMap>("expectedStore");
++
++    UbuntuOne::PluginData sessionData;
++    UbuntuOne::PluginData response;
++    UbuntuOne::PluginData stored;
++
++    QTest::newRow("empty") <<
++        sessionData.toMap() <<
++        -1 << -1 << QString() <<
++        int(Error::MissingData) <<
++        false << QVariantMap() << QVariantMap();
++
++    sessionData.setTokenName("helloworld");
++    sessionData.setSecret("consumer_key=aAa&consumer_secret=bBb&name=helloworld&token=cCc&token_secret=dDd");
++    response.setConsumerKey("aAa");
++    response.setConsumerSecret("bBb");
++    response.setTokenKey("cCc");
++    response.setTokenSecret("dDd");
++    QVariantMap storedData;
++    storedData[sessionData.TokenName()] = response.toMap();
++    stored.setStoredData(storedData);
++    response.setTokenName(sessionData.TokenName());
++    QTest::newRow("in secret, valid") <<
++        sessionData.toMap() <<
++        -1 <<
++        200 << QString("{\n"
++                       "  \"is_valid\": true,\n"
++                       "  \"identifier\": \"64we8bn\",\n"
++                       "  \"account_verified\": true\n"
++                       "}") <<
++        -1 <<
++        false << response.toMap() << stored.toMap();
++    sessionData = UbuntuOne::PluginData();
++    response = UbuntuOne::PluginData();
++    stored = UbuntuOne::PluginData();
++    storedData.clear();
++
++    sessionData.setTokenName("helloworld");
++    sessionData.setSecret("consumer_key=aAa&consumer_secret=bBb&name=helloworld&token=cCc&token_secret=dDd");
++    response.setConsumerKey("aAa");
++    response.setConsumerSecret("bBb");
++    response.setTokenKey("cCc");
++    response.setTokenSecret("dDd");
++    storedData[sessionData.TokenName()] = response.toMap();
++    stored.setStoredData(storedData);
++    response = UbuntuOne::PluginData();
++    QTest::newRow("in secret, invalid") <<
++        sessionData.toMap() <<
++        -1 <<
++        200 << QString("{\n"
++                       "  \"is_valid\": false,\n"
++                       "  \"identifier\": \"64we8bn\",\n"
++                       "  \"account_verified\": true\n"
++                       "}") <<
++        -1 <<
++        true << response.toMap() << stored.toMap();
++    sessionData = UbuntuOne::PluginData();
++    response = UbuntuOne::PluginData();
++    stored = UbuntuOne::PluginData();
++    storedData.clear();
++
++    sessionData.setTokenName("helloworld");
++    sessionData.setSecret("consumer_key=aAa&consumer_secret=bBb&name=helloworld&token=cCc&token_secret=dDd");
++    response.setConsumerKey("aAa");
++    response.setConsumerSecret("bBb");
++    response.setTokenKey("cCc");
++    response.setTokenSecret("dDd");
++    storedData[sessionData.TokenName()] = response.toMap();
++    stored.setStoredData(storedData);
++    response = UbuntuOne::PluginData();
++    QTest::newRow("in secret, network error") <<
++        sessionData.toMap() <<
++        int(QNetworkReply::SslHandshakeFailedError) <<
++        -1 << QString() <<
++        int(SignOn::Error::Ssl) <<
++        true << response.toMap() << stored.toMap();
++    sessionData = UbuntuOne::PluginData();
++    response = UbuntuOne::PluginData();
++    stored = UbuntuOne::PluginData();
++    storedData.clear();
++}
++
++void PluginTest::testStoredToken()
++{
++    QFETCH(QVariantMap, sessionData);
++    QFETCH(int, httpStatus);
++    QFETCH(int, networkError);
++    QFETCH(QString, replyContents);
++    QFETCH(int, expectedErrorCode);
++    QFETCH(bool, uiExpected);
++    QFETCH(QVariantMap, expectedResponse);
++    QFETCH(QVariantMap, expectedStore);
++
++    QSignalSpy result(m_testPlugin, SIGNAL(result(const SignOn::SessionData&)));
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++    QSignalSpy store(m_testPlugin, SIGNAL(store(const SignOn::SessionData&)));
++
++    /* Prepare network reply */
++    TestNetworkAccessManager *nam = new TestNetworkAccessManager;
++    m_testPlugin->m_networkAccessManager = nam;
++    TestNetworkReply *reply = new TestNetworkReply(this);
++    if (httpStatus > 0) {
++        reply->setStatusCode(httpStatus);
++    } else {
++        reply->setError(QNetworkReply::NetworkError(networkError),
++                        "Network error");
++    }
++    reply->setContent(replyContents.toUtf8());
++    nam->setNextReply(reply);
++
++
++    m_testPlugin->process(sessionData, "ubuntuone");
++    if (expectedErrorCode < 0) {
++        QCOMPARE(error.count(), 0);
++        QTRY_COMPARE(userActionRequired.count(), uiExpected ? 1 : 0);
++        if (!expectedResponse.isEmpty()) {
++            QTRY_COMPARE(result.count(), 1);
++            QVariantMap resp = result.at(0).at(0).value<SessionData>().toMap();
++            QCOMPARE(resp, expectedResponse);
++        } else {
++            QCOMPARE(result.count(), 0);
++        }
++
++        if (!expectedStore.isEmpty()) {
++            QCOMPARE(store.count(), 1);
++            QVariantMap storedData =
++                store.at(0).at(0).value<SessionData>().toMap();
++            QCOMPARE(storedData, expectedStore);
++        } else {
++            QCOMPARE(store.count(), 0);
++        }
++    } else {
++        QTRY_COMPARE(error.count(), 1);
++        Error err = error.at(0).at(0).value<Error>();
++        QCOMPARE(err.type(), expectedErrorCode);
++    }
++}
++
++void PluginTest::testUserInteraction()
++{
++    QSignalSpy result(m_testPlugin, SIGNAL(result(const SignOn::SessionData&)));
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++    QSignalSpy store(m_testPlugin, SIGNAL(store(const SignOn::SessionData&)));
++
++    TestNetworkAccessManager *nam = new TestNetworkAccessManager;
++    m_testPlugin->m_networkAccessManager = nam;
++
++    UbuntuOne::PluginData sessionData;
++    sessionData.setTokenName("helloworld");
++    sessionData.setUserName("tom@example.com");
++    m_testPlugin->process(sessionData, "ubuntuone");
++
++    QTRY_COMPARE(userActionRequired.count(), 1);
++    QVariantMap data =
++        userActionRequired.at(0).at(0).value<UiSessionData>().toMap();
++    QVariantMap expectedUserInteraction;
++    expectedUserInteraction[SSOUI_KEY_QUERYUSERNAME] = true;
++    expectedUserInteraction[SSOUI_KEY_USERNAME] = "tom@example.com";
++    expectedUserInteraction[SSOUI_KEY_QUERYPASSWORD] = true;
++    QCOMPARE(data, expectedUserInteraction);
++    userActionRequired.clear();
++
++    /* Prepare network reply */
++    TestNetworkReply *reply = new TestNetworkReply(this);
++    reply->setStatusCode(401);
++    reply->setContent("{\n"
++                      "  \"code\": \"TWOFACTOR_REQUIRED\",\n"
++                      "  \"message\": \"This account requires 2-factor authentication.\",\n"
++                      "  \"extra\": {}\n"
++                      "}");
++    nam->setNextReply(reply);
++
++    QVariantMap userReply;
++    userReply[SSOUI_KEY_USERNAME] = "tom@example.com";
++    userReply[SSOUI_KEY_PASSWORD] = "s3cr3t";
++    m_testPlugin->userActionFinished(userReply);
++
++    /* Again the plugin should request user interaction, as OTP is required */
++    QTRY_COMPARE(userActionRequired.count(), 1);
++    data = userActionRequired.at(0).at(0).value<UiSessionData>().toMap();
++    expectedUserInteraction.clear();
++    expectedUserInteraction[SSOUI_KEY_USERNAME] = "tom@example.com";
++    expectedUserInteraction[SSOUI_KEY_PASSWORD] = "s3cr3t";
++    expectedUserInteraction[SSOUI_KEY_QUERY2FA] = true;
++    /* We want the map to contain the SSOUI_KEY_2FA_TEXT, but we don't care
++     * about the value */
++    QVERIFY(data.contains(SSOUI_KEY_2FA_TEXT));
++    data.remove(SSOUI_KEY_2FA_TEXT);
++    QCOMPARE(data, expectedUserInteraction);
++}
++
++void PluginTest::testTokenCreation_data()
++{
++    QTest::addColumn<QVariantMap>("sessionData");
++    QTest::addColumn<int>("networkError");
++    QTest::addColumn<int>("httpStatus");
++    QTest::addColumn<QString>("replyContents");
++    QTest::addColumn<int>("expectedErrorCode");
++    QTest::addColumn<QVariantMap>("expectedResponse");
++    QTest::addColumn<QVariantMap>("expectedStore");
++    QTest::addColumn<QVariantMap>("expectedUserInteraction");
++
++    UbuntuOne::PluginData sessionData;
++    UbuntuOne::PluginData response;
++    UbuntuOne::PluginData stored;
++    QVariantMap userInteraction;
++
++    // Successful creation, with password only
++    sessionData.setTokenName("helloworld");
++    sessionData.setUserName("jim@example.com");
++    sessionData.setSecret("s3cr3t");
++    response.setConsumerKey("aAa");
++    response.setConsumerSecret("bBb");
++    response.setTokenKey("cCc");
++    response.setTokenSecret("dDd");
++    QVariantMap storedData;
++    storedData[sessionData.TokenName()] = response.toMap();
++    stored.setStoredData(storedData);
++    response.setTokenName(sessionData.TokenName());
++    QTest::newRow("no OTP needed, 201") <<
++        sessionData.toMap() <<
++        -1 <<
++        201 << QString("{\n"
++                       "  \"href\": \"https://login.ubuntu.com/api/v2/tokens/oauth/the-key\",\n"
++                       "  \"token_key\": \"cCc\",\n"
++                       "  \"token_secret\": \"dDd\",\n"
++                       "  \"token_name\": \"helloworld\",\n"
++                       "  \"consumer_key\": \"aAa\",\n"
++                       "  \"consumer_secret\": \"bBb\",\n"
++                       "  \"date_created\": \"2013-01-11 12:43:23\",\n"
++                       "  \"date_updated\": \"2013-01-11 12:43:23\"\n"
++                       "}") <<
++        -1 <<
++        response.toMap() << stored.toMap() << userInteraction;
++    sessionData = UbuntuOne::PluginData();
++    response = UbuntuOne::PluginData();
++    stored = UbuntuOne::PluginData();
++    storedData.clear();
++
++    // Wrong password
++    sessionData.setTokenName("helloworld");
++    sessionData.setUserName("jim@example.com");
++    sessionData.setSecret("s3cr3t");
++    userInteraction[SSOUI_KEY_QUERYUSERNAME] = true;
++    userInteraction[SSOUI_KEY_USERNAME] = "jim@example.com";
++    userInteraction[SSOUI_KEY_QUERYPASSWORD] = true;
++    QTest::newRow("wrong password") <<
++        sessionData.toMap() <<
++        -1 <<
++        401 << QString("{\n"
++                       "  \"code\": \"INVALID_CREDENTIALS\",\n"
++                       "  \"message\": \"Wrong password!\",\n"
++                       "  \"extra\": {}\n"
++                       "}") <<
++        -1 <<
++        response.toMap() << stored.toMap() << userInteraction;
++    sessionData = UbuntuOne::PluginData();
++    userInteraction.clear();
++
++    // Network error while creating token
++    sessionData.setTokenName("helloworld");
++    sessionData.setUserName("jim@example.com");
++    sessionData.setSecret("s3cr3t");
++    QTest::newRow("network error") <<
++        sessionData.toMap() <<
++        int(QNetworkReply::SslHandshakeFailedError) <<
++        -1 << QString() <<
++        int(SignOn::Error::Ssl) <<
++        response.toMap() << stored.toMap() << userInteraction;
++    sessionData = UbuntuOne::PluginData();
++
++    // Account needs reset
++    sessionData.setTokenName("helloworld");
++    sessionData.setUserName("jim@example.com");
++    sessionData.setSecret("s3cr3t");
++    userInteraction[SSOUI_KEY_OPENURL] = "http://www.example.com/reset";
++    QTest::newRow("reset needed") <<
++        sessionData.toMap() <<
++        -1 <<
++        403 << QString("{\n"
++                       "  \"code\": \"PASSWORD_POLICY_ERROR\",\n"
++                       "  \"message\": \"Password too short\",\n"
++                       "  \"extra\": {\n"
++                       "    \"location\": \"http://www.example.com/reset\"\n"
++                       "  }\n"
++                       "}") <<
++        -1 <<
++        response.toMap() << stored.toMap() << userInteraction;
++    sessionData = UbuntuOne::PluginData();
++    userInteraction.clear();
++}
++
++void PluginTest::testTokenCreation()
++{
++    QFETCH(QVariantMap, sessionData);
++    QFETCH(int, httpStatus);
++    QFETCH(int, networkError);
++    QFETCH(QString, replyContents);
++    QFETCH(int, expectedErrorCode);
++    QFETCH(QVariantMap, expectedResponse);
++    QFETCH(QVariantMap, expectedStore);
++    QFETCH(QVariantMap, expectedUserInteraction);
++
++    QSignalSpy result(m_testPlugin, SIGNAL(result(const SignOn::SessionData&)));
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++    QSignalSpy store(m_testPlugin, SIGNAL(store(const SignOn::SessionData&)));
++
++    /* Prepare network reply */
++    TestNetworkAccessManager *nam = new TestNetworkAccessManager;
++    m_testPlugin->m_networkAccessManager = nam;
++    TestNetworkReply *reply = new TestNetworkReply(this);
++    if (httpStatus > 0) {
++        reply->setStatusCode(httpStatus);
++    } else {
++        reply->setError(QNetworkReply::NetworkError(networkError),
++                        "Network error");
++    }
++    reply->setContent(replyContents.toUtf8());
++    nam->setNextReply(reply);
++
++
++    m_testPlugin->process(sessionData, "ubuntuone");
++    if (expectedErrorCode < 0) {
++        if (!expectedUserInteraction.isEmpty()) {
++            QTRY_COMPARE(userActionRequired.count(), 1);
++            QVariantMap data =
++                userActionRequired.at(0).at(0).value<UiSessionData>().toMap();
++            QCOMPARE(data, expectedUserInteraction);
++        } else {
++            QCOMPARE(userActionRequired.count(), 0);
++        }
++
++        if (!expectedResponse.isEmpty()) {
++            QTRY_COMPARE(result.count(), 1);
++            QVariantMap resp = result.at(0).at(0).value<SessionData>().toMap();
++            QCOMPARE(resp, expectedResponse);
++        } else {
++            QCOMPARE(result.count(), 0);
++        }
++
++        if (!expectedStore.isEmpty()) {
++            QCOMPARE(store.count(), 1);
++            QVariantMap storedData =
++                store.at(0).at(0).value<SessionData>().toMap();
++            QCOMPARE(storedData, expectedStore);
++        } else {
++            QCOMPARE(store.count(), 0);
++        }
++
++        QCOMPARE(error.count(), 0);
++    } else {
++        QTRY_COMPARE(error.count(), 1);
++        Error err = error.at(0).at(0).value<Error>();
++        QCOMPARE(err.type(), expectedErrorCode);
++    }
++}
++
++#if 0
++void PluginTest::testPluginHmacSha1Process_data()
++{
++    QTest::addColumn<QString>("mechanism");
++    QTest::addColumn<QVariantMap>("sessionData");
++    QTest::addColumn<int>("replyStatusCode");
++    QTest::addColumn<QString>("replyContentType");
++    QTest::addColumn<QString>("replyContents");
++    QTest::addColumn<int>("errorCode");
++    QTest::addColumn<bool>("uiExpected");
++    QTest::addColumn<QVariantMap>("response");
++    QTest::addColumn<QVariantMap>("stored");
++
++    OAuth1PluginData hmacSha1Data;
++    hmacSha1Data.setRequestEndpoint("https://localhost/oauth/request_token");
++    hmacSha1Data.setTokenEndpoint("https://localhost/oauth/access_token");
++    hmacSha1Data.setAuthorizationEndpoint("https://localhost/oauth/authorize");
++    hmacSha1Data.setCallback("https://localhost/connect/login_success.html");
++    hmacSha1Data.setConsumerKey("104660106251471");
++    hmacSha1Data.setConsumerSecret("fa28f40b5a1f8c1d5628963d880636fbkjkjkj");
++    hmacSha1Data.setRealm("MyHost");
++
++    QTest::newRow("invalid mechanism") <<
++        "ANONYMOUS" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "" << "" <<
++        int(Error::MechanismNotAvailable) <<
++        false << QVariantMap() << QVariantMap();
++
++    // Try without params
++    hmacSha1Data.setAuthorizationEndpoint(QString());
++    QTest::newRow("without params, HMAC-SHA1") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "" << "" <<
++        int(Error::MissingData) <<
++        false << QVariantMap() << QVariantMap();
++
++    // Check for signon UI request for HMAC-SHA1
++    hmacSha1Data.setAuthorizationEndpoint("https://localhost/oauth/authorize");
++    QTest::newRow("ui-request, HMAC-SHA1") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "text/plain" <<
++        "oauth_token=HiThere&oauth_token_secret=BigSecret" <<
++        -1 <<
++        true << QVariantMap() << QVariantMap();
++
++    QTest::newRow("ui-request, PLAINTEXT") <<
++        "PLAINTEXT" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "text/plain" <<
++        "oauth_token=HiThere&oauth_token_secret=BigSecret" <<
++        -1 <<
++        true << QVariantMap() << QVariantMap();
++
++    /* Now store some tokens and test the responses */
++    hmacSha1Data.m_data.insert("UiPolicy", NoUserInteractionPolicy);
++    QVariantMap tokens; // ConsumerKey to Token map
++    QVariantMap token;
++    token.insert("oauth_token", QLatin1String("hmactokenfromtest"));
++    token.insert("oauth_token_secret", QLatin1String("hmacsecretfromtest"));
++    token.insert("timestamp", QDateTime::currentDateTime().toTime_t());
++    token.insert("Expiry", (uint)50000);
++    tokens.insert(QLatin1String("invalidid"), QVariant::fromValue(token));
++    hmacSha1Data.m_data.insert(QLatin1String("Tokens"), tokens);
++
++    // Try without cached token for our ConsumerKey
++    QTest::newRow("cached tokens, no ConsumerKey") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "text/plain" <<
++        "oauth_token=HiThere&oauth_token_secret=BigSecret" <<
++        -1 <<
++        true << QVariantMap() << QVariantMap();
++
++    // Ensure that the cached token is returned as required
++    tokens.insert(hmacSha1Data.ConsumerKey(), QVariant::fromValue(token));
++    hmacSha1Data.m_data.insert(QLatin1String("Tokens"), tokens);
++    QVariantMap response;
++    response.insert("AccessToken", QLatin1String("hmactokenfromtest"));
++    QTest::newRow("cached tokens, with ConsumerKey") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "" << "" <<
++        -1 <<
++        false << response << QVariantMap();
++
++    hmacSha1Data.m_data.insert("UiPolicy", RequestPasswordPolicy);
++    QTest::newRow("cached tokens, request password policy") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "text/plain" <<
++        "oauth_token=HiThere&oauth_token_secret=BigSecret" <<
++        -1 <<
++        true << QVariantMap() << QVariantMap();
++    hmacSha1Data.m_data.remove("UiPolicy");
++
++    hmacSha1Data.setForceTokenRefresh(true);
++    QTest::newRow("cached tokens, force refresh") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "text/plain" <<
++        "oauth_token=HiThere&oauth_token_secret=BigSecret" <<
++        -1 <<
++        true << QVariantMap() << QVariantMap();
++    hmacSha1Data.setForceTokenRefresh(false);
++
++    token.insert("timestamp", QDateTime::currentDateTime().toTime_t() - 50000);
++    token.insert("Expiry", (uint)100);
++    tokens.insert(hmacSha1Data.ConsumerKey(), QVariant::fromValue(token));
++    hmacSha1Data.m_data.insert(QLatin1String("Tokens"), tokens);
++    QTest::newRow("cached tokens, expired") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "text/plain" <<
++        "oauth_token=HiThere&oauth_token_secret=BigSecret" <<
++        -1 <<
++        true << QVariantMap() << QVariantMap();
++
++    /* test the ProvidedTokens semantics */
++    OAuth1PluginData providedTokensHmacSha1Data;
++    providedTokensHmacSha1Data.setRequestEndpoint("https://localhost/oauth/request_token");
++    providedTokensHmacSha1Data.setTokenEndpoint("https://localhost/oauth/access_token");
++    providedTokensHmacSha1Data.setAuthorizationEndpoint("https://localhost/oauth/authorize");
++    providedTokensHmacSha1Data.setCallback("https://localhost/connect/login_success.html");
++    providedTokensHmacSha1Data.setConsumerKey("104660106251471");
++    providedTokensHmacSha1Data.setConsumerSecret("fa28f40b5a1f8c1d5628963d880636fbkjkjkj");
++    QVariantMap providedTokens;
++    providedTokens.insert("AccessToken", "providedhmactokenfromtest");
++    providedTokens.insert("TokenSecret", "providedhmacsecretfromtest");
++    providedTokens.insert("ScreenName", "providedhmacscreennamefromtest");
++    providedTokens.insert("UserId", "providedUserId");
++
++    // try providing tokens to be stored
++    providedTokensHmacSha1Data.m_data.insert("ProvidedTokens", providedTokens);
++    QVariantMap storedTokensForKey;
++    storedTokensForKey.insert("oauth_token", providedTokens.value("AccessToken"));
++    storedTokensForKey.insert("oauth_token_secret", providedTokens.value("TokenSecret"));
++    QVariantMap storedTokens;
++    storedTokens.insert(providedTokensHmacSha1Data.ConsumerKey(), storedTokensForKey);
++    QVariantMap stored;
++    stored.insert("Tokens", storedTokens);
++    QTest::newRow("provided tokens") <<
++        "HMAC-SHA1" <<
++        providedTokensHmacSha1Data.toMap() <<
++        int(200) << "" << "" <<
++        -1 <<
++        false << providedTokens << stored;
++
++    QTest::newRow("http error 401") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(401) << "text/plain" <<
++        "oauth_token=HiThere&oauth_token_secret=BigSecret" <<
++        int(Error::OperationFailed) <<
++        false << QVariantMap() << QVariantMap();
++
++    QTest::newRow("no content returned") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "" << "" <<
++        int(Error::OperationFailed) <<
++        false << QVariantMap() << QVariantMap();
++
++    QTest::newRow("no token returned") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(200) << "text/plain" <<
++        "oauth_token=HiThere" <<
++        int(Error::OperationFailed) <<
++        false << QVariantMap() << QVariantMap();
++
++    /* Test handling of oauth_problem; this is a non standard extension:
++     * http://wiki.oauth.net/w/page/12238543/ProblemReporting
++     * https://developer.yahoo.com/oauth/guide/oauth-errors.html
++     */
++    QTest::newRow("problem user_refused") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(400) << "text/plain" <<
++        "oauth_problem=user_refused" <<
++        int(Error::PermissionDenied) <<
++        false << QVariantMap() << QVariantMap();
++    QTest::newRow("problem permission_denied") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(400) << "text/plain" <<
++        "oauth_problem=permission_denied" <<
++        int(Error::PermissionDenied) <<
++        false << QVariantMap() << QVariantMap();
++    QTest::newRow("problem signature_invalid") <<
++        "HMAC-SHA1" <<
++        hmacSha1Data.toMap() <<
++        int(400) << "text/plain" <<
++        "oauth_problem=signature_invalid" <<
++        int(Error::OperationFailed) <<
++        false << QVariantMap() << QVariantMap();
++}
++
++void PluginTest::testPluginHmacSha1Process()
++{
++    QFETCH(QString, mechanism);
++    QFETCH(QVariantMap, sessionData);
++    QFETCH(int, replyStatusCode);
++    QFETCH(QString, replyContentType);
++    QFETCH(QString, replyContents);
++    QFETCH(int, errorCode);
++    QFETCH(bool, uiExpected);
++    QFETCH(QVariantMap, response);
++    QFETCH(QVariantMap, stored);
++
++    QSignalSpy result(m_testPlugin, SIGNAL(result(const SignOn::SessionData&)));
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++    QSignalSpy store(m_testPlugin, SIGNAL(store(const SignOn::SessionData&)));
++
++    TestNetworkAccessManager *nam = new TestNetworkAccessManager;
++    m_testPlugin->m_networkAccessManager = nam;
++    TestNetworkReply *reply = new TestNetworkReply(this);
++    reply->setStatusCode(replyStatusCode);
++    if (!replyContentType.isEmpty()) {
++        reply->setContentType(replyContentType);
++    }
++    reply->setContent(replyContents.toUtf8());
++    nam->setNextReply(reply);
++
++    m_testPlugin->process(sessionData, mechanism);
++
++    QTRY_COMPARE(result.count(), response.isEmpty() ? 0 : 1);
++    /* In the test data sometimes we don't specify the expected stored data,
++     * but this doesn't mean that store() shouldn't be emitted. */
++    if (!stored.isEmpty()) { QTRY_COMPARE(store.count(), 1); }
++    QTRY_COMPARE(userActionRequired.count(), uiExpected ? 1 : 0);
++    QTRY_COMPARE(error.count(), errorCode < 0 ? 0 : 1);
++
++    if (errorCode < 0) {
++        QCOMPARE(error.count(), 0);
++
++        QVariantMap resp = result.count() > 0 ?
++            result.at(0).at(0).value<SessionData>().toMap() : QVariantMap();
++        QVariantMap storedData = store.count() > 0 ?
++            store.at(0).at(0).value<SessionData>().toMap() : QVariantMap();
++        /* We don't check the network request if a response was received,
++         * because a response can only be received if a cached token was
++         * found -- and that doesn't cause any network request to be made. */
++        if (resp.isEmpty()) {
++            QCOMPARE(nam->m_lastRequest.url(),
++                     sessionData.value("RequestEndpoint").toUrl());
++            QVERIFY(nam->m_lastRequestData.isEmpty());
++
++            /* Check the authorization header */
++            QString authorizationHeader =
++                QString::fromUtf8(nam->m_lastRequest.rawHeader("Authorization"));
++            QStringList authorizationHeaderParts =
++                authorizationHeader.split(QRegExp(",?\\s+"));
++            QCOMPARE(authorizationHeaderParts[0], QString("OAuth"));
++
++            /* The rest of the header should be a mapping, let's parse it */
++            bool ok = true;
++            QVariantMap authMap =
++                parseAuthorizationHeader(authorizationHeaderParts.mid(1), &ok);
++            QVERIFY(ok);
++            QCOMPARE(authMap.value("oauth_signature_method").toString(), mechanism);
++        }
++
++        QVERIFY(mapIsSubset(response, resp));
++        QVERIFY(mapIsSubset(stored, storedData));
++    } else {
++        Error err = error.at(0).at(0).value<Error>();
++        QCOMPARE(err.type(), errorCode);
++    }
++}
++
++void PluginTest::testPluginUseragentUserActionFinished()
++{
++    SignOn::UiSessionData info;
++    PluginData data;
++    data.setHost("https://localhost");
++    data.setAuthPath("authorize");
++    data.setTokenPath("access_token");
++    data.setClientId("104660106251471");
++    data.setClientSecret("fa28f40b5a1f8c1d5628963d880636fbkjkjkj");
++    data.setRedirectUri("http://localhost/connect/login_success.html");
++    QStringList scopes = QStringList() << "scope1" << "scope2";
++    data.setScope(scopes);
++
++    QSignalSpy resultSpy(m_testPlugin, SIGNAL(result(const SignOn::SessionData&)));
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++    QSignalSpy store(m_testPlugin, SIGNAL(store(const SignOn::SessionData&)));
++
++    m_testPlugin->process(data, QString("user_agent"));
++
++    QTRY_COMPARE(userActionRequired.count(), 1);
++    QString state = parseState(userActionRequired);
++
++    //empty data
++    m_testPlugin->userActionFinished(info);
++    QTRY_COMPARE(error.count(), 1);
++    QCOMPARE(error.at(0).at(0).value<Error>().type(), int(Error::NotAuthorized));
++    error.clear();
++
++    //invalid data
++    info.setUrlResponse(QString("http://www.facebook.com/connect/login_success.html#access_token=&expires_in=4776"));
++    m_testPlugin->userActionFinished(info);
++    QTRY_COMPARE(error.count(), 1);
++    QCOMPARE(error.at(0).at(0).value<Error>().type(), int(Error::NotAuthorized));
++    error.clear();
++
++    //Invalid data
++    info.setUrlResponse(QString("http://www.facebook.com/connect/login_success.html"));
++    m_testPlugin->userActionFinished(info);
++    QTRY_COMPARE(error.count(), 1);
++    QCOMPARE(error.at(0).at(0).value<Error>().type(), int(Error::NotAuthorized));
++    error.clear();
++
++    // Wrong state
++    info.setUrlResponse(QString("http://www.facebook.com/connect/login_success.html"
++                                "#access_token=123&expires_in=456&state=%1").
++                        arg(state + "Boo"));
++    m_testPlugin->userActionFinished(info);
++    QTRY_COMPARE(error.count(), 1);
++    QCOMPARE(error.at(0).at(0).value<Error>().type(), int(Error::NotAuthorized));
++    error.clear();
++
++    //valid data
++    info.setUrlResponse(QString("http://www.facebook.com/connect/login_success.html#access_token=testtoken.&expires_in=4776&state=%1").
++                        arg(state));
++    m_testPlugin->userActionFinished(info);
++    QTRY_COMPARE(resultSpy.count(), 1);
++    SessionData response = resultSpy.at(0).at(0).value<SessionData>();
++    PluginTokenData result = response.data<PluginTokenData>();
++    QCOMPARE(result.AccessToken(), QString("testtoken."));
++    QCOMPARE(result.ExpiresIn(), 4776);
++    QCOMPARE(result.Scope(), QStringList() << "scope1" << "scope2");
++    resultSpy.clear();
++    QTRY_COMPARE(store.count(), 1);
++    SessionData storedData = store.at(0).at(0).value<SessionData>();
++    QVariantMap storedTokenData = storedData.data<TokenData>().Tokens();
++    QVariantMap storedClientData =
++        storedTokenData.value(data.ClientId()).toMap();
++    QVERIFY(!storedClientData.isEmpty());
++    QCOMPARE(storedClientData["Scopes"].toStringList(), scopes);
++    store.clear();
++
++    //valid data, got scopes
++    info.setUrlResponse(QString("http://www.facebook.com/connect/login_success.html#access_token=testtoken.&expires_in=4776&state=%1&scope=scope2").
++                        arg(state));
++    m_testPlugin->userActionFinished(info);
++    QTRY_COMPARE(resultSpy.count(), 1);
++    response = resultSpy.at(0).at(0).value<SessionData>();
++    result = response.data<PluginTokenData>();
++    QCOMPARE(result.AccessToken(), QString("testtoken."));
++    QCOMPARE(result.ExpiresIn(), 4776);
++    QCOMPARE(result.Scope(), QStringList() << "scope2");
++    resultSpy.clear();
++    store.clear();
++
++    //valid data
++    info.setUrlResponse(QString("http://www.facebook.com/connect/login_success.html"
++                                "#state=%1&access_token=testtoken.").
++                        arg(state));
++    m_testPlugin->userActionFinished(info);
++    QTRY_COMPARE(resultSpy.count(), 1);
++    response = resultSpy.at(0).at(0).value<SessionData>();
++    result = response.data<PluginTokenData>();
++    QCOMPARE(result.AccessToken(), QString("testtoken."));
++    QCOMPARE(result.ExpiresIn(), 0);
++    resultSpy.clear();
++    /* Check that the expiration time has not been stored, since the expiration
++     * time was not given (https://bugs.launchpad.net/bugs/1316021)
++     */
++    QTRY_COMPARE(store.count(), 1);
++    storedData = store.at(0).at(0).value<SessionData>();
++    storedTokenData = storedData.data<TokenData>().Tokens();
++    storedClientData = storedTokenData.value(data.ClientId()).toMap();
++    QVERIFY(!storedClientData.isEmpty());
++    QCOMPARE(storedClientData["Token"].toString(), QString("testtoken."));
++    QVERIFY(!storedClientData.contains("Expiry"));
++    store.clear();
++
++    //Permission denied
++    info.setUrlResponse(QString("http://www.facebook.com/connect/login_success.html?error=user_denied"));
++    m_testPlugin->userActionFinished(info);
++    QTRY_COMPARE(error.count(), 1);
++    QCOMPARE(error.at(0).at(0).value<Error>().type(), int(Error::NotAuthorized));
++    error.clear();
++}
++
++void PluginTest::testPluginWebserverUserActionFinished_data()
++{
++    QTest::addColumn<QString>("urlResponse");
++    QTest::addColumn<int>("errorCode");
++    QTest::addColumn<QString>("postUrl");
++    QTest::addColumn<QString>("postContents");
++    QTest::addColumn<bool>("disableStateParameter");
++    QTest::addColumn<int>("replyStatusCode");
++    QTest::addColumn<QString>("replyContentType");
++    QTest::addColumn<QString>("replyContents");
++    QTest::addColumn<QVariantMap>("response");
++
++    QVariantMap response;
++
++    QTest::newRow("empty data") <<
++        "" <<
++        int(Error::NotAuthorized) <<
++        "" << "" << false << 0 << "" << "" << QVariantMap();
++
++    QTest::newRow("no query data") <<
++        "http://localhost/resp.html" <<
++        int(Error::NotAuthorized) <<
++        "" << "" << false << 0 << "" << "" << QVariantMap();
++
++    QTest::newRow("permission denied") <<
++        "http://localhost/resp.html?error=user_denied&$state" <<
++        int(Error::NotAuthorized) <<
++        "" << "" << false << 0 << "" << "" << QVariantMap();
++
++    QTest::newRow("invalid data") <<
++        "http://localhost/resp.html?sdsdsds=access.grant." <<
++        int(Error::NotAuthorized) <<
++        "" << "" << false << 0 << "" << "" << QVariantMap();
++
++    QTest::newRow("reply code, http error 401") <<
++        "http://localhost/resp.html?code=c0d3&$state" <<
++        int(Error::OperationFailed) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        false <<
++        int(401) <<
++        "application/json" <<
++        "something else" <<
++        QVariantMap();
++
++    QTest::newRow("reply code, empty reply") <<
++        "http://localhost/resp.html?code=c0d3&$state" <<
++        int(Error::NotAuthorized) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        false <<
++        int(200) <<
++        "application/json" <<
++        "something else" <<
++        QVariantMap();
++
++    QTest::newRow("reply code, no access token") <<
++        "http://localhost/resp.html?code=c0d3&$state" <<
++        int(Error::NotAuthorized) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        false <<
++        int(200) <<
++        "application/json" <<
++        "{ \"expires_in\": 3600 }" <<
++        QVariantMap();
++
++    QTest::newRow("reply code, no content type") <<
++        "http://localhost/resp.html?code=c0d3&$state" <<
++        int(Error::OperationFailed) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        false <<
++        int(200) <<
++        "" <<
++        "something else" <<
++        QVariantMap();
++
++    QTest::newRow("reply code, unsupported content type") <<
++        "http://localhost/resp.html?code=c0d3&$state" <<
++        int(Error::OperationFailed) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        false <<
++        int(200) <<
++        "image/jpeg" <<
++        "something else" <<
++        QVariantMap();
++
++    response.clear();
++    response.insert("AccessToken", "t0k3n");
++    response.insert("ExpiresIn", int(3600));
++    response.insert("RefreshToken", QString());
++    QTest::newRow("reply code, valid token, wrong state") <<
++        "http://localhost/resp.html?code=c0d3&$wrongstate" <<
++        int(Error::NotAuthorized) <<
++        "" <<
++        "" <<
++        false <<
++        int(200) <<
++        "application/json" <<
++        "{ \"access_token\":\"t0k3n\", \"expires_in\": 3600 }" <<
++        response;
++
++    response.clear();
++    response.insert("AccessToken", "t0k3n");
++    response.insert("ExpiresIn", int(3600));
++    response.insert("RefreshToken", QString());
++    response.insert("Scope", QStringList() << "one" << "two");
++    QTest::newRow("reply code, valid token, wrong state ignored") <<
++        "http://localhost/resp.html?code=c0d3&$wrongstate" <<
++        int(-1) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        true <<
++        int(200) <<
++        "application/json" <<
++        "{ \"access_token\":\"t0k3n\", \"expires_in\": 3600, "
++        "\"scope\": \"one two\" }" <<
++        response;
++
++    response.clear();
++    response.insert("AccessToken", "t0k3n");
++    response.insert("ExpiresIn", int(3600));
++    response.insert("RefreshToken", QString());
++    response.insert("Scope", QStringList() << "one" << "two" << "three");
++    QTest::newRow("reply code, valid token, no scope") <<
++        "http://localhost/resp.html?code=c0d3&$state" <<
++        int(-1) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        false <<
++        int(200) <<
++        "application/json" <<
++        "{ \"access_token\":\"t0k3n\", \"expires_in\": 3600 }" <<
++        response;
++
++    response.clear();
++    response.insert("AccessToken", "t0k3n");
++    response.insert("ExpiresIn", int(3600));
++    response.insert("RefreshToken", QString());
++    response.insert("Scope", QStringList());
++    QTest::newRow("reply code, valid token, empty scope") <<
++        "http://localhost/resp.html?code=c0d3&$state" <<
++        int(-1) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        false <<
++        int(200) <<
++        "application/json" <<
++        "{ \"access_token\":\"t0k3n\", \"expires_in\": 3600, \"scope\": \"\" }" <<
++        response;
++
++    response.clear();
++    response.insert("AccessToken", "t0k3n");
++    response.insert("ExpiresIn", int(3600));
++    response.insert("RefreshToken", QString());
++    response.insert("Scope", QStringList() << "one" << "two");
++    QTest::newRow("reply code, valid token, other scope") <<
++        "http://localhost/resp.html?code=c0d3&$state" <<
++        int(-1) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        false <<
++        int(200) <<
++        "application/json" <<
++        "{ \"access_token\":\"t0k3n\", \"expires_in\": 3600, "
++        "\"scope\": \"one two\" }" <<
++        response;
++
++    response.clear();
++    QTest::newRow("reply code, facebook, no token") <<
++        "http://localhost/resp.html?code=c0d3&$state" <<
++        int(Error::NotAuthorized) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        false <<
++        int(200) <<
++        "text/plain" <<
++        "expires=3600" <<
++        response;
++
++    response.clear();
++    response.insert("AccessToken", "t0k3n");
++    response.insert("ExpiresIn", int(3600));
++    response.insert("RefreshToken", QString());
++    response.insert("Scope", QStringList() << "one" << "two" << "three");
++    QTest::newRow("reply code, facebook, valid token") <<
++        "http://localhost/resp.html?code=c0d3&$state" <<
++        int(-1) <<
++        "https://localhost/access_token" <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        false <<
++        int(200) <<
++        "text/plain" <<
++        "access_token=t0k3n&expires=3600" <<
++        response;
++
++    response.clear();
++    response.insert("AccessToken", "t0k3n");
++    response.insert("ExpiresIn", int(3600));
++    response.insert("RefreshToken", QString());
++    response.insert("Scope", QStringList() << "one" << "two" << "three");
++    QTest::newRow("username-password, valid token") <<
++        "http://localhost/resp.html?username=us3r&password=s3cr3t" <<
++        int(-1) <<
++        "https://localhost/access_token" <<
++        "grant_type=user_basic&username=us3r&password=s3cr3t" <<
++        false <<
++        int(200) <<
++        "application/json" <<
++        "{ \"access_token\":\"t0k3n\", \"expires_in\": 3600 }" <<
++        response;
++
++    response.clear();
++    response.insert("AccessToken", "t0k3n");
++    response.insert("ExpiresIn", int(3600));
++    response.insert("RefreshToken", QString());
++    response.insert("Scope", QStringList() << "one" << "two" << "three");
++    QTest::newRow("assertion, valid token") <<
++        "http://localhost/resp.html?assertion_type=http://oauth.net/token/1.0"
++        "&assertion=oauth1t0k3n" <<
++        int(-1) <<
++        "https://localhost/access_token" <<
++        "grant_type=assertion&assertion_type=http://oauth.net/token/1.0&assertion=oauth1t0k3n" <<
++        false <<
++        int(200) <<
++        "application/json" <<
++        "{ \"access_token\":\"t0k3n\", \"expires_in\": 3600 }" <<
++        response;
++
++    response.clear();
++    response.insert("AccessToken", "t0k3n");
++    response.insert("ExpiresIn", int(3600));
++    response.insert("RefreshToken", QString());
++    response.insert("Scope", QStringList() << "one" << "two" << "three");
++    QTest::newRow("username-password, valid token, wrong content type") <<
++        "http://localhost/resp.html?username=us3r&password=s3cr3t" <<
++        int(-1) <<
++        "https://localhost/access_token" <<
++        "grant_type=user_basic&username=us3r&password=s3cr3t" <<
++        false <<
++        int(200) <<
++        "text/plain" <<
++        "{ \"access_token\":\"t0k3n\", \"expires_in\": 3600 }" <<
++        response;
++}
++
++void PluginTest::testPluginWebserverUserActionFinished()
++{
++    QFETCH(QString, urlResponse);
++    QFETCH(int, errorCode);
++    QFETCH(QString, postUrl);
++    QFETCH(QString, postContents);
++    QFETCH(bool, disableStateParameter);
++    QFETCH(int, replyStatusCode);
++    QFETCH(QString, replyContentType);
++    QFETCH(QString, replyContents);
++    QFETCH(QVariantMap, response);
++
++    SignOn::UiSessionData info;
++    PluginData data;
++    data.setHost("localhost");
++    data.setAuthPath("authorize");
++    data.setTokenPath("access_token");
++    data.setClientId("104660106251471");
++    data.setClientSecret("fa28f40b5a1f8c1d5628963d880636fbkjkjkj");
++    data.setRedirectUri("http://localhost/resp.html");
++    data.setScope(QStringList() << "one" << "two" << "three");
++    data.setDisableStateParameter(disableStateParameter);
++
++    QSignalSpy result(m_testPlugin, SIGNAL(result(const SignOn::SessionData&)));
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++
++    TestNetworkAccessManager *nam = new TestNetworkAccessManager;
++    m_testPlugin->m_networkAccessManager = nam;
++    TestNetworkReply *reply = new TestNetworkReply(this);
++    reply->setStatusCode(replyStatusCode);
++    if (!replyContentType.isEmpty()) {
++        reply->setContentType(replyContentType);
++    }
++    reply->setContent(replyContents.toUtf8());
++    nam->setNextReply(reply);
++
++    m_testPlugin->process(data, QString("web_server"));
++    QTRY_COMPARE(userActionRequired.count(), 1);
++    QString state = parseState(userActionRequired);
++
++    if (!urlResponse.isEmpty()) {
++        urlResponse.replace("$state", QString("state=") + state);
++        urlResponse.replace("$wrongstate", QString("state=12") + state);
++        info.setUrlResponse(urlResponse);
++    }
++
++    m_testPlugin->userActionFinished(info);
++
++    QTRY_COMPARE(error.count(), errorCode < 0 ? 0 : 1);
++    QTRY_COMPARE(result.count(), errorCode < 0 ? 1 : 0);
++    if (errorCode >= 0) {
++        QCOMPARE(error.at(0).at(0).value<Error>().type(), errorCode);
++    } else {
++        QCOMPARE(result.at(0).at(0).value<SessionData>().toMap(), response);
++    }
++    QCOMPARE(nam->m_lastRequest.url(), QUrl(postUrl));
++    QCOMPARE(QString::fromUtf8(nam->m_lastRequestData), postContents);
++
++    delete nam;
++}
++
++void PluginTest::testUserActionFinishedErrors_data()
++{
++    QTest::addColumn<int>("uiError");
++    QTest::addColumn<int>("expectedErrorCode");
++
++    QTest::newRow("user canceled") <<
++        int(QUERY_ERROR_CANCELED) <<
++        int(Error::SessionCanceled);
++
++    QTest::newRow("network error") <<
++        int(QUERY_ERROR_NETWORK) <<
++        int(Error::Network);
++
++    QTest::newRow("SSL error") <<
++        int(QUERY_ERROR_SSL) <<
++        int(Error::Ssl);
++
++    QTest::newRow("generic") <<
++        int(QUERY_ERROR_NOT_AVAILABLE) <<
++        int(Error::UserInteraction);
++}
++
++void PluginTest::testUserActionFinishedErrors()
++{
++    QFETCH(int, uiError);
++    QFETCH(int, expectedErrorCode);
++
++    SignOn::UiSessionData info;
++    PluginData data;
++    data.setHost("localhost");
++    data.setAuthPath("authorize");
++    data.setTokenPath("access_token");
++    data.setClientId("104660106251471");
++    data.setClientSecret("fa28f40b5a1f8c1d5628963d880636fbkjkjkj");
++    data.setRedirectUri("http://localhost/resp.html");
++
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++
++    m_testPlugin->process(data, QString("web_server"));
++    QTRY_COMPARE(userActionRequired.count(), 1);
++
++    info.setQueryErrorCode(uiError);
++    m_testPlugin->userActionFinished(info);
++
++    QTRY_COMPARE(error.count(), 1);
++    QCOMPARE(error.at(0).at(0).value<Error>().type(), expectedErrorCode);
++}
++
++void PluginTest::testOauth1UserActionFinished_data()
++{
++    QTest::addColumn<QString>("mechanism");
++    QTest::addColumn<QString>("urlResponse");
++    QTest::addColumn<int>("errorCode");
++    QTest::addColumn<QVariantMap>("expectedAuthMap");
++    QTest::addColumn<int>("replyStatusCode");
++    QTest::addColumn<QString>("replyContentType");
++    QTest::addColumn<QString>("replyContents");
++    QTest::addColumn<QVariantMap>("response");
++
++    QTest::newRow("empty data") <<
++        "HMAC-SHA1" <<
++        "" <<
++        int(Error::NotAuthorized) <<
++        QVariantMap() << 0 << "" << "" << QVariantMap();
++
++    QTest::newRow("auth error") <<
++        "HMAC-SHA1" <<
++        "http://localhost/resp.html?error=permission_denied" <<
++        int(Error::NotAuthorized) <<
++        QVariantMap() << 0 << "" << "" << QVariantMap();
++
++    QTest::newRow("auth problem") <<
++        "HMAC-SHA1" <<
++        "http://localhost/resp.html?oauth_problem=permission_denied" <<
++        int(Error::PermissionDenied) <<
++        QVariantMap() << 0 << "" << "" << QVariantMap();
++
++    QVariantMap authMap;
++    authMap.insert("oauth_verifier", QString("v3r1f13r"));
++    authMap.insert("oauth_token", QString("HiThere"));
++    QTest::newRow("http error 401") <<
++        "HMAC-SHA1" <<
++        "http://localhost/resp.html?oauth_verifier=v3r1f13r" <<
++        int(Error::OperationFailed) <<
++        authMap <<
++        int(401) <<
++        "text/plain" <<
++        "something else" <<
++        QVariantMap();
++
++    QTest::newRow("empty reply") <<
++        "HMAC-SHA1" <<
++        "http://localhost/resp.html?oauth_verifier=v3r1f13r" <<
++        int(Error::OperationFailed) <<
++        authMap <<
++        int(200) <<
++        "text/plain" <<
++        "" <<
++        QVariantMap();
++
++    QTest::newRow("missing secret") <<
++        "HMAC-SHA1" <<
++        "http://localhost/resp.html?oauth_verifier=v3r1f13r" <<
++        int(Error::OperationFailed) <<
++        authMap <<
++        int(200) <<
++        "text/plain" <<
++        "oauth_token=t0k3n" <<
++        QVariantMap();
++
++    QVariantMap response;
++    response.insert("AccessToken", QString("t0k3n"));
++    response.insert("TokenSecret", QString("t0k3nS3cr3t"));
++
++    QTest::newRow("success") <<
++        "HMAC-SHA1" <<
++        "http://localhost/resp.html?oauth_verifier=v3r1f13r" <<
++        int(-1) <<
++        authMap <<
++        int(200) <<
++        "text/plain" <<
++        "oauth_token=t0k3n&oauth_token_secret=t0k3nS3cr3t" <<
++        response;
++
++    response.insert("ExtraField", QString("v4lu3"));
++    QTest::newRow("success with data") <<
++        "HMAC-SHA1" <<
++        "http://localhost/resp.html?oauth_verifier=v3r1f13r" <<
++        int(-1) <<
++        authMap <<
++        int(200) <<
++        "text/plain" <<
++        "oauth_token=t0k3n&oauth_token_secret=t0k3nS3cr3t"
++        "&ExtraField=v4lu3" <<
++        response;
++}
++
++void PluginTest::testOauth1UserActionFinished()
++{
++    QFETCH(QString, mechanism);
++    QFETCH(QString, urlResponse);
++    QFETCH(int, errorCode);
++    QFETCH(QVariantMap, expectedAuthMap);
++    QFETCH(int, replyStatusCode);
++    QFETCH(QString, replyContentType);
++    QFETCH(QString, replyContents);
++    QFETCH(QVariantMap, response);
++
++    SignOn::UiSessionData info;
++    OAuth1PluginData data;
++    data.setRequestEndpoint("https://localhost/oauth/request_token");
++    data.setTokenEndpoint("https://localhost/oauth/access_token");
++    data.setAuthorizationEndpoint("https://localhost/oauth/authorize");
++    data.setCallback("http://localhost/resp.html");
++    data.setConsumerKey("104660106251471");
++    data.setConsumerSecret("fa28f40b5a1f8c1d5628963d880636fbkjkjkj");
++    data.setRealm("MyHost");
++
++    QSignalSpy result(m_testPlugin, SIGNAL(result(const SignOn::SessionData&)));
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++
++    TestNetworkAccessManager *nam = new TestNetworkAccessManager;
++    m_testPlugin->m_networkAccessManager = nam;
++    TestNetworkReply *reply = new TestNetworkReply(this);
++    reply->setStatusCode(200);
++    reply->setContentType("text/plain");
++    reply->setContent("oauth_token=HiThere&oauth_token_secret=BigSecret");
++    nam->setNextReply(reply);
++
++    m_testPlugin->process(data, mechanism);
++    QTRY_COMPARE(userActionRequired.count(), 1);
++
++    nam->m_lastRequest = QNetworkRequest();
++    nam->m_lastRequestData = QByteArray();
++
++    reply = new TestNetworkReply(this);
++    reply->setStatusCode(replyStatusCode);
++    if (!replyContentType.isEmpty()) {
++        reply->setContentType(replyContentType);
++    }
++    reply->setContent(replyContents.toUtf8());
++    nam->setNextReply(reply);
++
++    if (!urlResponse.isEmpty()) {
++        info.setUrlResponse(urlResponse);
++    }
++
++    m_testPlugin->userActionFinished(info);
++    QTRY_COMPARE(error.count(), errorCode < 0 ? 0 : 1);
++    QTRY_COMPARE(result.count(), errorCode < 0 ? 1 : 0);
++    QVariantMap resp;
++    if (errorCode >= 0) {
++        QCOMPARE(error.at(0).at(0).value<Error>().type(), errorCode);
++    } else {
++        resp = result.at(0).at(0).value<SessionData>().toMap();
++        QVERIFY(mapIsSubset(response, resp));
++    }
++
++    if (!expectedAuthMap.isEmpty()) {
++        QCOMPARE(nam->m_lastRequest.url().toString(), data.TokenEndpoint());
++        QVERIFY(nam->m_lastRequestData.isEmpty());
++
++        QString authorizationHeader =
++            QString::fromUtf8(nam->m_lastRequest.rawHeader("Authorization"));
++        QStringList authorizationHeaderParts =
++            authorizationHeader.split(QRegExp(",?\\s+"));
++        QCOMPARE(authorizationHeaderParts[0], QString("OAuth"));
++
++        /* The rest of the header should be a mapping, let's parse it */
++        bool ok = true;
++        QVariantMap authMap =
++            parseAuthorizationHeader(authorizationHeaderParts.mid(1), &ok);
++        QVERIFY(ok);
++        QCOMPARE(authMap.value("oauth_signature_method").toString(), mechanism);
++        QVERIFY(mapIsSubset(expectedAuthMap, authMap));
++    }
++
++    delete nam;
++}
++
++void PluginTest::testErrors_data()
++{
++    QTest::addColumn<QString>("replyContents");
++    QTest::addColumn<int>("expectedErrorCode");
++
++    QTest::newRow("incorrect_client_credentials") <<
++        "{ \"error\": \"incorrect_client_credentials\" }" <<
++        int(Error::InvalidCredentials);
++
++    QTest::newRow("redirect_uri_mismatch") <<
++        "{ \"error\": \"redirect_uri_mismatch\" }" <<
++        int(Error::InvalidCredentials);
++
++    QTest::newRow("bad_authorization_code") <<
++        "{ \"error\": \"bad_authorization_code\" }" <<
++        int(Error::InvalidCredentials);
++
++    QTest::newRow("invalid_client_credentials") <<
++        "{ \"error\": \"invalid_client_credentials\" }" <<
++        int(Error::InvalidCredentials);
++
++    QTest::newRow("unauthorized_client") <<
++        "{ \"error\": \"unauthorized_client\" }" <<
++        int(Error::NotAuthorized);
++
++    QTest::newRow("invalid_assertion") <<
++        "{ \"error\": \"invalid_assertion\" }" <<
++        int(Error::InvalidCredentials);
++
++    QTest::newRow("unknown_format") <<
++        "{ \"error\": \"unknown_format\" }" <<
++        int(Error::InvalidQuery);
++
++    QTest::newRow("authorization_expired") <<
++        "{ \"error\": \"authorization_expired\" }" <<
++        int(Error::InvalidCredentials);
++
++    QTest::newRow("multiple_credentials") <<
++        "{ \"error\": \"multiple_credentials\" }" <<
++        int(Error::InvalidQuery);
++
++    QTest::newRow("invalid_user_credentials") <<
++        "{ \"error\": \"invalid_user_credentials\" }" <<
++        int(Error::InvalidCredentials);
++}
++
++void PluginTest::testErrors()
++{
++    QFETCH(QString, replyContents);
++    QFETCH(int, expectedErrorCode);
++
++    SignOn::UiSessionData info;
++    PluginData data;
++    data.setHost("localhost");
++    data.setAuthPath("authorize");
++    data.setTokenPath("access_token");
++    data.setClientId("104660106251471");
++    data.setClientSecret("fa28f40b5a1f8c1d5628963d880636fbkjkjkj");
++    data.setRedirectUri("http://localhost/resp.html");
++
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++
++    TestNetworkAccessManager *nam = new TestNetworkAccessManager;
++    m_testPlugin->m_networkAccessManager = nam;
++    TestNetworkReply *reply = new TestNetworkReply(this);
++    reply->setStatusCode(401);
++    reply->setContentType("application/json");
++    reply->setContent(replyContents.toUtf8());
++    nam->setNextReply(reply);
++
++    m_testPlugin->process(data, QString("web_server"));
++    QTRY_COMPARE(userActionRequired.count(), 1);
++    QString state = parseState(userActionRequired);
++
++    info.setUrlResponse("http://localhost/resp.html?code=c0d3&state=" + state);
++    m_testPlugin->userActionFinished(info);
++
++    QTRY_COMPARE(error.count(), 1);
++    QCOMPARE(error.at(0).at(0).value<Error>().type(), expectedErrorCode);
++
++    delete nam;
++}
++
++void PluginTest::testRefreshToken_data()
++{
++    QTest::addColumn<QVariantMap>("sessionData");
++    QTest::addColumn<QVariantMap>("expectedResponse");
++
++    PluginData data;
++    data.setHost("localhost");
++    data.setAuthPath("authorize");
++    data.setTokenPath("access_token");
++    data.setClientId("104660106251471");
++    data.setClientSecret("fa28f40b5a1f8c1d5628963d880636fbkjkjkj");
++    data.setRedirectUri("http://localhost/resp.html");
++
++    QVariantMap tokens;
++    QVariantMap token;
++    token.insert("Token", QLatin1String("tokenfromtest"));
++    token.insert("timestamp", QDateTime::currentDateTime().toTime_t() - 10000);
++    token.insert("Expiry", 1000);
++    token.insert("refresh_token", QString("r3fr3sh"));
++    tokens.insert(data.ClientId(), QVariant::fromValue(token));
++    data.m_data.insert("Tokens", tokens);
++
++    QVariantMap response;
++    response.insert("AccessToken", "n3w-t0k3n");
++    response.insert("ExpiresIn", 3600);
++    response.insert("RefreshToken", QString());
++    response.insert("Scope", QStringList());
++
++    QTest::newRow("expired access token") << data.toMap() << response;
++
++    token.insert("timestamp", QDateTime::currentDateTime().toTime_t());
++    token.insert("Expiry", 50000);
++    tokens.insert(data.ClientId(), QVariant::fromValue(token));
++    data.m_data.insert("Tokens", tokens);
++    data.setForceTokenRefresh(true);
++    QTest::newRow("valid access token, force refresh") << data.toMap() << response;
++}
++
++void PluginTest::testRefreshToken()
++{
++    QFETCH(QVariantMap, sessionData);
++    QFETCH(QVariantMap, expectedResponse);
++
++    SignOn::UiSessionData info;
++
++    QSignalSpy result(m_testPlugin, SIGNAL(result(const SignOn::SessionData&)));
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++
++    TestNetworkAccessManager *nam = new TestNetworkAccessManager;
++    m_testPlugin->m_networkAccessManager = nam;
++    TestNetworkReply *reply = new TestNetworkReply(this);
++    reply->setStatusCode(200);
++    reply->setContentType("application/json");
++    reply->setContent("{ \"access_token\":\"n3w-t0k3n\", \"expires_in\": 3600 }");
++    nam->setNextReply(reply);
++
++    m_testPlugin->process(sessionData, QString("web_server"));
++    QTRY_COMPARE(result.count(), 1);
++    QCOMPARE(error.count(), 0);
++
++    QCOMPARE(nam->m_lastRequest.url(), QUrl("https://localhost/access_token"));
++    QCOMPARE(QString::fromUtf8(nam->m_lastRequestData),
++             QString("grant_type=refresh_token&refresh_token=r3fr3sh"));
++
++    QCOMPARE(result.at(0).at(0).value<SessionData>().toMap(), expectedResponse);
++
++    delete nam;
++}
++
++void PluginTest::testRefreshTokenError_data()
++{
++    QTest::addColumn<int>("replyErrorCode");
++    QTest::addColumn<int>("replyStatusCode");
++    QTest::addColumn<QString>("replyContents");
++    QTest::addColumn<int>("expectedError");
++
++    QTest::newRow("invalid grant, 400") <<
++        int(QNetworkReply::ProtocolInvalidOperationError) <<
++        int(400) <<
++        "{ \"error\":\"invalid_grant\" }" <<
++        int(-1);
++
++    QTest::newRow("invalid grant, 401") <<
++        int(QNetworkReply::ContentAccessDenied) <<
++        int(401) <<
++        "{ \"error\":\"invalid_grant\" }" <<
++        int(-1);
++
++    QTest::newRow("invalid grant, 401, no error signal") <<
++        int(-1) <<
++        int(401) <<
++        "{ \"error\":\"invalid_grant\" }" <<
++        int(-1);
++
++    QTest::newRow("temporary network failure") <<
++        int(QNetworkReply::TemporaryNetworkFailureError) <<
++        int(-1) <<
++        "" <<
++        int(Error::NoConnection);
++}
++
++void PluginTest::testRefreshTokenError()
++{
++    QFETCH(int, replyErrorCode);
++    QFETCH(int, replyStatusCode);
++    QFETCH(QString, replyContents);
++    QFETCH(int, expectedError);
++
++    PluginData data;
++    data.setHost("localhost");
++    data.setAuthPath("authorize");
++    data.setTokenPath("access_token");
++    data.setClientId("104660106251471");
++    data.setClientSecret("fa28f40b5a1f8c1d5628963d880636fbkjkjkj");
++    data.setRedirectUri("http://localhost/resp.html");
++
++    QVariantMap tokens;
++    QVariantMap token;
++    token.insert("Token", QLatin1String("tokenfromtest"));
++    token.insert("timestamp", QDateTime::currentDateTime().toTime_t() - 10000);
++    token.insert("Expiry", 1000);
++    token.insert("refresh_token", QString("r3fr3sh"));
++    tokens.insert(data.ClientId(), QVariant::fromValue(token));
++    data.m_data.insert("Tokens", tokens);
++
++    SignOn::UiSessionData info;
++
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++
++    TestNetworkAccessManager *nam = new TestNetworkAccessManager;
++    m_testPlugin->m_networkAccessManager = nam;
++    TestNetworkReply *reply = new TestNetworkReply(this);
++    if (replyErrorCode >= 0) {
++        reply->setError(QNetworkReply::NetworkError(replyErrorCode),
++                        "Dummy error", 5);
++    }
++    reply->setStatusCode(replyStatusCode);
++    reply->setContentType("application/json");
++    reply->setContent(replyContents.toUtf8());
++    nam->setNextReply(reply);
++
++    m_testPlugin->process(data, QString("web_server"));
++
++    if (expectedError < 0) {
++        QTRY_COMPARE(userActionRequired.count(), 1);
++        QCOMPARE(error.count(), 0);
++    } else {
++        QTRY_COMPARE(error.count(), 1);
++        QCOMPARE(error.at(0).at(0).value<Error>().type(), expectedError);
++    }
++
++    delete nam;
++}
++
++void PluginTest::testClientAuthentication_data()
++{
++    QTest::addColumn<QString>("clientSecret");
++    QTest::addColumn<bool>("forceAuthViaRequestBody");
++    QTest::addColumn<QString>("postContents");
++    QTest::addColumn<QString>("postAuthorization");
++
++    QTest::newRow("no secret, std auth") <<
++        "" << false <<
++        "grant_type=authorization_code&code=c0d3"
++        "&redirect_uri=http://localhost/resp.html&client_id=104660106251471" <<
++        "";
++    QTest::newRow("no secret, auth in body") <<
++        "" << true <<
++        "grant_type=authorization_code&code=c0d3"
++        "&redirect_uri=http://localhost/resp.html&client_id=104660106251471" <<
++        "";
++
++    QTest::newRow("with secret, std auth") <<
++        "s3cr3t" << false <<
++        "grant_type=authorization_code&code=c0d3&redirect_uri=http://localhost/resp.html" <<
++        "Basic MTA0NjYwMTA2MjUxNDcxOnMzY3IzdA==";
++    QTest::newRow("with secret, auth in body") <<
++        "s3cr3t" << true <<
++        "grant_type=authorization_code&code=c0d3"
++        "&redirect_uri=http://localhost/resp.html"
++        "&client_id=104660106251471&client_secret=s3cr3t" <<
++        "";
++}
++
++void PluginTest::testClientAuthentication()
++{
++    QFETCH(QString, clientSecret);
++    QFETCH(bool, forceAuthViaRequestBody);
++    QFETCH(QString, postContents);
++    QFETCH(QString, postAuthorization);
++
++    SignOn::UiSessionData info;
++    PluginData data;
++    data.setHost("localhost");
++    data.setAuthPath("authorize");
++    data.setTokenPath("access_token");
++    data.setClientId("104660106251471");
++    data.setClientSecret(clientSecret);
++    data.setRedirectUri("http://localhost/resp.html");
++    data.setForceClientAuthViaRequestBody(forceAuthViaRequestBody);
++
++    QSignalSpy result(m_testPlugin, SIGNAL(result(const SignOn::SessionData&)));
++    QSignalSpy error(m_testPlugin, SIGNAL(error(const SignOn::Error &)));
++    QSignalSpy userActionRequired(m_testPlugin,
++                                  SIGNAL(userActionRequired(const SignOn::UiSessionData&)));
++
++    TestNetworkAccessManager *nam = new TestNetworkAccessManager;
++    m_testPlugin->m_networkAccessManager = nam;
++    TestNetworkReply *reply = new TestNetworkReply(this);
++    reply->setStatusCode(200);
++    reply->setContentType("application/json");
++    reply->setContent("{ \"access_token\":\"t0k3n\", \"expires_in\": 3600 }");
++    nam->setNextReply(reply);
++
++    m_testPlugin->process(data, QString("web_server"));
++    QTRY_COMPARE(userActionRequired.count(), 1);
++    QString state = parseState(userActionRequired);
++
++    info.setUrlResponse("http://localhost/resp.html?code=c0d3&state=" + state);
++    m_testPlugin->userActionFinished(info);
++
++    QTRY_COMPARE(result.count(), 1);
++    QCOMPARE(error.count(), 0);
++    QCOMPARE(nam->m_lastRequest.url(), QUrl("https://localhost/access_token"));
++    QCOMPARE(QString::fromUtf8(nam->m_lastRequestData), postContents);
++    QCOMPARE(QString::fromUtf8(nam->m_lastRequest.rawHeader("Authorization")),
++             postAuthorization);
++
++    delete nam;
++}
++
++#endif
++
++QTEST_MAIN(PluginTest)
++#include "tst_plugin.moc"
 === modified file 'signon-plugin/ubuntuone-plugin.cpp'
 --- signon-plugin/ubuntuone-plugin.cpp	2013-08-12 21:16:29 +0000
 +++ signon-plugin/ubuntuone-plugin.cpp	2016-04-22 09:51:32 +0000
@@ -15,15 +15,37 @@
   * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
   * Boston, MA 02110-1301, USA.
   */
++
++#include <QJsonDocument>
++#include <QJsonObject>
++#include <QNetworkAccessManager>
++#include <QNetworkReply>
++#include <QNetworkRequest>
++
++#include <SignOn/UiSessionData>
++#include <SignOn/uisessiondata_priv.h>
++
  #include <token.h>
++#include "i18n.h"
  #include "ubuntuone-plugin.h"
++#define BASE_URL "https://login.ubuntu.com"
++
++#define ERR_INVALID_CREDENTIALS QLatin1String("INVALID_CREDENTIALS")
++#define ERR_INVALID_DATA QLatin1String("INVALID_DATA")
++#define ERR_TWOFACTOR_REQUIRED QLatin1String("TWOFACTOR_REQUIRED")
++#define ERR_TWOFACTOR_FAILURE QLatin1String("TWOFACTOR_FAILURE")
++#define ERR_PASSWORD_POLICY_ERROR QLatin1String("PASSWORD_POLICY_ERROR")
  namespace UbuntuOne {
--    SignOnPlugin::SignOnPlugin(QObject *parent)
--        : AuthPluginInterface(parent)
++    SignOnPlugin::SignOnPlugin(QObject *parent):
++        AuthPluginInterface(parent),
++        m_networkAccessManager(0),
++        m_reply(0),
++        m_didAskForPassword(false),
++        m_needsOtp(false)
+     {
+     }
@@ -47,33 +69,319 @@
+     {
+     }
++    bool SignOnPlugin::validateInput(const PluginData &data,
++                                     const QString &mechanism)
++    {
++        Q_UNUSED(mechanism);
++
++        if (data.TokenName().isEmpty()) {
++            return false;
++        }
++
++        return true;
++    }
++
++    bool SignOnPlugin::respondWithStoredData()
++    {
++        QVariantMap storedData = m_data.StoredData();
++
++        /* When U1 was using the password plugin, it was storing the token data
++         * in the password field. So, if we don't have any data stored in the
++         * plugin's data, try to get a token from the password field.
++         */
++        if (storedData.isEmpty() && !m_data.Secret().isEmpty()) {
++            Token *token = Token::fromQuery(m_data.Secret());
++            if (token->isValid()) {
++                PluginData tokenData;
++                tokenData.setConsumerKey(token->consumerKey());
++                tokenData.setConsumerSecret(token->consumerSecret());
++                tokenData.setTokenKey(token->tokenKey());
++                tokenData.setTokenSecret(token->tokenSecret());
++                storedData[token->name()] = tokenData.toMap();
++                PluginData pluginData;
++                pluginData.setStoredData(storedData);
++                Q_EMIT store(pluginData);
++
++                /* We know that the given secret is a valid token, so it cannot
++                 * be a valid password as well: let's clear it out now, so that
++                 * if it turns out that the token is no longer valid and that
++                 * we need to create a new one, we won't make a useless attempt
++                 * to create one with a wrong password.
++                 */
++                m_data.setSecret(QString());
++            }
++            delete token;
++        }
++
++        /* Check if we have stored data for this token name */
++        PluginData tokenData(storedData[m_data.TokenName()].toMap());
++        Token token(tokenData.TokenKey(), tokenData.TokenSecret(),
++                    tokenData.ConsumerKey(), tokenData.ConsumerSecret());
++        if (!token.isValid()) return false;
++        qDebug() << "Token is valid!" << tokenData.TokenKey();
++
++        tokenData.setTokenName(m_data.TokenName());
++        checkTokenValidity(token, tokenData);
++        return true;
++    }
++
++    void SignOnPlugin::emitErrorFromReply(QNetworkReply *reply)
++    {
++        int errorCode = reply->error();
++        int type = SignOn::Error::Network;
++        if (errorCode == QNetworkReply::SslHandshakeFailedError) {
++            type = SignOn::Error::Ssl;
++        } else if (errorCode == QNetworkReply::ServiceUnavailableError) {
++            type = SignOn::Error::ServiceNotAvailable;
++        } else if (errorCode == QNetworkReply::AuthenticationRequiredError) {
++            type = SignOn::Error::NotAuthorized;
++        } else if (errorCode <= QNetworkReply::UnknownNetworkError) {
++            type = SignOn::Error::NoConnection;
++        }
++
++        qDebug() << "Got error:" << reply->errorString();
++        Q_EMIT error(SignOn::Error(type, reply->errorString()));
++    }
++
++    void SignOnPlugin::onValidationFinished()
++    {
++        QNetworkReply *reply = m_reply;
++        m_reply->deleteLater();
++        m_reply = 0;
++
++        /* Note on error handling: we consider the token to be (in)valid only if
++         * we can parse the JSON response and it contains the response.  If the
++         * validation has failed because of some other error (SSL error,
++         * unparsable server reply, etc.) then we report the error to the
++         * client.
++         */
++        QJsonDocument json = QJsonDocument::fromJson(reply->readAll());
++        QJsonObject object = json.object();
++        QJsonValue value = object.value("is_valid");
++
++        int statusCode = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
++        if (statusCode == 200 && value.isBool()) {
++            bool isValid = value.toBool();
++            if (isValid) {
++                Q_EMIT result(m_checkedToken);
++            } else {
++                qDebug() << "Server verification failed";
++                getCredentialsAndCreateNewToken();
++            }
++        } else {
++            emitErrorFromReply(reply);
++        }
++    }
++
++    void SignOnPlugin::checkTokenValidity(const Token &token,
++                                          const PluginData &tokenData)
++    {
++        m_checkedToken = tokenData;
++
++        QNetworkRequest req(QUrl(BASE_URL "/api/v2/requests/validate"));
++        req.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
++
++        QString httpUrl("http://www.example.com");
++        QString httpMethod("GET");
++
++        QJsonObject formData;
++        formData.insert("http_url", httpUrl);
++        formData.insert("http_method", httpMethod);
++        formData.insert("authorization", token.signUrl(httpUrl, httpMethod));
++
++        m_reply =
++            m_networkAccessManager->post(req, QJsonDocument(formData).toJson());
++        QObject::connect(m_reply, SIGNAL(finished()),
++                         this, SLOT(onValidationFinished()));
++    }
++
      void SignOnPlugin::process(const SignOn::SessionData &inData,
                                 const QString &mechanism)
+     {
--        Q_UNUSED(mechanism);
++        if (!m_networkAccessManager) {
++            m_networkAccessManager = new QNetworkAccessManager(this);
++        }
++
++        initTr("ubuntuone-credentials", NULL);
++
          PluginData response;
          m_data = inData.data<PluginData>();
--        if (!inData.Secret().isEmpty()) {
--            response.setConsumer(m_data.Consumer());
--            response.setConsumerSecret(m_data.ConsumerSecret());
--            response.setToken(m_data.Token());
--            response.setTokenSecret(m_data.TokenSecret());
--
--            response.setName(Token::buildTokenName());
--
--            emit result(response);
--            return;
--        }
--
--        SignOn::UiSessionData data;
--        data.setRealm(inData.Realm());
--        data.setShowRealm(!data.Realm().isEmpty());
--        emit userActionRequired(data);
++        if (!validateInput(m_data, mechanism)) {
++            qWarning() << "Invalid parameters passed";
++            Q_EMIT error(SignOn::Error(SignOn::Error::MissingData));
++            return;
++        }
++
++        /* It may be that the stored token is valid; however, do the check only
++         * if no OTP was provided (since the presence of an OTP is a clear
++         * signal that the caller wants to get a new token). */
++        if (m_data.OneTimePassword().isEmpty() &&
++            respondWithStoredData()) {
++            return;
++        }
++
++        getCredentialsAndCreateNewToken();
++    }
++
++    void SignOnPlugin::onCreationFinished()
++    {
++        QNetworkReply *reply = m_reply;
++        m_reply->deleteLater();
++        m_reply = 0;
++
++        QByteArray data = reply->readAll();
++        qDebug() << "Received" << data;
++        QJsonDocument json = QJsonDocument::fromJson(data);
++        QJsonObject object = json.object();
++
++        QString error = object.value("code").toString();
++
++        int statusCode = reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
++        qDebug() << "Status code:" << statusCode;
++        if (statusCode == 200 || statusCode == 201) {
++            QString tokenName = object.value("token_name").toString();
++            PluginData token;
++            token.setConsumerKey(object.value("consumer_key").toString());
++            token.setConsumerSecret(object.value("consumer_secret").toString());
++            token.setTokenKey(object.value("token_key").toString());
++            token.setTokenSecret(object.value("token_secret").toString());
++
++            /* Store the token */
++            QVariantMap storedData;
++            storedData[tokenName] = token.toMap();
++            PluginData pluginData;
++            pluginData.setStoredData(storedData);
++            Q_EMIT store(pluginData);
++
++            token.setTokenName(tokenName);
++            Q_EMIT result(token);
++        } else if (statusCode == 401 && error == ERR_INVALID_CREDENTIALS) {
++            m_data.setSecret(QString());
++            m_data.setOneTimePassword(QString());
++            getCredentialsAndCreateNewToken();
++        } else if (statusCode == 401 && error == ERR_TWOFACTOR_REQUIRED) {
++            m_needsOtp = true;
++            getCredentialsAndCreateNewToken();
++        } else if (statusCode == 403 && error == ERR_TWOFACTOR_FAILURE) {
++            m_data.setOneTimePassword(QString());
++            getCredentialsAndCreateNewToken();
++        } else if (statusCode == 403 && error == ERR_PASSWORD_POLICY_ERROR) {
++            QVariantMap data;
++            QJsonObject extra = object.value("extra").toObject();
++            data[SSOUI_KEY_OPENURL] = extra.value("location").toString();
++            Q_EMIT userActionRequired(data);
++        } else if (error == ERR_INVALID_DATA) {
++            // This error is received when the email address is invalid
++            m_data.setUserName(QString());
++            m_data.setSecret(QString());
++            m_data.setOneTimePassword(QString());
++            getCredentialsAndCreateNewToken();
++        } else {
++            emitErrorFromReply(reply);
++        }
++    }
++
++    void SignOnPlugin::createNewToken()
++    {
++        QNetworkRequest req(QUrl(BASE_URL "/api/v2/tokens/oauth"));
++        req.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
++
++        QJsonObject formData;
++        formData.insert("email", m_data.UserName());
++        formData.insert("password", m_data.Secret());
++        formData.insert("token_name", m_data.TokenName());
++        if (!m_data.OneTimePassword().isEmpty()) {
++            formData.insert("otp", m_data.OneTimePassword());
++        }
++
++        qDebug() << "Sending data for token creation";
++        m_reply =
++            m_networkAccessManager->post(req, QJsonDocument(formData).toJson());
++        QObject::connect(m_reply, SIGNAL(finished()),
++                         this, SLOT(onCreationFinished()));
++    }
++
++    void SignOnPlugin::getCredentialsAndCreateNewToken()
++    {
++        if (!m_data.Secret().isEmpty() &&
++            (!m_needsOtp || !m_data.OneTimePassword().isEmpty())) {
++            createNewToken();
++        } else if (m_data.Secret().isEmpty()) {
++            QVariantMap data;
++            data[SSOUI_KEY_TITLE] = _("UbuntuOne authentication");
++            data[SSOUI_KEY_QUERYUSERNAME] = true;
++            data[SSOUI_KEY_USERNAME] = m_data.UserName();
++            data[SSOUI_KEY_QUERYPASSWORD] = true;
++            m_didAskForPassword = true;
++            Q_EMIT userActionRequired(data);
++        } else {
++            QVariantMap data;
++            data[SSOUI_KEY_TITLE] = _("UbuntuOne authentication");
++            data[SSOUI_KEY_USERNAME] = m_data.UserName();
++            data[SSOUI_KEY_PASSWORD] = m_data.Secret();
++            data[SSOUI_KEY_QUERY2FA] = true;
++            data[SSOUI_KEY_2FA_TEXT] = _("2-factor device code");
++            Q_EMIT userActionRequired(data);
++        }
++    }
++
++    bool SignOnPlugin::handleUiError(const SignOn::UiSessionData &data)
++    {
++        using namespace SignOn;
++
++        int code = data.QueryErrorCode();
++        if (code == QUERY_ERROR_NONE) {
++            return false;
++        }
++
++        qDebug() << "userActionFinished with error: " << code;
++        if (code == QUERY_ERROR_CANCELED) {
++            Q_EMIT error(Error(Error::SessionCanceled,
++                               QLatin1String("Cancelled by user")));
++        } else if (code == QUERY_ERROR_NETWORK) {
++            Q_EMIT error(Error(Error::Network, QLatin1String("Network error")));
++        } else if (code == QUERY_ERROR_SSL) {
++            Q_EMIT error(Error(Error::Ssl, QLatin1String("SSL error")));
++        } else {
++            QVariantMap map = data.toMap();
++            if (map.contains(SSOUI_KEY_QUERY2FA)) {
++                PluginData reply;
++                reply.setU1ErrorCode(PluginData::OneTimePasswordRequired);
++                Q_EMIT result(reply);
++            } else if (map.contains(SSOUI_KEY_QUERYPASSWORD)) {
++                PluginData reply;
++                reply.setU1ErrorCode(PluginData::InvalidPassword);
++                Q_EMIT result(reply);
++            } else {
++                Q_EMIT error(Error(Error::UserInteraction,
++                                   QString("userActionFinished error: ")
++                                   + QString::number(data.QueryErrorCode())));
++            }
++        }
++        return true;
+     }
      void SignOnPlugin::userActionFinished(const SignOn::UiSessionData &data)
+     {
++        if (handleUiError(data)) return;
++
++        PluginData uiData = data.data<PluginData>();
++        if (!uiData.UserName().isEmpty()) {
++            m_data.setUserName(uiData.UserName());
++        }
++
++        if (!uiData.Secret().isEmpty()) {
++            m_data.setSecret(uiData.Secret());
++        }
++
++        QVariantMap map = data.toMap();
++        QString oneTimePassword = map.value(SSOUI_KEY_2FA).toString();
++        if (!oneTimePassword.isEmpty()) {
++            m_data.setOneTimePassword(oneTimePassword);
++        }
++
++        getCredentialsAndCreateNewToken();
+     }
      SIGNON_DECL_AUTH_PLUGIN(SignOnPlugin)
 === modified file 'signon-plugin/ubuntuone-plugin.h'
 --- signon-plugin/ubuntuone-plugin.h	2013-08-12 21:16:29 +0000
 +++ signon-plugin/ubuntuone-plugin.h	2016-04-22 09:51:32 +0000
@@ -27,9 +27,15 @@
  #include "ubuntuonedata.h"
++class PluginTest;
++
++class QNetworkAccessManager;
++class QNetworkReply;
  namespace UbuntuOne {
++    class Token;
++
      class SignOnPlugin : public AuthPluginInterface
+     {
          Q_OBJECT
@@ -40,17 +46,49 @@
          virtual ~SignOnPlugin();
      public Q_SLOTS:
--        QString type() const;
--        QStringList mechanisms() const;
--        void cancel();
++        QString type() const Q_DECL_OVERRIDE;
++        QStringList mechanisms() const Q_DECL_OVERRIDE;
++        void cancel() Q_DECL_OVERRIDE;
          void process(const SignOn::SessionData &inData,
--                     const QString &mechanism = 0);
--        void userActionFinished(const SignOn::UiSessionData &data);
--
--    private:
++                     const QString &mechanism = 0) Q_DECL_OVERRIDE;
++        void userActionFinished(const SignOn::UiSessionData &data) Q_DECL_OVERRIDE;
++
++    private:
++        bool validateInput(const PluginData &data, const QString &mechanism);
++        bool respondWithStoredData();
++        void checkTokenValidity(const Token &token,
++                                const PluginData &tokenData);
++        void emitErrorFromReply(QNetworkReply *reply);
++        void createNewToken();
++        void getCredentialsAndCreateNewToken();
++        bool handleUiError(const SignOn::UiSessionData &data);
++
++    private Q_SLOTS:
++        void onValidationFinished();
++        void onCreationFinished();
++
++    private:
++        friend class ::PluginTest;
          PluginData m_data;
++        PluginData m_checkedToken;
++        QNetworkAccessManager *m_networkAccessManager;
++        QNetworkReply *m_reply;
++        bool m_didAskForPassword;
++        bool m_needsOtp;
      };
  } // namespace UbuntuOne
++/* These fields are temporarily defined here; they'll be eventually moved to
++ * signond's include files. */
++#define SSOUI_KEY_USERNAME_TEXT QLatin1String("UserNameText")
++#define SSOUI_KEY_PASSWORD_TEXT QLatin1String("PasswordText")
++#define SSOUI_KEY_REGISTER_URL  QLatin1String("RegisterUrl")
++#define SSOUI_KEY_REGISTER_TEXT QLatin1String("RegisterText")
++#define SSOUI_KEY_LOGIN_TEXT QLatin1String("LoginText")
++#define SSOUI_KEY_QUERY2FA QLatin1String("Query2fa")
++#define SSOUI_KEY_2FA QLatin1String("2fa")
++#define SSOUI_KEY_2FA_TEXT QLatin1String("2faText")
++#define SSOUI_KEY_ERROR_MESSAGE QLatin1String("ErrorMessage")
++
  #endif
 === modified file 'signon-plugin/ubuntuonedata.h'
 --- signon-plugin/ubuntuonedata.h	2013-08-12 21:16:29 +0000
 +++ signon-plugin/ubuntuonedata.h	2016-04-22 09:51:32 +0000
@@ -25,16 +25,33 @@
      class PluginData : public SignOn::SessionData
+     {
      public:
++        PluginData(const QVariantMap &data = QVariantMap()):
++            SignOn::SessionData(data) {}
++
          // The name of the token
--        SIGNON_SESSION_DECLARE_PROPERTY(QString, Name);
++        SIGNON_SESSION_DECLARE_PROPERTY(QString, TokenName);
++
++        // The one-time password (optional)
++        SIGNON_SESSION_DECLARE_PROPERTY(QString, OneTimePassword);
          // The consumer key and secret for signing
--        SIGNON_SESSION_DECLARE_PROPERTY(QString, Consumer);
++        SIGNON_SESSION_DECLARE_PROPERTY(QString, ConsumerKey);
          SIGNON_SESSION_DECLARE_PROPERTY(QString, ConsumerSecret);
          // The access token and secret for signing
--        SIGNON_SESSION_DECLARE_PROPERTY(QString, Token);
++        SIGNON_SESSION_DECLARE_PROPERTY(QString, TokenKey);
          SIGNON_SESSION_DECLARE_PROPERTY(QString, TokenSecret);
++
++        // Error code
++        enum ErrorCode {
++            NoError = 0,
++            OneTimePasswordRequired,
++            InvalidPassword,
++        };
++        SIGNON_SESSION_DECLARE_PROPERTY(int, U1ErrorCode);
++
++        // Data which the plugin has stored into signond
++        SIGNON_SESSION_DECLARE_PROPERTY(QVariantMap, StoredData);
      };
  } // namespace UbuntuOne