Polish up signature

Author: jingming

src/main/java/com/twilio/jwt/validation/ValidationToken.java

@@ -3,6 +3,8 @@
 import com.google.common.base.Charsets;
 import com.google.common.base.Function;
 import com.google.common.base.Joiner;
+import com.google.common.base.Strings;
+import com.google.common.collect.Lists;
 import com.google.common.hash.HashFunction;
 import com.google.common.hash.Hashing;
 import com.google.common.io.CharStreams;
@@ -19,7 +21,6 @@
 import java.io.InputStreamReader;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.Comparator;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
@@ -80,19 +81,19 @@ public Map<String, Object> getClaims() {
 
         // Normalize all the headers
         Header[] lowercaseHeaders = LOWERCASE_KEYS.apply(headers);
-        Arrays.sort(lowercaseHeaders, new Comparator<Header>() {
-            @Override
-            public int compare(Header o1, Header o2) {
-                return o1.getName().compareTo(o2.getName());
-            }
-        });
+        Map<String, List<String>> combinedHeaders = COMBINE_HEADERS.apply(lowercaseHeaders);
 
         // Add the headers that we care about
-        for (Header header: lowercaseHeaders) {
-            if (signedHeaders.contains(header.getName().toLowerCase())) {
-                signature.append(header.getName().toLowerCase().trim())
+        for (String header : signedHeaders) {
+            String lowercase = header.toLowerCase().trim();
+
+            if (combinedHeaders.containsKey(lowercase)) {
+                List<String> values = combinedHeaders.get(lowercase);
+                Collections.sort(values);
+
+                signature.append(lowercase)
                     .append(":")
-                    .append(header.getValue().trim())
+                    .append(Joiner.on(',').join(values))
                     .append(NEW_LINE);
             }
         }
@@ -102,8 +103,10 @@ public int compare(Header o1, Header o2) {
         signature.append(includedHeaders).append(NEW_LINE);
 
         // Hash and hex the request payload
-        String hashedPayload = HASH_FUNCTION.hashString(requestBody, Charsets.UTF_8).toString();
-        signature.append(hashedPayload).append(NEW_LINE);
+        if (!Strings.isNullOrEmpty(requestBody)) {
+            String hashedPayload = HASH_FUNCTION.hashString(requestBody, Charsets.UTF_8).toString();
+            signature.append(hashedPayload);
+        }
 
         // Hash and hex the canonical request
         String hashedSignature = HASH_FUNCTION.hashString(signature.toString(), Charsets.UTF_8).toString();
@@ -143,6 +146,23 @@ public static ValidationToken fromHttpRequest(
         return builder.build();
     }
 
+    private static Function<Header[], Map<String, List<String>>> COMBINE_HEADERS = new Function<Header[], Map<String, List<String>>>() {
+        @Override
+        public Map<String, List<String>> apply(Header[] headers) {
+            Map<String, List<String>> combinedHeaders = new HashMap<>();
+
+            for (Header header : headers)  {
+                if (combinedHeaders.containsKey(header.getName())) {
+                    combinedHeaders.get(header.getName()).add(header.getValue());
+                } else {
+                    combinedHeaders.put(header.getName(), Lists.newArrayList(header.getValue()));
+                }
+            }
+
+            return combinedHeaders;
+        }
+    };
+
     private static Function<Header[], Header[]> LOWERCASE_KEYS = new Function<Header[], Header[]>() {
         @Override
         public Header[] apply(Header[] headers) {

src/test/java/com/twilio/jwt/validation/ValidationTokenTest.java

@@ -7,14 +7,16 @@
 import mockit.Expectations;
 import mockit.Mocked;
 import org.apache.http.Header;
-import org.apache.http.HttpRequest;
-import org.apache.http.RequestLine;
+import org.apache.http.HttpEntity;
+import org.apache.http.HttpEntityEnclosingRequest;
 import org.apache.http.message.BasicHeader;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 import java.util.Date;
 import java.util.List;
 
@@ -27,10 +29,10 @@ public class ValidationTokenTest {
     private Header[] headers;
 
     @Mocked
-    private HttpRequest request;
+    private HttpEntityEnclosingRequest request;
 
     @Mocked
-    private RequestLine requestLine;
+    private HttpEntity entity;
 
     @Before
     public void setup() {
@@ -83,7 +85,38 @@ public void testTokenFromHttpRequest() throws IOException {
 
 
         Assert.assertEquals("authorization;host", claims.get("hrh"));
-        Assert.assertEquals("3e84e1e5af4c084e413f9bd103f9f11abb3d5f58c4b0b72a79a986aebe58cd5b", claims.get("rqh"));
+        Assert.assertEquals("4b3d2666845a38f00259a5231a08765bb2d12564bc4469fd5b2816204c588967", claims.get("rqh"));
+    }
+
+    @Test
+    public void testTokenFromPostRequest() throws IOException {
+        new Expectations() {{
+            request.getRequestLine().getMethod();
+            result = "POST";
+
+            request.getRequestLine().getUri();
+            result = "/Messages";
+
+            request.getAllHeaders();
+            result = headers;
+
+            request.getEntity();
+            result = entity;
+
+            entity.getContent();
+            result = new ByteArrayInputStream("testbody".getBytes(StandardCharsets.UTF_8));
+        }};
+
+        Jwt jwt = ValidationToken.fromHttpRequest(CREDENTIAL_SID, SECRET, request, SIGNED_HEADERS);
+        Claims claims =
+            Jwts.parser()
+                .setSigningKey(SECRET.getBytes())
+                .parseClaimsJws(jwt.toJwt())
+                .getBody();
+
+
+        Assert.assertEquals("authorization;host", claims.get("hrh"));
+        Assert.assertEquals("bd792c967c20d546c738b94068f5f72758a10d26c12979677501e1eefe58c65a", claims.get("rqh"));
     }
 
     private void validateToken(Claims claims) {