Add RequestValidator

Author: jingming

src/main/java/com/twilio/security/RequestValidator.java

@@ -0,0 +1,72 @@
+package com.twilio.security;
+
+import org.apache.commons.codec.binary.Base64;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
+public class RequestValidator {
+
+    private static final String HMAC = "HmacSHA1";
+
+    private final SecretKeySpec signingKey;
+
+    public RequestValidator(String authToken) {
+        this.signingKey = new SecretKeySpec(authToken.getBytes(), HMAC);
+    }
+
+    public boolean validate(String url, Map<String, String> params, String expectedSignature) {
+        String signature = getValidationSignature(url, params);
+        return secureCompare(signature, expectedSignature);
+    }
+
+    private String getValidationSignature(String url, Map<String, String> params) {
+        try {
+
+            StringBuilder builder = new StringBuilder(url);
+            if (params != null) {
+                List<String> sortedKeys = new ArrayList<>(params.keySet());
+                Collections.sort(sortedKeys);
+
+                for (String s : sortedKeys) {
+                    builder.append(s);
+
+                    String v = params.get(s);
+                    builder.append(v == null ? "" : v);
+                }
+            }
+
+            Mac mac = Mac.getInstance(HMAC);
+            mac.init(signingKey);
+
+            byte[] rawHmac = mac.doFinal(builder.toString().getBytes(StandardCharsets.UTF_8));
+            return new String(Base64.encodeBase64(rawHmac));
+
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+    private boolean secureCompare(String a, String b) {
+        if (a == null || b == null) {
+            return false;
+        }
+
+        int n = a.length();
+        if (n != b.length()) {
+            return false;
+        }
+
+        int mismatch = 0;
+        for (int i = 0; i < n; ++i) {
+            mismatch |= a.charAt(i) ^ b.charAt(i);
+        }
+        return mismatch == 0;
+    }
+
+}

src/test/java/com/twilio/security/RequestValidatorTest.java

@@ -0,0 +1,32 @@
+package com.twilio.security;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Test class for {@link RequestValidator}.
+ */
+public class RequestValidatorTest {
+
+    @Test
+    public void testValidate() {
+
+        RequestValidator validator = new RequestValidator("12345");
+
+        String url = "https://mycompany.com/myapp.php?foo=1&bar=2";
+        Map<String, String> params = new HashMap<>();
+        params.put("CallSid", "CA1234567890ABCDE");
+        params.put("Caller", "+14158675309");
+        params.put("Digits", "1234");
+        params.put("From", "+14158675309");
+        params.put("To", "+18005551212");
+
+        String signature = "RSOYDt4T1cUTdK1PDd93/VVr8B8=";
+
+        Assert.assertTrue("Request does not match provided signature", validator.validate(url, params, signature));
+    }
+
+}