Added support for storing encryption parameters in HTTP headers (Google API client)

jaaufauvre · jaaufauvre · commit 2e442f2da091 · 2019-03-12T17:46:08.000Z
diff --git a/src/main/java/com/mastercard/developer/interceptors/HttpExecuteFieldLevelEncryptionInterceptor.java b/src/main/java/com/mastercard/developer/interceptors/HttpExecuteFieldLevelEncryptionInterceptor.java
@@ -4,6 +4,7 @@
 import com.mastercard.developer.encryption.EncryptionException;
 import com.mastercard.developer.encryption.FieldLevelEncryption;
 import com.mastercard.developer.encryption.FieldLevelEncryptionConfig;
+import com.mastercard.developer.encryption.FieldLevelEncryptionParams;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -41,10 +42,25 @@ public void intercept(HttpRequest request) throws IOException {
             content.writeTo(outputStream);
             String requestPayload = outputStream.toString(StandardCharsets.UTF_8.name());
 
-            // Encrypt fields
-            String encryptedPayload = FieldLevelEncryption.encryptPayload(requestPayload, config);
+            // Encrypt fields & update headers
+            String encryptedPayload;
+            HttpHeaders headers = request.getHeaders();
+            if (config.useHttpHeaders()) {
+                // Generate encryption params and add them as HTTP headers
+                FieldLevelEncryptionParams params = FieldLevelEncryptionParams.generate(config);
+                updateHeader(headers, config.getIvHeaderName(), params.getIvValue());
+                updateHeader(headers, config.getEncryptedKeyHeaderName(), params.getEncryptedKeyValue());
+                updateHeader(headers, config.getEncryptionCertificateFingerprintHeaderName(), params.getEncryptionCertificateFingerprintValue());
+                updateHeader(headers, config.getEncryptionKeyFingerprintHeaderName(), params.getEncryptionKeyFingerprintValue());
+                updateHeader(headers, config.getOaepPaddingDigestAlgorithmHeaderName(), params.getOaepPaddingDigestAlgorithmValue());
+                encryptedPayload = FieldLevelEncryption.encryptPayload(requestPayload, config, params);
+            } else {
+                // Encryption params will be stored in the payload
+                encryptedPayload = FieldLevelEncryption.encryptPayload(requestPayload, config);
+            }
+            
             HttpContent encryptedContent = new ByteArrayContent("application/json; charset=" + StandardCharsets.UTF_8.name(), encryptedPayload.getBytes());
-            request.getHeaders().setContentLength(encryptedContent.getLength());
+            headers.setContentLength(encryptedContent.getLength());
             request.setContent(encryptedContent);
 
         } catch (EncryptionException e) {
@@ -62,10 +78,29 @@ public void interceptResponse(HttpResponse response) throws IOException {
                 return;
             }
 
-            // Decrypt fields
-            String decryptedPayload = FieldLevelEncryption.decryptPayload(responsePayload, config);
+            // Decrypt fields & update headers
+            String decryptedPayload;
+            HttpHeaders headers = response.getHeaders();
+            if (config.useHttpHeaders()) {
+                // Read encryption params from HTTP headers and delete headers
+                String ivValue = headers.getFirstHeaderStringValue(config.getIvHeaderName());
+                String oaepPaddingDigestAlgorithmValue = headers.getFirstHeaderStringValue(config.getOaepPaddingDigestAlgorithmHeaderName());
+                String encryptedKeyValue = headers.getFirstHeaderStringValue(config.getEncryptedKeyHeaderName());
+                removeHeader(headers, config.getIvHeaderName());
+                removeHeader(headers, config.getEncryptedKeyHeaderName());
+                removeHeader(headers, config.getOaepPaddingDigestAlgorithmHeaderName());
+                removeHeader(headers, config.getEncryptionCertificateFingerprintHeaderName());
+                removeHeader(headers, config.getEncryptionKeyFingerprintHeaderName());
+                FieldLevelEncryptionParams params = new FieldLevelEncryptionParams(ivValue, encryptedKeyValue, oaepPaddingDigestAlgorithmValue,
+                                                                                   null, null, config);
+                decryptedPayload = FieldLevelEncryption.decryptPayload(responsePayload, config, params);
+            } else {
+                // Encryption params are stored in the payload
+                decryptedPayload = FieldLevelEncryption.decryptPayload(responsePayload, config);
+            }
+
             HttpContent decryptedContent = new ByteArrayContent("application/json; charset=" + StandardCharsets.UTF_8.name(), decryptedPayload.getBytes());
-            response.getHeaders().setContentLength(decryptedContent.getLength());
+            headers.setContentLength(decryptedContent.getLength());
 
             // The HttpResponse public interface prevent from updating the response payload:
             // "Do not read from the content stream unless you intend to throw an exception"
@@ -79,4 +114,21 @@ public void interceptResponse(HttpResponse response) throws IOException {
             throw new IOException("Failed to update response with decrypted payload!", e);
         }
     }
+
+    private static void removeHeader(HttpHeaders headers, String name) {
+        if (name == null) {
+            // Do nothing
+            return;
+        }
+        headers.remove(name);
+    }
+
+    private static void updateHeader(HttpHeaders headers, String name, String value) {
+        if (name == null) {
+            // Do nothing
+            return;
+        }
+        headers.remove(name);
+        headers.set(name, value);
+    }
 }
diff --git a/src/test/java/com/mastercard/developer/interceptor/HttpExecuteFieldLevelEncryptionInterceptorTest.java b/src/test/java/com/mastercard/developer/interceptor/HttpExecuteFieldLevelEncryptionInterceptorTest.java
@@ -23,6 +23,7 @@
 import static com.mastercard.developer.test.TestUtils.assertPayloadEquals;
 import static com.mastercard.developer.test.TestUtils.getTestFieldLevelEncryptionConfigBuilder;
 import static org.hamcrest.core.Is.isA;
+import static org.junit.Assert.*;
 import static org.mockito.Mockito.*;
 
 @RunWith(MockitoJUnitRunner.class)
@@ -57,7 +58,7 @@ public void testIntercept_ShouldEncryptRequestPayloadAndUpdateContentLengthHeade
         String encryptedPayload = encryptedPayloadStream.toString(StandardCharsets.UTF_8.name());
         Assert.assertFalse(encryptedPayload.contains("foo"));
         Assert.assertTrue(encryptedPayload.contains("encryptedFoo"));
-        Assert.assertEquals(encryptedPayload.length(), httpHeaders.getContentLength().intValue());
+        assertEquals(encryptedPayload.length(), httpHeaders.getContentLength().intValue());
     }
 
     @Test
@@ -117,6 +118,7 @@ public void testInterceptResponse_ShouldDecryptResponsePayloadAndUpdateContentLe
                 .build();
         HttpResponse response = mock(HttpResponse.class);
         HttpHeaders httpHeaders = new HttpHeaders();
+        httpHeaders.setContentLength(100l);
         when(response.parseAsString()).thenReturn(encryptedPayload);
         when(response.getHeaders()).thenReturn(httpHeaders);
 
@@ -130,7 +132,7 @@ public void testInterceptResponse_ShouldDecryptResponsePayloadAndUpdateContentLe
         InputStream payloadInputStream = (InputStream) contentField.get(response);
         String payload = IOUtils.toString(payloadInputStream, StandardCharsets.UTF_8);
         assertPayloadEquals("{\"data\":\"string\"}", payload);
-        Assert.assertEquals(payload.length(), httpHeaders.getContentLength().intValue());
+        assertEquals(payload.length(), httpHeaders.getContentLength().intValue());
     }
 
     @Test
@@ -176,4 +178,88 @@ public void testInterceptResponse_ShouldThrowIOException_WhenDecryptionFails() t
         HttpExecuteFieldLevelEncryptionInterceptor instanceUnderTest = new HttpExecuteFieldLevelEncryptionInterceptor(config);
         instanceUnderTest.interceptResponse(response);
     }
+
+    @Test
+    public void testIntercept_ShouldEncryptRequestPayloadAndAddEncryptionHttpHeaders_WhenRequestedInConfig() throws Exception {
+
+        // GIVEN
+        FieldLevelEncryptionConfig config = getTestFieldLevelEncryptionConfigBuilder()
+                .withEncryptionPath("$.foo", "$.encryptedFoo")
+                .withIvHeaderName("x-iv")
+                .withEncryptedKeyHeaderName("x-encrypted-key")
+                .withOaepPaddingDigestAlgorithmHeaderName("x-oaep-padding-digest-algorithm")
+                .withEncryptionCertificateFingerprintHeaderName("x-encryption-certificate-fingerprint")
+                .withEncryptionKeyFingerprintHeaderName("x-encryption-key-fingerprint")
+                .build();
+        HttpRequest request = mock(HttpRequest.class);
+        HttpHeaders httpHeaders = new HttpHeaders();
+        when(request.getContent()).thenReturn(new ByteArrayContent(JSON_TYPE, "{\"foo\":\"bar\"}".getBytes()));
+        when(request.getHeaders()).thenReturn(httpHeaders);
+
+        // WHEN
+        HttpExecuteFieldLevelEncryptionInterceptor instanceUnderTest = new HttpExecuteFieldLevelEncryptionInterceptor(config);
+        instanceUnderTest.intercept(request);
+
+        // THEN
+        ArgumentCaptor<HttpContent> contentCaptor = ArgumentCaptor.forClass(HttpContent.class);
+        verify(request).setContent(contentCaptor.capture());
+        ByteArrayOutputStream encryptedPayloadStream = new ByteArrayOutputStream();
+        contentCaptor.getValue().writeTo(encryptedPayloadStream);
+        String encryptedPayload = encryptedPayloadStream.toString(StandardCharsets.UTF_8.name());
+        Assert.assertFalse(encryptedPayload.contains("foo"));
+        Assert.assertTrue(encryptedPayload.contains("encryptedFoo"));
+        assertEquals(encryptedPayload.length(), httpHeaders.getContentLength().intValue());
+        assertNotNull(httpHeaders.get("x-iv"));
+        assertNotNull(httpHeaders.get("x-encrypted-key"));
+        assertEquals("SHA256", httpHeaders.get("x-oaep-padding-digest-algorithm"));
+        assertEquals("80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279", httpHeaders.get("x-encryption-certificate-fingerprint"));
+        assertEquals("761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79", httpHeaders.get("x-encryption-key-fingerprint"));
+    }
+
+    @Test
+    public void testInterceptResponse_ShouldDecryptResponsePayloadAndRemoveEncryptionHttpHeaders_WhenRequestedInConfig() throws Exception {
+
+        // GIVEN
+        String encryptedPayload = "{" +
+                "    \"encryptedData\": {" +
+                "        \"encryptedValue\": \"21d754bdb4567d35d58720c9f8364075\"" +
+                "    }" +
+                "}";
+        FieldLevelEncryptionConfig config = getTestFieldLevelEncryptionConfigBuilder()
+                .withDecryptionPath("$.encryptedData", "$.data")
+                .withIvHeaderName("x-iv")
+                .withEncryptedKeyHeaderName("x-encrypted-key")
+                .withOaepPaddingDigestAlgorithmHeaderName("x-oaep-padding-digest-algorithm")
+                .withEncryptionCertificateFingerprintHeaderName("x-encryption-certificate-fingerprint")
+                .withEncryptionKeyFingerprintHeaderName("x-encryption-key-fingerprint")
+                .build();
+
+        HttpResponse response = mock(HttpResponse.class);
+        HttpHeaders httpHeaders = new HttpHeaders();
+        httpHeaders.set("x-iv", "a32059c51607d0d02e823faecda5fb15");
+        httpHeaders.set("x-encrypted-key", "a31cfe7a7981b72428c013270619554c1d645c04b9d51c7eaf996f55749ef62fd7c7f8d334f95913be41ae38c46d192670fd1acb84ebb85a00cd997f1a9a3f782229c7bf5f0fdf49fe404452d7ed4fd41fbb95b787d25893fbf3d2c75673cecc8799bbe3dd7eb4fe6d3f744b377572cdf8aba1617194e10475b6cd6a8dd4fb8264f8f51534d8f7ac7c10b4ce9c44d15066724b03a0ab0edd512f9e6521fdb5841cd6964e457d6b4a0e45ba4aac4e77d6bbe383d6147e751fa88bc26278bb9690f9ee84b17123b887be2dcef0873f4f9f2c895d90e23456fafb01b99885e31f01a3188f0ad47edf22999cc1d0ddaf49e1407375117b5d66f1f185f2b57078d255");
+        httpHeaders.set("x-oaep-padding-digest-algorithm", "SHA256");
+        httpHeaders.set("x-encryption-key-fingerprint", "761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79");
+        httpHeaders.set("x-encryption-certificate-fingerprint", "80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279");
+        httpHeaders.setContentLength(100l);
+        when(response.parseAsString()).thenReturn(encryptedPayload);
+        when(response.getHeaders()).thenReturn(httpHeaders);
+
+        // WHEN
+        HttpExecuteFieldLevelEncryptionInterceptor instanceUnderTest = new HttpExecuteFieldLevelEncryptionInterceptor(config);
+        instanceUnderTest.interceptResponse(response);
+
+        // THEN
+        Field contentField = response.getClass().getDeclaredField("content");
+        contentField.setAccessible(true);
+        InputStream payloadInputStream = (InputStream) contentField.get(response);
+        String payload = IOUtils.toString(payloadInputStream, StandardCharsets.UTF_8);
+        assertPayloadEquals("{\"data\":\"string\"}", payload);
+        assertEquals(payload.length(), httpHeaders.getContentLength().intValue());
+        assertNull(response.getHeaders().get("x-iv"));
+        assertNull(response.getHeaders().get("x-encrypted-key"));
+        assertNull(response.getHeaders().get("x-oaep-padding-digest-algorithm"));
+        assertNull(response.getHeaders().get("x-encryption-key-fingerprint"));
+        assertNull(response.getHeaders().get("x-encryption-certificate-fingerprint"));
+    }
 }
