Merge pull request #54 from rfeelin/feature/adding-wildcard-paths

Adding support for wildcard encryption and decryption paths

Author: rfeelin

README.md

@@ -138,6 +138,8 @@ This library supports two types of encryption/decryption, both of which support
 + [Performing JWE Decryption](#performing-jwe-decryption)
 + [Encrypting Entire Payloads](#encrypting-entire-payloads-jwe)
 + [Decrypting Entire Payloads](#decrypting-entire-payloads-jwe)
++ [Encrypting Payloads with Wildcards](#encrypting-wildcard-payloads-jwe)
++ [Decrypting Payloads with Wildcards](#decrypting-wildcard-payloads-jwe)
 
 ##### • Introduction <a name="jwe-introduction"></a>
 
@@ -294,6 +296,70 @@ Output:
 }
 ```
 
+##### • Encrypting Payloads with Wildcards <a name="encrypting-wildcard-payloads-jwe"></a>
+
+Wildcards can be encrypted using the "[*]" operator as part of encryption path:
+
+```java
+JweConfig config = JweConfigBuilder.aJweEncryptionConfig()
+    .withEncryptionCertificate(encryptionCertificate)
+    .withEncryptionPath("$.list[*]sensitiveField1", "$.list[*]encryptedField")
+    // …
+    .build();
+```
+
+Example:
+```java
+String payload = "{ \"list\": [ " +
+    "   { \"sensitiveField1\" : \"sensitiveValue1\"}, "+
+    "   { \"sensitiveField1\" : \"sensitiveValue2\"} " +
+    "]}";
+String encryptedPayload = JweEncryption.encryptPayload(payload, config);
+System.out.println(new GsonBuilder().setPrettyPrinting().create().toJson(new JsonParser().parse(encryptedPayload)));
+```
+
+Output:
+```json
+{
+  "list": [
+    {"encryptedField": "eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw"},
+    {"encryptedField": "eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+asdvarvasdvfdvakmkmm"}
+  ]
+}
+```
+
+##### • Decrypting Payloads with Wildcards <a name="decrypting-wildcard-payloads-jwe"></a>
+
+Wildcards can be decrypted using the "[*]" operator as part of decryption path:
+
+```java
+JweConfig config = JweConfigBuilder.aJweEncryptionConfig()
+    .withDecryptionKey(decryptionKey)
+    .withDecryptionPath("$.list[*]encryptedField", "$.list[*]sensitiveField1")
+    // …
+    .build();
+```
+
+Example:
+```java
+String encryptedPayload = "{ \"list\": [ " +
+        " { \"encryptedField\": \"eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw\"}, " +
+        " { \"encryptedField\": \"eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+asdvarvasdvfdvakmkmm\"} " +
+        " ]}";
+String payload = JweEncryption.decryptPayload(encryptedPayload, config);
+System.out.println(new GsonBuilder().setPrettyPrinting().create().toJson(new JsonParser().parse(payload)));
+```
+
+Output:
+```json
+{
+  "list": [
+    {"sensitiveField1": "sensitiveValue1"},
+    {"sensitiveField2": "sensitiveValue2"}
+  ]
+}
+```
+
 #### Mastercard Encryption and Decryption <a name="mastercard-encryption-and-decryption"></a>
 
 + [Introduction](#mastercard-introduction)
@@ -302,6 +368,8 @@ Output:
 + [Performing Mastercard Decryption](#performing-mastercard-decryption)
 + [Encrypting Entire Payloads](#encrypting-entire-mastercard-payloads)
 + [Decrypting Entire Payloads](#decrypting-entire-mastercard-payloads)
++ [Encrypting Payloads with Wildcards](#encrypting-wildcard-mastercard-payloads)
++ [Decrypting Payloads with Wildcards](#decrypting-wildcard-mastercard-payloads)
 + [Using HTTP Headers for Encryption Params](#using-http-headers-for-encryption-params)
 
 ##### • Introduction <a name="mastercard-introduction"></a>
@@ -469,6 +537,70 @@ Output:
     "sensitiveField1": "sensitiveValue1",
     "sensitiveField2": "sensitiveValue2"
 }
+
+```
+##### • Encrypting Payloads with Wildcards <a name="encrypting-wildcard-mastercard-payloads"></a>
+
+Wildcards can be encrypted using the "[*]" operator as part of encryption path:
+
+```java
+FLEConfig config = FieldLevelEncryptionConfigBuilder.aFieldLevelEncryptionConfig()
+    .withEncryptionCertificate(encryptionCertificate)
+    .withEncryptionPath("$.list[*]sensitiveField1", "$.list[*]encryptedField")
+    // …
+    .build();
+```
+
+Example:
+```java
+String payload = "{ \"list\": [ " +
+    "   { \"sensitiveField1\" : \"sensitiveValue1\"}, "+
+    "   { \"sensitiveField1\" : \"sensitiveValue2\"} " +
+    "]}";
+String encryptedPayload = FieldLevelEncryption.encryptPayload(payload, config);
+System.out.println(new GsonBuilder().setPrettyPrinting().create().toJson(new JsonParser().parse(encryptedPayload)));
+```
+
+Output:
+```json
+{
+  "list": [
+    {"encryptedField": "eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw"},
+    {"encryptedField": "eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+asdvarvasdvfdvakmkmm"}
+  ]
+}
+```
+
+##### • Decrypting Payloads with Wildcards <a name="decrypting-wildcard-mastercard-payloads"></a>
+
+Wildcards can be decrypted using the "[*]" operator as part of decryption path:
+
+```java
+FLEConfig config = FieldLevelEncryptionConfigBuilder.aFieldLevelEncryptionConfig()
+    .withDecryptionKey(decryptionKey)
+    .withDecryptionPath("$.list[*]encryptedField", "$.list[*]sensitiveField1")
+    // …
+    .build();
+```
+
+Example:
+```java
+String encryptedPayload = "{ \"list\": [ " +
+        " { \"encryptedField\": \"eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+oPYKZEMTKyYcSIVEgtQw\"}, " +
+        " { \"encryptedField\": \"eyJraWQiOiI3NjFiMDAzYzFlYWRlM….Y+asdvarvasdvfdvakmkmm\"} " +
+        " ]}";
+String payload = FieldLevelEncryption.decryptPayload(encryptedPayload, config);
+System.out.println(new GsonBuilder().setPrettyPrinting().create().toJson(new JsonParser().parse(payload)));
+```
+
+Output:
+```json
+{
+  "list": [
+    {"sensitiveField1": "sensitiveValue1"},
+    {"sensitiveField2": "sensitiveValue2"}
+  ]
+}
 ```
 
 ##### • Using HTTP Headers for Encryption Params <a name="using-http-headers-for-encryption-params"></a>

src/main/java/com/mastercard/developer/encryption/EncryptionConfigBuilder.java

@@ -42,14 +42,32 @@ static byte[] sha256digestBytes(byte[] bytes) throws NoSuchAlgorithmException {
 
     void checkJsonPathParameterValues() {
         for (Map.Entry<String, String> entry : decryptionPaths.entrySet()) {
-            if (!JsonPath.isPathDefinite(entry.getKey()) || !JsonPath.isPathDefinite(entry.getValue())) {
-                throw new IllegalArgumentException("JSON paths for decryption must point to a single item!");
+            if(entry.getKey().contains("[*]") || entry.getValue().contains("[*]")){
+                if(!(entry.getKey().contains("[*]") && entry.getValue().contains("[*]"))){
+                    throw new IllegalArgumentException("JSON paths for decryption with wildcard must both contain a wildcard!");
+                }
+                if((entry.getKey().split("[*]", -1).length-1 > 1 || entry.getValue().split("[*]", -1).length-1 > 1)){
+                    throw new IllegalArgumentException("JSON paths for decryption with can only contain one wildcard!");
+                }
+            } else {
+                if (!JsonPath.isPathDefinite(entry.getKey()) || !JsonPath.isPathDefinite(entry.getValue())) {
+                    throw new IllegalArgumentException("JSON paths for decryption must point to a single item!");
+                }
             }
         }
 
         for (Map.Entry<String, String> entry : encryptionPaths.entrySet()) {
-            if (!JsonPath.isPathDefinite(entry.getKey()) || !JsonPath.isPathDefinite(entry.getValue())) {
-                throw new IllegalArgumentException("JSON paths for encryption must point to a single item!");
+            if(entry.getKey().contains("[*]") || entry.getValue().contains("[*]")){
+                if(!(entry.getKey().contains("[*]") && entry.getValue().contains("[*]"))){
+                    throw new IllegalArgumentException("JSON paths for encryption with wildcard must both contain a wildcard!");
+                }
+                if((entry.getKey().split("[*]", -1).length-1 > 1 || entry.getValue().split("[*]", -1).length-1 > 1)){
+                    throw new IllegalArgumentException("JSON paths for encryption with can only contain one wildcard!");
+                }
+            } else {
+                if (!JsonPath.isPathDefinite(entry.getKey()) || !JsonPath.isPathDefinite(entry.getValue())) {
+                    throw new IllegalArgumentException("JSON paths for encryption must point to a single item!");
+                }
             }
         }
     }

src/main/java/com/mastercard/developer/encryption/FieldLevelEncryption.java

@@ -38,7 +38,17 @@ public static String encryptPayload(String payload, FieldLevelEncryptionConfig c
             for (Entry<String, String> entry : config.encryptionPaths.entrySet()) {
                 String jsonPathIn = entry.getKey();
                 String jsonPathOut = entry.getValue();
-                payloadContext = encryptPayloadPath(payloadContext, jsonPathIn, jsonPathOut, config, (FieldLevelEncryptionParams) params);
+                if(!jsonPathIn.contains("[*]")){
+                    payloadContext = encryptPayloadPath(payloadContext, jsonPathIn, jsonPathOut, config, (FieldLevelEncryptionParams) params);
+                }else {
+                    String getFieldLength = jsonPathIn.split("\\[.*?\\]")[0].concat(".length()");
+                    Integer length = JsonPath.read(payload, getFieldLength);
+                    for (Integer i = 0; i < length; i++) {
+                        String newJsonPathIn = jsonPathIn.replace("*", i.toString());
+                        String newJsonPathOut = jsonPathOut.replace("*", i.toString());
+                        payloadContext = encryptPayloadPath(payloadContext, newJsonPathIn, newJsonPathOut, config, (FieldLevelEncryptionParams) params);
+                    }
+                }
             }
 
             // Return the updated payload
@@ -61,7 +71,17 @@ public static String decryptPayload(String payload, FieldLevelEncryptionConfig c
             for (Entry<String, String> entry : config.decryptionPaths.entrySet()) {
                 String jsonPathIn = entry.getKey();
                 String jsonPathOut = entry.getValue();
-                payloadContext = decryptPayloadPath(payloadContext, jsonPathIn, jsonPathOut, config, (FieldLevelEncryptionParams) params);
+                if(!jsonPathIn.contains("[*]")){
+                    payloadContext = decryptPayloadPath(payloadContext, jsonPathIn, jsonPathOut, config, (FieldLevelEncryptionParams) params);
+                }else {
+                    String getFieldLength = jsonPathIn.split("\\[.*?\\]")[0].concat(".length()");
+                    Integer length = JsonPath.read(payload, getFieldLength);
+                    for (Integer i = 0; i < length; i++) {
+                        String newJsonPathIn = jsonPathIn.replace("*", i.toString());
+                        String newJsonPathOut = jsonPathOut.replace("*", i.toString());
+                        payloadContext = decryptPayloadPath(payloadContext, newJsonPathIn, newJsonPathOut, config, (FieldLevelEncryptionParams) params);
+                    }
+                }
             }
 
             // Return the updated payload

src/main/java/com/mastercard/developer/encryption/JweEncryption.java

@@ -30,7 +30,17 @@ public static String encryptPayload(String payload, JweConfig config) throws Enc
             for (Map.Entry<String, String> entry : config.getEncryptionPaths().entrySet()) {
                 String jsonPathIn = entry.getKey();
                 String jsonPathOut = entry.getValue();
-                payloadContext = encryptPayloadPath(payloadContext, jsonPathIn, jsonPathOut, config);
+                if(!jsonPathIn.contains("[*]")){
+                    payloadContext = encryptPayloadPath(payloadContext, jsonPathIn, jsonPathOut, config);
+                }else {
+                    String getFieldLength = jsonPathIn.split("\\[.*?\\]")[0].concat(".length()");
+                    Integer length = JsonPath.read(payload, getFieldLength);
+                    for (Integer i = 0; i < length; i++) {
+                        String newJsonPathIn = jsonPathIn.replace("*", i.toString());
+                        String newJsonPathOut = jsonPathOut.replace("*", i.toString());
+                        payloadContext = encryptPayloadPath(payloadContext, newJsonPathIn, newJsonPathOut, config);
+                    }
+                }
             }
 
             // Return the updated payload
@@ -49,7 +59,17 @@ public static String decryptPayload(String payload, JweConfig config) throws Enc
             for (Map.Entry<String, String> entry : config.getDecryptionPaths().entrySet()) {
                 String jsonPathIn = entry.getKey();
                 String jsonPathOut = entry.getValue();
-                payloadContext = decryptPayloadPath(payloadContext, jsonPathIn, jsonPathOut, config);
+                if(!jsonPathIn.contains("[*]")){
+                    payloadContext = decryptPayloadPath(payloadContext, jsonPathIn, jsonPathOut, config);
+                }else {
+                    String getFieldLength = jsonPathIn.split("\\[.*?\\]")[0].concat(".length()");
+                    Integer length = JsonPath.read(payload, getFieldLength);
+                    for (Integer i = 0; i < length; i++) {
+                        String newJsonPathIn = jsonPathIn.replace("*", i.toString());
+                        String newJsonPathOut = jsonPathOut.replace("*", i.toString());
+                        payloadContext = decryptPayloadPath(payloadContext, newJsonPathIn, newJsonPathOut, config);
+                    }
+                }
             }
 
             // Return the updated payload

src/test/java/com/mastercard/developer/encryption/FieldLevelEncryptionConfigBuilderTest.java

@@ -97,15 +97,51 @@ public void testBuild_ShouldComputeCertificateAndKeyFingerprints_WhenFingerprint
     }
 
     @Test
-    public void testBuild_ShouldThrowIllegalArgumentException_WhenNotDefiniteDecryptionPath() throws Exception {
+    public void testBuild_ShouldBuild_WhenHavingWildcardPaths() throws Exception {
+        FieldLevelEncryptionConfig config = FieldLevelEncryptionConfigBuilder.aFieldLevelEncryptionConfig()
+                .withEncryptionPath("$.encryptedPayloads[*]", "$.payload[*]")
+                .withEncryptionCertificate(TestUtils.getTestEncryptionCertificate())
+                .withEncryptionCertificateFingerprint("97A2FFE9F0D48960EF31E87FCD7A55BF7843FB4A9EEEF01BDB6032AD6FEF146B")
+                .withEncryptionKeyFingerprint("F806B26BC4870E26986C70B6590AF87BAF4C2B56BB50622C51B12212DAFF2810")
+                .withEncryptionCertificateFingerprintFieldName("publicCertificateFingerprint")
+                .withEncryptionCertificateFingerprintHeaderName("x-public-certificate-fingerprint")
+                .withEncryptionKeyFingerprintFieldName("publicKeyFingerprint")
+                .withEncryptionKeyFingerprintHeaderName("x-public-key-fingerprint")
+                .withDecryptionPath("$.encryptedPayloads[*]", "$.payload[*]")
+                .withDecryptionKey(TestUtils.getTestDecryptionKey())
+                .withOaepPaddingDigestAlgorithm("SHA-512")
+                .withOaepPaddingDigestAlgorithmFieldName("oaepPaddingDigestAlgorithm")
+                .withOaepPaddingDigestAlgorithmHeaderName("x-oaep-padding-digest-algorithm")
+                .withEncryptedValueFieldName("encryptedValue")
+                .withEncryptedKeyFieldName("encryptedKey")
+                .withEncryptedKeyHeaderName("x-encrypted-key")
+                .withIvFieldName("iv")
+                .withIvHeaderName("x-iv")
+                .withFieldValueEncoding(HEX)
+                .build();
+        Assert.assertNotNull(config);
+    }
+
+    @Test
+    public void testBuild_ShouldThrowIllegalArgumentException_WhenNotHavingWildcardOnBothDecryptionPaths() throws Exception {
         expectedException.expect(IllegalArgumentException.class);
-        expectedException.expectMessage("JSON paths for decryption must point to a single item!");
+        expectedException.expectMessage("JSON paths for decryption with wildcard must both contain a wildcard!");
         FieldLevelEncryptionConfigBuilder.aFieldLevelEncryptionConfig()
                 .withDecryptionPath("$.encryptedPayloads[*]", "$.payload")
                 .withDecryptionKey(TestUtils.getTestDecryptionKey())
                 .build();
     }
 
+    @Test
+    public void testBuild_ShouldThrowIllegalArgumentException_WhenMultipleWildcardsOnDecryptionPaths() throws Exception {
+        expectedException.expect(IllegalArgumentException.class);
+        expectedException.expectMessage("JSON paths for decryption with can only contain one wildcard!");
+        FieldLevelEncryptionConfigBuilder.aFieldLevelEncryptionConfig()
+                .withDecryptionPath("$.encryptedPayloads[*]field1[*]subField", "$.payload[*]field1[*]encryptedSubField")
+                .withDecryptionKey(TestUtils.getTestDecryptionKey())
+                .build();
+    }
+
     @Test
     public void testBuild_ShouldThrowIllegalArgumentException_WhenMissingDecryptionKey() throws Exception {
         expectedException.expect(IllegalArgumentException.class);
@@ -121,11 +157,21 @@ public void testBuild_ShouldThrowIllegalArgumentException_WhenMissingDecryptionK
     }
 
     @Test
-    public void testBuild_ShouldThrowIllegalArgumentException_WhenNotDefiniteEncryptionPath() throws Exception {
+    public void testBuild_ShouldThrowIllegalArgumentException_WhenNotHavingWildcardOnBothEncryptionPaths() throws Exception {
+        expectedException.expect(IllegalArgumentException.class);
+        expectedException.expectMessage("JSON paths for encryption with wildcard must both contain a wildcard!");
+        FieldLevelEncryptionConfigBuilder.aFieldLevelEncryptionConfig()
+                .withEncryptionPath("$.encryptedPayloads[*]", "$.payload")
+                .withEncryptionCertificate(TestUtils.getTestEncryptionCertificate())
+                .build();
+    }
+
+    @Test
+    public void testBuild_ShouldThrowIllegalArgumentException_WhenMultipleWildcardsOnEncryptionPaths() throws Exception {
         expectedException.expect(IllegalArgumentException.class);
-        expectedException.expectMessage("JSON paths for encryption must point to a single item!");
+        expectedException.expectMessage("JSON paths for encryption with can only contain one wildcard!");
         FieldLevelEncryptionConfigBuilder.aFieldLevelEncryptionConfig()
-                .withEncryptionPath("$.payloads[*]", "$.encryptedPayload")
+                .withEncryptionPath("$.encryptedPayloads[*]field1[*]subField", "$.payload[*]field1[*]encryptedSubField")
                 .withEncryptionCertificate(TestUtils.getTestEncryptionCertificate())
                 .build();
     }

src/test/java/com/mastercard/developer/encryption/FieldLevelEncryptionWithDefaultJsonEngineTest.java

@@ -24,6 +24,7 @@
 import static com.mastercard.developer.utils.EncodingUtils.base64Decode;
 import static com.mastercard.developer.utils.EncryptionUtils.loadDecryptionKey;
 import static org.hamcrest.core.Is.isA;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.jupiter.api.Assertions.*;
 
 public class FieldLevelEncryptionWithDefaultJsonEngineTest {
@@ -127,6 +128,34 @@ public void testEncryptPayload_Nominal() throws Exception {
         assertDecryptedPayloadEquals("{\"data\":{\"field1\":\"value1\",\"field2\":\"value2\"}}", encryptedPayload, config);
     }
 
+    @Test
+    public void testEncryptPayload_ShouldEncryptWithWildcard() throws Exception {
+
+        // GIVEN
+        String payload = "{ \"fields\": [" +
+                "   {" +
+                "      \"field1\": \"AAAA\"," +
+                "      \"field2\": \"asdf\"" +
+                "   }," +
+                "   {" +
+                "      \"field1\": \"BBBB\"," +
+                "      \"field2\": \"zxcv\"" +
+                "   }" +
+                "]}";
+        FieldLevelEncryptionConfig config = getTestFieldLevelEncryptionConfigBuilder()
+                .withEncryptionPath("$.fields[*]field1", "$.fields[*]encryptedData")
+                .withDecryptionPath("$.fields[*]encryptedData", "$.fields[*]field1")
+                .withOaepPaddingDigestAlgorithm("SHA-256")
+                .build();
+
+        // WHEN
+        String encryptedPayload = FieldLevelEncryption.encryptPayload(payload, config);
+
+        // THEN
+        assertDecryptedPayloadEquals("{\"fields\":[{\"field2\":\"asdf\",\"field1\":\"AAAA\"},{\"field2\":\"zxcv\",\"field1\":\"BBBB\"}]}", encryptedPayload, config);
+    }
+
+
     @Test
     public void testEncryptPayload_ShouldSupportBase64FieldValueEncoding() throws Exception {