Func: Rearreange qp before calculating

Juanita De La Cuesta · Juanita De La Cuesta · commit 6acdc9b7f672 · 2019-01-11T12:33:19.000+01:00
diff --git a/signature/signature.go b/signature/signature.go
@@ -8,11 +8,16 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
+	"math"
 	"net/http"
+	"net/url"
 	"strconv"
 	"time"
 )
 
+const tsHeader = "MessageBird-Request-Timestamp"
+const sHeader = "MessageBird-Signature"
+
 // ValidityPeriod is the time in hours after which a request is descarded
 type ValidityPeriod *float64
 
@@ -44,10 +49,10 @@ type Validator struct {
 }
 
 // NewValidator returns a signature validator object
-func NewValidator(signingKey string, period float64, log *log.Logger, message *string) *Validator {
+func NewValidator(signingKey string, period ValidityPeriod, log *log.Logger, message *string) *Validator {
 	return &Validator{
 		SigningKey:  signingKey,
-		Period:      &period,
+		Period:      period,
 		Log:         log,
 		LogMesssage: message,
 	}
@@ -56,11 +61,14 @@ func NewValidator(signingKey string, period float64, log *log.Logger, message *s
 // ValidTimestamp validates if the MessageBird-Request-Timestamp is a valid
 // date and if the request is older than the validator Period.
 func (v *Validator) ValidTimestamp(ts string) bool {
+	t, err := StringToTime(ts)
+	if err != nil {
+		return false
+	}
 	if v.Period != nil {
 		now := time.Now()
-		t, err := StringToTime(ts)
 		diff := now.Sub(t)
-		if err != nil || diff.Hours() > *v.Period {
+		if math.Abs(diff.Hours()) > *v.Period {
 			return false
 		}
 	}
@@ -85,15 +93,16 @@ func (v *Validator) CalculateSignature(ts, qp string, b []byte) ([]byte, error)
 
 // ValidSignature takes the timestamp, query params and body from the request,
 // calculates the expected signature and compares it to the one sent by MessageBird.
-func (v *Validator) ValidSignature(ts, qp, rs string, b []byte) bool {
-	es, _ := v.CalculateSignature(ts, qp, b)
+func (v *Validator) ValidSignature(ts, rqp string, b []byte, rs string) bool {
+	uqp, _ := url.Parse("?" + rqp)
+	es, _ := v.CalculateSignature(ts, uqp.Query().Encode(), b)
 	drs, _ := base64.StdEncoding.DecodeString(rs)
 	return hmac.Equal(drs, es)
 }
 
 func (v *Validator) Error(w http.ResponseWriter, r *http.Request) {
 	if v.Log != nil {
-		v.Log.Println(v.LogMesssage, r.Host)
+		v.Log.Printf("%s, sending host: %s", *v.LogMesssage, r.Host)
 	}
 	http.Error(w, "Request not allowed", http.StatusUnauthorized)
 	return
@@ -103,17 +112,17 @@ func (v *Validator) Error(w http.ResponseWriter, r *http.Request) {
 // incoming requests and rejects them if invalid or pass them on to your handler
 // otherwise.
 // To use just wrappe your handler with it:
-//  http.Handle("/path", signature.Validate(handleThing))
+// http.Handle("/path", signature.Validate(handleThing))
 func (v *Validator) Validate(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ts := r.Header.Get("MessageBird-Request-Timestamp")
-		rs := r.Header.Get("MessageBird-Request-Signature")
+		ts := r.Header.Get(tsHeader)
+		rs := r.Header.Get(sHeader)
 		if ts == "" || rs == "" {
 			v.Error(w, r)
 			return
 		}
 		b, _ := ioutil.ReadAll(r.Body)
-		if v.ValidTimestamp(ts) == false || v.ValidSignature(ts, r.URL.RawQuery, rs, b) == false {
+		if v.ValidTimestamp(ts) == false || v.ValidSignature(ts, r.URL.RawQuery, b, rs) == false {
 			v.Error(w, r)
 			return
 		}
diff --git a/signature/signature_test.go b/signature/signature_test.go
@@ -3,22 +3,250 @@ package signature
 import (
 	"bytes"
 	"encoding/base64"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
 	"testing"
+	"time"
 )
 
 const testTs = "1544544948"
 const testQp = "abc=foo&def=bar"
 const testBody = `{"a key":"some value"}`
 const testSignature = "orb0adPhRCYND1WCAvPBr+qjm4STGtyvNDIDNBZ4Ir4="
+const testKey = "other-secret"
 
 func TestCalculateSignature(t *testing.T) {
-	v := NewValidator("other-secret", 2, nil, nil)
-	s, err := v.CalculateSignature(testTs, testQp, []byte(testBody))
-	if err != nil {
-		t.Errorf("Error calculating signature: %s, expected: orb0adPhRCYND1WCAvPBr+qjm4STGtyvNDIDNBZ4Ir4=", s)
+	var cases = []struct {
+		sKey string
+		ts   string
+		qp   string
+		b    string
+		es   string
+		e    bool
+	}{
+		{
+			sKey: testKey,
+			ts:   testTs,
+			qp:   testQp,
+			b:    testBody,
+			es:   testSignature,
+			e:    true,
+		},
+		{
+			sKey: testKey,
+			ts:   testTs,
+			qp:   testQp,
+			b:    testBody,
+			es:   "LISw4Je7n0/MkYDgVSzTJm8dW6BkytKTXMZZk1IElMs=",
+			e:    false,
+		},
+		{
+			sKey: "secret",
+			ts:   testTs,
+			qp:   "",
+			b:    "",
+			es:   "LISw4Je7n0/MkYDgVSzTJm8dW6BkytKTXMZZk1IElMs=",
+			e:    true,
+		},
+		{
+			sKey: "secret",
+			ts:   testTs,
+			qp:   "",
+			b:    testBody,
+			es:   "p2e20OtAg39DEmz1ORHpjQ556U4o1ZaH4NWbM9Q8Qjk=",
+			e:    true,
+		},
+		{
+			sKey: "secret",
+			ts:   testTs,
+			qp:   testQp,
+			b:    "",
+			es:   "Tfn+nRUBsn6lQgf6IpxBMS1j9lm7XsGjt5xh47M3jCk=",
+			e:    true,
+		},
 	}
-	drs, _ := base64.StdEncoding.DecodeString(testSignature)
-	if bytes.Compare(s, drs) != 0 {
-		t.Errorf("Unexpected signature: %s, expected: orb0adPhRCYND1WCAvPBr+qjm4STGtyvNDIDNBZ4Ir4=", s)
+	for i, tt := range cases {
+		v := NewValidator(tt.sKey, nil, nil, nil)
+		s, err := v.CalculateSignature(tt.ts, tt.qp, []byte(tt.b))
+		if err != nil {
+			t.Errorf("Error calculating signature: %s, expected: %s", s, tt.es)
+		}
+		drs, _ := base64.StdEncoding.DecodeString(tt.es)
+		e := bool(bytes.Compare(s, drs) == 0)
+		if e != tt.e {
+			t.Errorf("Unexpected signature: %s, test case: %d", s, i)
+		}
 	}
 }
+func TestValidTimestamp(t *testing.T) {
+	var p float64 = 2
+	now := time.Now()
+	nowts := fmt.Sprintf("%d", now.Unix())
+	var cases = []struct {
+		ts string
+		p  ValidityPeriod
+		e  bool
+	}{
+		{
+			ts: nowts,
+			p:  nil,
+			e:  true,
+		},
+		{
+			ts: "",
+			p:  nil,
+			e:  false,
+		},
+		{
+			ts: "wrongTs",
+			p:  nil,
+			e:  false,
+		},
+		{
+			ts: nowts,
+			p:  &p,
+			e:  true,
+		},
+		{
+			ts: fmt.Sprintf("%d", now.AddDate(0, 0, 1).Unix()),
+			p:  &p,
+			e:  false,
+		},
+		{
+			ts: fmt.Sprintf("%d", now.AddDate(0, 0, -1).Unix()),
+			p:  &p,
+			e:  false,
+		},
+	}
+
+	for i, tt := range cases {
+		v := NewValidator(testKey, tt.p, nil, nil)
+		r := v.ValidTimestamp(tt.ts)
+		if r != tt.e {
+			t.Errorf("Unexpected error validating ts: %s, test case: %d", tt.ts, i)
+		}
+	}
+}
+
+func TestValidSignature(t *testing.T) {
+	var cases = []struct {
+		ts string
+		qp string
+		b  string
+		s  string
+		e  bool
+	}{
+		{
+			ts: testTs,
+			qp: testQp,
+			b:  testBody,
+			s:  testSignature,
+			e:  true,
+		},
+		{
+			ts: testTs,
+			qp: "def=bar&abc=foo",
+			b:  testBody,
+			s:  testSignature,
+			e:  true,
+		},
+		{
+			ts: testTs,
+			qp: testQp,
+			b:  testBody,
+			s:  "wrong signature",
+			e:  false,
+		},
+	}
+
+	for i, tt := range cases {
+		v := NewValidator(testKey, nil, nil, nil)
+		r := v.ValidSignature(tt.ts, tt.qp, []byte(tt.b), tt.s)
+		if r != tt.e {
+			t.Errorf("Unexpected error validating signature: %s, test case: %d", tt.s, i)
+		}
+	}
+}
+
+func testHandler(w http.ResponseWriter, r *http.Request) {
+
+}
+func TestValidate(t *testing.T) {
+	var cases = []struct {
+		k   string
+		ts  string
+		s   string
+		sh  string
+		tsh string
+		e   int
+	}{
+		{
+			k:   testKey,
+			ts:  testTs,
+			s:   testSignature,
+			sh:  sHeader,
+			tsh: tsHeader,
+			e:   http.StatusOK,
+		},
+		{
+			k:   "",
+			ts:  testTs,
+			s:   testSignature,
+			sh:  sHeader,
+			tsh: tsHeader,
+			e:   http.StatusUnauthorized,
+		},
+		{
+			k:   testKey,
+			ts:  "",
+			s:   testSignature,
+			sh:  sHeader,
+			tsh: tsHeader,
+			e:   http.StatusUnauthorized,
+		},
+		{
+			k:   testKey,
+			ts:  testTs,
+			s:   "",
+			sh:  sHeader,
+			tsh: tsHeader,
+			e:   http.StatusUnauthorized,
+		},
+		{
+			k:   testKey,
+			ts:  testTs,
+			s:   testSignature,
+			sh:  "wrong-header",
+			tsh: tsHeader,
+			e:   http.StatusUnauthorized,
+		},
+		{
+			k:   testKey,
+			ts:  testTs,
+			s:   testSignature,
+			sh:  sHeader
+			tsh: "wrong-header",
+			e:   http.StatusUnauthorized,
+		},
+	}
+
+	for i, tt := range cases {
+		v := NewValidator(tt.k, nil, nil, nil)
+		ts := httptest.NewServer(v.Validate(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		})))
+		defer ts.Close()
+
+		client := &http.Client{}
+		req, _ := http.NewRequest("GET", ts.URL+"?"+testQp, strings.NewReader(testBody))
+		req.Header.Set(tt.sh, tt.s)
+		req.Header.Set(tt.tsh, tt.ts)
+		res, _ := client.Do(req)
+		if res.StatusCode != tt.e {
+			t.Errorf("Unexpected response code: %s, test case: %d", res.Status, i)
+		}
+	}
+
+}
