Merge pull request #11 from elreydetodo/mmeyer-fixes-for-rc2

Fix Java 7 compile; README updates; signed header order

Author: elreydetodo

README.md

@@ -36,12 +36,17 @@ build one with its internal builder:
 ```java
 Request request = Request.builder()
         .method("POST")
-        .uriWithQuery(URI.create("https://localhost/service/v2/users"))
-        .body("{ field: \"foo\" }")
-        .header("Content-Type", "application/json")
+        .uriWithQuery(URI.create("https://akaa-baseurl-xxxxxxxxxxx-xxxxxxxxxxxxx.luna.akamaiapis.net/billing-usage/v1/reportSources"))
+        .body("{ \"field\": \"field value\" }")
+        .header("X-Some-Signed-Header", "header value")
+        .header("X-Some-Other-Signed-Header", "header value 2")
         .build();
 ```
 
+NOTE: You only need to include headers in your `Request` that will be included
+in the EdgeGrid request signature. Many APIs do not require any headers to be
+signed.
+
 `EdgeGridV1Signer` is an implementation of the EdgeGrid V1 Signing Algorithm.
 You can use `EdgeGridV1Signer#getSignature(Request, ClientCredential)` to
 generate the `Authorization` header for an EdgeGrid request:
@@ -100,16 +105,16 @@ Sign your REST-assured request specification with a defined client credential:
 
 ```java
 given()
-    .baseUri("https://endpoint.net")
-    .filter(new RestAssuredEdgeGridFilter(credential))
+    .baseUri("https://akaa-baseurl-xxxxxxxxxxx-xxxxxxxxxxxxx.luna.akamaiapis.net")
+    .filter(new RestAssuredEdgeGridFilter(clientCredential))
 .when()
-    .get("/service/v2/users")
+    .get("/billing-usage/v1/reportSources")
 .then()
     .statusCode(200);
 ```
 
 REST-assured request specifications *must* contain a relative path in `get(path)`, `post
-(path)` etc. 
+(path)` etc.
 
 ## Usage with Google HTTP Client Library for Java
 
@@ -130,22 +135,24 @@ Sign your HTTP request with a defined client credential:
 ```java
 HttpTransport httpTransport = new ApacheHttpTransport();
 HttpRequestFactory requestFactory = httpTransport.createRequestFactory();
-URI uri = URI.create("https://endpoint.net/billing-usage/v1/reportSources");
+URI uri = URI.create("https://akaa-baseurl-xxxxxxxxxxx-xxxxxxxxxxxxx.luna.akamaiapis.net/billing-usage/v1/reportSources");
 HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(uri));
 
-GoogleHttpClientEdgeGridRequestSigner requestSigner = new GoogleHttpClientEdgeGridRequestSigner(credential);
+GoogleHttpClientEdgeGridRequestSigner requestSigner = new GoogleHttpClientEdgeGridRequestSigner(clientCredential);
 requestSigner.sign(request);
 request.execute();
 ```
 
-This, however, requires remembering to sign explicitly every request. Alternatively, you may create <code>HttpRequestFactory</code>
-that will be doing it for yourself:
+This, however, requires remembering to sign explicitly every request.
+Alternately, you may create an `HttpRequestFactory` that will automatically
+sign requests via an Interceptor:
 
 ```java
-private HttpRequestFactory createSigningRequestFactory(HttpTransport httpTransport) {
+private HttpRequestFactory createSigningRequestFactory() {
+    HttpTransport httpTransport = new ApacheHttpTransport();
     return httpTransport.createRequestFactory(new HttpRequestInitializer() {
         public void initialize(HttpRequest request) throws IOException {
-            request.setInterceptor(new GoogleHttpClientEdgeGridInterceptor(credential));
+            request.setInterceptor(new GoogleHttpClientEdgeGridInterceptor(clientCredentialProvider));
         }
     });
 }
@@ -154,14 +161,19 @@ private HttpRequestFactory createSigningRequestFactory(HttpTransport httpTranspo
 And then
 
 ```java
-HttpTransport httpTransport = new ApacheHttpTransport();
-HttpRequestFactory requestFactory = createSigningRequestFactory(httpTransport);
-URI uri = URI.create("https://endpoint.net/billing-usage/v1/reportSources");
+HttpRequestFactory requestFactory = createSigningRequestFactory();
+URI uri = URI.create("https://akaa-baseurl-xxxxxxxxxxx-xxxxxxxxxxxxx.luna.akamaiapis.net/billing-usage/v1/reportSources");
 HttpRequest request = requestFactory.buildGetRequest(new GenericUrl(uri));
 
 request.execute();
 ```
 
+NOTE: In this example we have used a `ClientCredentialProvider` rather than
+a more simple `ClientCredential`. `ClientCredentialProvider` provides a
+mechanism to construct a `ClientCredential` at the time of a request based on
+any logic you may want. For example, your own implementation could read
+credentials from a database or other secret store.
+
 ## Releases
 
 2.0:
@@ -178,12 +190,12 @@ A number of similar libraries for signing requests exist for popular
 programming languages:
 
 * There are two Python bindings: a [command line tool similar to curl][1] and a [Python library][2].
-* [Ruby binding][2]
-* [Perl binding][3]
-* [Powershell binding][4]
-* [NodeJS binding][5]
-* [C# binding][6]
-* [Go binding][7]
+* [Ruby binding][3]
+* [Perl binding][4]
+* [Powershell binding][5]
+* [NodeJS binding][6]
+* [C# binding][7]
+* [Go binding][8]
 
 [1]: https://github.com/akamai-open/edgegrid-curl
 [2]: https://github.com/akamai-open/AkamaiOPEN-edgegrid-python

edgegrid-signer-core/pom.xml

@@ -23,6 +23,10 @@
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
         </dependency>
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-configuration2</artifactId>

edgegrid-signer-core/src/main/java/com/akamai/edgegrid/signer/ClientCredential.java

@@ -16,9 +16,9 @@
 
 package com.akamai.edgegrid.signer;
 
-import java.util.HashSet;
 import java.util.Objects;
 import java.util.Set;
+import java.util.TreeSet;
 
 import org.apache.commons.lang3.Validate;
 import org.apache.commons.lang3.builder.Builder;
@@ -42,7 +42,7 @@ public class ClientCredential implements Comparable<ClientCredential> {
     private String accessToken;
     private String clientSecret;
     private String clientToken;
-    private Set<String> headersToSign;
+    private TreeSet<String> headersToSign;
     private String host;
     private Integer maxBodySize;
 
@@ -132,7 +132,8 @@ public static class ClientCredentialBuilder implements Builder<ClientCredential>
         private String accessToken;
         private String clientSecret;
         private String clientToken;
-        private Set<String> headersToSign = new HashSet<>();
+        // NOTE: Headers are expected to be in order, so we pre-sort them here by using TreeSet.
+        private TreeSet<String> headersToSign = new TreeSet<>();
         private String host;
         private Integer maxBodySize;
 

edgegrid-signer-core/src/main/java/com/akamai/edgegrid/signer/EdgeGridV1Signer.java

@@ -16,6 +16,25 @@
 
 package com.akamai.edgegrid.signer;
 
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Map;
+import java.util.TimeZone;
+import java.util.UUID;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.Validate;
@@ -27,18 +46,6 @@
 import com.akamai.edgegrid.signer.Request.RequestBuilder;
 import com.akamai.edgegrid.signer.exceptions.RequestSigningException;
 
-import javax.crypto.Mac;
-import javax.crypto.spec.SecretKeySpec;
-import java.net.URI;
-import java.nio.charset.StandardCharsets;
-import java.security.InvalidKeyException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.text.SimpleDateFormat;
-import java.util.*;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
 
 /**
  * <p>
@@ -85,8 +92,6 @@ public class EdgeGridV1Signer {
 
     private static final Logger log = LoggerFactory.getLogger(EdgeGridV1Signer.class);
 
-    private final Base64.Encoder base64 = Base64.getEncoder();
-
     /**
      * Creates signer with default configuration.
      */
@@ -172,7 +177,7 @@ String getSignature(Request request, ClientCredential credential, long timestamp
         String timeStamp = formatTimeStamp(timestamp);
         String authData = getAuthData(credential, timeStamp, nonce);
         String signature = getSignature(request, credential, timeStamp, authData);
-        log.debug(String.format("Signature: '%s'", signature));
+        log.debug("Signature: {}", signature);
 
         return getAuthorizationHeaderValue(authData, signature);
     }
@@ -181,23 +186,21 @@ private String getSignature(Request request, ClientCredential credential, String
                                 String authData) throws RequestSigningException {
         String signingKey = getSigningKey(timeStamp, credential.getClientSecret());
         String canonicalizedRequest = getCanonicalizedRequest(request, credential);
-        log.debug(String.format("Canonicalized request: '%s'",
-                StringEscapeUtils.escapeJava(canonicalizedRequest)));
+        log.debug("Canonicalized request: {}", StringEscapeUtils.escapeJava(canonicalizedRequest));
         String dataToSign = getDataToSign(canonicalizedRequest, authData);
-        log.debug(String.format("Data to sign: '%s'",
-                StringEscapeUtils.escapeJava(dataToSign)));
+        log.debug("Data to sign: {}", StringEscapeUtils.escapeJava(dataToSign));
 
         return signAndEncode(dataToSign, signingKey);
     }
 
     private String signAndEncode(String stringToSign, String signingKey) throws RequestSigningException {
         byte[] signatureBytes = sign(stringToSign, signingKey);
-        return base64.encodeToString(signatureBytes);
+        return Base64.encodeBase64String(signatureBytes);
     }
 
     private String getSigningKey(String timeStamp, String clientSecret) throws RequestSigningException {
         byte[] signingKeyBytes = sign(timeStamp, clientSecret);
-        return base64.encodeToString(signingKeyBytes);
+        return Base64.encodeBase64String(signingKeyBytes);
     }
 
     private String getDataToSign(String canonicalizedRequest, String authData) {
@@ -236,15 +239,15 @@ private String getCanonicalizedRequest(Request request, ClientCredential credent
         sb.append(request.getMethod().toUpperCase());
         sb.append('\t');
 
-        String scheme = StringUtils.defaultString(request.getUriWithQuery().getScheme(), "https");
+        String scheme = StringUtils.defaultString(request.getUri().getScheme(), "https");
         sb.append(scheme.toLowerCase());
         sb.append('\t');
 
         String host = credential.getHost();
         sb.append(host.toLowerCase());
         sb.append('\t');
 
-        String relativePath = getRelativePathWithQuery(request.getUriWithQuery());
+        String relativePath = getRelativePathWithQuery(request.getUri());
         String relativeUrl = canonicalizeUri(relativePath);
         sb.append(relativeUrl);
         sb.append('\t');
@@ -272,6 +275,7 @@ private byte[] getHash(byte[] requestBody, int offset, int len) throws RequestSi
 
     private String canonicalizeHeaders(Map<String, String> requestHeaders, ClientCredential credential) {
         List<String> headers = new ArrayList<>();
+        // NOTE: Headers are expected to be in order. ClientCredential#headersToSign is a TreeSet.
         for (String headerName : credential.getHeadersToSign()) {
             String headerValue = requestHeaders.get(headerName);
             if (StringUtils.isBlank(headerValue)) {
@@ -304,18 +308,21 @@ private String getContentHash(String requestMethod, byte[] requestBody, int maxB
 
         int lengthToHash = requestBody.length;
         if (lengthToHash > maxBodySize) {
-            log.info(String.format("Content length '%d' is larger than the max '%d'. " +
-                    "Using first '%d' bytes for computing the hash.", lengthToHash, maxBodySize, maxBodySize));
+            log.info("Content length '{}' exceeds signing length of '{}'. Less than the entire message will be signed.",
+                    lengthToHash,
+                    maxBodySize);
             lengthToHash = maxBodySize;
         } else {
-            log.debug(String.format("Content (Base64): %s", base64.encodeToString(requestBody)));
+            if (log.isTraceEnabled()) {
+                log.trace("Content (Base64): {}", Base64.encodeBase64String(requestBody));
+            }
         }
 
         byte[] digestBytes = getHash(requestBody, 0, lengthToHash);
-        log.debug(String.format("Content hash (Base64): %s", base64.encodeToString(digestBytes)));
+        log.debug("Content hash (Base64): {}", Base64.encodeBase64String(digestBytes));
 
         // (mgawinec) I removed support for non-retryable content, that used to reset the content for downstream handlers
-        return base64.encodeToString(digestBytes);
+        return Base64.encodeBase64String(digestBytes);
     }
 
 }