Validate auth token

YomesInc · web-flow · commit 14c0d95803db · 2022-03-22T16:05:27.000+02:00
diff --git a/cloudinary-core/src/main/java/com/cloudinary/AuthToken.java b/cloudinary-core/src/main/java/com/cloudinary/AuthToken.java
@@ -29,7 +29,7 @@ public class AuthToken {
     private long startTime;
     private long expiration;
     private String ip;
-    private String acl;
+    private List<String> acl = new ArrayList<>();
     private long duration;
     private boolean isNullToken = false;
     private static final Pattern UNSAFE_URL_CHARS_PATTERN = Pattern.compile("[ \"#%&'/:;<=>?@\\[\\\\\\]^`{|}~]");
@@ -53,7 +53,16 @@ public AuthToken(Map options) {
             this.startTime = ObjectUtils.asLong(options.get("startTime"), 0L);
             this.expiration = ObjectUtils.asLong(options.get("expiration"), 0L);
             this.ip = (String) options.get("ip");
-            this.acl = (String) options.get("acl");
+
+            Object acl = options.get("acl");
+            if (acl != null) {
+                if (acl instanceof String) {
+                    this.acl = Collections.singletonList(acl.toString());
+                } else if (Collection.class.isAssignableFrom(acl.getClass())) {
+                    this.acl = new ArrayList<String>((Collection<String>)acl);
+                }
+            }
+
             this.duration = ObjectUtils.asLong(options.get("duration"), 0L);
         }
     }
@@ -122,8 +131,8 @@ public AuthToken ip(String ip) {
      * @param acl
      * @return this
      */
-    public AuthToken acl(String acl) {
-        this.acl = acl;
+    public AuthToken acl(String... acl) {
+        this.acl = Arrays.asList(acl);
         return this;
     }
 
@@ -155,6 +164,11 @@ public String generate() {
      * @return a URL token
      */
     public String generate(String url) {
+
+        if (url == null && (acl == null || acl.size() == 0)) {
+            throw new IllegalArgumentException("Must provide acl or url");
+        }
+
         long expiration = this.expiration;
         if (expiration == 0) {
             if (duration > 0) {
@@ -172,11 +186,11 @@ public String generate(String url) {
             tokenParts.add("st=" + startTime);
         }
         tokenParts.add("exp=" + expiration);
-        if (acl != null) {
-            tokenParts.add("acl=" + escapeToLower(acl));
+        if (acl != null && acl.size() > 0) {
+            tokenParts.add("acl=" + escapeToLower(String.join("!", acl)));
         }
         ArrayList<String> toSign = new ArrayList<String>(tokenParts);
-        if (url != null && acl == null) {
+        if (url != null && (acl == null || acl.size() == 0)) {
             toSign.add("url=" + escapeToLower(url));
         }
         String auth = digest(StringUtils.join(toSign, "~"));
diff --git a/cloudinary-core/src/test/java/com/cloudinary/AuthTokenTest.java b/cloudinary-core/src/test/java/com/cloudinary/AuthTokenTest.java
@@ -1,14 +1,20 @@
 package com.cloudinary;
 
 import com.cloudinary.utils.Analytics;
+import com.cloudinary.utils.ObjectUtils;
+
+import org.hamcrest.CoreMatchers;
 import org.hamcrest.Matchers;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TestName;
 
 import java.io.UnsupportedEncodingException;
 import java.util.Calendar;
+import java.util.Collections;
+import java.util.Map;
 import java.util.TimeZone;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -127,4 +133,32 @@ public void testIgnoreUrlIfAclIsProvided() {
         String cookieAclToken = aclToken.generate("http://res.cloudinary.com/test123/image/upload/v1486020273/sample.jpg");
         assertEquals(cookieToken, cookieAclToken);
     }
+
+    @Test
+    public void testMultiplePatternsInAcl() {
+        AuthToken token = new AuthToken(KEY).duration(3600).acl("/image/authenticated/*", "/image2/authenticated/*", "/image3/authenticated/*").startTime(22222222);
+        String cookieToken = token.generate();
+        Assert.assertThat(cookieToken, CoreMatchers.containsString("~acl=%2fimage%2fauthenticated%2f*!%2fimage2%2fauthenticated%2f*!%2fimage3%2fauthenticated%2f*~"));
+    }
+
+    @Test
+    public void testPublicAclInitializationFromMap() {
+        Map options = ObjectUtils.asMap(
+                "acl", Collections.singleton("foo"),
+                "expiration", 100,
+                "key", KEY,
+                "tokenName", "token");
+        String token = new AuthToken(options).generate();
+        assertEquals("token=exp=100~acl=foo~hmac=88be250f3a912add862959076ee74f392fa0959a953fddd9128787d5c849efd9", token);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testMissingAclAndUrlShouldThrow() {
+        String token = new AuthToken(KEY).duration(300).generate();
+    }
+
+    @Test
+    public void testMissingUrlNotMissingAclShouldNotThrow() {
+        String token = new AuthToken(KEY).duration(300).generate("http://res.cloudinary.com/test123");
+    }
 }
diff --git a/cloudinary-core/src/test/java/com/cloudinary/test/CloudinaryTest.java b/cloudinary-core/src/test/java/com/cloudinary/test/CloudinaryTest.java
@@ -18,6 +18,7 @@
 import java.lang.reflect.Field;
 import java.lang.reflect.Modifier;
 import java.lang.reflect.Type;
+import java.lang.reflect.ParameterizedType;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
@@ -1468,6 +1469,8 @@ private void setRandomValue(Random rand, Field field, Object instance) throws Il
             field.set(instance, rand.nextInt());
         } else if (fieldType.equals(long.class) || fieldType.equals(Long.class)) {
             field.set(instance, rand.nextLong());
+        } else if (field.get(instance) instanceof List) {
+            field.set(instance, Collections.singletonList(cloudinary.randomPublicId()));
         } else if (fieldType.equals(String.class)) {
             field.set(instance, cloudinary.randomPublicId());
         } else if (fieldType.equals(AuthToken.class)) {
