|
| 1 | +package com.midtrans.snapbi; |
| 2 | + |
| 3 | +import org.junit.jupiter.api.AfterEach; |
| 4 | +import org.junit.jupiter.api.Tag; |
| 5 | +import org.junit.jupiter.api.Test; |
| 6 | + |
| 7 | +import java.nio.charset.StandardCharsets; |
| 8 | +import java.security.*; |
| 9 | +import java.util.Base64; |
| 10 | + |
| 11 | +import static org.junit.jupiter.api.Assertions.*; |
| 12 | + |
| 13 | +@Tag("junit5") |
| 14 | +public class SnapBiWebhookSignatureTest { |
| 15 | + |
| 16 | + // RSA key pair generated once for all tests |
| 17 | + private static final KeyPair KEY_PAIR = generateKeyPair(); |
| 18 | + |
| 19 | + private static KeyPair generateKeyPair() { |
| 20 | + try { |
| 21 | + KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); |
| 22 | + kpg.initialize(2048); |
| 23 | + return kpg.generateKeyPair(); |
| 24 | + } catch (NoSuchAlgorithmException e) { |
| 25 | + throw new RuntimeException(e); |
| 26 | + } |
| 27 | + } |
| 28 | + |
| 29 | + private static String publicKeyToPem(PublicKey publicKey) { |
| 30 | + String base64 = Base64.getEncoder().encodeToString(publicKey.getEncoded()); |
| 31 | + return "-----BEGIN PUBLIC KEY-----\n" + base64 + "\n-----END PUBLIC KEY-----"; |
| 32 | + } |
| 33 | + |
| 34 | + /** |
| 35 | + * Produces the same signature that Midtrans would produce: |
| 36 | + * sign(SHA256withRSA, "POST:<urlPath>:<sha256hex(minifiedBody)>:<timestamp>") |
| 37 | + */ |
| 38 | + private static String signPayload(String notificationPayload, String urlPath, String timeStamp) throws Exception { |
| 39 | + String minified = SnapBi.minifyJson(notificationPayload); |
| 40 | + MessageDigest digest = MessageDigest.getInstance("SHA-256"); |
| 41 | + byte[] hash = digest.digest(minified.getBytes()); |
| 42 | + String hexHash = bytesToHex(hash).toLowerCase(); |
| 43 | + |
| 44 | + String rawString = "POST:" + urlPath + ":" + hexHash + ":" + timeStamp; |
| 45 | + |
| 46 | + Signature signer = Signature.getInstance("SHA256withRSA"); |
| 47 | + signer.initSign(KEY_PAIR.getPrivate()); |
| 48 | + signer.update(rawString.getBytes(StandardCharsets.UTF_8)); |
| 49 | + byte[] signatureBytes = signer.sign(); |
| 50 | + return Base64.getEncoder().encodeToString(signatureBytes); |
| 51 | + } |
| 52 | + |
| 53 | + private static String bytesToHex(byte[] bytes) { |
| 54 | + StringBuilder sb = new StringBuilder(bytes.length * 2); |
| 55 | + for (byte b : bytes) { |
| 56 | + sb.append(String.format("%02x", b)); |
| 57 | + } |
| 58 | + return sb.toString(); |
| 59 | + } |
| 60 | + |
| 61 | + @AfterEach |
| 62 | + void cleanUp() { |
| 63 | + // Reset static config to avoid leaking into other tests |
| 64 | + SnapBiConfig.setSnapBiPublicKey(null); |
| 65 | + } |
| 66 | + |
| 67 | + @Test |
| 68 | + void verificationSucceedsWithSpacesInStringValues() throws Exception { |
| 69 | + String urlPath = "/webhook/snap-bi/va"; |
| 70 | + String timeStamp = "2024-09-23T15:11:08+07:00"; |
| 71 | + String payload = "{\n" + |
| 72 | + " \"originalReferenceNo\" : \"A1202409231511081IDnMTwbGpYp\",\n" + |
| 73 | + " \"virtualAccountNo\" : \"7082214536759543\",\n" + |
| 74 | + " \"virtualAccountName\" : \"Midtrans Yudhi\",\n" + |
| 75 | + " \"paymentRequestId\" : \"test yudhi3\",\n" + |
| 76 | + " \"paidAmount\" : {\n" + |
| 77 | + " \"value\" : \"15000.00\",\n" + |
| 78 | + " \"currency\" : \"IDR\"\n" + |
| 79 | + " }\n" + |
| 80 | + "}"; |
| 81 | + |
| 82 | + String signature = signPayload(payload, urlPath, timeStamp); |
| 83 | + SnapBiConfig.setSnapBiPublicKey(publicKeyToPem(KEY_PAIR.getPublic())); |
| 84 | + |
| 85 | + Boolean result = SnapBi.notification() |
| 86 | + .withNotificationPayload(payload) |
| 87 | + .withNotificationUrlPath(urlPath) |
| 88 | + .withTimeStamp(timeStamp) |
| 89 | + .withSignature(signature) |
| 90 | + .isWebhookNotificationVerified(); |
| 91 | + |
| 92 | + assertTrue(result, "Signature verification should succeed for payload with spaces in string values"); |
| 93 | + } |
| 94 | + |
| 95 | + @Test |
| 96 | + void verificationFailsWithTamperedPayload() throws Exception { |
| 97 | + String urlPath = "/webhook/snap-bi/va"; |
| 98 | + String timeStamp = "2024-09-23T15:11:08+07:00"; |
| 99 | + String originalPayload = "{\"name\" : \"Midtrans Yudhi\"}"; |
| 100 | + |
| 101 | + // Sign the original payload |
| 102 | + String signature = signPayload(originalPayload, urlPath, timeStamp); |
| 103 | + SnapBiConfig.setSnapBiPublicKey(publicKeyToPem(KEY_PAIR.getPublic())); |
| 104 | + |
| 105 | + // Verify with tampered payload |
| 106 | + String tamperedPayload = "{\"name\" : \"Midtrans Hacker\"}"; |
| 107 | + |
| 108 | + Boolean result = SnapBi.notification() |
| 109 | + .withNotificationPayload(tamperedPayload) |
| 110 | + .withNotificationUrlPath(urlPath) |
| 111 | + .withTimeStamp(timeStamp) |
| 112 | + .withSignature(signature) |
| 113 | + .isWebhookNotificationVerified(); |
| 114 | + |
| 115 | + assertFalse(result, "Signature verification should fail for tampered payload"); |
| 116 | + } |
| 117 | + |
| 118 | + @Test |
| 119 | + void verificationSucceedsWithAlreadyMinifiedPayload() throws Exception { |
| 120 | + String urlPath = "/api/notification"; |
| 121 | + String timeStamp = "2024-01-01T00:00:00Z"; |
| 122 | + // Already minified - no extra whitespace |
| 123 | + String payload = "{\"code\":\"ABC\",\"name\":\"John Doe\"}"; |
| 124 | + |
| 125 | + String signature = signPayload(payload, urlPath, timeStamp); |
| 126 | + SnapBiConfig.setSnapBiPublicKey(publicKeyToPem(KEY_PAIR.getPublic())); |
| 127 | + |
| 128 | + Boolean result = SnapBi.notification() |
| 129 | + .withNotificationPayload(payload) |
| 130 | + .withNotificationUrlPath(urlPath) |
| 131 | + .withTimeStamp(timeStamp) |
| 132 | + .withSignature(signature) |
| 133 | + .isWebhookNotificationVerified(); |
| 134 | + |
| 135 | + assertTrue(result, "Signature verification should succeed for already-minified payload with spaces in values"); |
| 136 | + } |
| 137 | + |
| 138 | + @Test |
| 139 | + void verificationThrowsWhenPublicKeyNotSet() { |
| 140 | + SnapBiConfig.setSnapBiPublicKey(null); |
| 141 | + |
| 142 | + assertThrows(IllegalStateException.class, () -> |
| 143 | + SnapBi.notification() |
| 144 | + .withNotificationPayload("{}") |
| 145 | + .withNotificationUrlPath("/test") |
| 146 | + .withTimeStamp("2024-01-01T00:00:00Z") |
| 147 | + .withSignature("dummysig") |
| 148 | + .isWebhookNotificationVerified() |
| 149 | + ); |
| 150 | + } |
| 151 | +} |
0 commit comments