StringUtils class & better API key validation (#928)

Author: ob-stripe

src/main/java/com/stripe/net/ApiResource.java

@@ -20,6 +20,7 @@
 import com.stripe.model.StripeObject;
 import com.stripe.model.StripeRawJsonObject;
 import com.stripe.model.StripeRawJsonObjectDeserializer;
+import com.stripe.util.StringUtils;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
@@ -55,12 +56,7 @@ private static Gson createGson() {
 
   private static String className(Class<?> clazz) {
     // Convert CamelCase to snake_case
-    String className =
-        clazz
-            .getSimpleName()
-            .replaceAll("(.)([A-Z][a-z]+)", "$1_$2")
-            .replaceAll("([a-z0-9])([A-Z])", "$1_$2")
-            .toLowerCase();
+    String className = StringUtils.toSnakeCase(clazz.getSimpleName());
 
     // Handle namespaced resources by checking if the class is in a sub-package, and if so prepend
     // it to the class name

src/main/java/com/stripe/net/StripeRequest.java

@@ -5,6 +5,7 @@
 import com.stripe.exception.AuthenticationException;
 import com.stripe.exception.StripeException;
 import com.stripe.util.ReflectionUtils;
+import com.stripe.util.StringUtils;
 import java.io.IOException;
 import java.net.URL;
 import java.net.URLStreamHandler;
@@ -129,12 +130,30 @@ private static Map<String, String> buildHeaders(
 
     // Authorization
     String apiKey = options.getApiKey();
-    if (apiKey == null || apiKey.trim().isEmpty()) {
+    if (apiKey == null) {
       throw new AuthenticationException(
-          "No API key provided. (HINT: set your API key using 'Stripe.apiKey = <API-KEY>'. "
-              + "You can generate API keys from the Stripe web interface. "
-              + "See https://stripe.com/api for details or email [email protected] if you have "
-              + "questions.",
+          "No API key provided. Set your API key using `Stripe.apiKey = \"<API-KEY>\"`. You can "
+              + "generate API keys from the Stripe Dashboard. See "
+              + "https://stripe.com/docs/api/authentication for details or contact support at "
+              + "https://support.stripe.com/email if you have any questions.",
+          null,
+          null,
+          0);
+    } else if (apiKey.isEmpty()) {
+      throw new AuthenticationException(
+          "Your API key is invalid, as it is an empty string. You can double-check your API key "
+              + "from the Stripe Dashboard. See "
+              + "https://stripe.com/docs/api/authentication for details or contact support at "
+              + "https://support.stripe.com/email if you have any questions.",
+          null,
+          null,
+          0);
+    } else if (StringUtils.containsWhitespace(apiKey)) {
+      throw new AuthenticationException(
+          "Your API key is invalid, as it contains whitespace. You can double-check your API key "
+              + "from the Stripe Dashboard. See "
+              + "https://stripe.com/docs/api/authentication for details or contact support at "
+              + "https://support.stripe.com/email if you have any questions.",
           null,
           null,
           0);
@@ -148,7 +167,7 @@ private static Map<String, String> buildHeaders(
       headers.put("Stripe-Version", options.getStripeVersion());
     } else {
       throw new IllegalStateException(
-          "Either `stripeVersion`, or `stripeVersionOverride` " + "value must be set.");
+          "Either `stripeVersion` or `stripeVersionOverride` value must be set.");
     }
 
     // Stripe-Account

src/main/java/com/stripe/net/Webhook.java

@@ -2,9 +2,9 @@
 
 import com.stripe.exception.SignatureVerificationException;
 import com.stripe.model.Event;
+import com.stripe.util.StringUtils;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
-import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.List;
@@ -93,7 +93,7 @@ public static boolean verifyHeader(
       // Check if expected signature is found in list of header's signatures
       boolean signatureFound = false;
       for (String signature : signatures) {
-        if (Util.secureCompare(expectedSignature, signature)) {
+        if (StringUtils.secureCompare(expectedSignature, signature)) {
           signatureFound = true;
           break;
         }
@@ -186,21 +186,6 @@ public static String computeHmacSha256(String key, String message)
       return result;
     }
 
-    /**
-     * Compares two strings for equality. The time taken is independent of the number of characters
-     * that match.
-     *
-     * @param a one of the strings to compare.
-     * @param b the other string to compare.
-     * @return true if the strings are equal, false otherwise.
-     */
-    public static boolean secureCompare(String a, String b) {
-      byte[] digesta = a.getBytes(StandardCharsets.UTF_8);
-      byte[] digestb = b.getBytes(StandardCharsets.UTF_8);
-
-      return MessageDigest.isEqual(digesta, digestb);
-    }
-
     /**
      * Returns the current UTC timestamp in seconds.
      *

src/main/java/com/stripe/util/StringUtils.java

@@ -0,0 +1,50 @@
+package com.stripe.util;
+
+import static java.util.Objects.requireNonNull;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.util.regex.Pattern;
+
+public final class StringUtils {
+  private static Pattern whitespacePattern = Pattern.compile("\\s");
+
+  /**
+   * Checks whether a string contains any whitespace characters or not.
+   *
+   * @param str the string to check.
+   * @return {@code true} if the string contains any whitespace characters; otherwise, {@code
+   *     false}.
+   */
+  public static boolean containsWhitespace(String str) {
+    requireNonNull(str);
+    return whitespacePattern.matcher(str).find();
+  }
+
+  /**
+   * Compares two strings for equality. The time taken is independent of the number of characters
+   * that match.
+   *
+   * @param a one of the strings to compare.
+   * @param b the other string to compare.
+   * @return true if the strings are equal, false otherwise.
+   */
+  public static boolean secureCompare(String a, String b) {
+    byte[] digesta = a.getBytes(StandardCharsets.UTF_8);
+    byte[] digestb = b.getBytes(StandardCharsets.UTF_8);
+
+    return MessageDigest.isEqual(digesta, digestb);
+  }
+
+  /**
+   * Converts the string to snake case.
+   *
+   * @param str the string to convert.
+   * @return A string with the contents of the input string converted to snake case.
+   */
+  public static String toSnakeCase(String str) {
+    return str.replaceAll("(.)([A-Z][a-z]+)", "$1_$2")
+        .replaceAll("([a-z0-9])([A-Z])", "$1_$2")
+        .toLowerCase();
+  }
+}

src/test/java/com/stripe/net/StripeRequestTest.java

@@ -101,7 +101,7 @@ public void testCtorRequestOptions() throws StripeException {
   }
 
   @Test
-  public void testCtorThrowsOnEmptyApiKey() throws StripeException {
+  public void testCtorThrowsOnNullApiKey() throws StripeException {
     String origApiKey = Stripe.apiKey;
 
     try {
@@ -119,4 +119,44 @@ public void testCtorThrowsOnEmptyApiKey() throws StripeException {
       Stripe.apiKey = origApiKey;
     }
   }
+
+  @Test
+  public void testCtorThrowsOnEmptyApiKey() throws StripeException {
+    String origApiKey = Stripe.apiKey;
+
+    try {
+      Stripe.apiKey = "";
+
+      AuthenticationException e =
+          assertThrows(
+              AuthenticationException.class,
+              () -> {
+                new StripeRequest(
+                    ApiResource.RequestMethod.GET, "http://example.com/get", null, null);
+              });
+      assertTrue(e.getMessage().contains("Your API key is invalid, as it is an empty string."));
+    } finally {
+      Stripe.apiKey = origApiKey;
+    }
+  }
+
+  @Test
+  public void testCtorThrowsOnApiKeyContainingWhitespace() throws StripeException {
+    String origApiKey = Stripe.apiKey;
+
+    try {
+      Stripe.apiKey = "sk_test_123\n";
+
+      AuthenticationException e =
+          assertThrows(
+              AuthenticationException.class,
+              () -> {
+                new StripeRequest(
+                    ApiResource.RequestMethod.GET, "http://example.com/get", null, null);
+              });
+      assertTrue(e.getMessage().contains("Your API key is invalid, as it contains whitespace."));
+    } finally {
+      Stripe.apiKey = origApiKey;
+    }
+  }
 }

src/test/java/com/stripe/util/StringUtilsTest.java

@@ -0,0 +1,110 @@
+package com.stripe.util;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.ArrayList;
+import java.util.List;
+import lombok.Data;
+import org.junit.jupiter.api.Test;
+
+public class StringUtilsTest {
+  @Test
+  public void testContainsWhitespace() {
+    @Data
+    class TestCase {
+      private final String data;
+      private final Boolean want;
+    }
+
+    List<TestCase> testCases =
+        new ArrayList<TestCase>() {
+          private static final long serialVersionUID = 1L;
+
+          {
+            add(new TestCase("sk_test_123", false));
+            add(new TestCase("sk_test_4eC39HqLyjWDarjtT1zdp7dc", false));
+            add(new TestCase("abc", false));
+            add(new TestCase("sk-test-123", false));
+            add(new TestCase("", false));
+            add(new TestCase("sk_test_123\n", true));
+            add(new TestCase("\nsk_test_123", true));
+            add(new TestCase("sk_test_\n123", true));
+            add(new TestCase("sk_test_123 ", true));
+            add(new TestCase(" sk_test_123", true));
+            add(new TestCase("sk_test_ 123", true));
+          }
+        };
+
+    for (TestCase testCase : testCases) {
+      assertTrue(
+          testCase.getWant() == StringUtils.containsWhitespace(testCase.getData()),
+          String.format(
+              "Expected containsWhitespace(\"%s\") to be %s",
+              testCase.getData(), testCase.getWant() ? "true" : "false"));
+    }
+  }
+
+  @Test
+  public void testSecureCompare() {
+    @Data
+    class TestCase {
+      private final String[] data;
+      private final Boolean want;
+    }
+
+    List<TestCase> testCases =
+        new ArrayList<TestCase>() {
+          private static final long serialVersionUID = 1L;
+
+          {
+            add(new TestCase(new String[] {"Hello", "Hello"}, true));
+            add(new TestCase(new String[] {"Hello", "hello"}, false));
+            add(new TestCase(new String[] {"Hello", "Helloo"}, false));
+            add(new TestCase(new String[] {"Hello", "Hell"}, false));
+            add(new TestCase(new String[] {"Hello", ""}, false));
+            add(new TestCase(new String[] {"", "Hello"}, false));
+            add(new TestCase(new String[] {"", ""}, true));
+            add(new TestCase(new String[] {"\0AAAAAAAAA", "\0BBBBBBBBBBBB"}, false));
+          }
+        };
+
+    for (TestCase testCase : testCases) {
+      assertTrue(
+          testCase.getWant()
+              == StringUtils.secureCompare(testCase.getData()[0], testCase.getData()[1]),
+          String.format(
+              "Expected secureCompare(\"%s\", \"%s\") to be %s",
+              testCase.getData()[0], testCase.getData()[1], testCase.getWant() ? "true" : "false"));
+    }
+  }
+
+  @Test
+  public void testToSnakeCase() {
+    @Data
+    class TestCase {
+      private final String data;
+      private final String want;
+    }
+
+    List<TestCase> testCases =
+        new ArrayList<TestCase>() {
+          private static final long serialVersionUID = 1L;
+
+          {
+            add(new TestCase("Foo", "foo"));
+            add(new TestCase("FooBar", "foo_bar"));
+            add(new TestCase("FooBar123", "foo_bar123"));
+            add(new TestCase("Foo123Bar", "foo123_bar"));
+            add(new TestCase("FOOBar", "foo_bar"));
+            add(new TestCase("FooBAR", "foo_bar"));
+            add(new TestCase("FOOBAR", "foobar"));
+            add(new TestCase("FOO_BAR", "foo_bar"));
+          }
+        };
+
+    for (TestCase testCase : testCases) {
+      assertEquals(testCase.getWant(), StringUtils.toSnakeCase(testCase.getData()));
+    }
+  }
+}