package slack
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"fmt"
"hash"
"net/http"
"strconv"
"strings"
"time"
)
// Header names carrying Slack's request signature and the timestamp the
// signature was computed over; verification requires both to be present.
const (
	// hSignature holds the hex-encoded HMAC-SHA256 of the request, normally
	// prefixed with the "v0=" version tag.
	hSignature = "X-Slack-Signature"
	// hTimestamp holds the Unix-seconds timestamp that is mixed into the
	// signed base string and checked against the replay window.
	hTimestamp = "X-Slack-Request-Timestamp"
)
// SecretsVerifier contains the information needed to verify that the request comes from Slack.
//
// It is built by NewSecretsVerifier from the request headers; the caller then
// streams the raw request body through Write and calls Ensure to compare the
// resulting HMAC against the signature header.
type SecretsVerifier struct {
	// d is an optional debug sink; when set and enabled, Ensure logs the
	// expected and computed signatures on a mismatch.
	d Debug
	// signature is the hex-decoded value of the X-Slack-Signature header
	// (with any leading "v0=" stripped).
	signature []byte
	// hmac is the HMAC-SHA256 keyed with the signing secret, already seeded
	// with the "v0:<timestamp>:" base-string prefix; Write appends the body.
	hmac hash.Hash
}
// unsafeSignatureVerifier builds a SecretsVerifier from the signature and
// timestamp headers without checking the timestamp's freshness; the caller
// (NewSecretsVerifier) is responsible for enforcing the replay window.
//
// It returns ErrMissingHeaders when either header is absent, any error from
// hex-decoding the signature, and any error from seeding the HMAC. A
// signature value without the "v0=" tag is decoded as-is.
func unsafeSignatureVerifier(header http.Header, secret string) (_ SecretsVerifier, err error) {
	sig := header.Get(hSignature)
	ts := header.Get(hTimestamp)
	if sig == "" || ts == "" {
		return SecretsVerifier{}, ErrMissingHeaders
	}

	// Slack sends "v0=<hex>"; the version tag is not part of the digest.
	decoded, err := hex.DecodeString(strings.TrimPrefix(sig, "v0="))
	if err != nil {
		return SecretsVerifier{}, err
	}

	// Seed the keyed hash with the base-string prefix; Write appends the body.
	mac := hmac.New(sha256.New, []byte(secret))
	if _, err = mac.Write([]byte("v0:" + ts + ":")); err != nil {
		return SecretsVerifier{}, err
	}

	return SecretsVerifier{signature: decoded, hmac: mac}, nil
}
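// NewSecretsVerifier returns a SecretsVerifier object in exchange for an http.Header object and signing secret.
//
// The request timestamp must lie within five minutes of the local clock, in
// either direction, or ErrExpiredTimestamp is returned; this bounds replay of
// a captured request. ErrMissingHeaders is returned when either header is
// absent, and decode/parse errors for the signature and timestamp are passed
// through unchanged.
func NewSecretsVerifier(header http.Header, secret string) (sv SecretsVerifier, err error) {
	stimestamp := header.Get(hTimestamp)

	if sv, err = unsafeSignatureVerifier(header, secret); err != nil {
		return SecretsVerifier{}, err
	}

	timestamp, err := strconv.ParseInt(stimestamp, 10, 64)
	if err != nil {
		return SecretsVerifier{}, err
	}

	// time.Since saturates to the minimum Duration for a timestamp far in the
	// future, and the absolute value of that minimum cannot be represented;
	// a negative diff is therefore only possible through int64 overflow on an
	// out-of-range timestamp, so it is treated as expired rather than accepted.
	diff := absDuration(time.Since(time.Unix(timestamp, 0)))
	if diff < 0 || diff > 5*time.Minute {
		return SecretsVerifier{}, ErrExpiredTimestamp
	}

	return sv, nil
}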
// WithDebug attaches a debug sink that Ensure uses to report signature
// mismatches, and returns the receiver so calls can be chained.
func (v *SecretsVerifier) WithDebug(d Debug) *SecretsVerifier {
	v.d = d
	return v
}
// Write appends body bytes to the signed base string. It satisfies io.Writer
// so the raw request body can be streamed into the verifier before Ensure;
// the count and error are those of the underlying hash.
func (v *SecretsVerifier) Write(body []byte) (n int, err error) {
	n, err = v.hmac.Write(body)
	return n, err
}
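// Ensure compares the signature sent from Slack with the actual computed hash to judge validity.
//
// The comparison is constant-time. On a mismatch the computed digest is
// reported only through the debug sink and not in the returned error: the
// digest is an HMAC under the signing secret over request-supplied input, so
// an application that echoes the error to the requester would otherwise act
// as a signing oracle.
func (v SecretsVerifier) Ensure() error {
	computed := v.hmac.Sum(nil)

	// hmac.Equal avoids leaking timing information about the comparison.
	if hmac.Equal(computed, v.signature) {
		return nil
	}

	if v.d != nil && v.d.Debug() {
		v.d.Debugln(fmt.Sprintf("Expected signing signature: %s, but computed: %s", hex.EncodeToString(v.signature), hex.EncodeToString(computed)))
	}

	return fmt.Errorf("request signature does not match the computed signature")
}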
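// abs64 returns the absolute value of n. The one input with no representable
// absolute value, the minimum int64, saturates to the maximum int64; the
// branch-free form ((n ^ y) - y) wraps back to the negative input there,
// which let a saturated time difference compare as "not expired".
func abs64(n int64) int64 {
	if n == -1<<63 {
		return 1<<63 - 1
	}
	if n < 0 {
		return -n
	}
	return n
}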
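// absDuration returns the magnitude of n. time.Since saturates to the minimum
// Duration when the compared instant is out of range, and that value has no
// positive counterpart, so it is mapped to the maximum Duration; a caller
// comparing against a window then sees it as far away rather than negative.
func absDuration(n time.Duration) time.Duration {
	const (
		minDuration = time.Duration(-1 << 63)
		maxDuration = time.Duration(1<<63 - 1)
	)
	if n == minDuration {
		return maxDuration
	}
	if n < 0 {
		return -n
	}
	return n
}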