summaryrefslogtreecommitdiffstats
path: root/vendor/github.com/nlopes/slack/security.go
diff options
context:
space:
mode:
authorPatrick Connolly <patrick.c.connolly@gmail.com>2018-12-02 02:55:35 +0800
committerWim <wim@42.be>2018-12-01 19:55:35 +0100
commite538a4d30459e9da1a021400b5de85894b4efabc (patch)
treeead4f82d5459fe0d3465f7e3656243cd613c07a6 /vendor/github.com/nlopes/slack/security.go
parentf94c2b40a3e8eb45054bda1b71eb6fd3f9bc9e6d (diff)
downloadmatterbridge-msglm-e538a4d30459e9da1a021400b5de85894b4efabc.tar.gz
matterbridge-msglm-e538a4d30459e9da1a021400b5de85894b4efabc.tar.bz2
matterbridge-msglm-e538a4d30459e9da1a021400b5de85894b4efabc.zip
Update nlopes/slack to 4.1-dev (#595)
Diffstat (limited to 'vendor/github.com/nlopes/slack/security.go')
-rw-r--r--vendor/github.com/nlopes/slack/security.go146
1 files changed, 99 insertions, 47 deletions
diff --git a/vendor/github.com/nlopes/slack/security.go b/vendor/github.com/nlopes/slack/security.go
index 50201d99..6ab3c698 100644
--- a/vendor/github.com/nlopes/slack/security.go
+++ b/vendor/github.com/nlopes/slack/security.go
@@ -1,47 +1,99 @@
-package slack
-
-import (
- "crypto/hmac"
- "crypto/sha256"
- "encoding/hex"
- "errors"
- "fmt"
- "hash"
- "net/http"
-)
-
-// SecretsVerifier contains the information needed to verify that the request comes from Slack
-type SecretsVerifier struct {
- slackSig string
- timeStamp string
- hmac hash.Hash
-}
-
-// NewSecretsVerifier returns a SecretsVerifier object in exchange for an http.Header object and signing secret
-func NewSecretsVerifier(header http.Header, signingSecret string) (SecretsVerifier, error) {
- if header["X-Slack-Signature"][0] == "" || header["X-Slack-Request-Timestamp"][0] == "" {
- return SecretsVerifier{}, errors.New("Headers are empty, cannot create SecretsVerifier")
- }
-
- hash := hmac.New(sha256.New, []byte(signingSecret))
- hash.Write([]byte(fmt.Sprintf("v0:%s:", header["X-Slack-Request-Timestamp"][0])))
- return SecretsVerifier{
- slackSig: header["X-Slack-Signature"][0],
- timeStamp: header["X-Slack-Request-Timestamp"][0],
- hmac: hash,
- }, nil
-}
-
-func (v *SecretsVerifier) Write(body []byte) (n int, err error) {
- return v.hmac.Write(body)
-}
-
-// Ensure compares the signature sent from Slack with the actual computed hash to judge validity
-func (v SecretsVerifier) Ensure() error {
- computed := "v0=" + string(hex.EncodeToString(v.hmac.Sum(nil)))
- if computed == v.slackSig {
- return nil
- }
-
- return fmt.Errorf("Expected signing signature: %s, but computed: %s", v.slackSig, computed)
-}
+package slack
+
+import (
+ "crypto/hmac"
+ "crypto/sha256"
+ "encoding/hex"
+ "errors"
+ "fmt"
+ "hash"
+ "net/http"
+ "strconv"
+ "strings"
+ "time"
+)
+
+// Signature headers
+const (
+ hSignature = "X-Slack-Signature"
+ hTimestamp = "X-Slack-Request-Timestamp"
+)
+
+// SecretsVerifier contains the information needed to verify that the request comes from Slack
+type SecretsVerifier struct {
+ signature []byte
+ hmac hash.Hash
+}
+
+func unsafeSignatureVerifier(header http.Header, secret string) (_ SecretsVerifier, err error) {
+ var (
+ bsignature []byte
+ )
+
+ signature := header.Get(hSignature)
+ stimestamp := header.Get(hTimestamp)
+
+ if signature == "" || stimestamp == "" {
+ return SecretsVerifier{}, errors.New("missing headers")
+ }
+
+ if bsignature, err = hex.DecodeString(strings.TrimPrefix(signature, "v0=")); err != nil {
+ return SecretsVerifier{}, err
+ }
+
+ hash := hmac.New(sha256.New, []byte(secret))
+ hash.Write([]byte(fmt.Sprintf("v0:%s:", stimestamp)))
+
+ return SecretsVerifier{
+ signature: bsignature,
+ hmac: hash,
+ }, nil
+}
+
+// NewSecretsVerifier returns a SecretsVerifier object in exchange for an http.Header object and signing secret
+func NewSecretsVerifier(header http.Header, secret string) (sv SecretsVerifier, err error) {
+ var (
+ timestamp int64
+ )
+
+ stimestamp := header.Get(hTimestamp)
+
+ if sv, err = unsafeSignatureVerifier(header, secret); err != nil {
+ return SecretsVerifier{}, err
+ }
+
+ if timestamp, err = strconv.ParseInt(stimestamp, 10, 64); err != nil {
+ return SecretsVerifier{}, err
+ }
+
+ diff := absDuration(time.Now().Sub(time.Unix(timestamp, 0)))
+ if diff > 5*time.Minute {
+ return SecretsVerifier{}, fmt.Errorf("timestamp is too old")
+ }
+
+ return sv, err
+}
+
+func (v *SecretsVerifier) Write(body []byte) (n int, err error) {
+ return v.hmac.Write(body)
+}
+
+// Ensure compares the signature sent from Slack with the actual computed hash to judge validity
+func (v SecretsVerifier) Ensure() error {
+ computed := v.hmac.Sum(nil)
+ // use hmac.Equal prevent leaking timing information.
+ if hmac.Equal(computed, v.signature) {
+ return nil
+ }
+
+ return fmt.Errorf("Expected signing signature: %s, but computed: %s", v.signature, computed)
+}
+
+func abs64(n int64) int64 {
+ y := n >> 63
+ return (n ^ y) - y
+}
+
+func absDuration(n time.Duration) time.Duration {
+ return time.Duration(abs64(int64(n)))
+}