Merge pull request #361 from adnanh/feature/check-payload-hash-sha512

Add SHA512 payload check rule
2025-05-13 00:54:53 +00:00 · 2019-12-02 22:34:07 +01:00 · 2019-12-02 22:34:07 +01:00 · a617b1a6ac
commit a617b1a6ac
parent 9117f4f6d6 b53996f175
3 changed files with 87 additions and 2 deletions
--- a/docs/Hook-Rules.md
+++ b/docs/Hook-Rules.md
@ -186,7 +186,39 @@ For the regex syntax, check out <http://golang.org/pkg/regexp/syntax/>
 }
 ```

-### 4. Match Whitelisted IP range
+### 4. Match payload-hash-sha256
+```json
+{
+  "match":
+  {
+    "type": "payload-hash-sha256",
+    "secret": "yoursecret",
+    "parameter":
+    {
+      "source": "header",
+      "name": "X-Signature"
+    }
+  }
+}
+```
+
+### 5. Match payload-hash-sha512
+```json
+{
+  "match":
+  {
+    "type": "payload-hash-sha512",
+    "secret": "yoursecret",
+    "parameter":
+    {
+      "source": "header",
+      "name": "X-Signature"
+    }
+  }
+}
+```
+
+### 6. Match Whitelisted IP range

 The IP can be IPv4- or IPv6-formatted, using [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_blocks).  To match a single IP address only, use `/32`.

@ -200,7 +232,7 @@ The IP can be IPv4- or IPv6-formatted, using [CIDR notation](https://en.wikipedi
 }
 ```

-### 5. Match scalr-signature
+### 7. Match scalr-signature

 The trigger rule checks the scalr signature and also checks that the request was signed less than 5 minutes before it was received. 
 A unqiue signing key is generated for each webhook endpoint URL you register in Scalr.
--- a/hook/hook.go
+++ b/hook/hook.go
@ -5,6 +5,7 @@ import (
 	"crypto/hmac"
 	"crypto/sha1"
 	"crypto/sha256"
+	"crypto/sha512"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@ -134,6 +135,27 @@ func CheckPayloadSignature256(payload []byte, secret string, signature string) (
 	return expectedMAC, err
 }

+// CheckPayloadSignature512 calculates and verifies SHA512 signature of the given payload
+func CheckPayloadSignature512(payload []byte, secret string, signature string) (string, error) {
+	if secret == "" {
+		return "", errors.New("signature validation secret can not be empty")
+	}
+
+	signature = strings.TrimPrefix(signature, "sha512=")
+
+	mac := hmac.New(sha512.New, []byte(secret))
+	_, err := mac.Write(payload)
+	if err != nil {
+		return "", err
+	}
+	expectedMAC := hex.EncodeToString(mac.Sum(nil))
+
+	if !hmac.Equal([]byte(signature), []byte(expectedMAC)) {
+		return expectedMAC, &SignatureError{signature}
+	}
+	return expectedMAC, err
+}
+
 func CheckScalrSignature(headers map[string]interface{}, body []byte, signingKey string, checkDate bool) (bool, error) {
 	// Check for the signature and date headers
 	if _, ok := headers["X-Signature"]; !ok {
@ -748,6 +770,7 @@ const (
 	MatchRegex      string = "regex"
 	MatchHashSHA1   string = "payload-hash-sha1"
 	MatchHashSHA256 string = "payload-hash-sha256"
+	MatchHashSHA512 string = "payload-hash-sha512"
 	IPWhitelist     string = "ip-whitelist"
 	ScalrSignature  string = "scalr-signature"
 )
@ -773,6 +796,9 @@ func (r MatchRule) Evaluate(headers, query, payload *map[string]interface{}, bod
 		case MatchHashSHA256:
 			_, err := CheckPayloadSignature256(*body, r.Secret, arg)
 			return err == nil, err
+		case MatchHashSHA512:
+			_, err := CheckPayloadSignature512(*body, r.Secret, arg)
+			return err == nil, err
 		}
 	}
 	return false, nil
--- a/hook/hook_test.go
+++ b/hook/hook_test.go
@ -94,6 +94,33 @@ func TestCheckPayloadSignature256(t *testing.T) {
 	}
 }

+var checkPayloadSignature512Tests = []struct {
+	payload   []byte
+	secret    string
+	signature string
+	mac       string
+	ok        bool
+}{
+	{[]byte(`{"a": "z"}`), "secret", "4ab17cc8ec668ead8bf498f87f8f32848c04d5ca3c9bcfcd3db9363f0deb44e580b329502a7fdff633d4d8fca301cc5c94a55a2fec458c675fb0ff2655898324", "4ab17cc8ec668ead8bf498f87f8f32848c04d5ca3c9bcfcd3db9363f0deb44e580b329502a7fdff633d4d8fca301cc5c94a55a2fec458c675fb0ff2655898324", true},
+	{[]byte(`{"a": "z"}`), "secret", "sha512=4ab17cc8ec668ead8bf498f87f8f32848c04d5ca3c9bcfcd3db9363f0deb44e580b329502a7fdff633d4d8fca301cc5c94a55a2fec458c675fb0ff2655898324", "4ab17cc8ec668ead8bf498f87f8f32848c04d5ca3c9bcfcd3db9363f0deb44e580b329502a7fdff633d4d8fca301cc5c94a55a2fec458c675fb0ff2655898324", true},
+	// failures
+	{[]byte(`{"a": "z"}`), "secret", "74a0081f5b5988f4f3e8b8dd34dadc6291611f2e6260635a7e1535f8e95edb97ff520ba8b152e8ca5760ac42639854f3242e29efc81be73a8bf52d474d31ffea", "4ab17cc8ec668ead8bf498f87f8f32848c04d5ca3c9bcfcd3db9363f0deb44e580b329502a7fdff633d4d8fca301cc5c94a55a2fec458c675fb0ff2655898324", false},
+	{[]byte(`{"a": "z"}`), "", "74a0081f5b5988f4f3e8b8dd34dadc6291611f2e6260635a7e1535f8e95edb97ff520ba8b152e8ca5760ac42639854f3242e29efc81be73a8bf52d474d31ffea", "", false},
+}
+
+func TestCheckPayloadSignature512(t *testing.T) {
+	for _, tt := range checkPayloadSignature512Tests {
+		mac, err := CheckPayloadSignature512(tt.payload, tt.secret, tt.signature)
+		if (err == nil) != tt.ok || mac != tt.mac {
+			t.Errorf("failed to check payload signature {%q, %q, %q}:\nexpected {mac:%#v, ok:%#v},\ngot {mac:%#v, ok:%#v}", tt.payload, tt.secret, tt.signature, tt.mac, tt.ok, mac, (err == nil))
+		}
+
+		if err != nil && tt.mac != "" && strings.Contains(err.Error(), tt.mac) {
+			t.Errorf("error message should not disclose expected mac: %s", err)
+		}
+	}
+}
+
 var checkScalrSignatureTests = []struct {
 	description       string
 	headers           map[string]interface{}