Merge branch 'development' into development

hook/hook.go

@@ -94,6 +94,10 @@ func (e *ParseError) Error() string {
 
 // CheckPayloadSignature calculates and verifies SHA1 signature of the given payload
 func CheckPayloadSignature(payload []byte, secret string, signature string) (string, error) {
+	if secret == "" {
+		return "", errors.New("signature validation secret can not be empty")
+	}
+
 	signature = strings.TrimPrefix(signature, "sha1=")
 
 	mac := hmac.New(sha1.New, []byte(secret))
@@ -111,6 +115,10 @@ func CheckPayloadSignature(payload []byte, secret string, signature string) (str
 
 // CheckPayloadSignature256 calculates and verifies SHA256 signature of the given payload
 func CheckPayloadSignature256(payload []byte, secret string, signature string) (string, error) {
+	if secret == "" {
+		return "", errors.New("signature validation secret can not be empty")
+	}
+
 	signature = strings.TrimPrefix(signature, "sha256=")
 
 	mac := hmac.New(sha256.New, []byte(secret))
@@ -134,6 +142,10 @@ func CheckScalrSignature(headers map[string]interface{}, body []byte, signingKey
 	if _, ok := headers["Date"]; !ok {
 		return false, nil
 	}
+	if signingKey == "" {
+		return false, errors.New("signature validation signing key can not be empty")
+	}
+
 	providedSignature := headers["X-Signature"].(string)
 	dateHeader := headers["Date"].(string)
 	mac := hmac.New(sha1.New, []byte(signingKey))
@@ -168,41 +180,36 @@ func CheckScalrSignature(headers map[string]interface{}, body []byte, signingKey
 func CheckIPWhitelist(remoteAddr string, ipRange string) (bool, error) {
 	// Extract IP address from remote address.
 
-	ip := remoteAddr
+	// IPv6 addresses will likely be surrounded by [].
+	ip := strings.Trim(remoteAddr, " []")
 
-	if strings.LastIndex(remoteAddr, ":") != -1 {
-		ip = remoteAddr[0:strings.LastIndex(remoteAddr, ":")]
+	if i := strings.LastIndex(ip, ":"); i != -1 {
+		ip = ip[:i]
 	}
 
-	ip = strings.TrimSpace(ip)
-
-	// IPv6 addresses will likely be surrounded by [], so don't forget to remove those.
-
-	if strings.HasPrefix(ip, "[") && strings.HasSuffix(ip, "]") {
-		ip = ip[1 : len(ip)-1]
-	}
-
-	parsedIP := net.ParseIP(strings.TrimSpace(ip))
-
+	parsedIP := net.ParseIP(ip)
 	if parsedIP == nil {
 		return false, fmt.Errorf("invalid IP address found in remote address '%s'", remoteAddr)
 	}
 
-	// Extract IP range in CIDR form.  If a single IP address is provided, turn it into CIDR form.
+	for _, r := range strings.Fields(ipRange) {
+		// Extract IP range in CIDR form.  If a single IP address is provided, turn it into CIDR form.
 
-	ipRange = strings.TrimSpace(ipRange)
+		if !strings.Contains(r, "/") {
+			r = r + "/32"
+		}
 
-	if !strings.Contains(ipRange, "/") {
-		ipRange = ipRange + "/32"
+		_, cidr, err := net.ParseCIDR(r)
+		if err != nil {
+			return false, err
+		}
+
+		if cidr.Contains(parsedIP) {
+			return true, nil
+		}
 	}
 
-	_, cidr, err := net.ParseCIDR(ipRange)
-
-	if err != nil {
-		return false, err
-	}
-
-	return cidr.Contains(parsedIP), nil
+	return false, nil
 }
 
 // ReplaceParameter replaces parameter value with the passed value in the passed map

hook/hook_test.go

@@ -19,6 +19,7 @@ var checkPayloadSignatureTests = []struct {
 	// failures
 	{[]byte(`{"a": "z"}`), "secret", "XXXe04cbb22afa8ffbff8796fc1894ed27badd9e", "b17e04cbb22afa8ffbff8796fc1894ed27badd9e", false},
 	{[]byte(`{"a": "z"}`), "secreX", "b17e04cbb22afa8ffbff8796fc1894ed27badd9e", "900225703e9342328db7307692736e2f7cc7b36e", false},
+	{[]byte(`{"a": "z"}`), "", "b17e04cbb22afa8ffbff8796fc1894ed27badd9e", "", false},
 }
 
 func TestCheckPayloadSignature(t *testing.T) {
@@ -28,7 +29,7 @@ func TestCheckPayloadSignature(t *testing.T) {
 			t.Errorf("failed to check payload signature {%q, %q, %q}:\nexpected {mac:%#v, ok:%#v},\ngot {mac:%#v, ok:%#v}", tt.payload, tt.secret, tt.signature, tt.mac, tt.ok, mac, (err == nil))
 		}
 
-		if err != nil && strings.Contains(err.Error(), tt.mac) {
+		if err != nil && tt.mac != "" && strings.Contains(err.Error(), tt.mac) {
 			t.Errorf("error message should not disclose expected mac: %s", err)
 		}
 	}
@@ -45,6 +46,7 @@ var checkPayloadSignature256Tests = []struct {
 	{[]byte(`{"a": "z"}`), "secret", "sha256=f417af3a21bd70379b5796d5f013915e7029f62c580fb0f500f59a35a6f04c89", "f417af3a21bd70379b5796d5f013915e7029f62c580fb0f500f59a35a6f04c89", true},
 	// failures
 	{[]byte(`{"a": "z"}`), "secret", "XXX7af3a21bd70379b5796d5f013915e7029f62c580fb0f500f59a35a6f04c89", "f417af3a21bd70379b5796d5f013915e7029f62c580fb0f500f59a35a6f04c89", false},
+	{[]byte(`{"a": "z"}`), "", "XXX7af3a21bd70379b5796d5f013915e7029f62c580fb0f500f59a35a6f04c89", "", false},
 }
 
 func TestCheckPayloadSignature256(t *testing.T) {
@@ -54,7 +56,7 @@ func TestCheckPayloadSignature256(t *testing.T) {
 			t.Errorf("failed to check payload signature {%q, %q, %q}:\nexpected {mac:%#v, ok:%#v},\ngot {mac:%#v, ok:%#v}", tt.payload, tt.secret, tt.signature, tt.mac, tt.ok, mac, (err == nil))
 		}
 
-		if err != nil && strings.Contains(err.Error(), tt.mac) {
+		if err != nil && tt.mac != "" && strings.Contains(err.Error(), tt.mac) {
 			t.Errorf("error message should not disclose expected mac: %s", err)
 		}
 	}
@@ -92,6 +94,12 @@ var checkScalrSignatureTests = []struct {
 		[]byte(`{"a": "b"}`), "bilFGi4ZVZUdG+C6r0NIM9tuRq6PaG33R3eBUVhLwMAErGBaazvXe4Gq2DcJs5q+",
 		"48e395e38ac48988929167df531eb2da00063a7d", false,
 	},
+	{
+		"Missing signing key",
+		map[string]interface{}{"Date": "Thu 07 Sep 2017 06:30:04 UTC", "X-Signature": "48e395e38ac48988929167df531eb2da00063a7d"},
+		[]byte(`{"a": "b"}`), "",
+		"48e395e38ac48988929167df531eb2da00063a7d", false,
+	},
 }
 
 func TestCheckScalrSignature(t *testing.T) {
@@ -102,12 +110,36 @@ func TestCheckScalrSignature(t *testing.T) {
 				testCase.description, testCase.ok, valid)
 		}
 
-		if err != nil && strings.Contains(err.Error(), testCase.expectedSignature) {
+		if err != nil && testCase.secret != "" && strings.Contains(err.Error(), testCase.expectedSignature) {
 			t.Errorf("error message should not disclose expected mac: %s on test case %s", err, testCase.description)
 		}
 	}
 }
 
+var checkIPWhitelistTests = []struct {
+	addr    string
+	ipRange string
+	expect  bool
+	ok      bool
+}{
+	{"[ 10.0.0.1:1234 ] ", "  10.0.0.1 ", true, true},
+	{"[ 10.0.0.1:1234 ] ", "  10.0.0.0 ", false, true},
+	{"[ 10.0.0.1:1234 ] ", "  10.0.0.1 10.0.0.1 ", true, true},
+	{"[ 10.0.0.1:1234 ] ", "  10.0.0.0/31 ", true, true},
+	{" [2001:db8:1:2::1:1234] ", "  2001:db8:1::/48 ", true, true},
+	{" [2001:db8:1:2::1:1234] ", "  2001:db8:1::/48 2001:db8:1::/64", true, true},
+	{" [2001:db8:1:2::1:1234] ", "  2001:db8:1::/64 ", false, true},
+}
+
+func TestCheckIPWhitelist(t *testing.T) {
+	for _, tt := range checkIPWhitelistTests {
+		result, err := CheckIPWhitelist(tt.addr, tt.ipRange)
+		if (err == nil) != tt.ok || result != tt.expect {
+			t.Errorf("ip whitelist test failed {%q, %q}:\nwant {expect:%#v, ok:%#v},\ngot {result:%#v, ok:%#v}", tt.addr, tt.ipRange, tt.expect, tt.ok, result, err)
+		}
+	}
+}
+
 var extractParameterTests = []struct {
 	s      string
 	params interface{}
@@ -129,7 +161,7 @@ var extractParameterTests = []struct {
 	{"a.501.b", map[string]interface{}{"a": []interface{}{map[string]interface{}{"b": "y"}, map[string]interface{}{"b": "z"}}}, "", false}, // non-existent slice index
 	{"a.502.b", map[string]interface{}{"a": []interface{}{}}, "", false},                                                                   // non-existent slice index
 	{"a.b.503", map[string]interface{}{"a": map[string]interface{}{"b": []interface{}{"x", "y", "z"}}}, "", false},                         // trailing, non-existent slice index
-	{"a.b", interface{}("a"), "", false},                                                                                                   // non-map, non-slice input
+	{"a.b", interface{}("a"), "", false}, // non-map, non-slice input
 }
 
 func TestExtractParameter(t *testing.T) {