Move the signature checking rules out of MatchRule into their own dedicated SignatureRule, configured as "check-signature" in the hooks file. This takes an algorithm, secret and Argument giving the source of the signature, and by default behaves exactly like the old payload-hmac-<algorithm> match rules. However it can also take a second optional Argument to customize how to generate the "string to sign", allowing signatures to be computed over something other than the full request body content.
This could be a single header or payload item but more likely will be a "template" argument to combine items from different places in the request, such as the body content and one or more headers, e.g. to compute a signature over the X-Request-Id header, Date header, and request body, concatenated with CRLF, you could specify
check-signature:
algorithm: sha512
secret: 5uper5eecret
signature:
source: header
name: X-Hook-Signature
string-to-sign:
source: template
name: |
{{- printf "%s\r\n" (.GetHeader "x-request-id") -}}
{{- printf "%s\r\n" (.GetHeader "date") -}}
{{- .BodyText -}}
When you want to use "source":"template" arguments inside your hook file but also parse the hook file itself as a template, it is necessary use different delimiters on the two template parsers to avoid having to pepper all the inner templates with constructs like {{"{{"}}. Added an extra command line argument -template-delims that expects a comma-separated pair of delimiters like '[[,]]' that will be used when parsing the whole hooks file template. Inner templates in an Argument always use the default double-brace style.
Added a new "source": "template" argument type, that evaluates a Go text/template against a context containing the request Body, Query, Payload and Headers, enabling much richer mapping from request attributes to argument parameters.
The payload-hash-* options are imprecisely named. Clarify their function
as HMAC validations by renaming them. The existing options will continue
to work but are deprecated. Log a warning if the old options are used.
All tests, examples, and documentation are updated.
Fixes#289
To avoid having to pass around so many parameters to the hook package,
create a Request object to store all request-specific data. Update APIs
accordingly.
When attempting to match a JSON path for initial setup, it would be
helpful to know where the path failed. This change logs the failed
parameter node. For example, if you are trying to match path "a.b.d.e",
but you failed to include the "c" node, webhook will log an error
"parameter node not found: d.e" to assist in troubleshooting.
