39 lines
1.1 KiB
Go
39 lines
1.1 KiB
Go
|
package api
|
||
|
|
|
||
|
|
import (
|
||
|
|
"crypto/hmac"
|
||
|
|
"crypto/sha256"
|
||
|
|
"encoding/hex"
|
||
|
|
"fmt"
|
||
|
|
)
|
||
|
|
|
||
|
|
func isValidWebhook(message []byte, key string, signature string, component string) (bool, error) {
|
||
|
|
if key == "" && signature == "" {
|
||
|
|
// No webhook token configured and no signature header received. Skipping request validation.
|
||
|
|
return true, nil
|
||
|
|
}
|
||
|
|
|
||
|
|
if key == "" && signature != "" {
|
||
|
|
return false, fmt.Errorf("Signature header received but no %s webhook secret configured. Request rejected due to possible configuration mismatch.", component)
|
||
|
|
}
|
||
|
|
|
||
|
|
if key != "" && signature == "" {
|
||
|
|
return false, fmt.Errorf("%s webhook secret configured but no signature header received. Request rejected due to possible configuration mismatch.", component)
|
||
|
|
}
|
||
|
|
|
||
|
|
decodedSignature, err := hex.DecodeString(signature)
|
||
|
|
if err != nil {
|
||
|
|
return false, fmt.Errorf("Error decoding signature for %s webhook.", component)
|
||
|
|
}
|
||
|
|
|
||
|
|
mac := hmac.New(sha256.New, []byte(key))
|
||
|
|
mac.Write(message)
|
||
|
|
sum := mac.Sum(nil)
|
||
|
|
|
||
|
|
if !hmac.Equal(decodedSignature, sum) {
|
||
|
|
return false, fmt.Errorf("Signature header does not match the received %s webhook content. Request rejected.", component)
|
||
|
|
}
|
||
|
|
|
||
|
|
return true, nil
|
||
|
|
}
|