Convert boosted api received hook to signature validation

dustinrouillard · Nov 7, 2024 · db3c736 · db3c736
1 parent ed96d92
commit db3c736
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 29 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,40 @@
+on:
+  push:
+    branches:
+      - main
+
+env:
+  RESOURCE_NAME: deployment/dstn-api
+
+jobs:
+  build:
+    name: Build, and push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: ./
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ghcr.io/${{ github.repository }}:${{ github.sha }},ghcr.io/${{ github.repository }}:latest
+
+      - name: Set deployment image
+        uses: danielr1996/[email protected]
+        with:
+          kubeconfig: ${{ secrets.KUBECONFIG }}
+          args: set image ${{ env.RESOURCE_NAME }} api=ghcr.io/${{ github.repository }}:${{ github.sha }}
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -41,6 +41,9 @@ prometheus-http-query = "0.8.3"
 influxdb2 = "0.5.1"
 influxdb2-structmap = "0.2.0"
 serde_repr = "0.1.19"
+hmac = "0.12.1"
+sha2 = "0.10.8"
+base64 = "0.22.1"
 
 [profile.release]
 lto = true

diff --git a/src/services/hooks/boosted.rs b/src/services/hooks/boosted.rs
@@ -1,6 +1,10 @@
 use actix_web::{http::Error, post, web, HttpRequest, HttpResponse};
+use base64::engine::general_purpose::STANDARD;
+use base64::Engine;
 use envconfig::Envconfig as _;
+use hmac::{Hmac, Mac};
 use redis::aio::ConnectionManager;
+use sha2::Sha256;
 
 use crate::{
   config::Config,
@@ -17,14 +21,32 @@ async fn execute(
 ) -> Result<HttpResponse, Error> {
   let config = Config::init_from_env().unwrap();
 
-  let auth_header = req.headers().get("authorization");
+  let auth_header = req.headers().get("x-hook-signature");
   if auth_header.is_none() {
     return Ok(HttpResponse::BadRequest().finish());
   }
 
-  let auth_header = auth_header.unwrap().to_str().unwrap();
+  let received_signature = auth_header.unwrap().to_str().unwrap();
+  let received_signature_bytes = match STANDARD.decode(received_signature)
+  {
+    Ok(bytes) => bytes,
+    Err(_) => {
+      return Ok(
+        HttpResponse::BadRequest().body("Invalid signature encoding"),
+      )
+    }
+  };
+
+  let mut mac =
+    Hmac::<Sha256>::new_from_slice(config.boosted_hook_token.as_bytes())
+      .expect("HMAC can take key of any size");
+  let payload_string =
+    serde_json::to_string::<BoostedHookPayload>(&payload)
+      .unwrap_or("".into());
+  mac.update(payload_string.as_bytes());
 
-  if auth_header != config.boosted_hook_token {
+  let expected_signature = mac.finalize().into_bytes().to_vec();
+  if expected_signature != received_signature_bytes {
     return Ok(HttpResponse::BadRequest().finish());
   }