rack-slack_request_verification 0.1.0

Sign up to get free protection for your applications and to get access to all the features.
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: 62381da5d7fb58f307747f07e786e8ab2146a56128e18edcdff142ae007a2896
4
+ data.tar.gz: cbad6d1cf50520166b7e82e6a9ff13b1346b78a1e5cb55f06d43317b4bab9b93
5
+ SHA512:
6
+ metadata.gz: 5c9884a7729394cfefcf3dba9550a57d3c92986d1b3e7dba68fa844ef58c3d8105cd005d035fa5f0e29405e7b89221eaf92e5fa6188de574e5d04f64546fe5e4
7
+ data.tar.gz: 6aa11e0045975efefab53246b074dca2f962cc28c2821ec6743935c76cab7e8c1a4561c5dfbeb00c61944c9da57434a6bb8caf5dae10c0d49c15e169b6498608
@@ -0,0 +1,11 @@
1
+ /.bundle/
2
+ /.yardoc
3
+ /_yardoc/
4
+ /coverage/
5
+ /doc/
6
+ /pkg/
7
+ /spec/reports/
8
+ /tmp/
9
+
10
+ # rspec failure tracking
11
+ .rspec_status
data/.rspec ADDED
@@ -0,0 +1,3 @@
1
+ --format documentation
2
+ --color
3
+ --require spec_helper
@@ -0,0 +1,7 @@
1
+ ---
2
+ sudo: false
3
+ language: ruby
4
+ cache: bundler
5
+ rvm:
6
+ - 2.6.2
7
+ before_install: gem install bundler -v 2.0.1
@@ -0,0 +1,74 @@
1
+ # Contributor Covenant Code of Conduct
2
+
3
+ ## Our Pledge
4
+
5
+ In the interest of fostering an open and welcoming environment, we as
6
+ contributors and maintainers pledge to making participation in our project and
7
+ our community a harassment-free experience for everyone, regardless of age, body
8
+ size, disability, ethnicity, gender identity and expression, level of experience,
9
+ nationality, personal appearance, race, religion, or sexual identity and
10
+ orientation.
11
+
12
+ ## Our Standards
13
+
14
+ Examples of behavior that contributes to creating a positive environment
15
+ include:
16
+
17
+ * Using welcoming and inclusive language
18
+ * Being respectful of differing viewpoints and experiences
19
+ * Gracefully accepting constructive criticism
20
+ * Focusing on what is best for the community
21
+ * Showing empathy towards other community members
22
+
23
+ Examples of unacceptable behavior by participants include:
24
+
25
+ * The use of sexualized language or imagery and unwelcome sexual attention or
26
+ advances
27
+ * Trolling, insulting/derogatory comments, and personal or political attacks
28
+ * Public or private harassment
29
+ * Publishing others' private information, such as a physical or electronic
30
+ address, without explicit permission
31
+ * Other conduct which could reasonably be considered inappropriate in a
32
+ professional setting
33
+
34
+ ## Our Responsibilities
35
+
36
+ Project maintainers are responsible for clarifying the standards of acceptable
37
+ behavior and are expected to take appropriate and fair corrective action in
38
+ response to any instances of unacceptable behavior.
39
+
40
+ Project maintainers have the right and responsibility to remove, edit, or
41
+ reject comments, commits, code, wiki edits, issues, and other contributions
42
+ that are not aligned to this Code of Conduct, or to ban temporarily or
43
+ permanently any contributor for other behaviors that they deem inappropriate,
44
+ threatening, offensive, or harmful.
45
+
46
+ ## Scope
47
+
48
+ This Code of Conduct applies both within project spaces and in public spaces
49
+ when an individual is representing the project or its community. Examples of
50
+ representing a project or community include using an official project e-mail
51
+ address, posting via an official social media account, or acting as an appointed
52
+ representative at an online or offline event. Representation of a project may be
53
+ further defined and clarified by project maintainers.
54
+
55
+ ## Enforcement
56
+
57
+ Instances of abusive, harassing, or otherwise unacceptable behavior may be
58
+ reported by contacting the project team at pn@trineo.com. All
59
+ complaints will be reviewed and investigated and will result in a response that
60
+ is deemed necessary and appropriate to the circumstances. The project team is
61
+ obligated to maintain confidentiality with regard to the reporter of an incident.
62
+ Further details of specific enforcement policies may be posted separately.
63
+
64
+ Project maintainers who do not follow or enforce the Code of Conduct in good
65
+ faith may face temporary or permanent repercussions as determined by other
66
+ members of the project's leadership.
67
+
68
+ ## Attribution
69
+
70
+ This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
71
+ available at [http://contributor-covenant.org/version/1/4][version]
72
+
73
+ [homepage]: http://contributor-covenant.org
74
+ [version]: http://contributor-covenant.org/version/1/4/
data/Gemfile ADDED
@@ -0,0 +1,4 @@
1
+ source "https://rubygems.org"
2
+
3
+ # Specify your gem's dependencies in rack-slack_request_verification.gemspec
4
+ gemspec
@@ -0,0 +1,41 @@
1
+ PATH
2
+ remote: .
3
+ specs:
4
+ rack-slack_request_verification (0.1.0)
5
+
6
+ GEM
7
+ remote: https://rubygems.org/
8
+ specs:
9
+ diff-lcs (1.3)
10
+ rack (2.0.7)
11
+ rack-test (1.1.0)
12
+ rack (>= 1.0, < 3)
13
+ rake (10.5.0)
14
+ rspec (3.8.0)
15
+ rspec-core (~> 3.8.0)
16
+ rspec-expectations (~> 3.8.0)
17
+ rspec-mocks (~> 3.8.0)
18
+ rspec-core (3.8.0)
19
+ rspec-support (~> 3.8.0)
20
+ rspec-expectations (3.8.3)
21
+ diff-lcs (>= 1.2.0, < 2.0)
22
+ rspec-support (~> 3.8.0)
23
+ rspec-mocks (3.8.0)
24
+ diff-lcs (>= 1.2.0, < 2.0)
25
+ rspec-support (~> 3.8.0)
26
+ rspec-support (3.8.0)
27
+ timecop (0.9.1)
28
+
29
+ PLATFORMS
30
+ ruby
31
+
32
+ DEPENDENCIES
33
+ bundler (~> 2.0)
34
+ rack-slack_request_verification!
35
+ rack-test
36
+ rake (~> 10.0)
37
+ rspec (~> 3.0)
38
+ timecop
39
+
40
+ BUNDLED WITH
41
+ 2.0.1
@@ -0,0 +1,21 @@
1
+ The MIT License (MIT)
2
+
3
+ Copyright (c) 2019 Pete Nicholls
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in
13
+ all copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21
+ THE SOFTWARE.
@@ -0,0 +1,90 @@
1
+ # Rack::SlackRequestVerification
2
+
3
+ Rack middleware to verify Slack requests made using signed secrets.
4
+
5
+ ## Installation
6
+
7
+ Add this line to your application's Gemfile:
8
+
9
+ ```ruby
10
+ gem 'rack-slack_request_verification'
11
+ ```
12
+
13
+ And then execute:
14
+
15
+ $ bundle
16
+
17
+ Or install it yourself as:
18
+
19
+ $ gem install rack-slack_request_verification
20
+
21
+ ## Usage
22
+
23
+ Inside your `config.ru`:
24
+
25
+ ```ruby
26
+ # Apply signed request verification to every path starting with "/slack/"
27
+ use Rack::SlackRequestVerification, path_pattern: %{^/slack/}
28
+ run MyApp
29
+ ```
30
+
31
+ Will use a `SLACK_SIGNING_KEY` environment variable by default.
32
+
33
+ You can override this with:
34
+
35
+ ```ruby
36
+ use Rack::SlackRequestVerification, path_pattern: %{^/slack/}, signing_key: '...'
37
+ ```
38
+
39
+ A **401 Not Authorized** is returned in the following circumstances:
40
+
41
+ * When either or both of the `X-Slack-Request-Timestamp` or `X-Slack-Signature` headers are absent
42
+ * When the timestamp is more than five minutes old (to mitigate replay attacks)
43
+ * When the computed signature of the request does not match the `X-Slack-Signature`
44
+
45
+ A log message is also generated.
46
+
47
+ ### Full options
48
+
49
+ ```ruby
50
+ use Rack::SlackRequestVerification, {
51
+ # A regular expression used to determine which requests to verify
52
+ path_pattern: %r{^/slack/},
53
+
54
+ # You can provide a signing key directly, set a SLACK_SIGNING_KEY env var
55
+ # or customise the env var to something else
56
+ signing_key: nil,
57
+ signing_key_env_var: 'SLACK_SIGNING_KEY',
58
+
59
+ # Mitigates replay attacks by verifying the request was sent recently –
60
+ # a better strategy is to record the signature header to ensure you only
61
+ # process each request once
62
+ max_staleness_in_secs: 60 * 5,
63
+
64
+ # Where to log error messages
65
+ logger: Logger.new($stdout),
66
+
67
+ # Settings as currently in use by Slack
68
+ signing_version: 'v0',
69
+ timestamp_header: 'X-Slack-Request-Timestamp',
70
+ signature_header: 'X-Slack-Signature'
71
+ }
72
+ ```
73
+
74
+ ## Development
75
+
76
+ After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
77
+
78
+ To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
79
+
80
+ ## Contributing
81
+
82
+ Bug reports and pull requests are welcome on GitHub at https://github.com/Aupajo/rack-slack_request_verification. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
83
+
84
+ ## License
85
+
86
+ The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
87
+
88
+ ## Code of Conduct
89
+
90
+ Everyone interacting in the Rack::SlackRequestVerification project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/Aupajo/rack-slack_request_verification/blob/master/CODE_OF_CONDUCT.md).
@@ -0,0 +1,6 @@
1
+ require "bundler/gem_tasks"
2
+ require "rspec/core/rake_task"
3
+
4
+ RSpec::Core::RakeTask.new(:spec)
5
+
6
+ task default: :spec
@@ -0,0 +1,7 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require "bundler/setup"
4
+ require "rack/slack_request_verification"
5
+
6
+ require "irb"
7
+ IRB.start(__FILE__)
@@ -0,0 +1,8 @@
1
+ #!/usr/bin/env bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+ set -vx
5
+
6
+ bundle install
7
+
8
+ # Do any other automated setup that you need to do here
@@ -0,0 +1,12 @@
1
+ module Rack
2
+ module SlackRequestVerification
3
+ class Error < StandardError; end
4
+
5
+ def self.new(*args)
6
+ Middleware.new(*args)
7
+ end
8
+ end
9
+ end
10
+
11
+ require "rack/slack_request_verification/version"
12
+ require "rack/slack_request_verification/middleware"
@@ -0,0 +1,99 @@
1
+ require 'logger'
2
+ require 'openssl'
3
+
4
+ module Rack::SlackRequestVerification
5
+ class Middleware
6
+ attr_reader *%i(
7
+ signing_key
8
+ path_pattern
9
+ signing_version
10
+ timestamp_header
11
+ signature_header
12
+ logger
13
+ max_staleness_in_secs
14
+ )
15
+
16
+ def initialize(app,
17
+ # A regular expression used to determine which requests to verify
18
+ path_pattern:,
19
+
20
+ # You can provide a signing key directly, set a SLACK_SIGNING_KEY env var
21
+ # or customise the env var to something else
22
+ signing_key: nil,
23
+ signing_key_env_var: 'SLACK_SIGNING_KEY',
24
+
25
+ # Mitigates replay attacks by verifying the request was sent recently –
26
+ # a better strategy is to record the signature header to ensure you only
27
+ # process each request once
28
+ max_staleness_in_secs: 60 * 5,
29
+
30
+ # Where to log error messages
31
+ logger: Logger.new($stdout),
32
+
33
+ signing_version: 'v0',
34
+ timestamp_header: 'X-Slack-Request-Timestamp',
35
+ signature_header: 'X-Slack-Signature'
36
+ )
37
+ @app = app
38
+ @path_pattern = path_pattern
39
+ @signing_version = signing_version
40
+ @timestamp_header = timestamp_header
41
+ @signature_header = signature_header
42
+ @logger = logger
43
+ @max_staleness_in_secs = max_staleness_in_secs
44
+
45
+ @signing_key = signing_key || ENV.fetch(signing_key_env_var) do
46
+ fail Error, "#{signing_key_env_var} env var not set, please configure a signing key"
47
+ end
48
+ end
49
+
50
+ def call(env)
51
+ if !path_pattern.match?(env['PATH_INFO'])
52
+ @app.call(env)
53
+ else
54
+ headers = {
55
+ signature_header => env["HTTP_" + signature_header.gsub('-', '_').upcase],
56
+ timestamp_header => env["HTTP_" + timestamp_header.gsub('-', '_').upcase]&.to_i
57
+ }
58
+
59
+ missing_headers = headers.select { |_, value| value.nil? }.keys
60
+
61
+ if !missing_headers.empty?
62
+ logger.error "Slack verification failed: missing #{missing_headers.join(', ')}"
63
+ return [401, {}, "Not authorized"]
64
+ end
65
+
66
+ timestamp = headers[timestamp_header]
67
+ signature = headers[signature_header]
68
+
69
+ minimum_timestamp = Time.now.to_i - max_staleness_in_secs
70
+
71
+ if timestamp < minimum_timestamp
72
+ logger.error "Slack verification failed: #{timestamp_header} is #{timestamp}, only #{minimum_timestamp} or later is allowed"
73
+ return [401, {}, "Not authorized"]
74
+ end
75
+
76
+ body = env['rack.input']
77
+
78
+ signature_base_string = [
79
+ signing_version,
80
+ timestamp,
81
+ body.read
82
+ ].join(':')
83
+
84
+ body.rewind
85
+
86
+ digest = OpenSSL::HMAC.hexdigest("SHA256", signing_key, signature_base_string)
87
+
88
+ computed_signature = [signing_version, digest].join('=')
89
+
90
+ if computed_signature != signature
91
+ logger.error "Slack verification failed: #{signature_header} does not match the signature"
92
+ return [401, {}, "Not authorized"]
93
+ end
94
+
95
+ @app.call(env)
96
+ end
97
+ end
98
+ end
99
+ end
@@ -0,0 +1,5 @@
1
+ module Rack
2
+ module SlackRequestVerification
3
+ VERSION = "0.1.0"
4
+ end
5
+ end
@@ -0,0 +1,29 @@
1
+ lib = File.expand_path("../lib", __FILE__)
2
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
3
+ require "rack/slack_request_verification/version"
4
+
5
+ Gem::Specification.new do |spec|
6
+ spec.name = "rack-slack_request_verification"
7
+ spec.version = Rack::SlackRequestVerification::VERSION
8
+ spec.authors = ["Pete Nicholls"]
9
+ spec.email = ["aupajo@gmail.com"]
10
+
11
+ spec.summary = %q{Rack middleware to verify Slack requests made using signed secrets.}
12
+ spec.homepage = "https://github.com/Aupajo/rack-slack_request_verification"
13
+ spec.license = "MIT"
14
+
15
+ # Specify which files should be added to the gem when it is released.
16
+ # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
17
+ spec.files = Dir.chdir(File.expand_path('..', __FILE__)) do
18
+ `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
19
+ end
20
+ spec.bindir = "exe"
21
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
22
+ spec.require_paths = ["lib"]
23
+
24
+ spec.add_development_dependency "bundler", "~> 2.0"
25
+ spec.add_development_dependency "rake", "~> 10.0"
26
+ spec.add_development_dependency "rspec", "~> 3.0"
27
+ spec.add_development_dependency "rack-test"
28
+ spec.add_development_dependency "timecop"
29
+ end
metadata ADDED
@@ -0,0 +1,128 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: rack-slack_request_verification
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - Pete Nicholls
8
+ autorequire:
9
+ bindir: exe
10
+ cert_chain: []
11
+ date: 2019-04-27 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: bundler
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: '2.0'
20
+ type: :development
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: '2.0'
27
+ - !ruby/object:Gem::Dependency
28
+ name: rake
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: '10.0'
34
+ type: :development
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: '10.0'
41
+ - !ruby/object:Gem::Dependency
42
+ name: rspec
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: '3.0'
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: '3.0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: rack-test
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '0'
69
+ - !ruby/object:Gem::Dependency
70
+ name: timecop
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - ">="
74
+ - !ruby/object:Gem::Version
75
+ version: '0'
76
+ type: :development
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - ">="
81
+ - !ruby/object:Gem::Version
82
+ version: '0'
83
+ description:
84
+ email:
85
+ - aupajo@gmail.com
86
+ executables: []
87
+ extensions: []
88
+ extra_rdoc_files: []
89
+ files:
90
+ - ".gitignore"
91
+ - ".rspec"
92
+ - ".travis.yml"
93
+ - CODE_OF_CONDUCT.md
94
+ - Gemfile
95
+ - Gemfile.lock
96
+ - LICENSE.txt
97
+ - README.md
98
+ - Rakefile
99
+ - bin/console
100
+ - bin/setup
101
+ - lib/rack/slack_request_verification.rb
102
+ - lib/rack/slack_request_verification/middleware.rb
103
+ - lib/rack/slack_request_verification/version.rb
104
+ - rack-slack_request_verification.gemspec
105
+ homepage: https://github.com/Aupajo/rack-slack_request_verification
106
+ licenses:
107
+ - MIT
108
+ metadata: {}
109
+ post_install_message:
110
+ rdoc_options: []
111
+ require_paths:
112
+ - lib
113
+ required_ruby_version: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - ">="
116
+ - !ruby/object:Gem::Version
117
+ version: '0'
118
+ required_rubygems_version: !ruby/object:Gem::Requirement
119
+ requirements:
120
+ - - ">="
121
+ - !ruby/object:Gem::Version
122
+ version: '0'
123
+ requirements: []
124
+ rubygems_version: 3.0.3
125
+ signing_key:
126
+ specification_version: 4
127
+ summary: Rack middleware to verify Slack requests made using signed secrets.
128
+ test_files: []