Documentation
Overview
Utility methods for implementing authenticated webhooks.
All requests must either be over a private channel (e.g. https) or must be idempotent and return no data. Requests sent via an open channel (e.g. http) could be resent by an attacker.
Index
- Constants
- func AuthenticateRequest(r *http.Request) ([]byte, error)
- func ComputeAuthHashBase64(data []byte) (string, error)
- func InitRequestSaltForTesting()
- func InitRequestSaltFromFile(filename string) error
- func InitRequestSaltFromMetadata(metadataKey string) error
- func InitRequestSaltFromSecret(project, secretName string) error
- func MustInitRequestSaltFromFile(filename string)
- func MustInitRequestSaltFromMetadata(metadataKey string)
- func MustInitRequestSaltFromSecret(project, secret string)
- func NewRequest(method, urlStr string, body []byte) (*http.Request, error)
Constants
const REQUEST_AUTH_HASH_HEADER = "X-Webhook-Auth-Hash"
Required header for requests to a webhook authenticated using AuthenticateRequest. The value must be set to the result of ComputeAuthHashBase64.
Variables
This section is empty.
Functions
func AuthenticateRequest
Authenticates a webhook request.
- If an error occurs reading r.Body, returns nil and the error.
- If the request could not be authenticated as a webhook request, returns the contents of r.Body and an error.
- Otherwise, returns the contents of r.Body and nil.
In all cases, closes r.Body.
func ComputeAuthHashBase64
Computes the value for REQUEST_AUTH_HASH_HEADER from the request body. Returns an error if requestSalt has not been initialized. The result is the base64-encoded SHA-512 hash of the request body with requestSalt appended.
func InitRequestSaltForTesting
func InitRequestSaltForTesting()
InitRequestSaltForTesting sets requestSalt to "notverysecret". Should be called once at startup when running in test mode.
To test a webhook endpoint using curl, the following commands should work:

    $ DATA='my post request'
    $ AUTH="$(echo -n "${DATA}notverysecret" | sha512sum | xxd -r -p - | base64 -w 0)"
    $ curl -v -H "X-Webhook-Auth-Hash: $AUTH" -d "$DATA" http://localhost:8000/endpoint
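The scheme documented above, written out as an added example using only the Go standard library (this is not the package's own source). The names computeAuthHash, verifyRequest and signedRequest are hypothetical, padded standard base64 and the constant-time comparison are assumptions, and the salt and body are the test values from the curl commands.

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
)

const authHashHeader = "X-Webhook-Auth-Hash" // header name documented on this page

// computeAuthHash returns base64(SHA-512(body || salt)); padded standard base64 is assumed.
func computeAuthHash(body, salt []byte) string {
	sum := sha512.Sum512(append(append([]byte{}, body...), salt...))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyRequest follows the documented AuthenticateRequest contract: nil on a read error,
// body plus error on a mismatch, body and nil on success. The compare is constant-time.
func verifyRequest(r *http.Request, salt []byte) ([]byte, error) {
	defer r.Body.Close()
	body, err := io.ReadAll(r.Body)
	if err != nil {
		return nil, err
	}
	want := computeAuthHash(body, salt)
	got := r.Header.Get(authHashHeader)
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return body, fmt.Errorf("webhook auth hash mismatch")
	}
	return body, nil
}

// signedRequest builds a constructed sample POST carrying the auth header.
func signedRequest(url string, body, salt []byte) *http.Request {
	r, _ := http.NewRequest("POST", url, bytes.NewReader(body))
	r.Header.Set(authHashHeader, computeAuthHash(body, salt))
	return r
}

func main() {
	salt, body := []byte("notverysecret"), []byte("my post request") // test values from the page
	for i := 1; i <= 2; i++ { // the second delivery is a byte-identical resend
		_, err := verifyRequest(signedRequest("http://localhost:8000/endpoint", body, salt), salt)
		fmt.Println("delivery", i, "accepted:", err == nil)
	}
}
```

Both deliveries are accepted because the hash covers only the body and the salt, which is why the overview requires a private channel or idempotent handlers that return no data.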
func InitRequestSaltFromFile
InitRequestSaltFromFile reads requestSalt from the given file and returns any error encountered. Should be called once at startup.
func InitRequestSaltFromMetadata
InitRequestSaltFromMetadata reads requestSalt from the specified project metadata and returns any error encountered. Should be called once at startup.
func InitRequestSaltFromSecret
InitRequestSaltFromSecret reads requestSalt from the specified GCP secret and returns any error encountered. Should be called once at startup.
func MustInitRequestSaltFromFile
func MustInitRequestSaltFromFile(filename string)
MustInitRequestSaltFromFile reads requestSalt from the given file. Exits the program on error. Should be called once at startup.
func MustInitRequestSaltFromMetadata
func MustInitRequestSaltFromMetadata(metadataKey string)
MustInitRequestSaltFromMetadata reads requestSalt from the specified project metadata. Exits the program on error. Should be called once at startup.
func MustInitRequestSaltFromSecret
func MustInitRequestSaltFromSecret(project, secret string)
MustInitRequestSaltFromSecret reads requestSalt from the specified GCP secret. Exits the program on error. Should be called once at startup.
Types
This section is empty.