add slack incoming request signature validation

yasunariw · yasunariw · commit ce68f5fe583c · 2021-01-04T14:45:02.000+08:00
diff --git a/documentation/secret_docs.md b/documentation/secret_docs.md
@@ -19,6 +19,7 @@ A secrets file stores sensitive information. Unlike the repository configuration
 | `gh_hook_token` | specify to ensure the bot only receives GitHub notifications from pre-approved repositories | Yes | - |
 | `slack_access_token` | slack bot access token to enable message posting to the workspace | Yes | try to use webhooks defined in `slack_hooks` instead |
 | `slack_hooks` | list of channel names and their corresponding webhook endpoint | Yes | try to use token defined in `slack_access_token` instead |
+| `slack_signing_secret` | specify to verify incoming slack requests | Yes | - |
 
 Note that either `slack_access_token` or `slack_hooks` must be defined.
 
diff --git a/lib/common.ml b/lib/common.ml
@@ -35,3 +35,6 @@ let get_local_file path = try Ok (Std.input_file path) with exn -> fmt_error "%s
 let write_to_local_file ~data path =
   try Ok (Devkit.Files.save_as path (fun oc -> Stdio.Out_channel.fprintf oc "%s" data))
   with exn -> fmt_error "%s" (Exn.to_string exn)
+
+let sign_string_sha256 ~key ~basestring =
+  Cstruct.of_string basestring |> Nocrypto.Hash.SHA256.hmac ~key:(Cstruct.of_string key) |> Hex.of_cstruct |> Hex.show
diff --git a/lib/config.atd b/lib/config.atd
@@ -47,4 +47,6 @@ type secrets = {
   ~slack_hooks <ocaml default="[]"> : webhook list;
   (* Slack bot token obtained via OAuth, enabling message posting to the workspace *)
   ?slack_access_token : string nullable;
+ (* Slack uses this secret to sign requests; provide to verify incoming Slack requests *)
+  ?slack_signing_secret : string nullable;
 }
diff --git a/lib/slack.ml b/lib/slack.ml
@@ -358,3 +358,17 @@ let generate_commit_comment_notification api_commit notification channel =
     }
   in
   { channel; text = None; attachments = Some [ attachment ]; blocks = None }
+
+let validate_signature ?(version = "v0") ?signing_key ~headers body =
+  match signing_key with
+  | None -> Ok ()
+  | Some key ->
+  match List.Assoc.find headers "x-slack-signature" ~equal:String.equal with
+  | None -> Error "unable to find header X-Slack-Signature"
+  | Some signature ->
+  match List.Assoc.find headers "x-slack-request-timestamp" ~equal:String.equal with
+  | None -> Error "unable to find header X-Slack-Request-Timestamp"
+  | Some timestamp ->
+    let basestring = Printf.sprintf "%s:%s:%s" version timestamp body in
+    let expected_signature = Printf.sprintf "%s=%s" version (Common.sign_string_sha256 ~key ~basestring) in
+    if String.equal expected_signature signature then Ok () else Error "signatures don't match"

Original file line number	Diff line number	Diff line change
`@@ -47,4 +47,6 @@ type secrets = {`
`47`	`47`	`~slack_hooks <ocaml default="[]"> : webhook list;`
`48`	`48`	`(* Slack bot token obtained via OAuth, enabling message posting to the workspace *)`
`49`	`49`	`?slack_access_token : string nullable;`
	`50`	`+ (* Slack uses this secret to sign requests; provide to verify incoming Slack requests *)`
	`51`	`+ ?slack_signing_secret : string nullable;`
`50`	`52`	`}`