Capstone/service/controllers/pco_auth_middleware.go

package controllers

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"

	"git.preston-baxter.com/Preston_PLB/capstone/webhook-service/vendors/pco/webhooks"
	"github.com/gin-gonic/gin"
	"github.com/google/jsonapi"
)

const PCO_VALIDATE_HEADER = "X-PCO-Webhooks-Authenticity"

func ValidatePcoWebhook(c *gin.Context) {
	//get remote version from header
	remoteDigestStr := c.GetHeader(PCO_VALIDATE_HEADER)
	if remoteDigestStr == "" {
		log.Warnf("Request was sent with no %s header. Rejecting", PCO_VALIDATE_HEADER)
		c.AbortWithStatus(401)
		return
	}
	pcoSig := make([]byte, len(remoteDigestStr)/2)
	_, err := hex.Decode(pcoSig, []byte(remoteDigestStr))
	if err != nil {
		log.WithError(err).Error("Failed to decode byte digest")
		_ = c.AbortWithError(501, err)
		return
	}

	//clone request body to harmlessly inspect the body
	bodyCopy := bytes.NewBuffer([]byte{})
	_, err = io.Copy(bodyCopy, c.Request.Body)
	if err != nil {
		log.WithError(err).Error("Failed to copy body while validating PCO webhook")
		_ = c.AbortWithError(501, err)
		return
	}
	body := bodyCopy.Bytes()
	c.Request.Body = io.NopCloser(bytes.NewReader(body))

	//Get secret
	key, err := getAuthSecret(c, body)
	if err != nil {
		log.WithError(err).Error("Failed to find auth secret for event. It may not be setup")
		_ = c.AbortWithError(501, err)
		return
	}

	//Get HMAC
	hmacSig := hmac.New(sha256.New, []byte(key))
	hmacSig.Write(body)

	if !hmac.Equal(hmacSig.Sum(nil), pcoSig) {
		log.Warn("")
		c.AbortWithStatus(401)
	}
}

func getAuthSecret(c *gin.Context, body []byte) (string, error) {
	userObjectId := userIdFromContext(c)
	log.Debug(string(body))

	//Pco is weird and sends a data array instead of an object. Yet there is only one event. Fun times
	event, err := jsonapi.UnmarshalManyPayload[webhooks.EventDelivery](bytes.NewBuffer(body))
	if err != nil {
		return "", errors.Join(fmt.Errorf("Failed to unmarshall event delivery from PCO"), err)
	}

	if len(event) == 0 {
		return "", fmt.Errorf("There are no events in the delivery. Something is wrong")
	}

	webhook, err := mongo.FindPcoWebhookSubscriptionForUser(*userObjectId, event[0].Name)
	if err != nil {
		return "", errors.Join(fmt.Errorf("Failed to find pco subscription for user: %s and event: %s", userObjectId.Hex(), event[0].Name), err)
	}

	if webhook == nil {
		return "", fmt.Errorf("Could not find subscription for user: %s and name %s", userObjectId.Hex(), event[0].Name)
	}

	return webhook.Details.AuthenticitySecret, nil
}
B: Big squash B: Trying tailwind things update gitignore B: Updates after moving machines B: Action Skeleton B: Add pco vendor to service directory. And tests B: add extra pco structs B: Catch up commit 2023-11-07 22:34:57 -05:00			`package controllers`

			`import (`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00			`"bytes"`
B: Big squash B: Trying tailwind things update gitignore B: Updates after moving machines B: Action Skeleton B: Add pco vendor to service directory. And tests B: add extra pco structs B: Catch up commit 2023-11-07 22:34:57 -05:00			`"crypto/hmac"`
			`"crypto/sha256"`
			`"encoding/hex"`
B: Several Silly fixes for silly mistakes 2023-11-23 09:05:44 -05:00			`"errors"`
			`"fmt"`
B: Big squash B: Trying tailwind things update gitignore B: Updates after moving machines B: Action Skeleton B: Add pco vendor to service directory. And tests B: add extra pco structs B: Catch up commit 2023-11-07 22:34:57 -05:00			`"io"`

B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00			`"git.preston-baxter.com/Preston_PLB/capstone/webhook-service/vendors/pco/webhooks"`
B: Big squash B: Trying tailwind things update gitignore B: Updates after moving machines B: Action Skeleton B: Add pco vendor to service directory. And tests B: add extra pco structs B: Catch up commit 2023-11-07 22:34:57 -05:00			`"github.com/gin-gonic/gin"`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00			`"github.com/google/jsonapi"`
B: Big squash B: Trying tailwind things update gitignore B: Updates after moving machines B: Action Skeleton B: Add pco vendor to service directory. And tests B: add extra pco structs B: Catch up commit 2023-11-07 22:34:57 -05:00			`)`

			`const PCO_VALIDATE_HEADER = "X-PCO-Webhooks-Authenticity"`

			`func ValidatePcoWebhook(c *gin.Context) {`
			`//get remote version from header`
			`remoteDigestStr := c.GetHeader(PCO_VALIDATE_HEADER)`
			`if remoteDigestStr == "" {`
			`log.Warnf("Request was sent with no %s header. Rejecting", PCO_VALIDATE_HEADER)`
			`c.AbortWithStatus(401)`
			`return`
			`}`
			`pcoSig := make([]byte, len(remoteDigestStr)/2)`
			`_, err := hex.Decode(pcoSig, []byte(remoteDigestStr))`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00			`if err != nil {`
			`log.WithError(err).Error("Failed to decode byte digest")`
			`_ = c.AbortWithError(501, err)`
			`return`
			`}`
B: Big squash B: Trying tailwind things update gitignore B: Updates after moving machines B: Action Skeleton B: Add pco vendor to service directory. And tests B: add extra pco structs B: Catch up commit 2023-11-07 22:34:57 -05:00
B: Several Silly fixes for silly mistakes 2023-11-23 09:05:44 -05:00			`//clone request body to harmlessly inspect the body`
			`bodyCopy := bytes.NewBuffer([]byte{})`
			`_, err = io.Copy(bodyCopy, c.Request.Body)`
B: Big squash B: Trying tailwind things update gitignore B: Updates after moving machines B: Action Skeleton B: Add pco vendor to service directory. And tests B: add extra pco structs B: Catch up commit 2023-11-07 22:34:57 -05:00			`if err != nil {`
B: Several Silly fixes for silly mistakes 2023-11-23 09:05:44 -05:00			`log.WithError(err).Error("Failed to copy body while validating PCO webhook")`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00			`_ = c.AbortWithError(501, err)`
B: Big squash B: Trying tailwind things update gitignore B: Updates after moving machines B: Action Skeleton B: Add pco vendor to service directory. And tests B: add extra pco structs B: Catch up commit 2023-11-07 22:34:57 -05:00			`return`
			`}`
B: Several Silly fixes for silly mistakes 2023-11-23 09:05:44 -05:00			`body := bodyCopy.Bytes()`
			`c.Request.Body = io.NopCloser(bytes.NewReader(body))`
B: Big squash B: Trying tailwind things update gitignore B: Updates after moving machines B: Action Skeleton B: Add pco vendor to service directory. And tests B: add extra pco structs B: Catch up commit 2023-11-07 22:34:57 -05:00
			`//Get secret`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00			`key, err := getAuthSecret(c, body)`
			`if err != nil {`
			`log.WithError(err).Error("Failed to find auth secret for event. It may not be setup")`
			`_ = c.AbortWithError(501, err)`
			`return`
			`}`
B: Big squash B: Trying tailwind things update gitignore B: Updates after moving machines B: Action Skeleton B: Add pco vendor to service directory. And tests B: add extra pco structs B: Catch up commit 2023-11-07 22:34:57 -05:00
			`//Get HMAC`
			`hmacSig := hmac.New(sha256.New, []byte(key))`
			`hmacSig.Write(body)`

			`if !hmac.Equal(hmacSig.Sum(nil), pcoSig) {`
			`log.Warn("")`
			`c.AbortWithStatus(401)`
			`}`
			`}`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00
			`func getAuthSecret(c *gin.Context, body []byte) (string, error) {`
			`userObjectId := userIdFromContext(c)`
B: Several Silly fixes for silly mistakes 2023-11-23 09:05:44 -05:00			`log.Debug(string(body))`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00
B: Several Silly fixes for silly mistakes 2023-11-23 09:05:44 -05:00			`//Pco is weird and sends a data array instead of an object. Yet there is only one event. Fun times`
			`event, err := jsonapi.UnmarshalManyPayload[webhooks.EventDelivery](bytes.NewBuffer(body))`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00			`if err != nil {`
B: Several Silly fixes for silly mistakes 2023-11-23 09:05:44 -05:00			`return "", errors.Join(fmt.Errorf("Failed to unmarshall event delivery from PCO"), err)`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00			`}`

B: Several Silly fixes for silly mistakes 2023-11-23 09:05:44 -05:00			`if len(event) == 0 {`
			`return "", fmt.Errorf("There are no events in the delivery. Something is wrong")`
			`}`

B: Move to webhook_subscription 2023-11-23 10:25:31 -05:00			`webhook, err := mongo.FindPcoWebhookSubscriptionForUser(*userObjectId, event[0].Name)`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00			`if err != nil {`
B: Several Silly fixes for silly mistakes 2023-11-23 09:05:44 -05:00			`return "", errors.Join(fmt.Errorf("Failed to find pco subscription for user: %s and event: %s", userObjectId.Hex(), event[0].Name), err)`
			`}`

			`if webhook == nil {`
			`return "", fmt.Errorf("Could not find subscription for user: %s and name %s", userObjectId.Hex(), event[0].Name)`
B: Dynamically get Auth Secret 2023-11-18 19:17:14 -05:00			`}`

			`return webhook.Details.AuthenticitySecret, nil`
			`}`