1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
// SPDX-FileCopyrightText: © 2021 Grégoire Duchêne <gduchene@awhk.org>
// SPDX-License-Identifier: ISC
package twilio
import (
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"go.awhk.org/core"
)
func TestFilter_CheckRequestSignature(s *testing.T) {
t := core.T{T: s}
th := &Filter{[]byte("token"), EmptyResponseHandler}
t.Run("Good Signature (POST)", func(t *core.T) {
t.AssertErrorIs(nil, th.CheckRequestSignature(newRequest(Post)))
})
t.Run("Good Signature (GET)", func(t *core.T) {
t.AssertErrorIs(nil, th.CheckRequestSignature(newRequest(Get)))
})
t.Run("Missing Header", func(t *core.T) {
r := newRequest(Post)
r.Header.Del("X-Twilio-Signature")
t.AssertErrorIs(ErrMissingHeader, th.CheckRequestSignature(r))
})
t.Run("Bad Base64", func(t *core.T) {
r := newRequest(Post)
r.Header.Set("X-Twilio-Signature", "Very suspicious Base64 header.")
t.AssertErrorIs(ErrBase64, th.CheckRequestSignature(r))
})
t.Run("Signature Mismatch", func(t *core.T) {
r := newRequest(Post)
r.Header.Set("X-Twilio-Signature", "dpE7iSS3LEQo72hCT34eBRt3UEI=")
t.AssertErrorIs(ErrSignatureMismatch, th.CheckRequestSignature(r))
})
}
func TestFilter_ServeHTTP(s *testing.T) {
t := core.T{T: s}
th := &Filter{[]byte("token"), EmptyResponseHandler}
t.Run("Good Signature (POST)", func(t *core.T) {
w := httptest.NewRecorder()
th.ServeHTTP(w, newRequest(Post))
t.AssertEqual(http.StatusOK, w.Code)
t.AssertEqual("text/xml", w.Result().Header.Get("Content-Type"))
t.AssertEqual("<Response/>", w.Body.String())
})
t.Run("Good Signature (GET)", func(t *core.T) {
w := httptest.NewRecorder()
th.ServeHTTP(w, newRequest(Get))
t.AssertEqual(http.StatusOK, w.Code)
t.AssertEqual("text/xml", w.Result().Header.Get("Content-Type"))
t.AssertEqual("<Response/>", w.Body.String())
})
t.Run("Missing Header", func(t *core.T) {
w := httptest.NewRecorder()
r := newRequest(Post)
r.Header.Del("X-Twilio-Signature")
th.ServeHTTP(w, r)
t.AssertEqual(http.StatusBadRequest, w.Code)
})
t.Run("Bad Base64", func(t *core.T) {
w := httptest.NewRecorder()
r := newRequest(Post)
r.Header.Set("X-Twilio-Signature", "Very suspicious Base64 header.")
th.ServeHTTP(w, r)
t.AssertEqual(http.StatusBadRequest, w.Code)
})
t.Run("Signature Mismatch", func(t *core.T) {
w := httptest.NewRecorder()
r := newRequest(Post)
r.Header.Set("X-Twilio-Signature", "dpE7iSS3LEQo72hCT34eBRt3UEI=")
th.ServeHTTP(w, r)
t.AssertEqual(http.StatusForbidden, w.Code)
})
}
const (
Get = true
Post = false
)
// X-Twilio-Signature can be manually generated with:
// % echo -n "${SOME_STRING}" | openssl dgst -binary -hmac ${AUTH_TOKEN} -sha1 | base64
func newRequest(get bool) *http.Request {
vals := url.Values{
"To": {"Bob"},
"From": {"Alice"},
"Body": {"A random message."},
}.Encode()
if get {
r := httptest.NewRequest(http.MethodGet, "https://example.test/endpoint?"+vals, nil)
r.Header.Set("X-Twilio-Signature", "Hh0ReTk/+7Ea38qZ3Xt1/NQx4i4=")
return r
}
rd := strings.NewReader(vals)
r := httptest.NewRequest(http.MethodPost, "https://example.test/endpoint", rd)
r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
r.Header.Set("X-Twilio-Signature", "j61PPnnoUAAsfEnLuwUefOfylf4=")
return r
}
|
