1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
// SPDX-FileCopyrightText: © 2021 Grégoire Duchêne <gduchene@awhk.org>
// SPDX-License-Identifier: ISC
package twilio
import (
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"github.com/stretchr/testify/assert"
)
func TestFilter_CheckRequestSignature(t *testing.T) {
th := &Filter{[]byte("token"), EmptyResponseHandler}
t.Run("Good Signature (POST)", func(t *testing.T) {
assert.NoError(t, th.CheckRequestSignature(newRequest(Post)))
})
t.Run("Good Signature (GET)", func(t *testing.T) {
assert.NoError(t, th.CheckRequestSignature(newRequest(Get)))
})
t.Run("Missing Header", func(t *testing.T) {
r := newRequest(Post)
r.Header.Del("X-Twilio-Signature")
assert.ErrorIs(t, th.CheckRequestSignature(r), ErrMissingHeader)
})
t.Run("Bad Base64", func(t *testing.T) {
r := newRequest(Post)
r.Header.Set("X-Twilio-Signature", "Very suspicious Base64 header.")
assert.ErrorIs(t, th.CheckRequestSignature(r), ErrBase64)
})
t.Run("Signature Mismatch", func(t *testing.T) {
r := newRequest(Post)
r.Header.Set("X-Twilio-Signature", "dpE7iSS3LEQo72hCT34eBRt3UEI=")
assert.ErrorIs(t, th.CheckRequestSignature(r), ErrSignatureMismatch)
})
}
func TestFilter_ServeHTTP(t *testing.T) {
th := &Filter{[]byte("token"), EmptyResponseHandler}
t.Run("Good Signature (POST)", func(t *testing.T) {
w := httptest.NewRecorder()
th.ServeHTTP(w, newRequest(Post))
assert.Equal(t, http.StatusOK, w.Code)
assert.Equal(t, "text/xml", w.HeaderMap.Get("Content-Type"))
assert.Equal(t, "<Response/>", w.Body.String())
})
t.Run("Good Signature (GET)", func(t *testing.T) {
w := httptest.NewRecorder()
th.ServeHTTP(w, newRequest(Get))
assert.Equal(t, http.StatusOK, w.Code)
assert.Equal(t, "text/xml", w.HeaderMap.Get("Content-Type"))
assert.Equal(t, "<Response/>", w.Body.String())
})
t.Run("Missing Header", func(t *testing.T) {
w := httptest.NewRecorder()
r := newRequest(Post)
r.Header.Del("X-Twilio-Signature")
th.ServeHTTP(w, r)
assert.Equal(t, http.StatusBadRequest, w.Code)
})
t.Run("Bad Base64", func(t *testing.T) {
w := httptest.NewRecorder()
r := newRequest(Post)
r.Header.Set("X-Twilio-Signature", "Very suspicious Base64 header.")
th.ServeHTTP(w, r)
assert.Equal(t, http.StatusBadRequest, w.Code)
})
t.Run("Signature Mismatch", func(t *testing.T) {
w := httptest.NewRecorder()
r := newRequest(Post)
r.Header.Set("X-Twilio-Signature", "dpE7iSS3LEQo72hCT34eBRt3UEI=")
th.ServeHTTP(w, r)
assert.Equal(t, http.StatusBadRequest, w.Code)
})
}
const (
Get = true
Post = false
)
// X-Twilio-Signature can be manually generated with:
// % echo -n "${SOME_STRING}" | openssl dgst -binary -hmac ${AUTH_TOKEN} -sha1 | base64
func newRequest(get bool) *http.Request {
vals := url.Values{
"To": {"Bob"},
"From": {"Alice"},
"Body": {"A random message."},
}.Encode()
if get {
r := httptest.NewRequest(http.MethodGet, "https://example.test/endpoint?"+vals, nil)
r.Header.Set("X-Twilio-Signature", "Hh0ReTk/+7Ea38qZ3Xt1/NQx4i4=")
return r
}
rd := strings.NewReader(vals)
r := httptest.NewRequest(http.MethodPost, "https://example.test/endpoint", rd)
r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
r.Header.Set("X-Twilio-Signature", "j61PPnnoUAAsfEnLuwUefOfylf4=")
return r
}
|
