Merge pull request #15 from github/v3-auth

Ben Lavender · web-flow · commit 5586435a17ee · 2017-05-17T14:48:18.000-05:00
Use public key authentication as per v3
diff --git a/README.md b/README.md
@@ -5,8 +5,8 @@ Rails helpers for easy, JSON-RPC based chatops.
 A minimal controller example:
 
 ```ruby
-class ChatOpsController < ApplicationController
-  include ::ChatOps::Controller
+class ChatopsController < ApplicationController
+  include ::Chatops::Controller
 
   chatops_namespace :echo
 
@@ -79,7 +79,7 @@ You can return `jsonrpc_success` with a string to return text to chat. If you
 have an input validation or other handle-able error, you can use
 `jsonrpc_failure` to send a helpful error message.
 
-ChatOps are regular old rails controller actions, and you can use niceties like
+Chatops are regular old rails controller actions, and you can use niceties like
 `before_action` and friends. `before_action :echo, :load_user` for the above
 case would call `load_user` before running `echo`.
 
diff --git a/chatops-controller.gemspec b/chatops-controller.gemspec
@@ -1,14 +1,14 @@
 $:.push File.expand_path("../lib", __FILE__)
 
 # Maintain your gem's version:
-require "chatops_controller/version"
+require "chatops/controller/version"
 
 # Describe your gem and declare its dependencies:
 Gem::Specification.new do |s|
-  s.name        = "chatops_controller"
+  s.name        = "chatops-controller"
   s.version     = ChatopsController::VERSION
   s.authors     = ["Ben Lavender"]
-  s.homepage    = "https://github.com/github/chatops_controller"
+  s.homepage    = "https://github.com/github/chatops-controller"
   s.email       = ["bhuga@github.com"]
   s.license     = "unknown - maybe we'll open source this?"
   s.summary     = %q{Rails helpers to create JSON-RPC chatops}
diff --git a/lib/chatops-controller.rb b/lib/chatops-controller.rb
@@ -0,0 +1 @@
+require 'chatops/controller'
diff --git a/lib/chatops.rb b/lib/chatops.rb
@@ -0,0 +1,21 @@
+module Chatops
+  def self.public_key
+    ENV[public_key_env_var_name]
+  end
+
+  def self.public_key_env_var_name
+    "CHATOPS_AUTH_PUBLIC_KEY"
+  end
+
+  def self.alt_public_key
+    ENV["CHATOPS_AUTH_ALT_PUBLIC_KEY"]
+  end
+
+  def self.auth_base_url
+    ENV[auth_base_url_env_var_name]
+  end
+
+  def self.auth_base_url_env_var_name
+    "CHATOPS_AUTH_BASE_URL"
+  end
+end
diff --git a/lib/chatops/controller.rb b/lib/chatops/controller.rb
@@ -1,9 +1,18 @@
-module ChatOps
+require "chatops"
+
+module Chatops
   module Controller
+    class ConfigurationError < StandardError ; end
     extend ActiveSupport::Concern
 
     included do
-      before_action :ensure_chatops_authenticated
+      with_options if: :should_authenticate_chatops? do |controller|
+        controller.before_action :ensure_valid_chatops_url
+        controller.before_action :ensure_valid_chatops_timestamp
+        controller.before_action :ensure_valid_chatops_signature
+        controller.before_action :ensure_valid_chatops_nonce
+        controller.before_action :ensure_chatops_authenticated
+      end
       before_action :ensure_user_given
       before_action :ensure_method_exists
     end
@@ -16,7 +25,7 @@ def list
         help: self.class.chatops_help,
         error_response: self.class.chatops_error_response,
         methods: chatops,
-        version: "2" }
+        version: "3" }
     end
 
     def process(*args)
@@ -90,21 +99,78 @@ def ensure_user_given
     end
 
     def ensure_chatops_authenticated
-      return true unless (chatop_names + [:list]).include?(params[:action].to_sym)
-      authenticated = authenticate_with_http_basic do |u, p|
-        if ENV["CHATOPS_AUTH_TOKEN"].nil?
-          raise StandardError, "Attempting to authenticate chatops with nil token"
-        end
-        if ENV["CHATOPS_ALT_AUTH_TOKEN"].nil?
-          raise StandardError, "Attempting to authenticate chatops with nil alternate token"
-        end
+      body = request.raw_post || ""
+      signature_string = [@chatops_url, @chatops_nonce, @chatops_timestamp, body].join("\n")
+      # We return this just to aid client debugging.
+      response.headers["Chatops-Signature-String"] = signature_string
+      raise ConfigurationError.new("You need to add a client's public key in .pem format via #{Chatops.public_key_env_var_name}") unless Chatops.public_key.present?
+      if signature_valid?(Chatops.public_key, @chatops_signature, signature_string) ||
+          signature_valid?(Chatops.alt_public_key, @chatops_signature, signature_string)
+          return true
+      end
+      return render :status => :forbidden, :plain => "Not authorized"
+    end
 
-        Rack::Utils.secure_compare(ENV["CHATOPS_AUTH_TOKEN"], p) ||
-        Rack::Utils.secure_compare(ENV["CHATOPS_ALT_AUTH_TOKEN"], p)
+    def ensure_valid_chatops_url
+      unless Chatops.auth_base_url.present?
+        raise ConfigurationError.new("You need to set the server's base URL to authenticate chatops RPC via #{Chatops.auth_base_url_env_var_name}")
       end
-      unless authenticated
-        render :status => :forbidden, :plain => "Not authorized"
+      if Chatops.auth_base_url[-1] == "/"
+        raise ConfigurationError.new("Don't include a trailing slash in #{Chatops.auth_base_url_env_var_name}; the rails path will be appended and it must match exactly.")
       end
+      @chatops_url = Chatops.auth_base_url + request.path
+    end
+
+    def ensure_valid_chatops_nonce
+      @chatops_nonce = request.headers["Chatops-Nonce"]
+      return render :status => :forbidden, :plain => "A Chatops-Nonce header is required" unless @chatops_nonce.present?
+    end
+
+    def ensure_valid_chatops_signature
+      signature_header = request.headers["Chatops-Signature"]
+
+      begin
+        # "Chatops-Signature: Signature keyid=foo,signature=abc123" => { "keyid"" => "foo", "signature" => "abc123" }
+        signature_items = signature_header.split(" ", 2)[1].split(",").map { |item| item.split("=", 2) }.to_h
+        @chatops_signature = signature_items["signature"]
+      rescue NoMethodError
+        # The signature header munging, if something's amiss, can produce a `nil` that raises a
+        # no method error. We'll just carry on; the nil signature will raise below
+      end
+
+      unless @chatops_signature.present?
+        return render :status => :forbidden, :plain => "Failed to parse signature header"
+      end
+    end
+
+    def ensure_valid_chatops_timestamp
+      @chatops_timestamp = request.headers["Chatops-Timestamp"]
+      time = Time.iso8601(@chatops_timestamp)
+      if !(time > 1.minute.ago && time < 1.minute.from_now)
+        return render :status => :forbidden, :plain => "Chatops timestamp not within 1 minute of server time: #{@chatops_timestamp} vs #{Time.now.utc.iso8601}"
+      end
+    rescue ArgumentError, TypeError
+        # time parsing or missing can raise these
+      return render :status => :forbidden, :plain => "Invalid Chatops-Timestamp: #{@chatops_timestamp}"
+    end
+
+    def request_is_chatop?
+      (chatop_names + [:list]).include?(params[:action].to_sym)
+    end
+
+    def chatops_test_auth?
+      Rails.env.test? && request.env["CHATOPS_TESTING_AUTH"]
+    end
+
+    def should_authenticate_chatops?
+      request_is_chatop? && !chatops_test_auth?
+    end
+
+    def signature_valid?(key_string, signature, signature_string)
+      digest = OpenSSL::Digest::SHA256.new
+      decoded_signature = Base64.decode64(signature)
+      public_key = OpenSSL::PKey::RSA.new(key_string)
+      public_key.verify(digest, decoded_signature, signature_string)
     end
 
     def ensure_method_exists
diff --git a/lib/chatops/controller/rspec.rb b/lib/chatops/controller/rspec.rb
@@ -1,5 +1,5 @@
 require "chatops/controller/test_case"
 
 RSpec.configure do |config|
-  config.include ChatOps::Controller::TestCaseHelpers
+  config.include Chatops::Controller::TestCaseHelpers
 end
diff --git a/lib/chatops/controller/test_case.rb b/lib/chatops/controller/test_case.rb
@@ -1,5 +1,5 @@
 require "chatops/controller/test_case_helpers"
 
-class ChatOps::Controller::TestCase < ActionController::TestCase
-  include ChatOps::Controller::TestCaseHelpers
+class Chatops::Controller::TestCase < ActionController::TestCase
+  include Chatops::Controller::TestCaseHelpers
 end
diff --git a/lib/chatops/controller/test_case_helpers.rb b/lib/chatops/controller/test_case_helpers.rb
@@ -1,9 +1,9 @@
-module ChatOps::Controller::TestCaseHelpers
+module Chatops::Controller::TestCaseHelpers
 
   class NoMatchingCommandRegex < StandardError ; end
 
-  def chatops_auth!(user = "_", pass = ENV["CHATOPS_AUTH_TOKEN"])
-    request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(user, pass)
+  def chatops_auth!
+    request.env["CHATOPS_TESTING_AUTH"] = true
   end
 
   def chatop(method, params = {})
diff --git a/lib/chatops/controller/version.rb b/lib/chatops/controller/version.rb
@@ -1,3 +1,3 @@
 module ChatopsController
-  VERSION = "2.0.0"
+  VERSION = "3.0.0"
 end
diff --git a/lib/chatops_controller.rb b/lib/chatops_controller.rb
diff --git a/spec/dummy/config/application.rb b/spec/dummy/config/application.rb
@@ -3,7 +3,7 @@
 require 'action_controller/railtie'
 
 Bundler.require(*Rails.groups)
-require "chatops_controller"
+require "chatops/controller"
 
 module Dummy
   class Application < Rails::Application
diff --git a/spec/lib/chatops/controller_spec.rb b/spec/lib/chatops/controller_spec.rb
