Add ability to set public key signature

bswinnerton · bswinnerton · commit 6e1cbd8a1ec8 · 2018-04-06T18:32:54.000-04:00
This commit adds support for fetching and assigning a public key-based
signature of the request body.

Higher in the call stack, we instantiate a public key that is capable of
signing a message and inject it into the `Service` base class along with
whether or not the request needs to be signed. If it does need to be
signed, we add the base64 encoded signature to the headers of the
request, similar to HMAC signing.

This, paired with metadata that's injected into the webhook body with
requests that need to be signed, helps ensure that the request is
authentic and not a malicious payload and can help protect against
replay attacks.
diff --git a/lib/service.rb b/lib/service.rb
@@ -484,6 +484,8 @@ def inherited(svc)
 
   attr_reader :remote_calls
 
+  attr_accessor :needs_public_key_signature, :public_key
+
   def initialize(event = :push, data = {}, payload = nil)
     helper_name = "#{event.to_s.classify}Helpers"
     if Service.const_defined?(helper_name)
diff --git a/lib/service/http_helper.rb b/lib/service/http_helper.rb
@@ -17,6 +17,7 @@ def deliver(url_value, options = {})
         body = encode_body(ctype)
 
         set_body_signature(body, secret)
+        set_public_key_signature(body) if needs_public_key_signature
 
         http_post url, body
       end
@@ -77,6 +78,12 @@ def set_body_signature(body, secret)
         'sha1='+OpenSSL::HMAC.hexdigest(HMAC_DIGEST, secret, body)
     end
 
+    def set_public_key_signature(body)
+      public_key_signature  = public_key.sign(message: body).signature
+      encoded_signature     = Base64.strict_encode64(public_key_signature)
+      http.headers['GITHUB-PUBLIC-KEY-SIGNATURE'] = encoded_signature
+    end
+
     def original_body
       raise NotImplementedError
     end
