Multiple Signature Support #355

Merged
merged 4 commits into from
Dec 22, 2019

wyattjoh
Contributor

The current implementation of the payload-hash-sha256 and payload-hash-sha1 match types only considers secrets provided one per header. To support secret rolling (as used by Stripe), I propose supporting the following scheme:

Initially, we have the following:

X-Coral-Signature: sha256=9ebcba58721f138c3f82a5896f350601aa5b162f5e274b47a312118bbc9ba9f0

But when we're rolling secrets, we send requests with a signature from the old secret and the new secret for a time frame allowing administrators to update code or environment variables to the new secret. This gives us a header that looks like this instead:

X-Coral-Signature: sha256=3ad8d2e511faefce65e6576f5ea850431ca2e1f39d8b3b13e3dce6971d35f1eb,sha256=9ebcba58721f138c3f82a5896f350601aa5b162f5e274b47a312118bbc9ba9f0

Which is essentially:

sha256={ new signature },sha256={ old signature }

This is the same process for the sha1 type.
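
The receiving side of the scheme described above, as an added example that is not the code merged in this pull request: it accepts a request when any comma-separated `sha256=` entry matches the HMAC-SHA256 of the body under the receiver's one configured secret. The function names, secrets and payload are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// sign builds one "sha256=<hex>" header entry (hypothetical helper).
func sign(payload []byte, secret string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(payload)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifyRolledSignature (hypothetical name) accepts the request if any
// comma-separated "sha256=" entry is the HMAC-SHA256 of payload under secret.
func verifyRolledSignature(header string, payload []byte, secret string) bool {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(payload)
	expected := mac.Sum(nil)

	valid := false
	for _, entry := range strings.Split(header, ",") {
		entry = strings.TrimSpace(entry)
		if !strings.HasPrefix(entry, "sha256=") {
			continue // entry for another algorithm, or malformed
		}
		got, err := hex.DecodeString(strings.TrimPrefix(entry, "sha256="))
		if err != nil {
			continue // not valid hex
		}
		// hmac.Equal compares in constant time, avoiding a timing oracle.
		if hmac.Equal(got, expected) {
			valid = true
		}
	}
	return valid
}

func main() {
	payload := []byte(`{"event":"comment.created"}`) // constructed sample body
	// Sender is mid-rotation: new signature first, old signature second.
	header := sign(payload, "new-secret") + "," + sign(payload, "old-secret")
	fmt.Println(verifyRolledSignature(header, payload, "old-secret")) // receiver not yet updated
	fmt.Println(verifyRolledSignature(header, payload, "new-secret")) // receiver already updated
	fmt.Println(verifyRolledSignature(header, payload, "wrong"))
}
```

A receiver holding either the old or the new secret keeps validating during the rotation window, while a header with no matching entry is rejected.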

@wyattjoh
Contributor Author

Hi @moorereason! Is there anything else we can do to the proposal to move this ahead?

@moorereason
Collaborator
moorereason commented Dec 17, 2019

Two things:

  • We now have SHA512 support, so you can rebase and update that function as well.
  • Add a note in docs/Hook-Rules.md about this feature.

Once those are done, I'm in favor of merging.

@wyattjoh
Contributor Author

I've updated to latest, added support for sha512, and updated the docs! Let me know if there's anything else I can add!

@moorereason
Collaborator

This looks great. And you added a generic ValidateMAC function, which I was going to do later. Thank you for that!

@moorereason moorereason requested a review from adnanh December 17, 2019 18:15
@moorereason moorereason added this to the 2.7.0 milestone Dec 17, 2019
@moorereason moorereason self-requested a review December 17, 2019 18:16
Collaborator
@moorereason moorereason left a comment

LGTM
