Add SignatureVerifier for request verification

seratch · seratch · commit 0143c253f2d9 · 2020-05-14T14:29:41.000+09:00
diff --git a/slack/signature/__init__.py b/slack/signature/__init__.py
@@ -0,0 +1 @@
+from .verifier import SignatureVerifier  # noqa
diff --git a/slack/signature/verifier.py b/slack/signature/verifier.py
@@ -0,0 +1,47 @@
+import hashlib
+import hmac
+from time import time
+from typing import Dict
+
+
+class Clock:
+    def now(self) -> float:
+        return time()
+
+
+class SignatureVerifier:
+    def __init__(self, signing_secret: str, clock: Clock = Clock()):
+        """Slack request signature verifier
+
+        Slack signs its requests using a secret that's unique to your app.
+        With the help of signing secrets, your app can more confidently verify
+        whether requests from us are authentic.
+        https://api.slack.com/authentication/verifying-requests-from-slack
+        """
+        self.signing_secret = signing_secret
+        self.clock = clock
+
+    def is_valid_request(self, body: str, headers: Dict[str, str],) -> bool:
+        """Verifies if the given signature is valid"""
+        normalized_headers = {k.lower(): v for k, v in headers.items()}
+        return self.is_valid(
+            body=body,
+            timestamp=normalized_headers.get("x-slack-request-timestamp", None),
+            signature=normalized_headers.get("x-slack-signature", None),
+        )
+
+    def is_valid(self, body: str, timestamp: str, signature: str,) -> bool:
+        """Verifies if the given signature is valid"""
+        if abs(self.clock.now() - int(timestamp)) > 60 * 5:
+            return False
+
+        calculated_signature = self.generate_signature(timestamp=timestamp, body=body)
+        return hmac.compare_digest(calculated_signature, signature)
+
+    def generate_signature(self, *, timestamp: str, body: str) -> str:
+        """Generates a signature"""
+        format_req = str.encode(f"v0:{timestamp}:{body}")
+        encoded_secret = str.encode(self.signing_secret)
+        request_hash = hmac.new(encoded_secret, format_req, hashlib.sha256).hexdigest()
+        calculated_signature = f"v0={request_hash}"
+        return calculated_signature
diff --git a/slack/web/base_client.py b/slack/web/base_client.py
@@ -6,6 +6,7 @@
 import logging
 import platform
 import sys
+import warnings
 from typing import Optional, Union
 
 # Standard Imports
@@ -317,6 +318,11 @@ def validate_slack_signature(
         Returns:
             True if signatures matches
         """
+        warnings.warn(
+            "As this method is deprecated since slackclient 2.6.0, "
+            "use `from slack.signature import SignatureVerifier` instead",
+            DeprecationWarning,
+        )
         format_req = str.encode(f"v0:{timestamp}:{data}")
         encoded_secret = str.encode(signing_secret)
         request_hash = hmac.new(encoded_secret, format_req, hashlib.sha256).hexdigest()
diff --git a/tests/signature/test_signature_verifier.py b/tests/signature/test_signature_verifier.py
@@ -0,0 +1,36 @@
+import unittest
+
+from slack.signature import SignatureVerifier
+
+
+class MockClock:
+    def now(self) -> float:
+        return 1531420618
+
+
+class TestSignatureVerifier(unittest.TestCase):
+    def setUp(self):
+        pass
+
+    def tearDown(self):
+        pass
+
+    def test_generate_signature(self):
+        # https://api.slack.com/authentication/verifying-requests-from-slack
+        verifier = SignatureVerifier("8f742231b10e8888abcd99yyyzzz85a5")
+        body = "token=xyzz0WbapA4vBCDEFasx0q6G&team_id=T1DC2JH3J&team_domain=testteamnow&channel_id=G8PSS9T3V&channel_name=foobar&user_id=U2CERLKJA&user_name=roadrunner&command=%2Fwebhook-collect&text=&response_url=https%3A%2F%2Fhooks.slack.com%2Fcommands%2FT1DC2JH3J%2F397700885554%2F96rGlfmibIGlgcZRskXaIFfN&trigger_id=398738663015.47445629121.803a0bc887a14d10d2c447fce8b6703c"
+        timestamp = "1531420618"
+        signature = verifier.generate_signature(timestamp=timestamp, body=body)
+        self.assertEqual("v0=a2114d57b48eac39b9ad189dd8316235a7b4a8d21a10bd27519666489c69b503", signature)
+
+    def test_is_valid_request(self):
+        verifier = SignatureVerifier(
+            signing_secret="8f742231b10e8888abcd99yyyzzz85a5",
+            clock=MockClock()
+        )
+        body = "token=xyzz0WbapA4vBCDEFasx0q6G&team_id=T1DC2JH3J&team_domain=testteamnow&channel_id=G8PSS9T3V&channel_name=foobar&user_id=U2CERLKJA&user_name=roadrunner&command=%2Fwebhook-collect&text=&response_url=https%3A%2F%2Fhooks.slack.com%2Fcommands%2FT1DC2JH3J%2F397700885554%2F96rGlfmibIGlgcZRskXaIFfN&trigger_id=398738663015.47445629121.803a0bc887a14d10d2c447fce8b6703c"
+        headers = {
+            "X-Slack-Request-Timestamp": "1531420618",
+            "X-Slack-Signature": "v0=a2114d57b48eac39b9ad189dd8316235a7b4a8d21a10bd27519666489c69b503",
+        }
+        self.assertTrue(verifier.is_valid_request(body, headers))

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+from .verifier import SignatureVerifier # noqa`