refactor: reworked salt mechanics

turbot · Feb 9, 2024 · 73dec50 · 73dec50
1 parent c27e88e
commit 73dec50
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 18 deletions.
diff --git a/internal/cmdconfig/init.go b/internal/cmdconfig/init.go
@@ -1,9 +1,11 @@
 package cmdconfig
 
 import (
+	"github.com/turbot/flowpipe/internal/cache"
 	"maps"
 	"os"
 	"path/filepath"
+	"time"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -105,10 +107,12 @@ func ensureGlobalSalt() error {
 	}
 
 	saltFileFullPath := filepath.Join(saltDir, "salt")
-	_, err = util.CreateFlowpipeSalt(saltFileFullPath, 32)
+	salt, err := util.CreateFlowpipeSalt(saltFileFullPath, 32)
 	if err != nil {
 		return err
 	}
 
+	cache.GetCache().SetWithTTL("salt", salt, 24*7*52*99*time.Hour)
+
 	return nil
 }
diff --git a/internal/service/api/webhook.go b/internal/service/api/webhook.go
@@ -124,8 +124,8 @@ func (api *APIService) runTriggerHook(c *gin.Context) {
 		return
 	}
 
-	salt, ok := cache.GetCache().Get("salt")
-	if !ok {
+	salt, err := util.GetModSaltOrDefault()
+	if err != nil {
 		common.AbortWithError(c, perr.InternalWithMessage("salt not found"))
 		return
 	}
@@ -138,7 +138,7 @@ func (api *APIService) runTriggerHook(c *gin.Context) {
 		return
 	}
 
-	hashString := util.CalculateHash(webhookTriggerName, salt.(string))
+	hashString := util.CalculateHash(webhookTriggerName, salt)
 
 	if hashString != webhookTriggerHash {
 		common.AbortWithError(c, perr.UnauthorizedWithMessage("invalid hash for webhook "+webhookTriggerName))
@@ -336,12 +336,21 @@ func (api *APIService) runIntegrationHook(c *gin.Context) {
 		return
 	}
 
-	// TODO: validate correct hash
-
 	// determine integration type: integration.slack.example -> slack
 	nameParts := strings.Split(webhookUri.Hook, ".")
 	integrationType := nameParts[1]
-	// integrationName := nameParts[2]
+	integrationName := nameParts[2]
+
+	salt, err := util.GetGlobalSalt()
+	if err != nil {
+		common.AbortWithError(c, perr.InternalWithMessage("salt not found"))
+		return
+	}
+	hashString := util.CalculateHash(webhookUri.Hook, salt)
+	if hashString != webhookUri.Hash {
+		common.AbortWithError(c, perr.UnauthorizedWithMessage("invalid hash for integration "+integrationName))
+		return
+	}
 
 	bodyBytes, err := io.ReadAll(c.Request.Body)
 	if err != nil {

diff --git a/internal/service/manager/manager.go b/internal/service/manager/manager.go
@@ -3,6 +3,7 @@ package manager
 import (
 	"context"
 	"fmt"
+	"github.com/turbot/go-kit/files"
 	"log/slog"
 	"os"
 	"os/signal"
@@ -168,15 +169,16 @@ func (m *Manager) initializeModDirectory() error {
 	}
 
 	internalDir := filepaths.ModInternalDir()
-	err = util.EnsureDir(internalDir)
-	if err != nil {
-		return err
-	}
-
-	saltFileFullPath := filepath.Join(internalDir, "salt")
-	salt, err := util.CreateFlowpipeSalt(saltFileFullPath, 32)
-	if err != nil {
-		return err
+	modSaltPath := filepath.Join(internalDir, "salt")
+	if files.DirectoryExists(internalDir) && files.FileExists(modSaltPath) {
+		saltBytes, err := os.ReadFile(modSaltPath)
+		if err != nil {
+			return err
+		}
+		modSalt := string(saltBytes)
+		if modSalt != "" {
+			cache.GetCache().SetWithTTL("mod_salt", modSalt, 24*7*52*99*time.Hour)
+		}
 	}
 
 	err = store.InitializeFlowpipeDB()
@@ -187,8 +189,6 @@ func (m *Manager) initializeModDirectory() error {
 	// Force cleanup if it hasn't run for 1 day
 	store.ForceCleanup()
 
-	cache.GetCache().SetWithTTL("salt", salt, 24*7*52*99*time.Hour)
-
 	return nil
 }
 

diff --git a/internal/util/salt.go b/internal/util/salt.go
@@ -3,8 +3,12 @@ package util
 import (
 	"crypto/rand"
 	"encoding/hex"
+	"fmt"
+	"github.com/turbot/flowpipe/internal/cache"
+	"github.com/turbot/flowpipe/internal/filepaths"
 	"log/slog"
 	"os"
+	"path/filepath"
 )
 
 // Assumes that the dir exists
@@ -42,3 +46,29 @@ func CreateFlowpipeSalt(filename string, length int) (string, error) {
 
 	return saltHex, nil
 }
+
+func GetModSaltOrDefault() (string, error) {
+	c := cache.GetCache()
+	if ms, exists := c.Get("mod_salt"); exists {
+		if modSalt, ok := ms.(string); ok {
+			return modSalt, nil
+		} else {
+			return modSalt, fmt.Errorf("mod specific salt not a string")
+		}
+	}
+
+	return GetGlobalSalt()
+}
+
+func GetGlobalSalt() (string, error) {
+	c := cache.GetCache()
+	if s, exists := c.Get("salt"); exists {
+		if salt, ok := s.(string); ok {
+			return salt, nil
+		} else {
+			return salt, fmt.Errorf("salt not a string")
+		}
+	}
+	globalSaltPath := filepath.Join(filepaths.GlobalInternalDir(), "salt")
+	return CreateFlowpipeSalt(globalSaltPath, 32)
+}