-
Notifications
You must be signed in to change notification settings - Fork 229
Expand file tree
/
Copy pathInvalidRequestPatternTest.java
More file actions
136 lines (116 loc) · 6 KB
/
InvalidRequestPatternTest.java
File metadata and controls
136 lines (116 loc) · 6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
package test_locally.servlet_test;
import com.slack.api.app_backend.SlackSignature;
import com.slack.api.bolt.App;
import com.slack.api.bolt.AppConfig;
import com.slack.api.bolt.middleware.builtin.RequestVerification;
import com.slack.api.bolt.servlet.SlackAppServlet;
import lombok.extern.slf4j.Slf4j;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.http.HttpTester;
import org.eclipse.jetty.http.MimeTypes;
import org.eclipse.jetty.servlet.ServletTester;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import javax.servlet.Servlet;
import javax.servlet.annotation.WebServlet;
import java.util.Arrays;
import static org.hamcrest.CoreMatchers.*;
import static org.hamcrest.MatcherAssert.assertThat;
@Slf4j
public class InvalidRequestPatternTest {
private final String secret = "foo-bar-baz";
private final SlackSignature.Generator generator = new SlackSignature.Generator(secret);
private AppConfig appConfig = AppConfig.builder().singleTeamBotToken("xoxb-").signingSecret(secret).build();
private App app;
private Servlet webApp;
private static final String TEXT_PLAIN = MimeTypes.Type.TEXT_PLAIN.getContentTypeField().getValue();
private static final String APPLICATION_JSON = MimeTypes.Type.APPLICATION_JSON.getContentTypeField().getValue();
private static final String CONTENT_TYPE = HttpHeader.CONTENT_TYPE.toString();
@Before
public void setUp() {
// https://docs.slack.dev/authentication/verifying-requests-from-slack
String signingSecret = appConfig.getSigningSecret();
if (signingSecret == null || signingSecret.trim().isEmpty()) {
// This is just a random value to avoid SlackSignature.Generator's initialization error.
// When this App runs through Socket Mode connections, it skips request signature verification.
signingSecret = "---";
}
SlackSignature.Verifier verifier = new SlackSignature.Verifier(new SlackSignature.Generator(signingSecret));
RequestVerification requestVerification = new RequestVerification(verifier);
app = new App(appConfig, Arrays.asList(
requestVerification
));
webApp = new SlackWebApp(app);
app.start();
}
@After
public void tearDown() {
app.stop();
}
@WebServlet(urlPatterns = "/")
public static class SlackWebApp extends SlackAppServlet {
public SlackWebApp(App app) {
super(app);
}
}
@Test
public void valid() throws Exception {
ServletTester tester = TestUtils.getServletTester(webApp);
HttpTester.Request request = TestUtils.prepareRequest();
String requestBody = "{\n" +
" \"token\": \"fixed-value\",\n" +
" \"challenge\": \"challenge-value\",\n" +
" \"type\": \"url_verification\"\n" +
"}";
request.setContent(requestBody);
String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
request.setHeader(SlackSignature.HeaderNames.X_SLACK_REQUEST_TIMESTAMP, timestamp);
request.setHeader(SlackSignature.HeaderNames.X_SLACK_SIGNATURE, generator.generate(timestamp, requestBody));
request.setHeader(CONTENT_TYPE, APPLICATION_JSON);
HttpTester.Response response = HttpTester.parseResponse(tester.getResponses(request.generate()));
assertThat(response.getStatus(), is(equalTo(HttpStatus.OK_200)));
assertThat(response.getContent(), is(equalTo("challenge-value")));
assertThat(response.get(CONTENT_TYPE), is(startsWith(TEXT_PLAIN)));
}
@Test
public void nonsense() throws Exception {
ServletTester tester = TestUtils.getServletTester(webApp);
HttpTester.Request request = TestUtils.prepareRequest();
String requestBody = "{\n" +
" \"token\": \"fixed-value\",\n" +
" \"challenge\": \"challenge-value\",\n" +
" \"type\": \"nonsense\"\n" +
"}";
request.setContent(requestBody);
String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
request.setHeader(SlackSignature.HeaderNames.X_SLACK_REQUEST_TIMESTAMP, timestamp);
request.setHeader(SlackSignature.HeaderNames.X_SLACK_SIGNATURE, generator.generate(timestamp, requestBody));
request.setHeader(CONTENT_TYPE, APPLICATION_JSON);
HttpTester.Response response = HttpTester.parseResponse(tester.getResponses(request.generate()));
assertThat(response.getStatus(), is(equalTo(HttpStatus.BAD_REQUEST_400)));
assertThat(response.getContent(), is(equalTo("Invalid Request")));
assertThat(response.get(CONTENT_TYPE), is(startsWith(TEXT_PLAIN)));
}
@Test
public void invalidSignature() throws Exception {
ServletTester tester = TestUtils.getServletTester(webApp);
HttpTester.Request request = TestUtils.prepareRequest();
String requestBody = "{\n" +
" \"token\": \"fixed-value\",\n" +
" \"challenge\": \"challenge-value\",\n" +
" \"type\": \"url_verification\"\n" +
"}";
request.setContent(requestBody);
String timestamp = String.valueOf(System.currentTimeMillis() / 1000);
request.setHeader(SlackSignature.HeaderNames.X_SLACK_REQUEST_TIMESTAMP, timestamp);
SlackSignature.Generator differentGenerator = new SlackSignature.Generator("a different app's secret");
request.setHeader(SlackSignature.HeaderNames.X_SLACK_SIGNATURE, differentGenerator.generate(timestamp, requestBody));
request.setHeader(CONTENT_TYPE, APPLICATION_JSON);
HttpTester.Response response = HttpTester.parseResponse(tester.getResponses(request.generate()));
assertThat(response.getStatus(), is(equalTo(HttpStatus.UNAUTHORIZED_401)));
assertThat(response.getContent(), is(equalTo("{\"error\":\"invalid request\"}")));
assertThat(response.get(CONTENT_TYPE), is(startsWith(APPLICATION_JSON)));
}
}