CAST/cast-ghl-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cast-ghl-plugin/internal/ghl/webhook_test.go
Head of Product & Engineering a2826a3da7
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
fix: switch webhook signature verification from ECDSA to RSA-PKCS1v15+SHA-256 
GHL uses RSA + SHA-256 for x-wh-signature, not ECDSA P-256 as documented
in the original task files. Also adds forward-compatible Ed25519 support
for X-GHL-Signature (GHL migration scheduled July 2026): handler checks
X-GHL-Signature first, falls back to x-wh-signature.

- webhook.go: replace ecdsa.VerifyASN1 with rsa.VerifyPKCS1v15; add
  verifyEd25519 + verifyIncomingSignature dispatch; update struct fields
- webhook_test.go: regenerate test keys as RSA-2048, sign with PKCS1v15
- CLAUDE.md: correct crypto stack and key implementation notes
- .env.example: clarify GHL_WEBHOOK_PUBLIC_KEY is a static RSA key from docs

Co-Authored-By: SideKx <sidekx.ai@sds.dev>
2026-04-05 01:15:56 +02:00

212 lines
6.8 KiB
Go
Raw Permalink Blame History

package ghl
import (
"crypto"
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"net/http"
"net/http/httptest"
"strings"
"testing"
castclient "git.sds.dev/CAST/cast-ghl-plugin/internal/cast"
"git.sds.dev/CAST/cast-ghl-plugin/internal/store"
)
func generateTestKeyPair(t *testing.T) (*rsa.PrivateKey, string) {
t.Helper()
privKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("failed to generate RSA key: %v", err)
}
pubBytes, err := x509.MarshalPKIXPublicKey(&privKey.PublicKey)
if err != nil {
t.Fatalf("failed to marshal public key: %v", err)
}
pemBlock := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubBytes})
return privKey, string(pemBlock)
}
func signPayload(t *testing.T, privKey *rsa.PrivateKey, body []byte) string {
t.Helper()
hash := sha256.Sum256(body)
sig, err := rsa.SignPKCS1v15(rand.Reader, privKey, crypto.SHA256, hash[:])
if err != nil {
t.Fatalf("failed to sign payload: %v", err)
}
return base64.StdEncoding.EncodeToString(sig)
}
func newTestHandler(t *testing.T, pubPEM string) *WebhookHandler {
t.Helper()
ms := &inMemStore{}
oauth := NewOAuthHandler("c", "s", "http://x", "p", ms)
handler, err := NewWebhookHandler(pubPEM, castclient.NewClient("http://localhost:1", "k", ""), NewAPIClient(), oauth, ms)
if err != nil {
t.Fatalf("failed to create handler: %v", err)
}
return handler
}
func TestWebhook_ValidSignature_SMS(t *testing.T) {
privKey, pubPEM := generateTestKeyPair(t)
handler := newTestHandler(t, pubPEM)
body := `{"contactId":"c1","locationId":"loc1","messageId":"msg1","type":"SMS","phone":"+639171234567","message":"hello","attachments":[],"userId":"u1"}`
sig := signPayload(t, privKey, []byte(body))
req := httptest.NewRequest(http.MethodPost, "/api/ghl/v1/webhook/messages", strings.NewReader(body))
req.Header.Set("x-wh-signature", sig)
rr := httptest.NewRecorder()
handler.HandleWebhook(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("expected 200, got %d", rr.Code)
}
}
func TestWebhook_InvalidSignature(t *testing.T) {
_, pubPEM := generateTestKeyPair(t)
handler := newTestHandler(t, pubPEM)
body := `{"type":"SMS","phone":"+639171234567","message":"test"}`
req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
req.Header.Set("x-wh-signature", "aW52YWxpZA==")
rr := httptest.NewRecorder()
handler.HandleWebhook(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Errorf("expected 401, got %d", rr.Code)
}
}
func TestWebhook_MissingSignature(t *testing.T) {
_, pubPEM := generateTestKeyPair(t)
handler := newTestHandler(t, pubPEM)
req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(`{"type":"SMS"}`))
rr := httptest.NewRecorder()
handler.HandleWebhook(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Errorf("expected 401, got %d", rr.Code)
}
}
func TestWebhook_NonSMSType(t *testing.T) {
privKey, pubPEM := generateTestKeyPair(t)
handler := newTestHandler(t, pubPEM)
body := `{"type":"Email","phone":"+639171234567","message":"test"}`
sig := signPayload(t, privKey, []byte(body))
req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
req.Header.Set("x-wh-signature", sig)
rr := httptest.NewRecorder()
handler.HandleWebhook(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("expected 200, got %d", rr.Code)
}
}
// TC9: Duplicate webhook delivery — second delivery of same messageId is silently accepted (200).
func TestWebhook_DuplicateMessageID(t *testing.T) {
privKey, pubPEM := generateTestKeyPair(t)
handler := newTestHandler(t, pubPEM)
body := `{"contactId":"c1","locationId":"loc1","messageId":"dup-msg-1","type":"SMS","phone":"+639171234567","message":"hello","attachments":[],"userId":"u1"}`
sig := signPayload(t, privKey, []byte(body))
sendRequest := func() *httptest.ResponseRecorder {
req := httptest.NewRequest(http.MethodPost, "/api/ghl/v1/webhook/messages", strings.NewReader(body))
req.Header.Set("x-wh-signature", sig)
rr := httptest.NewRecorder()
handler.HandleWebhook(rr, req)
return rr
}
rr1 := sendRequest()
if rr1.Code != http.StatusOK {
t.Errorf("first delivery: expected 200, got %d", rr1.Code)
}
rr2 := sendRequest()
if rr2.Code != http.StatusOK {
t.Errorf("duplicate delivery: expected 200 (idempotent), got %d", rr2.Code)
}
}
// TC11: 450-char boundary message — webhook accepts and returns 200.
func TestWebhook_450CharMessage(t *testing.T) {
privKey, pubPEM := generateTestKeyPair(t)
handler := newTestHandler(t, pubPEM)
msg450 := strings.Repeat("x", 450)
payload := `{"contactId":"c1","locationId":"loc1","messageId":"msg-450","type":"SMS","phone":"+639171234567","message":"` + msg450 + `","attachments":[],"userId":"u1"}`
sig := signPayload(t, privKey, []byte(payload))
req := httptest.NewRequest(http.MethodPost, "/api/ghl/v1/webhook/messages", strings.NewReader(payload))
req.Header.Set("x-wh-signature", sig)
rr := httptest.NewRecorder()
handler.HandleWebhook(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("expected 200 for 450-char message, got %d", rr.Code)
}
}
// TC12: Uninstall — valid signature deletes token.
func TestHandleUninstall_ValidSignature(t *testing.T) {
privKey, pubPEM := generateTestKeyPair(t)
ms := &inMemStore{
token: &store.TokenRecord{LocationID: "loc-uninstall"},
}
oauth := NewOAuthHandler("c", "s", "http://x", "p", ms)
handler, err := NewWebhookHandler(pubPEM, castclient.NewClient("http://localhost:1", "k", ""), NewAPIClient(), oauth, ms)
if err != nil {
t.Fatalf("failed to create handler: %v", err)
}
body := `{"locationId":"loc-uninstall","companyId":"comp1"}`
sig := signPayload(t, privKey, []byte(body))
req := httptest.NewRequest(http.MethodPost, "/api/ghl/v1/uninstall", strings.NewReader(body))
req.Header.Set("x-wh-signature", sig)
rr := httptest.NewRecorder()
handler.HandleUninstall(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("expected 200, got %d (body: %s)", rr.Code, rr.Body.String())
}
// Verify token was deleted
if ms.token != nil {
t.Errorf("expected token to be deleted after uninstall, still present")
}
}
// TC12: Uninstall — invalid signature returns 401.
func TestHandleUninstall_InvalidSignature(t *testing.T) {
_, pubPEM := generateTestKeyPair(t)
ms := &inMemStore{}
oauth := NewOAuthHandler("c", "s", "http://x", "p", ms)
handler, err := NewWebhookHandler(pubPEM, castclient.NewClient("http://localhost:1", "k", ""), NewAPIClient(), oauth, ms)
if err != nil {
t.Fatalf("failed to create handler: %v", err)
}
body := `{"locationId":"loc1","companyId":"comp1"}`
req := httptest.NewRequest(http.MethodPost, "/api/ghl/v1/uninstall", strings.NewReader(body))
req.Header.Set("x-wh-signature", "aW52YWxpZA==")
rr := httptest.NewRecorder()
handler.HandleUninstall(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Errorf("expected 401, got %d", rr.Code)
}
}
Reference in New Issue View Git Blame Copy Permalink