/// <summary>
/// Precomputes the signature the tests expect for the shared payload: the hex encoding of
/// HMAC-SHA256 over the UTF-8 bytes of <c>TestContent</c>, keyed with the UTF-8 bytes of
/// <c>TestSecret</c>. The result is stored in <c>_testSignature</c>.
/// </summary>
public DropboxWebHookReceiverTests()
{
    var keyBytes = Encoding.UTF8.GetBytes(TestSecret);

    // Dispose the HMAC instance as soon as the digest is computed.
    using (var hmac = new HMACSHA256(keyBytes))
    {
        var payloadBytes = Encoding.UTF8.GetBytes(TestContent);
        var digest = hmac.ComputeHash(payloadBytes);
        _testSignature = EncodingUtilities.ToHex(digest);
    }
}
/// <summary>
/// Builds a signature header value for <paramref name="content"/>. The signed payload is
/// "<c>TestTimestamp</c>.<paramref name="content"/>", authenticated with HMAC-SHA256 keyed by
/// <c>TestSecret</c>; the header carries the timestamp and the hex-encoded digest.
/// </summary>
/// <param name="content">The request body text to sign.</param>
/// <returns>The header value containing the timestamp entry followed by the signature entry.</returns>
private static string GetSignatureHeader(string content)
{
    var keyBytes = Encoding.UTF8.GetBytes(TestSecret);
    using (var hmac = new HMACSHA256(keyBytes))
    {
        // The timestamp is part of the signed bytes, not just a separate header field.
        var signedBytes = Encoding.UTF8.GetBytes($"{TestTimestamp}.{content}");
        var hexDigest = EncodingUtilities.ToHex(hmac.ComputeHash(signedBytes));

        // The leading/trailing spaces and the ", " separator are kept exactly as written;
        // presumably they exercise whitespace handling in the header parser (confirm against the receiver).
        var timestampEntry = $" {StripeWebHookReceiver.TimestampKey}={TestTimestamp}, ";
        var signatureEntry = $"{StripeWebHookReceiver.SignatureKey}={hexDigest} ";
        return timestampEntry + signatureEntry;
    }
}
/// <summary>
/// Verifies that a POST whose signature header does not match the expected value yields the
/// signature-mismatch error and that the WebHook handler pipeline is never executed.
/// </summary>
public async Task ReceiveAsync_ReturnError_IfPostHasInvalidSignature()
{
    // Arrange
    const string expectedMessage = "The WebHook signature provided by the 'X-Dropbox-Signature' header field does not match the value expected by the 'DropboxWebHookReceiverProxy' receiver. WebHook request is invalid.";
    Initialize(TestSecret);

    // Hex of 12 UTF-8 bytes: valid hex, but shorter than a 32-byte HMAC-SHA256 digest, so this
    // covers a wrong-length signature. NOTE(review): an equal-length, wrong-value signature
    // would be a separate case worth covering.
    var bogusSignature = EncodingUtilities.ToHex(Encoding.UTF8.GetBytes("你好世界"));
    _postRequest.Headers.Add(DropboxWebHookReceiver.SignatureHeaderName, bogusSignature);

    // Act
    var response = await ReceiverMock.Object.ReceiveAsync(TestId, RequestContext, _postRequest);

    // Assert
    var httpError = await response.Content.ReadAsAsync<HttpError>();
    Assert.Equal(expectedMessage, httpError.Message);

    // A request that fails signature validation must never reach the handler.
    ReceiverMock.Protected().Verify<Task<HttpResponseMessage>>(
        "ExecuteWebHookAsync",
        Times.Never(),
        TestId,
        RequestContext,
        _postRequest,
        ItExpr.IsAny<IEnumerable<string>>(),
        ItExpr.IsAny<object>());
}
/// <summary>
/// Verifies that a POST carrying a well-formed but non-matching "sha256=" signature header makes
/// the receiver throw <see cref="HttpResponseException"/> with the signature-mismatch error, and
/// that the WebHook handler pipeline is never executed.
/// </summary>
public async Task ReceiveAsync_Throws_IfPostHasInvalidSignature()
{
    // Arrange
    const string expectedMessage = "The WebHook signature provided by the 'ms-signature' header field does not match the value expected by the 'CustomWebHookReceiverProxy' receiver. WebHook request is invalid.";
    Initialize(TestSecret);

    // Hex of the 7 bytes of "invalid": the header has the expected "sha256=<hex>" shape, but the
    // value is far shorter than a SHA-256-sized digest. NOTE(review): an equal-length,
    // wrong-value signature would be a separate case worth covering.
    var bogusHex = EncodingUtilities.ToHex(Encoding.UTF8.GetBytes("invalid"));
    _postRequest.Headers.Add(CustomWebHookReceiver.SignatureHeaderName, "sha256=" + bogusHex);

    // Act
    var thrown = await Assert.ThrowsAsync<HttpResponseException>(
        () => ReceiverMock.Object.ReceiveAsync(TestId, RequestContext, _postRequest));

    // Assert
    var httpError = await thrown.Response.Content.ReadAsAsync<HttpError>();
    Assert.Equal(expectedMessage, httpError.Message);

    // A request that fails signature validation must never reach the handler.
    ReceiverMock.Protected().Verify<Task<HttpResponseMessage>>(
        "ExecuteWebHookAsync",
        Times.Never(),
        TestId,
        RequestContext,
        _postRequest,
        ItExpr.IsAny<IEnumerable<string>>(),
        ItExpr.IsAny<object>());
}
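/// <summary>
/// Serializes <paramref name="body"/>, sets it as the JSON entity body of <paramref name="request"/>, and adds an
/// HTTP header to the <see cref="HttpRequestMessage"/> carrying the hex-encoded HMAC-SHA256 of that serialized
/// body, keyed with the secret of the WebHook in <paramref name="workItem"/>.
/// </summary>
/// <param name="workItem">The current <see cref="WebHookWorkItem"/>.</param>
/// <param name="request">The request to add the signature to.</param>
/// <param name="body">The body to sign and add to the request.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="workItem"/>, <paramref name="request"/> or <paramref name="body"/> is <c>null</c>.
/// </exception>
/// <exception cref="ArgumentException">The <c>WebHook</c> of <paramref name="workItem"/> is <c>null</c>.</exception>
protected virtual void SignWebHookRequest(WebHookWorkItem workItem, HttpRequestMessage request, JObject body)
{
    if (workItem == null)
    {
        throw new ArgumentNullException(nameof(workItem));
    }

    if (workItem.WebHook == null)
    {
        string msg = string.Format(CultureInfo.CurrentCulture, CustomResources.Sender_BadWorkItem, this.GetType().Name, "WebHook");

        // nameof keeps the parameter name refactor-safe and consistent with the other guards.
        throw new ArgumentException(msg, nameof(workItem));
    }

    if (request == null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    if (body == null)
    {
        throw new ArgumentNullException(nameof(body));
    }

    // NOTE(review): the secret is used as-is. A null Secret fails inside GetBytes, while an empty
    // Secret would key the HMAC with zero bytes; confirm the secret is validated where the WebHook
    // is registered.
    byte[] secret = Encoding.UTF8.GetBytes(workItem.WebHook.Secret);
    using (var hasher = new HMACSHA256(secret))
    {
        // Serialize once and use the same string for both the entity body and the signature,
        // so the signed bytes are exactly the UTF-8 bytes handed to the request content.
        string serializedBody = body.ToString();
        request.Content = new StringContent(serializedBody, Encoding.UTF8, "application/json");

        byte[] data = Encoding.UTF8.GetBytes(serializedBody);
        byte[] sha256 = hasher.ComputeHash(data);

        // The header value is machine-readable, hence the invariant culture.
        string headerValue = string.Format(CultureInfo.InvariantCulture, SignatureHeaderValueTemplate, EncodingUtilities.ToHex(sha256));
        request.Headers.Add(SignatureHeaderName, headerValue);
    }
}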
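/// <summary>
/// Serializes <paramref name="body"/>, sets it as the JSON entity body of <paramref name="request"/>, and adds an
/// HTTP header carrying the hex-encoded HMAC-SHA256 of that serialized body, keyed with the secret of
/// <paramref name="webHook"/>.
/// </summary>
/// <param name="webHook">The WebHook whose secret keys the HMAC.</param>
/// <param name="request">The request that receives the entity body and the signature header.</param>
/// <param name="body">The body to serialize, sign and attach to the request.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="webHook"/>, <paramref name="request"/> or <paramref name="body"/> is <c>null</c>.
/// </exception>
internal static void SignWebHookRequest(WebHook webHook, HttpRequestMessage request, JObject body)
{
    // Fail with a named argument instead of a NullReferenceException part-way through signing.
    if (webHook == null)
    {
        throw new ArgumentNullException(nameof(webHook));
    }

    if (request == null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    if (body == null)
    {
        throw new ArgumentNullException(nameof(body));
    }

    // NOTE(review): the secret is used as-is. A null Secret fails inside GetBytes, while an empty
    // Secret would key the HMAC with zero bytes; confirm the secret is validated where the WebHook
    // is registered.
    byte[] secret = Encoding.UTF8.GetBytes(webHook.Secret);
    using (var hasher = new HMACSHA256(secret))
    {
        // Serialize once and use the same string for both the entity body and the signature,
        // so the signed bytes are exactly the UTF-8 bytes handed to the request content.
        string serializedBody = body.ToString();
        request.Content = new StringContent(serializedBody, Encoding.UTF8, "application/json");

        byte[] data = Encoding.UTF8.GetBytes(serializedBody);
        byte[] sha256 = hasher.ComputeHash(data);

        // The header value is machine-readable, hence the invariant culture.
        string headerValue = string.Format(CultureInfo.InvariantCulture, SignatureHeaderValueTemplate, EncodingUtilities.ToHex(sha256));
        request.Headers.Add(SignatureHeaderName, headerValue);
    }
}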