Merge pull request #2 from renoki-co/feature/validator

[feature] SNS Message Validator

Author: rennokki

README.md

@@ -82,29 +82,6 @@ protected $except = [
 
 If you have registered the route and created a SNS Topic, you should register the URL and click the confirmation button from the AWS Dashboard. In a short while, if you implemented the route well, you'll be seeing that your endpoint is registered.
 
-## Whitelisting Topic ARNs
-
-When receiving the SNS messages to your endpoint, it's good to filter them out. To do it, specify an `$allowedTopicArns` static attribute on your extended controller.
-
-The package will filter out any messages coming from other topic ARNs.
-
-```php
-use RenokiCo\AwsWebhooks\Http\Controllers\SesWebhook;
-
-class MySesController extends SesWebhook
-{
-    /**
-     * List the allowed SNS Topic ARNs
-     * that are allowed to run the business logic.
-     *
-     * @var array
-     */
-    protected static $allowedTopicArns = [
-        'arn:aws:sns:us-west-2:123456789012:MyTopic',
-    ];
-}
-```
-
 ## Simple Email Service (SES)
 
 Simple Email Service integrates with SNS to send notifications regarding mails. For example, you can catch bouncers or click/opens for various addresses.

composer.json

@@ -13,7 +13,7 @@
     ],
     "require": {
         "laravel/framework": "^6.18.28|^7.22.1",
-        "rennokki/laravel-sns-events": "^5.1"
+        "rennokki/laravel-sns-events": "^6.0"
     },
     "autoload": {
         "psr-4": {

src/Http/Controllers/CloudwatchWebhook.php

@@ -7,16 +7,6 @@
 
 class CloudwatchWebhook extends SnsController
 {
-    /**
-     * List the allowed SNS Topic ARNs
-     * that are allowed to run the business logic.
-     *
-     * @var array
-     */
-    protected static $allowedTopicArns = [
-        //
-    ];
-
     /**
      * Handle logic at the controller level on notification.
      *
@@ -26,10 +16,6 @@ class CloudwatchWebhook extends SnsController
      */
     protected function onNotification(array $snsMessage, Request $request): void
     {
-        if (! $this->shouldAllow($snsMessage)) {
-            return;
-        }
-
         $decodedMessage = json_decode($snsMessage['Message'], true);
 
         $state = $decodedMessage['NewStateValue'] ?? null;
@@ -42,20 +28,6 @@ protected function onNotification(array $snsMessage, Request $request): void
         }
     }
 
-    /**
-     * Check if the topic ARN from
-     * the SNS message is whitelisted.
-     *
-     * @param  array  $snsMessage
-     * @return bool
-     */
-    protected function shouldAllow(array $snsMessage): bool
-    {
-        return in_array(
-            $snsMessage['TopicArn'] ?? null, static::$allowedTopicArns
-        );
-    }
-
     /**
      * Handle the event when an alarm transitioned to OK.
      *

src/Http/Controllers/SesWebhook.php

@@ -7,16 +7,6 @@
 
 class SesWebhook extends SnsController
 {
-    /**
-     * List the allowed SNS Topic ARNs
-     * that are allowed to run the business logic.
-     *
-     * @var array
-     */
-    protected static $allowedTopicArns = [
-        //
-    ];
-
     /**
      * Associate each SNS `eventType` value
      * with a callable method from this class.
@@ -44,10 +34,6 @@ class SesWebhook extends SnsController
      */
     protected function onNotification(array $snsMessage, Request $request): void
     {
-        if (! $this->shouldAllow($snsMessage)) {
-            return;
-        }
-
         $decodedMessage = json_decode($snsMessage['Message'], true);
 
         $eventType = $decodedMessage['eventType'] ?? null;
@@ -62,20 +48,6 @@ protected function onNotification(array $snsMessage, Request $request): void
         }
     }
 
-    /**
-     * Check if the topic ARN from
-     * the SNS message is whitelisted.
-     *
-     * @param  array  $snsMessage
-     * @return bool
-     */
-    protected function shouldAllow(array $snsMessage): bool
-    {
-        return in_array(
-            $snsMessage['TopicArn'] ?? null, static::$allowedTopicArns
-        );
-    }
-
     /**
      * Handle the Bounce event.
      *

tests/CloudwatchTest.php

@@ -7,14 +7,14 @@ class CloudwatchTest extends TestCase
     public function test_callable_methods()
     {
         $payloads = [
-            $this->getCloudwatchNotificationPayload('ALARM', 'OK'),
-            $this->getCloudwatchNotificationPayload('OK', 'ALARM'),
-            $this->getCloudwatchNotificationPayload('INSUFFICIENT_DATA', 'OK'),
+            $this->getCloudwatchMessage('ALARM', 'OK'),
+            $this->getCloudwatchMessage('OK', 'ALARM'),
+            $this->getCloudwatchMessage('INSUFFICIENT_DATA', 'OK'),
         ];
 
         foreach ($payloads as $payload) {
-            $this
-                ->json('GET', route('cloudwatch'), $payload)
+            $this->withHeaders($this->getHeadersForMessage($payload))
+                ->json('GET', route('cloudwatch', ['certificate' => static::$certificate]), $payload)
                 ->assertSee('OK');
         }
     }

tests/Concerns/GeneratesSnsMessages.php

@@ -0,0 +1,151 @@
+<?php
+
+namespace RenokiCo\AwsWebhooks\Test\Concerns;
+
+use Aws\Sns\Message;
+use Aws\Sns\MessageValidator;
+
+trait GeneratesSnsMessages
+{
+    /**
+     * Get the private key to sign the request.
+     *
+     * @var string
+     */
+    protected static $privateKey;
+
+    /**
+     * The certificate to sign the request.
+     *
+     * @var string
+     */
+    protected static $certificate;
+
+    /**
+     * An valid certificate URL for test.
+     *
+     * @var string
+     */
+    public static $validCertUrl = 'https://sns.us-west-2.amazonaws.com/bar.pem';
+
+    /**
+     * Initialize the SSL keys and private keys.
+     *
+     * @return void
+     */
+    protected static function initializeSsl(): void
+    {
+        self::$privateKey = openssl_pkey_new();
+
+        $csr = openssl_csr_new([], self::$privateKey);
+
+        $x509 = openssl_csr_sign($csr, null, self::$privateKey, 1);
+
+        openssl_x509_export($x509, self::$certificate);
+
+        openssl_x509_free($x509);
+    }
+
+    /**
+     * Deinitialize the SSL keys.
+     *
+     * @return void
+     */
+    protected static function tearDownSsl(): void
+    {
+        openssl_pkey_free(self::$privateKey);
+    }
+
+    /**
+     * Get the signature for the message.
+     *
+     * @param  string  $stringToSign
+     * @return string
+     */
+    protected function getSignature($stringToSign)
+    {
+        openssl_sign($stringToSign, $signature, self::$privateKey);
+
+        return base64_encode($signature);
+    }
+
+    /**
+     * Get an example subscription payload for testing.
+     *
+     * @param  array  $custom
+     * @return array
+     */
+    protected function getSubscriptionConfirmationPayload(array $custom = []): array
+    {
+        $validator = new MessageValidator;
+
+        $message = array_merge([
+            'Type' => 'SubscriptionConfirmation',
+            'MessageId' => '165545c9-2a5c-472c-8df2-7ff2be2b3b1b',
+            'Token' => '2336412f37...',
+            'TopicArn' => 'arn:aws:sns:us-west-2:123456789012:MyTopic',
+            'Message' => 'You have chosen to subscribe to the topic arn:aws:sns:us-west-2:123456789012:MyTopic.\nTo confirm the subscription, visit the SubscribeURL included in this message.',
+            'SubscribeURL' => 'https://example.com',
+            'Timestamp' => now()->toDateTimeString(),
+            'SignatureVersion' => '1',
+            'Signature' => true,
+            'SigningCertURL' => static::$validCertUrl,
+        ], $custom);
+
+        $message['Signature'] = $this->getSignature(
+            $validator->getStringToSign(new Message($message))
+        );
+
+        return $message;
+    }
+
+    /**
+     * Get an example notification payload for testing.
+     *
+     * @param  array  $payload
+     * @param  array  $custom
+     * @return array
+     */
+    protected function getNotificationPayload(array $payload = [], array $custom = []): array
+    {
+        $validator = new MessageValidator;
+
+        $payload = json_encode($payload);
+
+        $message = array_merge([
+            'Type' => 'Notification',
+            'MessageId' => '22b80b92-fdea-4c2c-8f9d-bdfb0c7bf324',
+            'TopicArn' => 'arn:aws:sns:us-west-2:123456789012:MyTopic',
+            'Subject' => 'My First Message',
+            'Message' => "{$payload}",
+            'Timestamp' => now()->toDateTimeString(),
+            'SignatureVersion' => '1',
+            'Token' => '2336412f37...',
+            'Signature' => true,
+            'SigningCertURL' => static::$validCertUrl,
+            'UnsubscribeURL' => 'https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:MyTopic:c9135db0-26c4-47ec-8998-413945fb5a96',
+        ], $custom);
+
+        $message['Signature'] = $this->getSignature(
+            $validator->getStringToSign(new Message($message))
+        );
+
+        return $message;
+    }
+
+    /**
+     * Get the right headers for a SNS message.
+     *
+     * @param  array  $message
+     * @return array
+     */
+    protected function getHeadersForMessage(array $message): array
+    {
+        return [
+            'X-AMZ-SNS-MESSAGE-TYPE' => $message['Type'],
+            'X-AMZ-SNS-MESSAGE-ID' => $message['MessageId'],
+            'X-AMZ-SNS-TOPIC-ARN' => $message['TopicArn'],
+            'X-AMZ-SNS-SUBSCRIPTION-ARN' => "{$message['TopicArn']}:c9135db0-26c4-47ec-8998-413945fb5a96",
+        ];
+    }
+}

tests/Controllers/CloudwatchController.php

@@ -2,17 +2,22 @@
 
 namespace RenokiCo\AwsWebhooks\Test\Controllers;
 
+use Aws\Sns\MessageValidator;
+use Illuminate\Http\Request;
 use RenokiCo\AwsWebhooks\Http\Controllers\CloudwatchWebhook;
 
 class CloudwatchController extends CloudwatchWebhook
 {
     /**
-     * List the allowed SNS Topic ARNs
-     * that are allowed to run the business logic.
+     * Get the message validator instance.
      *
-     * @var array
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Aws\Sns\MessageValidator
      */
-    protected static $allowedTopicArns = [
-        'arn:aws:sns:us-west-2:123456789012:MyTopic',
-    ];
+    protected function getMessageValidator(Request $request)
+    {
+        return new MessageValidator(function ($url) use ($request) {
+            return $request->certificate ?: $url;
+        });
+    }
 }

tests/Controllers/SesController.php

@@ -2,17 +2,22 @@
 
 namespace RenokiCo\AwsWebhooks\Test\Controllers;
 
+use Aws\Sns\MessageValidator;
+use Illuminate\Http\Request;
 use RenokiCo\AwsWebhooks\Http\Controllers\SesWebhook;
 
 class SesController extends SesWebhook
 {
     /**
-     * List the allowed SNS Topic ARNs
-     * that are allowed to run the business logic.
+     * Get the message validator instance.
      *
-     * @var array
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Aws\Sns\MessageValidator
      */
-    protected static $allowedTopicArns = [
-        'arn:aws:sns:us-west-2:123456789012:MyTopic',
-    ];
+    protected function getMessageValidator(Request $request)
+    {
+        return new MessageValidator(function ($url) use ($request) {
+            return $request->certificate ?: $url;
+        });
+    }
 }

tests/SesTest.php

@@ -9,8 +9,10 @@ class SesTest extends TestCase
     public function test_callable_methods()
     {
         foreach (SesWebhook::$eventTypesWithCalledMethod as $callableEventType => $methodToCall) {
-            $this
-                ->json('GET', route('ses'), $this->getSesMessage($callableEventType))
+            $payload = $this->getSesMessage($callableEventType);
+
+            $this->withHeaders($this->getHeadersForMessage($payload))
+                ->json('GET', route('ses', ['certificate' => static::$certificate]), $payload)
                 ->assertSee('OK');
         }
     }