feat: add sha256 signatures to outgoing http requests (#2874)

2025-11-30 21:32:30 +00:00 · 2024-03-13 08:52:29 +00:00
--- a/spec/lib/postal_spec.rb
+++ b/spec/lib/postal_spec.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe Postal do
+  describe "#signer" do
+    it "returns a signer with the installation's signing key" do
+      expect(Postal.signer).to be_a(Signer)
+      expect(Postal.signer.private_key.to_pem).to eq OpenSSL::PKey::RSA.new(File.read(Postal::Config.postal.signing_key_path)).to_pem
+    end
+  end
+end
--- a/spec/lib/signer_spec.rb
+++ b/spec/lib/signer_spec.rb
@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe Signer do
+  STATIC_PRIVATE_KEY = OpenSSL::PKey::RSA.new(2048) # rubocop:disable Lint/ConstantDefinitionInBlock
+
+  subject(:signer) { described_class.new(STATIC_PRIVATE_KEY) }
+
+  describe "#private_key" do
+    it "returns the private key" do
+      expect(signer.private_key).to eq(STATIC_PRIVATE_KEY)
+    end
+  end
+
+  describe "#public_key" do
+    it "returns the public key" do
+      expect(signer.public_key.to_s).to eq(STATIC_PRIVATE_KEY.public_key.to_s)
+    end
+  end
+
+  describe "#sign" do
+    it "returns a valid signature" do
+      data = "hello world!"
+      signature = signer.sign(data)
+      expect(signature).to be_a(String)
+      verification = STATIC_PRIVATE_KEY.public_key.verify(OpenSSL::Digest.new("SHA256"),
+                                                          signature,
+                                                          data)
+      expect(verification).to be true
+    end
+  end
+
+  describe "#sign64" do
+    it "returns a valid Base64-encoded signature" do
+      data = "hello world!"
+      signature = signer.sign64(data)
+      expect(signature).to be_a(String)
+      verification = STATIC_PRIVATE_KEY.public_key.verify(OpenSSL::Digest.new("SHA256"),
+                                                          Base64.strict_decode64(signature),
+                                                          data)
+      expect(verification).to be true
+    end
+  end
+
+  describe "#jwk" do
+    it "returns a valid JWK" do
+      jwk = signer.jwk
+      expect(jwk).to be_a(JWT::JWK::RSA)
+    end
+  end
+
+  describe "#sha1_sign" do
+    it "returns a valid signature" do
+      data = "hello world!"
+      signature = signer.sha1_sign(data)
+      expect(signature).to be_a(String)
+      verification = STATIC_PRIVATE_KEY.public_key.verify(OpenSSL::Digest.new("SHA1"),
+                                                          signature,
+                                                          data)
+      expect(verification).to be true
+    end
+  end
+
+  describe "#sha1_sign64" do
+    it "returns a valid Base64-encoded signature" do
+      data = "hello world!"
+      signature = signer.sha1_sign64(data)
+      expect(signature).to be_a(String)
+      verification = STATIC_PRIVATE_KEY.public_key.verify(OpenSSL::Digest.new("SHA1"),
+                                                          Base64.strict_decode64(signature),
+                                                          data)
+      expect(verification).to be true
+    end
+  end
+end
--- a/spec/services/webhook_delivery_service_spec.rb
+++ b/spec/services/webhook_delivery_service_spec.rb
@@ -28,7 +28,9 @@ RSpec.describe WebhookDeliveryService do
        }.to_json,
        headers: {
          "Content-Type" => "application/json",
-          "X-Postal-Signature" => /\A[a-z0-9\/+]+=*\z/i
+          "X-Postal-Signature" => /\A[a-z0-9\/+]+=*\z/i,
+          "X-Postal-Signature-256" => /\A[a-z0-9\/+]+=*\z/i,
+          "X-Postal-Signature-KID" => /\A[a-f0-9\/+]{64}\z/i
        }
      })
    end