A tiny HTTP proxy that validates Slack payloads.
SlackMac is a tiny HTTP proxy that validates Slack payloads.
I wrote this because Spring Boot has an issue where it is impossible
to get the raw request body parameters in the correct order if a POST
request is sent with Content-Type application/x-www-form-urlencoded.
By offloading this work to a proxy, SlackMac can be dropped in front of any service that needs to validate Slack payloads without the developer ever having to worry about calculating HMACs; it's already done!
See Verifying Requests From Slack for more information about the general process Slack uses to calculate its HMAC signatures.
Usage:
slackmac [flags]
Flags:
  -c, --config string   config file
  -h, --help            help for slackmac
  -v, --verbose         verbose level logging
See config.go for the defaults. Slackmac accepts both json and toml config files.
Slackmac uses the concept of a Store which describes the backend used to retrieve the Slack token. The following backends are currently supported:
- Config: The token is stored in your config file. This is the least secure option but the easiest.
[store]
type = "config"
key = "store.secret"
secret = "THIS IS MY SLACK SIGNING SECRET"
- Propsd: The token is retrieved using Propsd.
[store]
type = "propsd"
key = "slack.secret"
- SecretsManager: The token is retrieved and decrypted from AWS Secrets Manager.
[store]
type = "secretsmanager"
region = "us-east-1"
id = "the secret ID"
- KMS: The token is retrieved and decrypted from AWS KMS.
[store]
type = "kms"
region = "us-east-1"
ciphertext = "The CiphertextBlob value that KMS returns when encrypting"
Stores are easy to build. They must implement the store.Store interface, which declares a Get() string method.
They should then be registered with the StoreFactory by updating the store.init() function.
See the store package for more info.
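The check a store's secret feeds into, as an added example that is not SlackMac's own code: it verifies Slack's v0 signature (HMAC-SHA256 over `v0:<timestamp>:<raw body>`, sent in the `X-Slack-Signature` and `X-Slack-Request-Timestamp` headers) and shows why reordered form parameters fail. The `Store` type is a local copy of the `Get() string` contract described above; `staticStore`, `Sign`, `Verify` and all sample values are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

// Store mirrors the Get() string contract the README describes (local copy, not the project's type).
type Store interface{ Get() string }

// staticStore is a hypothetical backend that returns a fixed secret.
type staticStore string

func (s staticStore) Get() string { return string(s) }

// Sign computes Slack's v0 signature over the raw, unparsed request body.
func Sign(secret, timestamp string, rawBody []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte("v0:" + timestamp + ":"))
	mac.Write(rawBody)
	return "v0=" + hex.EncodeToString(mac.Sum(nil))
}

// Verify checks the timestamp and signature header values against the raw body.
func Verify(s Store, timestamp, signature string, rawBody []byte, now time.Time) bool {
	secret := s.Get()
	ts, err := strconv.ParseInt(timestamp, 10, 64)
	if err != nil || secret == "" { // fail closed on a bad header or an empty secret
		return false
	}
	// Reject stale or future-dated requests (5 minute window) to limit replay.
	if d := now.Sub(time.Unix(ts, 0)); d > 5*time.Minute || d < -5*time.Minute {
		return false
	}
	// Constant-time comparison avoids leaking how many bytes matched.
	return hmac.Equal([]byte(Sign(secret, timestamp, rawBody)), []byte(signature))
}

func main() {
	store := staticStore("constructed-signing-secret") // constructed sample value
	now := time.Unix(1700000000, 0)
	body := []byte("token=x&team_id=T1&text=hello") // constructed sample body
	sig := Sign(store.Get(), "1700000000", body)
	reordered := []byte("team_id=T1&text=hello&token=x") // same parameters, different order
	fmt.Println(Verify(store, "1700000000", sig, body, now))      // true
	fmt.Println(Verify(store, "1700000000", sig, reordered, now)) // false
}
```

The second call fails because the MAC covers the exact bytes Slack sent, so a framework that re-serializes form parameters in a different order can no longer reproduce the signature.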
We use dep to manage dependencies. You can install it via
$ go get -u github.com/golang/dep/cmd/dep
or, on macOS
$ brew install dep
$ brew upgrade dep
Once you clone the repo, make sure to run dep ensure to pull down the project's (minimal) dependencies.
You can build Slackmac with any Golang build tool. We prefer using Gox. It's simple to use:
$ go get github.com/mitchellh/gox
$ gox -output "dist/{{.Dir}}_{{.OS}}_{{.Arch}}"
Number of parallel builds: 7
--> freebsd/amd64: github.com/davepgreene/slackmac
--> linux/arm: github.com/davepgreene/slackmac
--> netbsd/arm: github.com/davepgreene/slackmac
--> darwin/amd64: github.com/davepgreene/slackmac
--> freebsd/386: github.com/davepgreene/slackmac
--> linux/386: github.com/davepgreene/slackmac
--> linux/amd64: github.com/davepgreene/slackmac
--> windows/amd64: github.com/davepgreene/slackmac
--> openbsd/386: github.com/davepgreene/slackmac
--> openbsd/amd64: github.com/davepgreene/slackmac
--> windows/386: github.com/davepgreene/slackmac
--> netbsd/386: github.com/davepgreene/slackmac
--> freebsd/arm: github.com/davepgreene/slackmac
--> netbsd/amd64: github.com/davepgreene/slackmac
--> darwin/386: github.com/davepgreene/slackmac