Merge pull request #64 from pusher/base64-master-key

Base64 master key

Author: mdpye

CHANGELOG.md

@@ -1,3 +1,9 @@
+next
+====
+
+* Added EncryptionMasterKeyBase64 parameter
+* Deprecated EncryptionMasterKey parameter
+
 4.0.0 / 2019-05-31
 ==================
 * This release modifies the entire repo to respect the go linter. This is a significant API breaking change and will likely require you to correct references to the names that were changed in your code. All future releases will respect the linter. A summary of the changes:

README.md

@@ -138,7 +138,7 @@ By default, this is `"api.pusherapp.com"`.
 
 Setting the `pusher.Client`'s `Cluster` property will make sure requests are sent to the cluster where you created your app.
 
-*NOTE! If `Host` is set then `Cluster` will be ignored.
+*NOTE! If `Host` is set then `Cluster` will be ignored.*
 
 ```go
 pusherClient.Cluster = "eu" // in this case requests will be made to api-eu.pusher.com.
@@ -149,26 +149,37 @@ This library supports end to end encryption of your private channels. This means
 
 1. You should first set up Private channels. This involves [creating an authentication endpoint on your server](https://pusher.com/docs/authenticating_users).
 
-2. Next, Specify your 32 character `EncryptionMasterKey`. This is secret and you should never share this with anyone. Not even Pusher.
+2. Next, generate a 32 byte master encryption key, base64 encode it and store
+   it securely.
 
-```go
-pusherClient := pusher.Client{
-    AppID:              "APP_ID",
-    Key:                "APP_KEY",
-    Secret:             "APP_SECRET",
-    Cluster:            "APP_CLUSTER",
-    EncryptionMasterKey "abcdefghijklmnopqrstuvwxyzabcdef",
-}
-```
-3. Channels where you wish to use end to end encryption should be prefixed with `private-encrypted-`.
+   This is secret and you should never share this with anyone. Not even Pusher.
+
+   To generate a suitable key from a secure random source, you could use:
 
-4. Subscribe to these channels in your client, and you're done! You can verify it is working by checking out the debug console on the https://dashboard.pusher.com/ and seeing the scrambled ciphertext.
+   ```bash
+   openssl rand -base64 32
+   ```
+
+3. Pass the encoded key when constructing your pusher.Client
+
+   ```go
+   pusherClient := pusher.Client{
+       AppID:                    "APP_ID",
+       Key:                      "APP_KEY",
+       Secret:                   "APP_SECRET",
+       Cluster:                  "APP_CLUSTER",
+       EncryptionMasterKeyBase64 "<output from command above>",
+   }
+   ```
+4. Channels where you wish to use end to end encryption should be prefixed with `private-encrypted-`.
+
+5. Subscribe to these channels in your client, and you're done! You can verify it is working by checking out the debug console on the https://dashboard.pusher.com/ and seeing the scrambled ciphertext.
 
 **Important note: This will not encrypt messages on channels that are not prefixed by private-encrypted-.**
 
 ### Google App Engine
 
-As of version 1.0.0, this library is compatible with Google App Engine's urlfetch library. Simply pass in the HTTP client returned by `urlfetch.Client` to your Pusher Channels initialization struct.
+As of version 1.0.0, this library is compatible with Google App Engine's urlfetch library. Pass in the HTTP client returned by `urlfetch.Client` to your Pusher Channels initialization struct.
 
 ```go
 package helloworldapp
@@ -613,8 +624,6 @@ Feel more than free to fork this repo, improve it in any way you'd prefer, and s
 
 ### Running the tests
 
-Simply type:
-
 ```sh
 $ go test
 ```

client.go

@@ -27,7 +27,7 @@ There easiest way to configure the library is by creating a `Pusher` instance:
       Secret: "your_app_secret",
     }
 
-To ensure requests occur over HTTPS, set the `Encrypted` property of a
+To ensure requests occur over HTTPS, set the `Secure` property of a
 `pusher.Client` to `true`.
 
     client.Secure = true // false by default
@@ -44,14 +44,16 @@ to your specified host.
 
 */
 type Client struct {
-	AppID               string
-	Key                 string
-	Secret              string
-	Host                string // host or host:port pair
-	Secure              bool   // true for HTTPS
-	Cluster             string
-	HTTPClient          *http.Client
-	EncryptionMasterKey string //for E2E
+	AppID                        string
+	Key                          string
+	Secret                       string
+	Host                         string // host or host:port pair
+	Secure                       bool   // true for HTTPS
+	Cluster                      string
+	HTTPClient                   *http.Client
+	EncryptionMasterKey          string  // deprecated
+	EncryptionMasterKeyBase64    string  // for E2E
+	validatedEncryptionMasterKey *[]byte // parsed key for use
 }
 
 /*
@@ -168,30 +170,32 @@ func (c *Client) TriggerMultiExclusive(channels []string, eventName string, data
 }
 
 func (c *Client) trigger(channels []string, eventName string, data interface{}, socketID *string) error {
+	if len(channels) > maxTriggerableChannels {
+		return fmt.Errorf("You cannot trigger on more than %d channels at once", maxTriggerableChannels)
+	}
+	if !channelsAreValid(channels) {
+		return errors.New("At least one of your channels' names are invalid")
+	}
+
 	hasEncryptedChannel := false
 	for _, channel := range channels {
 		if isEncryptedChannel(channel) {
 			hasEncryptedChannel = true
 		}
 	}
-	if len(channels) > maxTriggerableChannels {
-		return fmt.Errorf("You cannot trigger on more than %d channels at once", maxTriggerableChannels)
-	}
 	if hasEncryptedChannel && len(channels) > 1 {
 		// For rationale, see limitations of end-to-end encryption in the README
 		return errors.New("You cannot trigger to multiple channels when using encrypted channels")
-
 	}
-	if !channelsAreValid(channels) {
-		return errors.New("At least one of your channels' names are invalid")
-	}
-	if hasEncryptedChannel && !validEncryptionKey(c.EncryptionMasterKey) {
-		return errors.New("Your encryptionMasterKey is not of the correct format")
+	masterKey, keyErr := c.encryptionMasterKey()
+	if hasEncryptedChannel && keyErr != nil {
+		return keyErr
 	}
 	if err := validateSocketID(socketID); err != nil {
 		return err
 	}
-	payload, err := encodeTriggerBody(channels, eventName, data, socketID, c.EncryptionMasterKey)
+
+	payload, err := encodeTriggerBody(channels, eventName, data, socketID, masterKey)
 	if err != nil {
 		return err
 	}
@@ -236,13 +240,12 @@ func (c *Client) TriggerBatch(batch []Event) error {
 			hasEncryptedChannel = true
 		}
 	}
-	if hasEncryptedChannel {
-		// validate EncryptionMasterKey
-		if !validEncryptionKey(c.EncryptionMasterKey) {
-			return errors.New("Your encryptionMasterKey is not of the correct format")
-		}
+	masterKey, keyErr := c.encryptionMasterKey()
+	if hasEncryptedChannel && keyErr != nil {
+		return keyErr
 	}
-	payload, err := encodeTriggerBatchBody(batch, c.EncryptionMasterKey)
+
+	payload, err := encodeTriggerBatchBody(batch, masterKey)
 	if err != nil {
 		return err
 	}
@@ -405,7 +408,6 @@ func (c *Client) AuthenticatePresenceChannel(params []byte, member MemberData) (
 }
 
 func (c *Client) authenticateChannel(params []byte, member *MemberData) (response []byte, err error) {
-
 	channelName, socketID, err := parseAuthRequestParams(params)
 	if err != nil {
 		return
@@ -433,7 +435,11 @@ func (c *Client) authenticateChannel(params []byte, member *MemberData) (respons
 	var _response map[string]string
 
 	if isEncryptedChannel(channelName) {
-		sharedSecret := generateSharedSecret(channelName, c.EncryptionMasterKey)
+		masterKey, err := c.encryptionMasterKey()
+		if err != nil {
+			return nil, err
+		}
+		sharedSecret := generateSharedSecret(channelName, masterKey)
 		sharedSecretB64 := base64.StdEncoding.EncodeToString(sharedSecret[:])
 		_response = createAuthMap(c.Key, c.Secret, stringToSign, sharedSecretB64)
 	} else {
@@ -480,11 +486,57 @@ func (c *Client) Webhook(header http.Header, body []byte) (*Webhook, error) {
 		if token == c.Key && checkSignature(header.Get("X-Pusher-Signature"), c.Secret, body) {
 			unmarshalledWebhooks, err := unmarshalledWebhook(body)
 			if err != nil {
-				return unmarshalledWebhooks, err
+				return nil, err
 			}
-			decryptedWebhooks, err := decryptEvents(*unmarshalledWebhooks, c.EncryptionMasterKey)
-			return decryptedWebhooks, err
+
+			hasEncryptedChannel := false
+			for _, event := range unmarshalledWebhooks.Events {
+				if isEncryptedChannel(event.Channel) {
+					hasEncryptedChannel = true
+				}
+			}
+			masterKey, keyErr := c.encryptionMasterKey()
+			if hasEncryptedChannel && keyErr != nil {
+				return nil, keyErr
+			}
+
+			return decryptEvents(*unmarshalledWebhooks, masterKey)
 		}
 	}
 	return nil, errors.New("Invalid webhook")
 }
+
+func (c *Client) encryptionMasterKey() ([]byte, error) {
+	if c.validatedEncryptionMasterKey != nil {
+		return *(c.validatedEncryptionMasterKey), nil
+	}
+
+	if c.EncryptionMasterKey != "" && c.EncryptionMasterKeyBase64 != "" {
+		return nil, errors.New("Do not specify both EncryptionMasterKey and EncryptionMasterKeyBase64. EncryptionMasterKey is deprecated, specify only EncryptionMasterKeyBase64")
+	}
+
+	if c.EncryptionMasterKey != "" {
+		if len(c.EncryptionMasterKey) != 32 {
+			return nil, errors.New("EncryptionMasterKey must be 32 bytes. It is also deprecated, use EncryptionMasterKeyBase64")
+		}
+
+		keyBytes := []byte(c.EncryptionMasterKey)
+		c.validatedEncryptionMasterKey = &keyBytes
+		return keyBytes, nil
+	}
+
+	if c.EncryptionMasterKeyBase64 != "" {
+		keyBytes, err := base64.StdEncoding.DecodeString(c.EncryptionMasterKeyBase64)
+		if err != nil {
+			return nil, errors.New("EncryptionMasterKeyBase64 must be valid base64")
+		}
+		if len(keyBytes) != 32 {
+			return nil, errors.New("EncryptionMasterKeyBase64 must encode 32 bytes")
+		}
+
+		c.validatedEncryptionMasterKey = &keyBytes
+		return keyBytes, nil
+	}
+
+	return nil, errors.New("No master encryption key supplied")
+}