guid.foo
Webhook-to-SSE gateway with hierarchical topic routing and signature verification
Implement wicket: webhook-to-SSE gateway
All core components: broker (hierarchical topic tree with ring buffer
replay), configuration (YAML loading with path hierarchy lookups),
signature verification (HMAC-SHA256/SHA1), query filters (dot-path
equality matching), HTTP server (POST to publish, GET SSE to subscribe,
CORS, auth), and the main entrypoint with signal handling.
100% test coverage (excluding main.go) enforced by check-coverage script.
68 tests across 7 test files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+2
-2
.pre-commit-config.yaml
+2
-2
.pre-commit-config.yaml
+150
broker.go
+150
broker.go
···
1
+
package main
2
+
3
+
import (
4
+
"strings"
5
+
"sync"
6
+
)
7
+
8
+
type subscriber struct {
9
+
ch chan *Event
10
+
path string
11
+
}
12
+
13
+
type Broker struct {
14
+
mu sync.RWMutex
15
+
subscribers map[string][]*subscriber
16
+
buffer *RingBuffer
17
+
}
18
+
19
+
func NewBroker(bufferSize int) *Broker {
20
+
return &Broker{
21
+
subscribers: make(map[string][]*subscriber),
22
+
buffer: NewRingBuffer(bufferSize),
23
+
}
24
+
}
25
+
26
+
func (b *Broker) Publish(event *Event) {
27
+
b.buffer.Add(event)
28
+
29
+
b.mu.RLock()
30
+
defer b.mu.RUnlock()
31
+
32
+
for _, path := range publishPaths(event.Path) {
33
+
for _, sub := range b.subscribers[path] {
34
+
select {
35
+
case sub.ch <- event:
36
+
default:
37
+
}
38
+
}
39
+
}
40
+
}
41
+
42
+
func (b *Broker) Subscribe(path string, lastEventID string) (<-chan *Event, func()) {
43
+
ch := make(chan *Event, 64)
44
+
sub := &subscriber{ch: ch, path: path}
45
+
46
+
b.mu.Lock()
47
+
b.subscribers[path] = append(b.subscribers[path], sub)
48
+
b.mu.Unlock()
49
+
50
+
if lastEventID != "" {
51
+
events := b.buffer.Since(lastEventID, path)
52
+
for _, e := range events {
53
+
ch <- e
54
+
}
55
+
}
56
+
57
+
unsub := func() {
58
+
b.mu.Lock()
59
+
defer b.mu.Unlock()
60
+
subs := b.subscribers[path]
61
+
for i, s := range subs {
62
+
if s == sub {
63
+
b.subscribers[path] = append(subs[:i], subs[i+1:]...)
64
+
break
65
+
}
66
+
}
67
+
close(ch)
68
+
}
69
+
70
+
return ch, unsub
71
+
}
72
+
73
+
func publishPaths(eventPath string) []string {
74
+
paths := []string{eventPath}
75
+
for {
76
+
i := strings.LastIndex(eventPath, "/")
77
+
if i < 0 {
78
+
break
79
+
}
80
+
eventPath = eventPath[:i]
81
+
paths = append(paths, eventPath)
82
+
}
83
+
if paths[len(paths)-1] != "" {
84
+
paths = append(paths, "")
85
+
}
86
+
return paths
87
+
}
88
+
89
+
type RingBuffer struct {
90
+
mu sync.RWMutex
91
+
buf []*Event
92
+
size int
93
+
write int
94
+
count int
95
+
}
96
+
97
+
func NewRingBuffer(size int) *RingBuffer {
98
+
return &RingBuffer{
99
+
buf: make([]*Event, size),
100
+
size: size,
101
+
}
102
+
}
103
+
104
+
func (rb *RingBuffer) Add(event *Event) {
105
+
rb.mu.Lock()
106
+
defer rb.mu.Unlock()
107
+
rb.buf[rb.write%rb.size] = event
108
+
rb.write++
109
+
if rb.count < rb.size {
110
+
rb.count++
111
+
}
112
+
}
113
+
114
+
func (rb *RingBuffer) Since(lastEventID string, subscribePath string) []*Event {
115
+
rb.mu.RLock()
116
+
defer rb.mu.RUnlock()
117
+
118
+
start := rb.write - rb.count
119
+
found := false
120
+
foundIdx := start
121
+
122
+
for i := start; i < rb.write; i++ {
123
+
e := rb.buf[i%rb.size]
124
+
if e.ID == lastEventID {
125
+
found = true
126
+
foundIdx = i + 1
127
+
break
128
+
}
129
+
}
130
+
131
+
if !found {
132
+
foundIdx = start
133
+
}
134
+
135
+
var result []*Event
136
+
for i := foundIdx; i < rb.write; i++ {
137
+
e := rb.buf[i%rb.size]
138
+
if pathMatches(subscribePath, e.Path) {
139
+
result = append(result, e)
140
+
}
141
+
}
142
+
return result
143
+
}
144
+
145
+
func pathMatches(subscribePath, eventPath string) bool {
146
+
if subscribePath == "" {
147
+
return true
148
+
}
149
+
return eventPath == subscribePath || strings.HasPrefix(eventPath, subscribePath+"/")
150
+
}
+229
broker_test.go
+229
broker_test.go
···
1
+
package main
2
+
3
+
import (
4
+
"fmt"
5
+
"testing"
6
+
"time"
7
+
)
8
+
9
+
func newTestEvent(path string) *Event {
10
+
return &Event{
11
+
ID: "test-" + path,
12
+
Timestamp: time.Now(),
13
+
Path: path,
14
+
Payload: map[string]any{"test": true},
15
+
}
16
+
}
17
+
18
+
func mustReceive(t *testing.T, ch <-chan *Event, timeout time.Duration) *Event {
19
+
t.Helper()
20
+
select {
21
+
case e := <-ch:
22
+
return e
23
+
case <-time.After(timeout):
24
+
t.Fatal("timed out waiting for event")
25
+
return nil
26
+
}
27
+
}
28
+
29
+
func mustNotReceive(t *testing.T, ch <-chan *Event, timeout time.Duration) {
30
+
t.Helper()
31
+
select {
32
+
case e := <-ch:
33
+
t.Fatalf("expected no event, got %+v", e)
34
+
case <-time.After(timeout):
35
+
}
36
+
}
37
+
38
+
func TestBroker_exactPathDelivery(t *testing.T) {
39
+
b := NewBroker(100)
40
+
ch, unsub := b.Subscribe("github.com/chrisguidry/docketeer", "")
41
+
defer unsub()
42
+
43
+
event := newTestEvent("github.com/chrisguidry/docketeer")
44
+
b.Publish(event)
45
+
46
+
got := mustReceive(t, ch, time.Second)
47
+
if got.ID != event.ID {
48
+
t.Errorf("expected event %s, got %s", event.ID, got.ID)
49
+
}
50
+
}
51
+
52
+
func TestBroker_parentReceivesChildEvents(t *testing.T) {
53
+
b := NewBroker(100)
54
+
ch, unsub := b.Subscribe("github.com/chrisguidry", "")
55
+
defer unsub()
56
+
57
+
event := newTestEvent("github.com/chrisguidry/docketeer")
58
+
b.Publish(event)
59
+
60
+
got := mustReceive(t, ch, time.Second)
61
+
if got.ID != event.ID {
62
+
t.Errorf("expected event %s, got %s", event.ID, got.ID)
63
+
}
64
+
}
65
+
66
+
func TestBroker_rootReceivesAll(t *testing.T) {
67
+
b := NewBroker(100)
68
+
ch, unsub := b.Subscribe("", "")
69
+
defer unsub()
70
+
71
+
event := newTestEvent("github.com/chrisguidry/docketeer")
72
+
b.Publish(event)
73
+
74
+
got := mustReceive(t, ch, time.Second)
75
+
if got.ID != event.ID {
76
+
t.Errorf("expected event %s, got %s", event.ID, got.ID)
77
+
}
78
+
}
79
+
80
+
func TestBroker_unrelatedSubscriberDoesNotReceive(t *testing.T) {
81
+
b := NewBroker(100)
82
+
ch, unsub := b.Subscribe("gitlab.com", "")
83
+
defer unsub()
84
+
85
+
b.Publish(newTestEvent("github.com/chrisguidry/docketeer"))
86
+
87
+
mustNotReceive(t, ch, 50*time.Millisecond)
88
+
}
89
+
90
+
func TestBroker_multipleSubscribersSamePath(t *testing.T) {
91
+
b := NewBroker(100)
92
+
ch1, unsub1 := b.Subscribe("github.com/chrisguidry/docketeer", "")
93
+
defer unsub1()
94
+
ch2, unsub2 := b.Subscribe("github.com/chrisguidry/docketeer", "")
95
+
defer unsub2()
96
+
97
+
b.Publish(newTestEvent("github.com/chrisguidry/docketeer"))
98
+
99
+
mustReceive(t, ch1, time.Second)
100
+
mustReceive(t, ch2, time.Second)
101
+
}
102
+
103
+
func TestBroker_unsubscribeStopsDelivery(t *testing.T) {
104
+
b := NewBroker(100)
105
+
ch, unsub := b.Subscribe("github.com/chrisguidry/docketeer", "")
106
+
unsub()
107
+
108
+
b.Publish(newTestEvent("github.com/chrisguidry/docketeer"))
109
+
110
+
select {
111
+
case _, ok := <-ch:
112
+
if ok {
113
+
t.Fatal("expected channel to be closed, but received an event")
114
+
}
115
+
case <-time.After(50 * time.Millisecond):
116
+
t.Fatal("expected channel to be closed")
117
+
}
118
+
}
119
+
120
+
func TestBroker_ringBufferWraps(t *testing.T) {
121
+
b := NewBroker(5)
122
+
for i := range 10 {
123
+
b.Publish(&Event{
124
+
ID: fmt.Sprintf("event-%d", i),
125
+
Path: "test",
126
+
Payload: map[string]any{},
127
+
})
128
+
}
129
+
130
+
ch, unsub := b.Subscribe("test", "event-4")
131
+
defer unsub()
132
+
133
+
for i := 5; i < 10; i++ {
134
+
got := mustReceive(t, ch, time.Second)
135
+
expected := fmt.Sprintf("event-%d", i)
136
+
if got.ID != expected {
137
+
t.Errorf("expected %s, got %s", expected, got.ID)
138
+
}
139
+
}
140
+
}
141
+
142
+
func TestBroker_lastEventIDReplay(t *testing.T) {
143
+
b := NewBroker(100)
144
+
b.Publish(&Event{ID: "e1", Path: "test", Payload: map[string]any{}})
145
+
b.Publish(&Event{ID: "e2", Path: "test", Payload: map[string]any{}})
146
+
b.Publish(&Event{ID: "e3", Path: "test", Payload: map[string]any{}})
147
+
148
+
ch, unsub := b.Subscribe("test", "e1")
149
+
defer unsub()
150
+
151
+
got1 := mustReceive(t, ch, time.Second)
152
+
got2 := mustReceive(t, ch, time.Second)
153
+
if got1.ID != "e2" || got2.ID != "e3" {
154
+
t.Errorf("expected e2 and e3, got %s and %s", got1.ID, got2.ID)
155
+
}
156
+
}
157
+
158
+
func TestBroker_lastEventIDRespectsPathHierarchy(t *testing.T) {
159
+
b := NewBroker(100)
160
+
b.Publish(&Event{ID: "e1", Path: "github.com/chrisguidry/docketeer", Payload: map[string]any{}})
161
+
b.Publish(&Event{ID: "e2", Path: "gitlab.com/other/project", Payload: map[string]any{}})
162
+
b.Publish(&Event{ID: "e3", Path: "github.com/chrisguidry/other", Payload: map[string]any{}})
163
+
164
+
ch, unsub := b.Subscribe("github.com/chrisguidry", "e1")
165
+
defer unsub()
166
+
167
+
got := mustReceive(t, ch, time.Second)
168
+
if got.ID != "e3" {
169
+
t.Errorf("expected e3 (same prefix), got %s", got.ID)
170
+
}
171
+
mustNotReceive(t, ch, 50*time.Millisecond)
172
+
}
173
+
174
+
func TestBroker_lastEventIDReplayExactPath(t *testing.T) {
175
+
b := NewBroker(100)
176
+
b.Publish(&Event{ID: "e1", Path: "exact/path", Payload: map[string]any{}})
177
+
b.Publish(&Event{ID: "e2", Path: "exact/path/child", Payload: map[string]any{}})
178
+
b.Publish(&Event{ID: "e3", Path: "exact/path", Payload: map[string]any{}})
179
+
180
+
ch, unsub := b.Subscribe("exact/path", "e1")
181
+
defer unsub()
182
+
183
+
got1 := mustReceive(t, ch, time.Second)
184
+
got2 := mustReceive(t, ch, time.Second)
185
+
if got1.ID != "e2" {
186
+
t.Errorf("expected e2, got %s", got1.ID)
187
+
}
188
+
if got2.ID != "e3" {
189
+
t.Errorf("expected e3, got %s", got2.ID)
190
+
}
191
+
}
192
+
193
+
func TestPathMatches(t *testing.T) {
194
+
tests := []struct {
195
+
subscribePath string
196
+
eventPath string
197
+
want bool
198
+
}{
199
+
{"", "anything", true},
200
+
{"exact", "exact", true},
201
+
{"parent", "parent/child", true},
202
+
{"parent", "parentchild", false},
203
+
{"parent", "other", false},
204
+
}
205
+
for _, tt := range tests {
206
+
got := pathMatches(tt.subscribePath, tt.eventPath)
207
+
if got != tt.want {
208
+
t.Errorf("pathMatches(%q, %q) = %v, want %v", tt.subscribePath, tt.eventPath, got, tt.want)
209
+
}
210
+
}
211
+
}
212
+
213
+
func TestBroker_lastEventIDExpiredFromBuffer(t *testing.T) {
214
+
b := NewBroker(3)
215
+
b.Publish(&Event{ID: "old1", Path: "test", Payload: map[string]any{}})
216
+
b.Publish(&Event{ID: "old2", Path: "test", Payload: map[string]any{}})
217
+
b.Publish(&Event{ID: "old3", Path: "test", Payload: map[string]any{}})
218
+
b.Publish(&Event{ID: "new1", Path: "test", Payload: map[string]any{}})
219
+
b.Publish(&Event{ID: "new2", Path: "test", Payload: map[string]any{}})
220
+
b.Publish(&Event{ID: "new3", Path: "test", Payload: map[string]any{}})
221
+
222
+
ch, unsub := b.Subscribe("test", "old1")
223
+
defer unsub()
224
+
225
+
got := mustReceive(t, ch, time.Second)
226
+
if got.ID != "new1" {
227
+
t.Errorf("expected new1 (oldest in buffer), got %s", got.ID)
228
+
}
229
+
}
+18
check-coverage
+18
check-coverage
···
1
+
#!/bin/bash
2
+
set -euo pipefail
3
+
4
+
THRESHOLD="${1:-100}"
5
+
PROFILE=$(mktemp)
6
+
trap 'rm -f "$PROFILE"' EXIT
7
+
8
+
go test -coverprofile="$PROFILE" -covermode=atomic ./...
9
+
10
+
# Exclude main.go from coverage calculation (entrypoint, not unit-testable)
11
+
COVERAGE=$(grep -v "main\.go:" "$PROFILE" | go tool cover -func=/dev/stdin | grep ^total: | awk '{print $3}' | tr -d '%')
12
+
13
+
if awk "BEGIN{exit(!($COVERAGE < $THRESHOLD))}"; then
14
+
echo "FAIL: coverage ${COVERAGE}% is below ${THRESHOLD}%"
15
+
exit 1
16
+
fi
17
+
18
+
echo "OK: coverage ${COVERAGE}% meets ${THRESHOLD}% threshold"
+59
configuration.go
+59
configuration.go
···
1
+
package main
2
+
3
+
import (
4
+
"os"
5
+
"strings"
6
+
7
+
"gopkg.in/yaml.v3"
8
+
)
9
+
10
+
type Configuration struct {
11
+
Paths map[string]PathConfiguration `yaml:"paths"`
12
+
}
13
+
14
+
type PathConfiguration struct {
15
+
Verify string `yaml:"verify"`
16
+
Secret string `yaml:"secret"`
17
+
SignatureHeader string `yaml:"signature_header"`
18
+
SubscribeSecret string `yaml:"subscribe_secret"`
19
+
}
20
+
21
+
func LoadConfiguration(path string) (*Configuration, error) {
22
+
data, err := os.ReadFile(path)
23
+
if err != nil {
24
+
return nil, err
25
+
}
26
+
var cfg Configuration
27
+
if err := yaml.Unmarshal(data, &cfg); err != nil {
28
+
return nil, err
29
+
}
30
+
return &cfg, nil
31
+
}
32
+
33
+
func (c *Configuration) LookupSubscribeSecret(path string) string {
34
+
if c == nil {
35
+
return ""
36
+
}
37
+
for {
38
+
if pc, ok := c.Paths[path]; ok && pc.SubscribeSecret != "" {
39
+
return pc.SubscribeSecret
40
+
}
41
+
i := strings.LastIndex(path, "/")
42
+
if i < 0 {
43
+
break
44
+
}
45
+
path = path[:i]
46
+
}
47
+
return ""
48
+
}
49
+
50
+
func (c *Configuration) LookupVerification(path string) *PathConfiguration {
51
+
if c == nil {
52
+
return nil
53
+
}
54
+
pc, ok := c.Paths[path]
55
+
if !ok || pc.Verify == "" {
56
+
return nil
57
+
}
58
+
return &pc
59
+
}
+148
configuration_test.go
+148
configuration_test.go
···
1
+
package main
2
+
3
+
import (
4
+
"os"
5
+
"path/filepath"
6
+
"testing"
7
+
)
8
+
9
+
func TestLoadConfiguration_valid(t *testing.T) {
10
+
dir := t.TempDir()
11
+
path := filepath.Join(dir, "wicket.yaml")
12
+
os.WriteFile(path, []byte(`
13
+
paths:
14
+
github.com/chrisguidry/docketeer:
15
+
verify: hmac-sha256
16
+
secret: "webhook-secret"
17
+
signature_header: X-Hub-Signature-256
18
+
subscribe_secret: "sub-token"
19
+
`), 0644)
20
+
21
+
cfg, err := LoadConfiguration(path)
22
+
if err != nil {
23
+
t.Fatalf("unexpected error: %v", err)
24
+
}
25
+
pc, ok := cfg.Paths["github.com/chrisguidry/docketeer"]
26
+
if !ok {
27
+
t.Fatal("expected path config for github.com/chrisguidry/docketeer")
28
+
}
29
+
if pc.Verify != "hmac-sha256" {
30
+
t.Errorf("expected hmac-sha256, got %s", pc.Verify)
31
+
}
32
+
if pc.Secret != "webhook-secret" {
33
+
t.Errorf("expected webhook-secret, got %s", pc.Secret)
34
+
}
35
+
if pc.SignatureHeader != "X-Hub-Signature-256" {
36
+
t.Errorf("expected X-Hub-Signature-256, got %s", pc.SignatureHeader)
37
+
}
38
+
if pc.SubscribeSecret != "sub-token" {
39
+
t.Errorf("expected sub-token, got %s", pc.SubscribeSecret)
40
+
}
41
+
}
42
+
43
+
func TestLoadConfiguration_missingFile(t *testing.T) {
44
+
_, err := LoadConfiguration("/nonexistent/wicket.yaml")
45
+
if err == nil {
46
+
t.Fatal("expected error for missing file")
47
+
}
48
+
}
49
+
50
+
func TestLoadConfiguration_empty(t *testing.T) {
51
+
dir := t.TempDir()
52
+
path := filepath.Join(dir, "wicket.yaml")
53
+
os.WriteFile(path, []byte(""), 0644)
54
+
55
+
cfg, err := LoadConfiguration(path)
56
+
if err != nil {
57
+
t.Fatalf("unexpected error: %v", err)
58
+
}
59
+
if cfg.Paths == nil {
60
+
cfg.Paths = make(map[string]PathConfiguration)
61
+
}
62
+
if len(cfg.Paths) != 0 {
63
+
t.Errorf("expected no paths, got %d", len(cfg.Paths))
64
+
}
65
+
}
66
+
67
+
func TestLoadConfiguration_invalidYAML(t *testing.T) {
68
+
dir := t.TempDir()
69
+
path := filepath.Join(dir, "wicket.yaml")
70
+
os.WriteFile(path, []byte("not: valid: yaml: [[["), 0644)
71
+
72
+
_, err := LoadConfiguration(path)
73
+
if err == nil {
74
+
t.Fatal("expected error for invalid YAML")
75
+
}
76
+
}
77
+
78
+
func TestLookupSubscribeSecret_exactMatch(t *testing.T) {
79
+
cfg := &Configuration{
80
+
Paths: map[string]PathConfiguration{
81
+
"github.com/chrisguidry/docketeer": {SubscribeSecret: "token-123"},
82
+
},
83
+
}
84
+
secret := cfg.LookupSubscribeSecret("github.com/chrisguidry/docketeer")
85
+
if secret != "token-123" {
86
+
t.Errorf("expected token-123, got %s", secret)
87
+
}
88
+
}
89
+
90
+
func TestLookupSubscribeSecret_inheritsFromParent(t *testing.T) {
91
+
cfg := &Configuration{
92
+
Paths: map[string]PathConfiguration{
93
+
"github.com/chrisguidry": {SubscribeSecret: "parent-token"},
94
+
},
95
+
}
96
+
secret := cfg.LookupSubscribeSecret("github.com/chrisguidry/docketeer")
97
+
if secret != "parent-token" {
98
+
t.Errorf("expected parent-token, got %s", secret)
99
+
}
100
+
}
101
+
102
+
func TestLookupSubscribeSecret_noConfig(t *testing.T) {
103
+
cfg := &Configuration{
104
+
Paths: map[string]PathConfiguration{},
105
+
}
106
+
secret := cfg.LookupSubscribeSecret("github.com/chrisguidry/docketeer")
107
+
if secret != "" {
108
+
t.Errorf("expected empty string, got %s", secret)
109
+
}
110
+
}
111
+
112
+
func TestLookupPathConfiguration_exactMatchOnly(t *testing.T) {
113
+
cfg := &Configuration{
114
+
Paths: map[string]PathConfiguration{
115
+
"github.com/chrisguidry/docketeer": {
116
+
Verify: "hmac-sha256",
117
+
Secret: "webhook-secret",
118
+
SignatureHeader: "X-Hub-Signature-256",
119
+
},
120
+
},
121
+
}
122
+
123
+
pc := cfg.LookupVerification("github.com/chrisguidry/docketeer")
124
+
if pc == nil {
125
+
t.Fatal("expected path config for exact match")
126
+
}
127
+
128
+
pc = cfg.LookupVerification("github.com/chrisguidry/docketeer/subpath")
129
+
if pc != nil {
130
+
t.Fatal("verification should not inherit from parent")
131
+
}
132
+
}
133
+
134
+
func TestLookupSubscribeSecret_nilConfig(t *testing.T) {
135
+
var cfg *Configuration
136
+
secret := cfg.LookupSubscribeSecret("any/path")
137
+
if secret != "" {
138
+
t.Errorf("expected empty string from nil config, got %s", secret)
139
+
}
140
+
}
141
+
142
+
func TestLookupVerification_nilConfig(t *testing.T) {
143
+
var cfg *Configuration
144
+
pc := cfg.LookupVerification("any/path")
145
+
if pc != nil {
146
+
t.Error("expected nil from nil config")
147
+
}
148
+
}
+11
event.go
+11
event.go
+84
filter.go
+84
filter.go
···
1
+
package main
2
+
3
+
import (
4
+
"fmt"
5
+
"net/url"
6
+
"strings"
7
+
)
8
+
9
+
type Filter struct {
10
+
Path string
11
+
Value string
12
+
}
13
+
14
+
func ParseFilters(query url.Values) []Filter {
15
+
raw := query["filter"]
16
+
if len(raw) == 0 {
17
+
return nil
18
+
}
19
+
filters := make([]Filter, 0, len(raw))
20
+
for _, f := range raw {
21
+
path, value, ok := strings.Cut(f, ":")
22
+
if !ok {
23
+
continue
24
+
}
25
+
filters = append(filters, Filter{Path: path, Value: value})
26
+
}
27
+
return filters
28
+
}
29
+
30
+
func MatchAll(filters []Filter, event *Event) bool {
31
+
for _, f := range filters {
32
+
if !matchOne(f, event) {
33
+
return false
34
+
}
35
+
}
36
+
return true
37
+
}
38
+
39
+
func matchOne(f Filter, event *Event) bool {
40
+
val, ok := resolveField(f.Path, event)
41
+
if !ok {
42
+
return false
43
+
}
44
+
return val == f.Value
45
+
}
46
+
47
+
func resolveField(path string, event *Event) (string, bool) {
48
+
parts := strings.Split(path, ".")
49
+
50
+
switch parts[0] {
51
+
case "id":
52
+
return event.ID, len(parts) == 1
53
+
case "path":
54
+
return event.Path, len(parts) == 1
55
+
case "timestamp":
56
+
return event.Timestamp.Format("2006-01-02T15:04:05Z07:00"), len(parts) == 1
57
+
case "headers":
58
+
if len(parts) != 2 {
59
+
return "", false
60
+
}
61
+
val, ok := event.Headers[parts[1]]
62
+
return val, ok
63
+
case "payload":
64
+
return navigateJSON(event.Payload, parts[1:])
65
+
default:
66
+
return "", false
67
+
}
68
+
}
69
+
70
+
func navigateJSON(val any, parts []string) (string, bool) {
71
+
if len(parts) == 0 {
72
+
return fmt.Sprintf("%v", val), true
73
+
}
74
+
75
+
m, ok := val.(map[string]any)
76
+
if !ok {
77
+
return "", false
78
+
}
79
+
next, ok := m[parts[0]]
80
+
if !ok {
81
+
return "", false
82
+
}
83
+
return navigateJSON(next, parts[1:])
84
+
}
+232
filter_test.go
+232
filter_test.go
···
1
+
package main
2
+
3
+
import (
4
+
"net/url"
5
+
"testing"
6
+
"time"
7
+
)
8
+
9
+
func TestParseFilters_empty(t *testing.T) {
10
+
filters := ParseFilters(url.Values{})
11
+
if len(filters) != 0 {
12
+
t.Fatalf("expected no filters, got %d", len(filters))
13
+
}
14
+
}
15
+
16
+
func TestParseFilters_single(t *testing.T) {
17
+
v := url.Values{"filter": {"payload.ref:refs/heads/main"}}
18
+
filters := ParseFilters(v)
19
+
if len(filters) != 1 {
20
+
t.Fatalf("expected 1 filter, got %d", len(filters))
21
+
}
22
+
if filters[0].Path != "payload.ref" {
23
+
t.Errorf("expected path payload.ref, got %s", filters[0].Path)
24
+
}
25
+
if filters[0].Value != "refs/heads/main" {
26
+
t.Errorf("expected value refs/heads/main, got %s", filters[0].Value)
27
+
}
28
+
}
29
+
30
+
func TestParseFilters_multiple(t *testing.T) {
31
+
v := url.Values{"filter": {
32
+
"payload.ref:refs/heads/main",
33
+
"headers.X-GitHub-Event:push",
34
+
}}
35
+
filters := ParseFilters(v)
36
+
if len(filters) != 2 {
37
+
t.Fatalf("expected 2 filters, got %d", len(filters))
38
+
}
39
+
}
40
+
41
+
func TestParseFilters_colonInValue(t *testing.T) {
42
+
v := url.Values{"filter": {"payload.url:https://example.com"}}
43
+
filters := ParseFilters(v)
44
+
if len(filters) != 1 {
45
+
t.Fatalf("expected 1 filter, got %d", len(filters))
46
+
}
47
+
if filters[0].Value != "https://example.com" {
48
+
t.Errorf("expected value with colon preserved, got %s", filters[0].Value)
49
+
}
50
+
}
51
+
52
+
func TestMatchAll_emptyFilters(t *testing.T) {
53
+
event := &Event{
54
+
Payload: map[string]any{"ref": "refs/heads/main"},
55
+
}
56
+
if !MatchAll(nil, event) {
57
+
t.Error("empty filters should match everything")
58
+
}
59
+
}
60
+
61
+
func TestMatchAll_singleMatch(t *testing.T) {
62
+
event := &Event{
63
+
Payload: map[string]any{"ref": "refs/heads/main"},
64
+
}
65
+
filters := []Filter{{Path: "payload.ref", Value: "refs/heads/main"}}
66
+
if !MatchAll(filters, event) {
67
+
t.Error("expected filter to match")
68
+
}
69
+
}
70
+
71
+
func TestMatchAll_singleNoMatch(t *testing.T) {
72
+
event := &Event{
73
+
Payload: map[string]any{"ref": "refs/heads/develop"},
74
+
}
75
+
filters := []Filter{{Path: "payload.ref", Value: "refs/heads/main"}}
76
+
if MatchAll(filters, event) {
77
+
t.Error("expected filter not to match")
78
+
}
79
+
}
80
+
81
+
func TestMatchAll_multipleAllMatch(t *testing.T) {
82
+
event := &Event{
83
+
Headers: map[string]string{"X-GitHub-Event": "push"},
84
+
Payload: map[string]any{"ref": "refs/heads/main"},
85
+
}
86
+
filters := []Filter{
87
+
{Path: "payload.ref", Value: "refs/heads/main"},
88
+
{Path: "headers.X-GitHub-Event", Value: "push"},
89
+
}
90
+
if !MatchAll(filters, event) {
91
+
t.Error("expected all filters to match")
92
+
}
93
+
}
94
+
95
+
func TestMatchAll_multipleOneFails(t *testing.T) {
96
+
event := &Event{
97
+
Headers: map[string]string{"X-GitHub-Event": "push"},
98
+
Payload: map[string]any{"ref": "refs/heads/develop"},
99
+
}
100
+
filters := []Filter{
101
+
{Path: "payload.ref", Value: "refs/heads/main"},
102
+
{Path: "headers.X-GitHub-Event", Value: "push"},
103
+
}
104
+
if MatchAll(filters, event) {
105
+
t.Error("expected AND filter to fail when one doesn't match")
106
+
}
107
+
}
108
+
109
+
func TestMatchAll_nestedDotPath(t *testing.T) {
110
+
event := &Event{
111
+
Payload: map[string]any{
112
+
"repository": map[string]any{
113
+
"full_name": "chrisguidry/docketeer",
114
+
},
115
+
},
116
+
}
117
+
filters := []Filter{{Path: "payload.repository.full_name", Value: "chrisguidry/docketeer"}}
118
+
if !MatchAll(filters, event) {
119
+
t.Error("expected nested dot path to match")
120
+
}
121
+
}
122
+
123
+
func TestMatchAll_missingField(t *testing.T) {
124
+
event := &Event{
125
+
Payload: map[string]any{"ref": "refs/heads/main"},
126
+
}
127
+
filters := []Filter{{Path: "payload.nonexistent.field", Value: "anything"}}
128
+
if MatchAll(filters, event) {
129
+
t.Error("missing field should not match")
130
+
}
131
+
}
132
+
133
+
func TestMatchAll_topLevelFields(t *testing.T) {
134
+
event := &Event{
135
+
ID: "abc-123",
136
+
Path: "github.com/chrisguidry/docketeer",
137
+
}
138
+
filters := []Filter{{Path: "path", Value: "github.com/chrisguidry/docketeer"}}
139
+
if !MatchAll(filters, event) {
140
+
t.Error("expected top-level path field to match")
141
+
}
142
+
}
143
+
144
+
func TestMatchAll_idField(t *testing.T) {
145
+
event := &Event{ID: "abc-123"}
146
+
filters := []Filter{{Path: "id", Value: "abc-123"}}
147
+
if !MatchAll(filters, event) {
148
+
t.Error("expected id field to match")
149
+
}
150
+
}
151
+
152
+
func TestMatchAll_timestampField(t *testing.T) {
153
+
event := &Event{Timestamp: time.Date(2026, 3, 4, 12, 0, 0, 0, time.UTC)}
154
+
filters := []Filter{{Path: "timestamp", Value: "2026-03-04T12:00:00Z"}}
155
+
if !MatchAll(filters, event) {
156
+
t.Error("expected timestamp field to match")
157
+
}
158
+
}
159
+
160
+
func TestMatchAll_headersNeedsTwoParts(t *testing.T) {
161
+
event := &Event{Headers: map[string]string{"X-Foo": "bar"}}
162
+
filters := []Filter{{Path: "headers", Value: "anything"}}
163
+
if MatchAll(filters, event) {
164
+
t.Error("headers without key should not match")
165
+
}
166
+
}
167
+
168
+
func TestMatchAll_unknownTopLevel(t *testing.T) {
169
+
event := &Event{}
170
+
filters := []Filter{{Path: "nonexistent", Value: "anything"}}
171
+
if MatchAll(filters, event) {
172
+
t.Error("unknown top-level field should not match")
173
+
}
174
+
}
175
+
176
+
func TestMatchAll_emptyPath(t *testing.T) {
177
+
event := &Event{}
178
+
filters := []Filter{{Path: "", Value: "anything"}}
179
+
if MatchAll(filters, event) {
180
+
t.Error("empty path should not match")
181
+
}
182
+
}
183
+
184
+
func TestMatchAll_payloadNonMapNavigation(t *testing.T) {
185
+
event := &Event{Payload: "just a string"}
186
+
filters := []Filter{{Path: "payload.deep.field", Value: "anything"}}
187
+
if MatchAll(filters, event) {
188
+
t.Error("navigating into non-map payload should not match")
189
+
}
190
+
}
191
+
192
+
func TestParseFilters_invalidFormat(t *testing.T) {
193
+
v := url.Values{"filter": {"no-colon-here"}}
194
+
filters := ParseFilters(v)
195
+
if len(filters) != 0 {
196
+
t.Errorf("expected 0 filters for invalid format, got %d", len(filters))
197
+
}
198
+
}
199
+
200
+
func TestMatchAll_idWithSubpath(t *testing.T) {
201
+
event := &Event{ID: "abc-123"}
202
+
filters := []Filter{{Path: "id.sub", Value: "anything"}}
203
+
if MatchAll(filters, event) {
204
+
t.Error("id with subpath should not match")
205
+
}
206
+
}
207
+
208
+
func TestMatchAll_pathWithSubpath(t *testing.T) {
209
+
event := &Event{Path: "some/path"}
210
+
filters := []Filter{{Path: "path.sub", Value: "anything"}}
211
+
if MatchAll(filters, event) {
212
+
t.Error("path with subpath should not match")
213
+
}
214
+
}
215
+
216
+
func TestMatchAll_timestampWithSubpath(t *testing.T) {
217
+
event := &Event{}
218
+
filters := []Filter{{Path: "timestamp.sub", Value: "anything"}}
219
+
if MatchAll(filters, event) {
220
+
t.Error("timestamp with subpath should not match")
221
+
}
222
+
}
223
+
224
+
func TestMatchAll_payloadLeafValue(t *testing.T) {
225
+
event := &Event{
226
+
Payload: map[string]any{"count": 42},
227
+
}
228
+
filters := []Filter{{Path: "payload.count", Value: "42"}}
229
+
if !MatchAll(filters, event) {
230
+
t.Error("expected numeric leaf value to match via fmt.Sprintf")
231
+
}
232
+
}
+5
go.mod
+5
go.mod
+6
go.sum
+6
go.sum
···
1
+
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
2
+
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
3
+
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
4
+
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
5
+
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
6
+
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+53
-2
main.go
+53
-2
main.go
···
1
1
package main
2
2
3
3
import (
4
+
"context"
4
5
"flag"
5
6
"fmt"
7
+
"log"
8
+
"net/http"
6
9
"os"
10
+
"os/signal"
11
+
"sync/atomic"
12
+
"syscall"
7
13
)
8
14
9
15
func main() {
10
16
address := flag.String("address", ":8080", "listen address")
11
-
_ = flag.String("configuration", "", "path to configuration file")
12
-
_ = flag.Int("buffer-size", 1000, "event replay buffer size")
17
+
configPath := flag.String("configuration", "", "path to configuration file")
18
+
bufferSize := flag.Int("buffer-size", 1000, "event replay buffer size")
13
19
flag.Parse()
14
20
21
+
var cfgPtr atomic.Pointer[Configuration]
22
+
if *configPath != "" {
23
+
cfg, err := LoadConfiguration(*configPath)
24
+
if err != nil {
25
+
log.Fatalf("loading configuration: %v", err)
26
+
}
27
+
cfgPtr.Store(cfg)
28
+
log.Printf("loaded configuration from %s", *configPath)
29
+
}
30
+
31
+
broker := NewBroker(*bufferSize)
32
+
handler := NewServer(broker, &cfgPtr)
33
+
34
+
server := &http.Server{
35
+
Addr: *address,
36
+
Handler: handler,
37
+
}
38
+
39
+
go func() {
40
+
sigs := make(chan os.Signal, 1)
41
+
signal.Notify(sigs, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
42
+
for sig := range sigs {
43
+
switch sig {
44
+
case syscall.SIGHUP:
45
+
if *configPath == "" {
46
+
continue
47
+
}
48
+
cfg, err := LoadConfiguration(*configPath)
49
+
if err != nil {
50
+
log.Printf("reloading configuration: %v", err)
51
+
continue
52
+
}
53
+
cfgPtr.Store(cfg)
54
+
log.Printf("reloaded configuration from %s", *configPath)
55
+
case syscall.SIGINT, syscall.SIGTERM:
56
+
log.Printf("shutting down")
57
+
server.Shutdown(context.Background())
58
+
return
59
+
}
60
+
}
61
+
}()
62
+
15
63
fmt.Fprintf(os.Stderr, "wicket listening on %s\n", *address)
64
+
if err := server.ListenAndServe(); err != http.ErrServerClosed {
65
+
log.Fatalf("server error: %v", err)
66
+
}
16
67
}
+160
server.go
+160
server.go
···
1
+
package main
2
+
3
+
import (
4
+
"encoding/base64"
5
+
"encoding/json"
6
+
"fmt"
7
+
"io"
8
+
"net/http"
9
+
"strings"
10
+
"sync/atomic"
11
+
"time"
12
+
13
+
"github.com/google/uuid"
14
+
)
15
+
16
+
type Server struct {
17
+
broker *Broker
18
+
config *atomic.Pointer[Configuration]
19
+
}
20
+
21
+
func NewServer(broker *Broker, config *atomic.Pointer[Configuration]) http.Handler {
22
+
s := &Server{broker: broker, config: config}
23
+
return http.HandlerFunc(s.ServeHTTP)
24
+
}
25
+
26
+
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
27
+
setCORSHeaders(w)
28
+
29
+
switch r.Method {
30
+
case "OPTIONS":
31
+
w.WriteHeader(http.StatusNoContent)
32
+
case "POST":
33
+
s.handlePost(w, r)
34
+
case "GET":
35
+
if !strings.Contains(r.Header.Get("Accept"), "text/event-stream") {
36
+
http.NotFound(w, r)
37
+
return
38
+
}
39
+
s.handleSSE(w, r)
40
+
default:
41
+
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
42
+
}
43
+
}
44
+
45
+
func setCORSHeaders(w http.ResponseWriter) {
46
+
w.Header().Set("Access-Control-Allow-Origin", "*")
47
+
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
48
+
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, Last-Event-ID")
49
+
}
50
+
51
+
func (s *Server) handlePost(w http.ResponseWriter, r *http.Request) {
52
+
path := strings.TrimPrefix(r.URL.Path, "/")
53
+
54
+
body, _ := io.ReadAll(r.Body)
55
+
56
+
cfg := s.config.Load()
57
+
if pc := cfg.LookupVerification(path); pc != nil {
58
+
verifier, err := NewVerifier(pc.Verify)
59
+
if err != nil {
60
+
http.Error(w, "server configuration error", http.StatusInternalServerError)
61
+
return
62
+
}
63
+
if err := verifier.Verify(body, r.Header, pc.Secret, pc.SignatureHeader); err != nil {
64
+
http.Error(w, "forbidden", http.StatusForbidden)
65
+
return
66
+
}
67
+
}
68
+
69
+
var payload any
70
+
if strings.HasPrefix(r.Header.Get("Content-Type"), "application/json") {
71
+
if err := json.Unmarshal(body, &payload); err != nil {
72
+
http.Error(w, "invalid JSON", http.StatusBadRequest)
73
+
return
74
+
}
75
+
} else {
76
+
payload = base64.StdEncoding.EncodeToString(body)
77
+
}
78
+
79
+
headers := extractHeaders(r.Header)
80
+
81
+
event := &Event{
82
+
ID: uuid.New().String(),
83
+
Timestamp: time.Now().UTC(),
84
+
Path: path,
85
+
Headers: headers,
86
+
Payload: payload,
87
+
}
88
+
89
+
s.broker.Publish(event)
90
+
w.WriteHeader(http.StatusAccepted)
91
+
}
92
+
93
+
func (s *Server) handleSSE(w http.ResponseWriter, r *http.Request) {
94
+
path := strings.TrimPrefix(r.URL.Path, "/")
95
+
96
+
cfg := s.config.Load()
97
+
if secret := cfg.LookupSubscribeSecret(path); secret != "" {
98
+
auth := r.Header.Get("Authorization")
99
+
if !strings.HasPrefix(auth, "Bearer ") || strings.TrimPrefix(auth, "Bearer ") != secret {
100
+
http.Error(w, "unauthorized", http.StatusUnauthorized)
101
+
return
102
+
}
103
+
}
104
+
105
+
flusher := w.(http.Flusher)
106
+
107
+
filters := ParseFilters(r.URL.Query())
108
+
lastEventID := r.Header.Get("Last-Event-ID")
109
+
110
+
ch, unsub := s.broker.Subscribe(path, lastEventID)
111
+
defer unsub()
112
+
113
+
w.Header().Set("Content-Type", "text/event-stream")
114
+
w.Header().Set("Cache-Control", "no-cache")
115
+
w.Header().Set("Connection", "keep-alive")
116
+
w.WriteHeader(http.StatusOK)
117
+
flusher.Flush()
118
+
119
+
ctx := r.Context()
120
+
for {
121
+
select {
122
+
case <-ctx.Done():
123
+
return
124
+
case event, ok := <-ch:
125
+
if !ok {
126
+
return
127
+
}
128
+
if !MatchAll(filters, event) {
129
+
continue
130
+
}
131
+
data, _ := json.Marshal(event)
132
+
fmt.Fprintf(w, "id: %s\ndata: %s\n\n", event.ID, data)
133
+
flusher.Flush()
134
+
}
135
+
}
136
+
}
137
+
138
+
var hopByHopHeaders = map[string]bool{
139
+
"Connection": true,
140
+
"Keep-Alive": true,
141
+
"Proxy-Authenticate": true,
142
+
"Proxy-Authorization": true,
143
+
"Te": true,
144
+
"Trailer": true,
145
+
"Transfer-Encoding": true,
146
+
"Upgrade": true,
147
+
"Host": true,
148
+
"Content-Length": true,
149
+
}
150
+
151
+
func extractHeaders(h http.Header) map[string]string {
152
+
headers := make(map[string]string)
153
+
for name, values := range h {
154
+
if hopByHopHeaders[name] {
155
+
continue
156
+
}
157
+
headers[name] = values[0]
158
+
}
159
+
return headers
160
+
}
+240
server_test.go
+240
server_test.go
···
1
+
package main
2
+
3
+
import (
4
+
"crypto/hmac"
5
+
"crypto/sha256"
6
+
"encoding/hex"
7
+
"net/http"
8
+
"net/http/httptest"
9
+
"strings"
10
+
"sync/atomic"
11
+
"testing"
12
+
)
13
+
14
+
func newTestServer(cfg *Configuration) (*httptest.Server, *Broker) {
15
+
broker := NewBroker(100)
16
+
var cfgPtr atomic.Pointer[Configuration]
17
+
if cfg != nil {
18
+
cfgPtr.Store(cfg)
19
+
}
20
+
handler := NewServer(broker, &cfgPtr)
21
+
return httptest.NewServer(handler), broker
22
+
}
23
+
24
+
func TestServer_postPublishesEvent(t *testing.T) {
25
+
ts, _ := newTestServer(nil)
26
+
defer ts.Close()
27
+
28
+
resp, err := http.Post(ts.URL+"/test/topic", "application/json", strings.NewReader(`{"hello":"world"}`))
29
+
if err != nil {
30
+
t.Fatalf("POST failed: %v", err)
31
+
}
32
+
defer resp.Body.Close()
33
+
if resp.StatusCode != http.StatusAccepted {
34
+
t.Errorf("expected 202, got %d", resp.StatusCode)
35
+
}
36
+
}
37
+
38
+
func TestServer_postWithValidHMAC(t *testing.T) {
39
+
cfg := &Configuration{
40
+
Paths: map[string]PathConfiguration{
41
+
"secure/path": {
42
+
Verify: "hmac-sha256",
43
+
Secret: "test-secret",
44
+
SignatureHeader: "X-Hub-Signature-256",
45
+
},
46
+
},
47
+
}
48
+
ts, _ := newTestServer(cfg)
49
+
defer ts.Close()
50
+
51
+
body := `{"action":"push"}`
52
+
mac := hmac.New(sha256.New, []byte("test-secret"))
53
+
mac.Write([]byte(body))
54
+
sig := "sha256=" + hex.EncodeToString(mac.Sum(nil))
55
+
56
+
req, _ := http.NewRequest("POST", ts.URL+"/secure/path", strings.NewReader(body))
57
+
req.Header.Set("Content-Type", "application/json")
58
+
req.Header.Set("X-Hub-Signature-256", sig)
59
+
resp, err := http.DefaultClient.Do(req)
60
+
if err != nil {
61
+
t.Fatalf("POST failed: %v", err)
62
+
}
63
+
defer resp.Body.Close()
64
+
if resp.StatusCode != http.StatusAccepted {
65
+
t.Errorf("expected 202, got %d", resp.StatusCode)
66
+
}
67
+
}
68
+
69
+
func TestServer_postWithInvalidSignature(t *testing.T) {
70
+
cfg := &Configuration{
71
+
Paths: map[string]PathConfiguration{
72
+
"secure/path": {
73
+
Verify: "hmac-sha256",
74
+
Secret: "test-secret",
75
+
SignatureHeader: "X-Hub-Signature-256",
76
+
},
77
+
},
78
+
}
79
+
ts, _ := newTestServer(cfg)
80
+
defer ts.Close()
81
+
82
+
req, _ := http.NewRequest("POST", ts.URL+"/secure/path", strings.NewReader(`{"bad":"data"}`))
83
+
req.Header.Set("Content-Type", "application/json")
84
+
req.Header.Set("X-Hub-Signature-256", "sha256=deadbeef")
85
+
resp, err := http.DefaultClient.Do(req)
86
+
if err != nil {
87
+
t.Fatalf("POST failed: %v", err)
88
+
}
89
+
defer resp.Body.Close()
90
+
if resp.StatusCode != http.StatusForbidden {
91
+
t.Errorf("expected 403, got %d", resp.StatusCode)
92
+
}
93
+
}
94
+
95
+
func TestServer_postToUnconfiguredPath(t *testing.T) {
96
+
cfg := &Configuration{
97
+
Paths: map[string]PathConfiguration{
98
+
"secure/path": {
99
+
Verify: "hmac-sha256",
100
+
Secret: "test-secret",
101
+
SignatureHeader: "X-Hub-Signature-256",
102
+
},
103
+
},
104
+
}
105
+
ts, _ := newTestServer(cfg)
106
+
defer ts.Close()
107
+
108
+
resp, err := http.Post(ts.URL+"/open/path", "application/json", strings.NewReader(`{"ok":true}`))
109
+
if err != nil {
110
+
t.Fatalf("POST failed: %v", err)
111
+
}
112
+
defer resp.Body.Close()
113
+
if resp.StatusCode != http.StatusAccepted {
114
+
t.Errorf("expected 202, got %d", resp.StatusCode)
115
+
}
116
+
}
117
+
118
+
func TestServer_getWithoutSSEAccept(t *testing.T) {
119
+
ts, _ := newTestServer(nil)
120
+
defer ts.Close()
121
+
122
+
resp, err := http.Get(ts.URL + "/test/topic")
123
+
if err != nil {
124
+
t.Fatalf("GET failed: %v", err)
125
+
}
126
+
defer resp.Body.Close()
127
+
if resp.StatusCode != http.StatusNotFound {
128
+
t.Errorf("expected 404, got %d", resp.StatusCode)
129
+
}
130
+
}
131
+
132
+
func TestServer_corsHeaders(t *testing.T) {
133
+
ts, _ := newTestServer(nil)
134
+
defer ts.Close()
135
+
136
+
resp, err := http.Post(ts.URL+"/test", "application/json", strings.NewReader(`{}`))
137
+
if err != nil {
138
+
t.Fatalf("POST failed: %v", err)
139
+
}
140
+
defer resp.Body.Close()
141
+
142
+
if resp.Header.Get("Access-Control-Allow-Origin") != "*" {
143
+
t.Error("missing CORS Allow-Origin header")
144
+
}
145
+
}
146
+
147
+
func TestServer_optionsPreflight(t *testing.T) {
148
+
ts, _ := newTestServer(nil)
149
+
defer ts.Close()
150
+
151
+
req, _ := http.NewRequest("OPTIONS", ts.URL+"/test", nil)
152
+
resp, err := http.DefaultClient.Do(req)
153
+
if err != nil {
154
+
t.Fatalf("OPTIONS failed: %v", err)
155
+
}
156
+
defer resp.Body.Close()
157
+
if resp.StatusCode != http.StatusNoContent {
158
+
t.Errorf("expected 204, got %d", resp.StatusCode)
159
+
}
160
+
if resp.Header.Get("Access-Control-Allow-Methods") == "" {
161
+
t.Error("missing CORS Allow-Methods header")
162
+
}
163
+
}
164
+
165
+
func TestServer_methodNotAllowed(t *testing.T) {
166
+
ts, _ := newTestServer(nil)
167
+
defer ts.Close()
168
+
169
+
req, _ := http.NewRequest("DELETE", ts.URL+"/test", nil)
170
+
resp, err := http.DefaultClient.Do(req)
171
+
if err != nil {
172
+
t.Fatalf("DELETE failed: %v", err)
173
+
}
174
+
defer resp.Body.Close()
175
+
if resp.StatusCode != http.StatusMethodNotAllowed {
176
+
t.Errorf("expected 405, got %d", resp.StatusCode)
177
+
}
178
+
}
179
+
180
+
func TestServer_postWithBadVerifierConfig(t *testing.T) {
181
+
cfg := &Configuration{
182
+
Paths: map[string]PathConfiguration{
183
+
"bad/path": {
184
+
Verify: "unknown-method",
185
+
Secret: "secret",
186
+
SignatureHeader: "X-Signature",
187
+
},
188
+
},
189
+
}
190
+
ts, _ := newTestServer(cfg)
191
+
defer ts.Close()
192
+
193
+
req, _ := http.NewRequest("POST", ts.URL+"/bad/path", strings.NewReader(`{}`))
194
+
req.Header.Set("Content-Type", "application/json")
195
+
resp, err := http.DefaultClient.Do(req)
196
+
if err != nil {
197
+
t.Fatalf("POST failed: %v", err)
198
+
}
199
+
defer resp.Body.Close()
200
+
if resp.StatusCode != http.StatusInternalServerError {
201
+
t.Errorf("expected 500, got %d", resp.StatusCode)
202
+
}
203
+
}
204
+
205
+
func TestServer_postInvalidJSON(t *testing.T) {
206
+
ts, _ := newTestServer(nil)
207
+
defer ts.Close()
208
+
209
+
resp, err := http.Post(ts.URL+"/test", "application/json", strings.NewReader(`{not json`))
210
+
if err != nil {
211
+
t.Fatalf("POST failed: %v", err)
212
+
}
213
+
defer resp.Body.Close()
214
+
if resp.StatusCode != http.StatusBadRequest {
215
+
t.Errorf("expected 400, got %d", resp.StatusCode)
216
+
}
217
+
}
218
+
219
+
func TestServer_postWithMissingSignatureOnSecuredPath(t *testing.T) {
220
+
cfg := &Configuration{
221
+
Paths: map[string]PathConfiguration{
222
+
"secure/path": {
223
+
Verify: "hmac-sha256",
224
+
Secret: "test-secret",
225
+
SignatureHeader: "X-Hub-Signature-256",
226
+
},
227
+
},
228
+
}
229
+
ts, _ := newTestServer(cfg)
230
+
defer ts.Close()
231
+
232
+
resp, err := http.Post(ts.URL+"/secure/path", "application/json", strings.NewReader(`{}`))
233
+
if err != nil {
234
+
t.Fatalf("POST failed: %v", err)
235
+
}
236
+
defer resp.Body.Close()
237
+
if resp.StatusCode != http.StatusForbidden {
238
+
t.Errorf("expected 403, got %d", resp.StatusCode)
239
+
}
240
+
}
+317
sse_test.go
+317
sse_test.go
···
1
+
package main
2
+
3
+
import (
4
+
"bufio"
5
+
"bytes"
6
+
"context"
7
+
"encoding/json"
8
+
"net/http"
9
+
"net/http/httptest"
10
+
"strings"
11
+
"sync/atomic"
12
+
"testing"
13
+
"time"
14
+
)
15
+
16
+
func sseSubscribe(ctx context.Context, url string, headers map[string]string) <-chan *Event {
17
+
events := make(chan *Event, 10)
18
+
go func() {
19
+
defer close(events)
20
+
req, _ := http.NewRequestWithContext(ctx, "GET", url, nil)
21
+
req.Header.Set("Accept", "text/event-stream")
22
+
for k, v := range headers {
23
+
req.Header.Set(k, v)
24
+
}
25
+
resp, err := http.DefaultClient.Do(req)
26
+
if err != nil {
27
+
return
28
+
}
29
+
defer resp.Body.Close()
30
+
scanner := bufio.NewScanner(resp.Body)
31
+
for scanner.Scan() {
32
+
line := scanner.Text()
33
+
if strings.HasPrefix(line, "data: ") {
34
+
var event Event
35
+
json.Unmarshal([]byte(strings.TrimPrefix(line, "data: ")), &event)
36
+
select {
37
+
case events <- &event:
38
+
case <-ctx.Done():
39
+
return
40
+
}
41
+
}
42
+
}
43
+
}()
44
+
return events
45
+
}
46
+
47
+
func TestServer_postAndSSEReceive(t *testing.T) {
48
+
ts, _ := newTestServer(nil)
49
+
defer ts.Close()
50
+
51
+
ctx, cancel := context.WithCancel(context.Background())
52
+
defer cancel()
53
+
54
+
events := sseSubscribe(ctx, ts.URL+"/test/topic", nil)
55
+
time.Sleep(50 * time.Millisecond)
56
+
57
+
http.Post(ts.URL+"/test/topic", "application/json", strings.NewReader(`{"hello":"world"}`))
58
+
59
+
select {
60
+
case event := <-events:
61
+
if event.Path != "test/topic" {
62
+
t.Errorf("expected path test/topic, got %s", event.Path)
63
+
}
64
+
case <-time.After(2 * time.Second):
65
+
t.Fatal("timed out waiting for SSE event")
66
+
}
67
+
}
68
+
69
+
func TestServer_sseWithValidBearerToken(t *testing.T) {
70
+
cfg := &Configuration{
71
+
Paths: map[string]PathConfiguration{
72
+
"private/topic": {SubscribeSecret: "my-token"},
73
+
},
74
+
}
75
+
ts, _ := newTestServer(cfg)
76
+
defer ts.Close()
77
+
78
+
req, _ := http.NewRequest("GET", ts.URL+"/private/topic", nil)
79
+
req.Header.Set("Accept", "text/event-stream")
80
+
req.Header.Set("Authorization", "Bearer my-token")
81
+
82
+
client := &http.Client{Timeout: 500 * time.Millisecond}
83
+
resp, err := client.Do(req)
84
+
if err != nil {
85
+
t.Fatalf("GET failed: %v", err)
86
+
}
87
+
defer resp.Body.Close()
88
+
if resp.StatusCode != http.StatusOK {
89
+
t.Errorf("expected 200, got %d", resp.StatusCode)
90
+
}
91
+
}
92
+
93
+
func TestServer_sseWithWrongToken(t *testing.T) {
94
+
cfg := &Configuration{
95
+
Paths: map[string]PathConfiguration{
96
+
"private/topic": {SubscribeSecret: "my-token"},
97
+
},
98
+
}
99
+
ts, _ := newTestServer(cfg)
100
+
defer ts.Close()
101
+
102
+
req, _ := http.NewRequest("GET", ts.URL+"/private/topic", nil)
103
+
req.Header.Set("Accept", "text/event-stream")
104
+
req.Header.Set("Authorization", "Bearer wrong-token")
105
+
resp, err := http.DefaultClient.Do(req)
106
+
if err != nil {
107
+
t.Fatalf("GET failed: %v", err)
108
+
}
109
+
defer resp.Body.Close()
110
+
if resp.StatusCode != http.StatusUnauthorized {
111
+
t.Errorf("expected 401, got %d", resp.StatusCode)
112
+
}
113
+
}
114
+
115
+
func TestServer_sseToOpenPath(t *testing.T) {
116
+
ts, _ := newTestServer(nil)
117
+
defer ts.Close()
118
+
119
+
req, _ := http.NewRequest("GET", ts.URL+"/open/topic", nil)
120
+
req.Header.Set("Accept", "text/event-stream")
121
+
122
+
client := &http.Client{Timeout: 500 * time.Millisecond}
123
+
resp, err := client.Do(req)
124
+
if err != nil {
125
+
t.Fatalf("GET failed: %v", err)
126
+
}
127
+
defer resp.Body.Close()
128
+
if resp.StatusCode != http.StatusOK {
129
+
t.Errorf("expected 200, got %d", resp.StatusCode)
130
+
}
131
+
ct := resp.Header.Get("Content-Type")
132
+
if ct != "text/event-stream" {
133
+
t.Errorf("expected text/event-stream, got %s", ct)
134
+
}
135
+
}
136
+
137
+
func TestServer_prefixSubscription(t *testing.T) {
138
+
ts, _ := newTestServer(nil)
139
+
defer ts.Close()
140
+
141
+
ctx, cancel := context.WithCancel(context.Background())
142
+
defer cancel()
143
+
144
+
events := sseSubscribe(ctx, ts.URL+"/github.com/chrisguidry", nil)
145
+
time.Sleep(50 * time.Millisecond)
146
+
147
+
http.Post(ts.URL+"/github.com/chrisguidry/docketeer", "application/json", strings.NewReader(`{"ref":"main"}`))
148
+
149
+
select {
150
+
case event := <-events:
151
+
if event.Path != "github.com/chrisguidry/docketeer" {
152
+
t.Errorf("expected child path, got %s", event.Path)
153
+
}
154
+
case <-time.After(2 * time.Second):
155
+
t.Fatal("timed out waiting for SSE event")
156
+
}
157
+
}
158
+
159
+
func TestServer_lastEventIDReplay(t *testing.T) {
160
+
ts, broker := newTestServer(nil)
161
+
defer ts.Close()
162
+
163
+
broker.Publish(&Event{
164
+
ID: "replay-1",
165
+
Path: "test/topic",
166
+
Payload: map[string]any{"n": 1},
167
+
})
168
+
broker.Publish(&Event{
169
+
ID: "replay-2",
170
+
Path: "test/topic",
171
+
Payload: map[string]any{"n": 2},
172
+
})
173
+
174
+
ctx, cancel := context.WithCancel(context.Background())
175
+
defer cancel()
176
+
177
+
events := sseSubscribe(ctx, ts.URL+"/test/topic", map[string]string{
178
+
"Last-Event-ID": "replay-1",
179
+
})
180
+
181
+
select {
182
+
case event := <-events:
183
+
if event.ID != "replay-2" {
184
+
t.Errorf("expected replay-2, got %s", event.ID)
185
+
}
186
+
case <-time.After(2 * time.Second):
187
+
t.Fatal("timed out waiting for replayed event")
188
+
}
189
+
}
190
+
191
+
func TestServer_filterQueryParam(t *testing.T) {
192
+
ts, _ := newTestServer(nil)
193
+
defer ts.Close()
194
+
195
+
ctx, cancel := context.WithCancel(context.Background())
196
+
defer cancel()
197
+
198
+
events := sseSubscribe(ctx, ts.URL+"/test/topic?filter=payload.ref:refs/heads/main", nil)
199
+
time.Sleep(50 * time.Millisecond)
200
+
201
+
http.Post(ts.URL+"/test/topic", "application/json", strings.NewReader(`{"ref":"refs/heads/develop"}`))
202
+
time.Sleep(20 * time.Millisecond)
203
+
http.Post(ts.URL+"/test/topic", "application/json", strings.NewReader(`{"ref":"refs/heads/main"}`))
204
+
205
+
select {
206
+
case event := <-events:
207
+
payload := event.Payload.(map[string]any)
208
+
if payload["ref"] != "refs/heads/main" {
209
+
t.Errorf("expected filtered event with ref=main, got %v", payload["ref"])
210
+
}
211
+
case <-time.After(2 * time.Second):
212
+
t.Fatal("timed out waiting for filtered event")
213
+
}
214
+
}
215
+
216
+
func TestServer_sseWithMissingAuth(t *testing.T) {
217
+
cfg := &Configuration{
218
+
Paths: map[string]PathConfiguration{
219
+
"private/topic": {SubscribeSecret: "my-token"},
220
+
},
221
+
}
222
+
ts, _ := newTestServer(cfg)
223
+
defer ts.Close()
224
+
225
+
req, _ := http.NewRequest("GET", ts.URL+"/private/topic", nil)
226
+
req.Header.Set("Accept", "text/event-stream")
227
+
resp, err := http.DefaultClient.Do(req)
228
+
if err != nil {
229
+
t.Fatalf("GET failed: %v", err)
230
+
}
231
+
defer resp.Body.Close()
232
+
if resp.StatusCode != http.StatusUnauthorized {
233
+
t.Errorf("expected 401, got %d", resp.StatusCode)
234
+
}
235
+
}
236
+
237
+
func TestServer_sseChannelClosed(t *testing.T) {
238
+
broker := NewBroker(100)
239
+
var cfgPtr atomic.Pointer[Configuration]
240
+
handler := NewServer(broker, &cfgPtr)
241
+
ts := httptest.NewServer(handler)
242
+
defer ts.Close()
243
+
244
+
ctx, cancel := context.WithCancel(context.Background())
245
+
defer cancel()
246
+
247
+
events := sseSubscribe(ctx, ts.URL+"/test/topic", nil)
248
+
time.Sleep(50 * time.Millisecond)
249
+
250
+
broker.mu.Lock()
251
+
for _, subs := range broker.subscribers {
252
+
for _, sub := range subs {
253
+
close(sub.ch)
254
+
}
255
+
}
256
+
broker.subscribers = make(map[string][]*subscriber)
257
+
broker.mu.Unlock()
258
+
259
+
time.Sleep(50 * time.Millisecond)
260
+
261
+
select {
262
+
case _, ok := <-events:
263
+
if ok {
264
+
t.Error("expected channel to be closed")
265
+
}
266
+
case <-time.After(time.Second):
267
+
t.Fatal("timed out waiting for SSE to close")
268
+
}
269
+
}
270
+
271
+
func TestServer_nonJSONPayloadBase64(t *testing.T) {
272
+
ts, _ := newTestServer(nil)
273
+
defer ts.Close()
274
+
275
+
ctx, cancel := context.WithCancel(context.Background())
276
+
defer cancel()
277
+
278
+
done := make(chan string, 1)
279
+
go func() {
280
+
req, _ := http.NewRequestWithContext(ctx, "GET", ts.URL+"/test/topic", nil)
281
+
req.Header.Set("Accept", "text/event-stream")
282
+
resp, err := http.DefaultClient.Do(req)
283
+
if err != nil {
284
+
return
285
+
}
286
+
defer resp.Body.Close()
287
+
scanner := bufio.NewScanner(resp.Body)
288
+
for scanner.Scan() {
289
+
line := scanner.Text()
290
+
if strings.HasPrefix(line, "data: ") {
291
+
var envelope struct {
292
+
Payload json.RawMessage `json:"payload"`
293
+
}
294
+
json.Unmarshal([]byte(strings.TrimPrefix(line, "data: ")), &envelope)
295
+
var s string
296
+
if json.Unmarshal(envelope.Payload, &s) == nil {
297
+
done <- s
298
+
return
299
+
}
300
+
}
301
+
}
302
+
}()
303
+
304
+
time.Sleep(50 * time.Millisecond)
305
+
306
+
resp, _ := http.Post(ts.URL+"/test/topic", "text/plain", bytes.NewReader([]byte("hello world")))
307
+
resp.Body.Close()
308
+
309
+
select {
310
+
case payload := <-done:
311
+
if payload != "aGVsbG8gd29ybGQ=" {
312
+
t.Errorf("expected base64 encoded payload, got %s", payload)
313
+
}
314
+
case <-time.After(2 * time.Second):
315
+
t.Fatal("timed out waiting for event")
316
+
}
317
+
}
+59
verify.go
+59
verify.go
···
1
+
package main
2
+
3
+
import (
4
+
"crypto/hmac"
5
+
"crypto/sha1"
6
+
"crypto/sha256"
7
+
"encoding/hex"
8
+
"errors"
9
+
"fmt"
10
+
"hash"
11
+
"net/http"
12
+
"strings"
13
+
)
14
+
15
+
type Verifier interface {
16
+
Verify(body []byte, headers http.Header, secret string, signatureHeader string) error
17
+
}
18
+
19
+
func NewVerifier(method string) (Verifier, error) {
20
+
switch method {
21
+
case "hmac-sha256":
22
+
return &hmacVerifier{prefix: "sha256=", newHash: sha256.New}, nil
23
+
case "hmac-sha1":
24
+
return &hmacVerifier{prefix: "sha1=", newHash: sha1.New}, nil
25
+
default:
26
+
return nil, fmt.Errorf("unknown verification method: %s", method)
27
+
}
28
+
}
29
+
30
+
type hmacVerifier struct {
31
+
prefix string
32
+
newHash func() hash.Hash
33
+
}
34
+
35
+
func (v *hmacVerifier) Verify(body []byte, headers http.Header, secret string, signatureHeader string) error {
36
+
sig := headers.Get(signatureHeader)
37
+
if sig == "" {
38
+
return errors.New("missing signature header")
39
+
}
40
+
41
+
sigHex, ok := strings.CutPrefix(sig, v.prefix)
42
+
if !ok {
43
+
return fmt.Errorf("signature missing expected prefix %q", v.prefix)
44
+
}
45
+
46
+
sigBytes, err := hex.DecodeString(sigHex)
47
+
if err != nil {
48
+
return fmt.Errorf("invalid hex in signature: %w", err)
49
+
}
50
+
51
+
mac := hmac.New(v.newHash, []byte(secret))
52
+
mac.Write(body)
53
+
expected := mac.Sum(nil)
54
+
55
+
if !hmac.Equal(sigBytes, expected) {
56
+
return errors.New("signature mismatch")
57
+
}
58
+
return nil
59
+
}
+120
verify_test.go
+120
verify_test.go
···
1
+
package main
2
+
3
+
import (
4
+
"crypto/hmac"
5
+
"crypto/sha1"
6
+
"crypto/sha256"
7
+
"encoding/hex"
8
+
"net/http"
9
+
"testing"
10
+
)
11
+
12
+
func computeHMACSHA256(secret, body string) string {
13
+
mac := hmac.New(sha256.New, []byte(secret))
14
+
mac.Write([]byte(body))
15
+
return "sha256=" + hex.EncodeToString(mac.Sum(nil))
16
+
}
17
+
18
+
func computeHMACSHA1(secret, body string) string {
19
+
mac := hmac.New(sha1.New, []byte(secret))
20
+
mac.Write([]byte(body))
21
+
return "sha1=" + hex.EncodeToString(mac.Sum(nil))
22
+
}
23
+
24
+
func TestNewVerifier_hmacSHA256(t *testing.T) {
25
+
v, err := NewVerifier("hmac-sha256")
26
+
if err != nil {
27
+
t.Fatalf("unexpected error: %v", err)
28
+
}
29
+
if v == nil {
30
+
t.Fatal("expected verifier, got nil")
31
+
}
32
+
}
33
+
34
+
func TestNewVerifier_hmacSHA1(t *testing.T) {
35
+
v, err := NewVerifier("hmac-sha1")
36
+
if err != nil {
37
+
t.Fatalf("unexpected error: %v", err)
38
+
}
39
+
if v == nil {
40
+
t.Fatal("expected verifier, got nil")
41
+
}
42
+
}
43
+
44
+
func TestNewVerifier_unknown(t *testing.T) {
45
+
_, err := NewVerifier("unknown-method")
46
+
if err == nil {
47
+
t.Fatal("expected error for unknown method")
48
+
}
49
+
}
50
+
51
+
func TestHMACSHA256_validSignature(t *testing.T) {
52
+
secret := "test-secret"
53
+
body := `{"action":"push"}`
54
+
sig := computeHMACSHA256(secret, body)
55
+
56
+
v, _ := NewVerifier("hmac-sha256")
57
+
headers := http.Header{"X-Hub-Signature-256": {sig}}
58
+
err := v.Verify([]byte(body), headers, secret, "X-Hub-Signature-256")
59
+
if err != nil {
60
+
t.Fatalf("expected valid signature, got error: %v", err)
61
+
}
62
+
}
63
+
64
+
func TestHMACSHA256_invalidSignature(t *testing.T) {
65
+
v, _ := NewVerifier("hmac-sha256")
66
+
headers := http.Header{"X-Hub-Signature-256": {"sha256=deadbeef"}}
67
+
err := v.Verify([]byte("body"), headers, "secret", "X-Hub-Signature-256")
68
+
if err == nil {
69
+
t.Fatal("expected error for invalid signature")
70
+
}
71
+
}
72
+
73
+
func TestHMACSHA256_missingHeader(t *testing.T) {
74
+
v, _ := NewVerifier("hmac-sha256")
75
+
headers := http.Header{}
76
+
err := v.Verify([]byte("body"), headers, "secret", "X-Hub-Signature-256")
77
+
if err == nil {
78
+
t.Fatal("expected error for missing signature header")
79
+
}
80
+
}
81
+
82
+
func TestHMACSHA1_validSignature(t *testing.T) {
83
+
secret := "test-secret"
84
+
body := `{"action":"push"}`
85
+
sig := computeHMACSHA1(secret, body)
86
+
87
+
v, _ := NewVerifier("hmac-sha1")
88
+
headers := http.Header{"X-Hub-Signature": {sig}}
89
+
err := v.Verify([]byte(body), headers, secret, "X-Hub-Signature")
90
+
if err != nil {
91
+
t.Fatalf("expected valid signature, got error: %v", err)
92
+
}
93
+
}
94
+
95
+
func TestHMACSHA256_wrongPrefix(t *testing.T) {
96
+
v, _ := NewVerifier("hmac-sha256")
97
+
headers := http.Header{"X-Hub-Signature-256": {"sha1=abc123"}}
98
+
err := v.Verify([]byte("body"), headers, "secret", "X-Hub-Signature-256")
99
+
if err == nil {
100
+
t.Fatal("expected error for wrong prefix")
101
+
}
102
+
}
103
+
104
+
func TestHMACSHA256_invalidHex(t *testing.T) {
105
+
v, _ := NewVerifier("hmac-sha256")
106
+
headers := http.Header{"X-Hub-Signature-256": {"sha256=not-hex!"}}
107
+
err := v.Verify([]byte("body"), headers, "secret", "X-Hub-Signature-256")
108
+
if err == nil {
109
+
t.Fatal("expected error for invalid hex")
110
+
}
111
+
}
112
+
113
+
func TestHMACSHA1_invalidSignature(t *testing.T) {
114
+
v, _ := NewVerifier("hmac-sha1")
115
+
headers := http.Header{"X-Hub-Signature": {"sha1=deadbeef"}}
116
+
err := v.Verify([]byte("body"), headers, "secret", "X-Hub-Signature")
117
+
if err == nil {
118
+
t.Fatal("expected error for invalid signature")
119
+
}
120
+
}