1714bf5ed6
Compare strings of equal length (hashed with SHA-512) with ConstantTimeCompare. Closes: https://todo.xenrox.net/~xenrox/ntfy-alertmanager/1
220 lines
5.3 KiB
Go
220 lines
5.3 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/sha512"
|
|
"crypto/subtle"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"flag"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"git.xenrox.net/~xenrox/go-log"
|
|
"golang.org/x/text/cases"
|
|
"golang.org/x/text/language"
|
|
)
|
|
|
|
type receiver struct {
|
|
cfg *config
|
|
logger *log.Logger
|
|
}
|
|
|
|
type payload struct {
|
|
Status string `json:"status"`
|
|
Alerts []alert `json:"alerts"`
|
|
GroupLabels map[string]interface{} `json:"groupLabels"`
|
|
CommonLabels map[string]interface{} `json:"commonLabels"`
|
|
CommonAnnotations map[string]interface{} `json:"commonAnnotations"`
|
|
}
|
|
|
|
type alert struct {
|
|
Status string `json:"status"`
|
|
Labels map[string]interface{} `json:"labels"`
|
|
Annotations map[string]interface{} `json:"annotations"`
|
|
}
|
|
|
|
type notification struct {
|
|
title string
|
|
body string
|
|
priority string
|
|
tags string
|
|
}
|
|
|
|
func (rcv *receiver) publish(n *notification) error {
|
|
client := &http.Client{Timeout: time.Second * 3}
|
|
req, err := http.NewRequest(http.MethodPost, rcv.cfg.ntfy.Topic, strings.NewReader(n.body))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Basic auth
|
|
if rcv.cfg.ntfy.Password != "" && rcv.cfg.ntfy.User != "" {
|
|
auth := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", rcv.cfg.ntfy.User, rcv.cfg.ntfy.Password)))
|
|
req.Header.Set("Authorization", fmt.Sprintf("Basic %s", auth))
|
|
}
|
|
|
|
req.Header.Set("X-Title", n.title)
|
|
|
|
if n.priority != "" {
|
|
req.Header.Set("X-Priority", n.priority)
|
|
}
|
|
|
|
if n.tags != "" {
|
|
req.Header.Set("X-Tags", n.tags)
|
|
}
|
|
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode != http.StatusOK {
|
|
return fmt.Errorf("ntfy: received status code %d", resp.StatusCode)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (rcv *receiver) handleWebhooks(w http.ResponseWriter, r *http.Request) {
|
|
defer r.Body.Close()
|
|
|
|
if r.Method != http.MethodPost {
|
|
http.Error(w, "Only POST allowed", http.StatusMethodNotAllowed)
|
|
rcv.logger.Debugf("illegal HTTP method: expected %q, got %q", "POST", r.Method)
|
|
return
|
|
}
|
|
|
|
contentType := r.Header.Get("Content-Type")
|
|
if contentType != "application/json" {
|
|
http.Error(w, "Only application/json allowed", http.StatusUnsupportedMediaType)
|
|
rcv.logger.Debugf("illegal content type: %s", contentType)
|
|
return
|
|
}
|
|
|
|
var event payload
|
|
if err := json.NewDecoder(r.Body).Decode(&event); err != nil {
|
|
rcv.logger.Debug(err)
|
|
return
|
|
}
|
|
|
|
count := len(event.Alerts)
|
|
title := fmt.Sprintf("[%s", strings.ToUpper(event.Status))
|
|
if event.Status == "firing" {
|
|
title = fmt.Sprintf("%s:%d", title, count)
|
|
}
|
|
|
|
title += "]"
|
|
for _, value := range event.GroupLabels {
|
|
title = fmt.Sprintf("%s %s", title, value)
|
|
}
|
|
|
|
var body string
|
|
c := cases.Title(language.English)
|
|
|
|
for _, alert := range event.Alerts {
|
|
alertBody := fmt.Sprintf("%s\nLabels:\n", c.String(alert.Status))
|
|
for key, value := range alert.Labels {
|
|
alertBody = fmt.Sprintf("%s%s = %s\n", alertBody, key, value)
|
|
}
|
|
|
|
alertBody += "Annotations:\n"
|
|
for key, value := range alert.Annotations {
|
|
alertBody = fmt.Sprintf("%s%s = %s\n", alertBody, key, value)
|
|
}
|
|
|
|
alertBody += "\n"
|
|
|
|
body += alertBody
|
|
}
|
|
|
|
var priority string
|
|
var tags []string
|
|
for _, labelName := range rcv.cfg.labels.Order {
|
|
val, ok := event.CommonLabels[labelName]
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
labelConfig, ok := rcv.cfg.labels.Label[fmt.Sprintf("%s:%s", labelName, val)]
|
|
if !ok {
|
|
continue
|
|
}
|
|
|
|
if priority == "" {
|
|
priority = labelConfig.Priority
|
|
}
|
|
|
|
for _, val := range labelConfig.Tags {
|
|
if !sliceContains(tags, val) {
|
|
tags = append(tags, val)
|
|
}
|
|
}
|
|
}
|
|
|
|
tagString := strings.Join(tags, ",")
|
|
|
|
notification := ¬ification{title: title, body: body, priority: priority, tags: tagString}
|
|
err := rcv.publish(notification)
|
|
if err != nil {
|
|
rcv.logger.Error(err)
|
|
}
|
|
}
|
|
|
|
func (rcv *receiver) basicAuthMiddleware(handler http.HandlerFunc) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
user, pass, ok := r.BasicAuth()
|
|
if !ok {
|
|
rcv.logger.Debug("basic auth failure")
|
|
return
|
|
}
|
|
|
|
inputUserHash := sha512.Sum512([]byte(user))
|
|
inputPassHash := sha512.Sum512([]byte(pass))
|
|
configUserHash := sha512.Sum512([]byte(rcv.cfg.User))
|
|
configPassHash := sha512.Sum512([]byte(rcv.cfg.Password))
|
|
|
|
validUser := subtle.ConstantTimeCompare(inputUserHash[:], configUserHash[:])
|
|
validPass := subtle.ConstantTimeCompare(inputPassHash[:], configPassHash[:])
|
|
|
|
if validUser != 1 || validPass != 1 {
|
|
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
|
rcv.logger.Debug("basic auth: wrong user or password")
|
|
return
|
|
}
|
|
|
|
handler(w, r)
|
|
}
|
|
}
|
|
|
|
func main() {
|
|
var configPath string
|
|
flag.StringVar(&configPath, "config", "/etc/ntfy-alertmanager/config", "config file path")
|
|
flag.Parse()
|
|
|
|
logger := log.NewDefaultLogger()
|
|
|
|
cfg, err := readConfig(configPath)
|
|
if err != nil {
|
|
logger.Fatalf("config: %v", err)
|
|
}
|
|
|
|
if err := logger.SetLevelFromString(cfg.LogLevel); err != nil {
|
|
logger.Errorf("config: %v", err)
|
|
}
|
|
|
|
receiver := &receiver{cfg: cfg, logger: logger}
|
|
|
|
logger.Infof("Listening on %s", cfg.HTTPAddress)
|
|
|
|
if cfg.User != "" && cfg.Password != "" {
|
|
logger.Info("Enabling HTTP Basic Authentication")
|
|
http.HandleFunc("/", receiver.basicAuthMiddleware(receiver.handleWebhooks))
|
|
} else {
|
|
http.HandleFunc("/", receiver.handleWebhooks)
|
|
}
|
|
|
|
logger.Fatal(http.ListenAndServe(cfg.HTTPAddress, nil))
|
|
}
|