Last active
January 26, 2023 02:13
-
-
Save ctcampbell/c82d895b0940c08408fb1800aa6718b0 to your computer and use it in GitHub Desktop.
Postman pre-request to add Veracode HMAC header
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var url = require('url'); | |
| var { Property } = require('postman-collection'); | |
| const id = pm.variables.get('veracodeApiKeyId'); | |
| const key = pm.variables.get('veracodeApiKeySecret'); | |
| const authorizationScheme = 'VERACODE-HMAC-SHA-256'; | |
| const requestVersion = "vcode_request_version_1"; | |
| const nonceSize = 16; | |
| function computeHashHex(message, key_hex) { | |
| return CryptoJS.HmacSHA256(message, CryptoJS.enc.Hex.parse(key_hex)).toString(CryptoJS.enc.Hex); | |
| } | |
| function calulateDataSignature(key, nonceBytes, dateStamp, data) { | |
| let kNonce = computeHashHex(nonceBytes, key); | |
| let kDate = computeHashHex(dateStamp, kNonce); | |
| let kSig = computeHashHex(requestVersion, kDate); | |
| let kFinal = computeHashHex(data, kSig); | |
| return kFinal; | |
| } | |
| function newNonce() { | |
| return CryptoJS.lib.WordArray.random(nonceSize).toString().toUpperCase(); | |
| } | |
| function toHexBinary(input) { | |
| return CryptoJS.enc.Hex.stringify(CryptoJS.enc.Utf8.parse(input)); | |
| } | |
| function calculateVeracodeAuthHeader(httpMethod, requestUrl) { | |
| let urlExpanded = Property.replaceSubstitutions(requestUrl, pm.variables.toObject()); | |
| let parsedUrl = url.parse(urlExpanded); | |
| let data = `id=${id}&host=${parsedUrl.hostname}&url=${parsedUrl.path}&method=${httpMethod}`; | |
| let dateStamp = Date.now().toString(); | |
| let nonceBytes = newNonce(nonceSize); | |
| let dataSignature = calulateDataSignature(key, nonceBytes, dateStamp, data); | |
| let authorizationParam = `id=${id},ts=${dateStamp},nonce=${toHexBinary(nonceBytes)},sig=${dataSignature}`; | |
| let header = authorizationScheme + " " + authorizationParam; | |
| return header; | |
| } | |
| pm.request.headers.add({ | |
| key: 'Authorization', | |
| value: calculateVeracodeAuthHeader(request['method'], request['url']) | |
| }); |
@Fleurpot82 Not sure if you've fixed this yet. You need to specify the two variable values so they can be retrieved in lines 4&5:
- veracodeApiKeyId
- veracodeApiKeySecret
If they are zero length it complains when tryoing to validate them.
Thanks @markdowd, taken me a while to get back to this, I had the variables added, as below it worked fine when a pasted the values directly in. Deleted the variables in my project and re added and it works a treat. No idea what was wrong before as I'd created multiple collections in attempting it earlier!
Please note that we've published an official project and how-to for using Veracode HMAC in Postman here: https://github.com/veracode/veracode-postman
Contributions are welcome!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Any fix for this yet? Removing pm.variables.get gives a 401 error. As with id and key added, the error I receive is TypeError: Cannot read property 'length' of undefined.