-
Notifications
You must be signed in to change notification settings - Fork 4.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(plugins): standard-webhooks (#12962)
* Revert "Revert "feat(plugins): add standard-webhooks plugin (#12757)"" This reverts commit 8ff1771. * Update kong/plugins/standard-webhooks/internal.lua Co-authored-by: Samuele <[email protected]> --------- Co-authored-by: Samuele <[email protected]>
- Loading branch information
Showing
10 changed files
with
413 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
message: | | ||
Add standard webhooks plugin | ||
type: feature | ||
scope: Plugin |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
local plugin = require "kong.plugins.standard-webhooks.internal" | ||
|
||
local StandardWebhooks = { | ||
VERSION = require("kong.meta").version, | ||
PRIORITY = 760 | ||
} | ||
|
||
function StandardWebhooks:access(conf) | ||
plugin.access(conf) | ||
end | ||
|
||
return StandardWebhooks |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
local kong = kong | ||
local mac = require "resty.openssl.mac" | ||
local tonumber = tonumber | ||
local ngx = ngx | ||
local type = type | ||
|
||
local HEADER_WEBHOOK_ID = "webhook-id" | ||
local HEADER_WEBHOOK_SIGN = "webhook-signature" | ||
local HEADER_WEBHOOK_TS = "webhook-timestamp" | ||
|
||
local function getHeader(input) | ||
if type(input) == "table" then | ||
return input[1] | ||
end | ||
|
||
return input | ||
end | ||
|
||
local function sign(secret, id, ts, payload) | ||
local d, err = mac.new(secret, "HMAC", nil, "sha256") | ||
if err then | ||
kong.log.error(err) | ||
return kong.response.error(500) | ||
end | ||
local r, err = d:final(id .. "." .. ts .. "." .. payload) | ||
if err then | ||
kong.log.error(err) | ||
return kong.response.error(500) | ||
end | ||
return "v1," .. ngx.encode_base64(r) | ||
end | ||
|
||
local function extract_webhook() | ||
local headers = kong.request.get_headers() | ||
|
||
local id = getHeader(headers[HEADER_WEBHOOK_ID]) | ||
local signature = getHeader(headers[HEADER_WEBHOOK_SIGN]) | ||
local ts = getHeader(headers[HEADER_WEBHOOK_TS]) | ||
if not id or not signature or not ts then | ||
kong.log.debug("missing required headers") | ||
return kong.response.error(400) | ||
end | ||
|
||
ts = tonumber(ts) or 0 -- if parse fails we inject 0, which will fail on clock-skew check | ||
|
||
return id, signature, ts | ||
end | ||
|
||
|
||
local function access(config) | ||
local id, signature, ts = extract_webhook() | ||
|
||
if ngx.now() - ts > config.tolerance_second then | ||
kong.log.debug("timestamp tolerance exceeded") | ||
return kong.response.error(400) | ||
end | ||
|
||
local body = kong.request.get_raw_body() | ||
|
||
if not body or body == "" then | ||
kong.log.debug("missing required body") | ||
return kong.response.error(400) | ||
end | ||
|
||
local expected_signature = sign(config.secret_v1, id, ts, body) | ||
|
||
if signature ~= expected_signature then | ||
kong.log.debug("signature not matched") | ||
return kong.response.error(400) | ||
end | ||
end | ||
|
||
return { | ||
access = access, | ||
sign = sign | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
local typedefs = require "kong.db.schema.typedefs" | ||
|
||
local PLUGIN_NAME = "standard-webhooks" | ||
|
||
local schema = { | ||
name = PLUGIN_NAME, | ||
fields = { | ||
{ consumer = typedefs.no_consumer }, | ||
{ protocols = typedefs.protocols_http }, | ||
{ | ||
config = { | ||
type = "record", | ||
fields = { | ||
{ | ||
secret_v1 = { | ||
type = "string", | ||
required = true, | ||
description = "Webhook secret", | ||
referenceable = true, | ||
encrypted = true, | ||
}, | ||
}, | ||
{ | ||
tolerance_second = { | ||
description = "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", | ||
type = "integer", | ||
required = true, | ||
gt = -1, | ||
default = 5 * 60 | ||
} | ||
} | ||
} | ||
} | ||
} | ||
} | ||
} | ||
|
||
return schema |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,140 @@ | ||
local PLUGIN_NAME = "standard-webhooks" | ||
|
||
|
||
-- helper function to validate data against a schema | ||
local validate do | ||
local validate_entity = require("spec.helpers").validate_plugin_config_schema | ||
local plugin_schema = require("kong.plugins."..PLUGIN_NAME..".schema") | ||
|
||
function validate(data) | ||
return validate_entity(data, plugin_schema) | ||
end | ||
end | ||
|
||
|
||
describe(PLUGIN_NAME .. ": (schema)", function() | ||
|
||
|
||
it("accepts a valid config", function() | ||
local ok, err = validate({ | ||
secret_v1 = "abc123", | ||
tolerance_second = 5*60, | ||
}) | ||
assert.is_nil(err) | ||
assert.is_truthy(ok) | ||
end) | ||
|
||
|
||
describe("secret", function() | ||
|
||
it("must be set", function() | ||
local ok, err = validate({ | ||
secret_v1 = nil, | ||
tolerance_second = 5*60, | ||
}) | ||
|
||
assert.is_same({ | ||
["config"] = { | ||
["secret_v1"] = 'required field missing', | ||
} | ||
}, err) | ||
assert.is_falsy(ok) | ||
end) | ||
|
||
|
||
it("is not nullable", function() | ||
local ok, err = validate({ | ||
secret_v1 = assert(ngx.null), | ||
tolerance_second = 5*60, | ||
}) | ||
|
||
assert.is_same({ | ||
["config"] = { | ||
["secret_v1"] = 'required field missing', | ||
} | ||
}, err) | ||
assert.is_falsy(ok) | ||
end) | ||
|
||
|
||
it("must be a string", function() | ||
local ok, err = validate({ | ||
secret_v1 = 123, | ||
tolerance_second = 5*60, | ||
}) | ||
|
||
assert.is_same({ | ||
["config"] = { | ||
["secret_v1"] = 'expected a string', | ||
} | ||
}, err) | ||
assert.is_falsy(ok) | ||
end) | ||
|
||
end) | ||
|
||
|
||
|
||
describe("tolerance_second", function() | ||
|
||
it("gets a default", function() | ||
local ok, err = validate({ | ||
secret_v1 = "abc123", | ||
tolerance_second = nil, | ||
}) | ||
|
||
assert.is_nil(err) | ||
assert.are.same(ok.config, { | ||
secret_v1 = "abc123", | ||
tolerance_second = 5*60, | ||
}) | ||
end) | ||
|
||
|
||
it("is not nullable", function() | ||
local ok, err = validate({ | ||
secret_v1 = "abc123", | ||
tolerance_second = assert(ngx.null), | ||
}) | ||
|
||
assert.is_same({ | ||
["config"] = { | ||
["tolerance_second"] = 'required field missing', | ||
} | ||
}, err) | ||
assert.is_falsy(ok) | ||
end) | ||
|
||
|
||
it("must be an integer", function() | ||
local ok, err = validate({ | ||
secret_v1 = "abc123", | ||
tolerance_second = 5.67, | ||
}) | ||
|
||
assert.is_same({ | ||
["config"] = { | ||
["tolerance_second"] = 'expected an integer', | ||
} | ||
}, err) | ||
assert.is_falsy(ok) | ||
end) | ||
|
||
|
||
it("must be >= 0", function() | ||
local ok, err = validate({ | ||
secret_v1 = "abc123", | ||
tolerance_second = -1, | ||
}) | ||
|
||
assert.is_same({ | ||
["config"] = { | ||
["tolerance_second"] = 'value must be greater than -1', | ||
} | ||
}, err) | ||
assert.is_falsy(ok) | ||
end) | ||
|
||
end) | ||
|
||
end) |
Oops, something went wrong.
03f056c
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bazel Build
Docker image available
kong/kong:03f056cb1dd03bc305f8edd37aa035fd5552604e
Artifacts available https://github.com/Kong/kong/actions/runs/9003367411