notification-controller icon indicating copy to clipboard operation
notification-controller copied to clipboard
verified publisher icon fluxcd

Allow signing of generic webhook provider requests

Open bigkevmcd opened this issue 5 years ago • 4 comments

The HTTP endpoint should be able to ensure the provenance of incoming requests from the generic provider.

GitHub and GitLab use a shared-secret mechanism, where the outgoing requests have a header with an HMAC of the request body, the receiver can then sign the body it receives, and confirm the origin of the request.

This should be optional.

One proposal, is to add an additional signature field to the spec:

spec:
 signature:
   secretRef:
       name: hmac

Another option would be to use the presence of an hmac key in the Secret referenced by spec.secretRef.

Some other considerations, sha1 or sha256? What should the header name be?

bigkevmcd avatar Dec 07 '20 11:12 bigkevmcd

I would implement it as GitHub https://developer.github.com/webhooks/securing/

Header: X-Signature Algorithm : HMAC/SHA1

stefanprodan avatar Dec 07 '20 13:12 stefanprodan

I'm not sure that PR fixes the issue, that is only about receiving webhooks, not signing outgoing hooks.

bigkevmcd avatar Jan 21 '21 12:01 bigkevmcd

I've got a branch that I would need to tidy up the last bit of that would solve the signing part...

bigkevmcd avatar Jan 21 '21 12:01 bigkevmcd

@bigkevmcd you're right, that PR solves ingress not egress. We can reopen.

stefanprodan avatar Jan 21 '21 12:01 stefanprodan

I propose we introduce a new alert provider type named generic-hmac (like we did for receivers), that requires a secret with a token key.

Example definition with HMAC and self-signed TLS receiver:

apiVersion: notification.toolkit.fluxcd.io/v1beta1
kind: Provider
metadata:
  name: my-alert-provider
  namespace: default
spec:
  type: generic-hmac
  address: https://my-service.internal/flux-receiver
  secretRef:
    name: my-alert-provider-token
  certSecretRef:
    name: my-alert-provider-ca
---
apiVersion: v1
kind: Secret
metadata:
  name: my-alert-provider-token
  namespace: default
stringData:
  token: <my-hmac-token>
---
apiVersion: v1
kind: Secret
metadata:
  name: my-alert-provider-ca
  namespace: default
stringData:
  caFile: <my-custom-ca>

The HTTP POST will contain a header named X-Signature:

X-Signature: sha256=<hex-digest>

The receiver will lookup the prefix to determine the SHA algorithm, then it will calculate the digest of the body and compare it with the digest in the header.

stefanprodan avatar Sep 29 '22 11:09 stefanprodan