Description of problem:
Currently, there's no way to ascertain the identity/validity of webhook requests sent by gluster-eventsd. If a header was added that contains an HMAC token generated using the content and a secret key, this would ensure that the server can validate that the request is genuine before processing the event.
Version-Release number of selected component (if applicable):
As discussed over IRC, the Events API will implement JWT (JSON Web Tokens). An additional argument will be added to the webhook-add command to accept the secret which is required to generate the JWT.
gluster-eventsapi webhook-add <url> [--token <TOKEN>] \
For the shared secret approach use `--secret`, and for the shared token approach use `--token`. With the `--token` argument, the token header will be added as is.
Authorization: Bearer <TOKEN>
In the case of a shared secret, Gluster will generate a JWT token using the secret and then add it to the Authorization header.
Authorization: Bearer <GENERATED_TOKEN>
The secret/token can be updated using the `webhook-mod` command.
The generated token will include the following payload,
Where: iss - Issuer, exp - Expiry Time, sub - Event Type used as Subject, iat - Event Time used as Issue Time
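The shared-secret flow described above, as an added example that is not part of the bug report or of the gluster-eventsapi code: an HS256 JWT built with the iss/exp/sub/iat payload from stdlib only (no external JWT library), plus the receiver-side check with a constant-time signature compare and expiry test. The issuer name "gluster", the 60-second TTL and the secret/event values are assumed for illustration; the secret is normalised to bytes because a str (Unicode) secret is the failure mode noted later in this bug.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url encoding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_token(secret, event_type, event_time, issuer="gluster", ttl=60):
    """Sender side: HS256 JWT with the payload fields listed in the bug (iss, exp, sub, iat)."""
    # HMAC needs a bytes key; a str (Unicode) secret is the class of bug noted in this report.
    if isinstance(secret, str):
        secret = secret.encode("utf-8")
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": event_type, "iat": event_time, "exp": event_time + ttl}
    signing_input = _b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + \
        _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    # Goes on the wire as "Authorization: Bearer <this value>"
    return signing_input + "." + _b64url(sig)


def verify_token(secret, token, now=None):
    """Receiver side: returns the payload dict if the signature and expiry check out, else None."""
    if isinstance(secret, str):
        secret = secret.encode("utf-8")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # only accept the algorithm we agreed on
            return None
        expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if (time.time() if now is None else now) >= payload.get("exp", 0):
            return None
    except (ValueError, TypeError, AttributeError):  # malformed token, bad base64/JSON
        return None
    return payload
```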
Upstream patch posted: https://review.gluster.org/#/c/18405
Another patch sent upstream which fixes the external library dependency issue.
Root-caused the issue; it is due to the secret being stored as a Unicode string. I will work on it and send a patch by tomorrow.
Upstream patch: https://review.gluster.org/#/c/19900/
Updated the doc text. Kindly review and confirm.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.