Red Hat Bugzilla – Bug 1466129
Add generated HMAC token in header for webhook calls
Last modified: 2018-02-26 08:37:08 EST
Description of problem:
Currently, there's no way to ascertain the identity/validity of webhook requests sent by gluster-eventsd. If a header was added that contains an HMAC token generated using the content and a secret key, this would ensure that the server can validate that the request is genuine before processing the event.
Version-Release number of selected component (if applicable):
As discussed over IRC, the Events API will implement JWT (JSON Web Tokens). An additional argument will be added to the webhook-add command to accept the secret which is required to generate the JWT.
gluster-eventsapi webhook-add <url> [--token <TOKEN>] \
For the shared secret approach use `--secret`, and for the shared token approach use `--token`. With the `--token` argument, the token header will be added as is.
Authorization: Bearer <TOKEN>
In case of shared secret, Gluster will generate JWT token using the secret and then add it to Authorization header.
Authorization: Bearer <GENERATED_TOKEN>
Secret/Token can be updated using `webhook-mod` command.
Generated token will include the following payload,
Where: iss - Issuer, exp - Expiry Time, sub - Event Type used as Subject, iat - Event Time used as Issue Time
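Added example, not code from gluster-eventsapi or the patch linked below: a standard-library-only sketch of how a sender can build an HS256 JWT carrying the four claims listed above from the shared secret, and how a webhook receiver should validate it (signature, algorithm and expiry) before processing the event. The issuer string "gluster", the HS256 algorithm and the 300-second lifetime are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url encoding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_event_token(secret: str, event_type: str, event_time: int, ttl: int = 300) -> str:
    """Sender side: value for 'Authorization: Bearer <GENERATED_TOKEN>'."""
    header = {"alg": "HS256", "typ": "JWT"}  # algorithm assumed for the example
    payload = {"iss": "gluster",  # assumed issuer string
               "sub": event_type,  # event type as subject
               "iat": event_time,  # event time as issue time
               "exp": event_time + ttl}  # expiry bounds replay of a captured call
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_event_token(secret: str, token: str, now: int) -> dict:
    """Receiver side: return the claims, or raise ValueError if the token is not genuine."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never trust 'alg' from the token (e.g. 'none') to pick the check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

Pass `now` explicitly so the receiver's clock source is visible in tests; in production use `int(time.time())`.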
Upstream patch posted https://review.gluster.org/#/c/18405
Another patch sent to Upstream which fixes the external library dependency issue.