feat: add SendGrid Event Webhook signature verifier#26
Merged
Conversation
Adds a `sendgrid` verifier type that authenticates SendGrid Event Webhook (and Inbound Parse) deliveries using ECDSA P-256 over SHA-256 of `timestamp + payload`. The public key is supplied as PEM or as the base64-encoded DER (SubjectPublicKeyInfo) shown in the SendGrid UI. An optional `max_timestamp_age` enables replay protection. Closes #25
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Docker Images BuiltImages are available for testing: # gatekeeperd
docker pull ghcr.io/tight-line/gatekeeperd:pr-26-6318176
# gatekeeper-relay
docker pull ghcr.io/tight-line/gatekeeper-relay:pr-26-6318176docker-compose.ymlGATEKEEPERD_IMAGE=ghcr.io/tight-line/gatekeeperd:pr-26-6318176 \
RELAY_IMAGE=ghcr.io/tight-line/gatekeeper-relay:pr-26-6318176 \
docker-compose --profile relay upHelm (values override)image:
repository: ghcr.io/tight-line/gatekeeperd # or gatekeeper-relay
tag: "pr-26-6318176"Images expire ~15 days after PR closes. |
|
Same fix sgotel just got. Previously every gatekeeperd/gatekeeper-relay
image (0.1.0 through 0.2.11) reported "0.1.0" at startup because:
- The Dockerfile and Dockerfile.relay built with `go build` and no ldflags.
- Neither release.yml nor pr-images.yml passed any build-args.
- cmd/gatekeeperd/main.go (and the relay equivalent) hard-coded
`var version = "0.1.0"`.
So `make-tag` would tag, Chart.yaml would bump, but the resulting binary
would lie about its version forever after.
Changes:
- Dockerfile / Dockerfile.relay: ARG VERSION=dev plus
-trimpath -ldflags="-s -w -X main.version=${VERSION}" on the go build.
- release.yml: pass build-args VERSION=${{steps.meta.outputs.VERSION}}
on all 4 docker/build-push-action steps (gatekeeperd + relay, amd64-
fast + multi-arch).
- pr-images.yml: same, using TAG (pr-N-<sha>) so PR builds also report
a useful version string.
- cmd/{gatekeeperd,gatekeeper-relay}/main.go: default `var version` to
"dev" so an unset-ldflags build is honest about being unstamped.
Verified locally:
go build -ldflags "-X main.version=test-0.2.12" -o /tmp/gatekeeperd ./cmd/gatekeeperd
/tmp/gatekeeperd → "gatekeeperd test-0.2.12"
Bundled with the SendGrid verifier PR since both want to ship together;
this PR's title remains accurate.
…ings Snyk flagged a critical vulnerability in golang.org/x/net/idna@0.48.0 (Improper Authentication, SNYK-GOLANG-GOLANGORGXNETIDNA-17116876, fixed in 0.54.0). Pulled in transitively through golang.org/x/crypto/acme/autocert. Bumps: - golang.org/x/net 0.48.0 → 0.56.0 - golang.org/x/crypto 0.47.0 → 0.53.0 - golang.org/x/sys 0.40.0 → 0.46.0 - golang.org/x/text 0.33.0 → 0.38.0 `make check` still passes (98.9% coverage, 0 lint, build OK).
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
sendgridverifier type for SendGrid Event Webhook (and Inbound Parse) authenticationSHA256(timestamp + raw_body), base64(ASN.1 DER) encoded inX-Twilio-Email-Event-Webhook-Signaturemax_timestamp_ageenables replay protectionconfigmap.yaml, the example config, and theconfigure-routeskillCloses #25
Test plan
make check— lint, 100% coverage in touched packages, both binaries buildhelm lint charts/gatekeeperdcleanmax_timestamp_age=0skip path, and key-parsing error branches (empty, garbage, non-DER, RSA, wrong curve)Bundled: VERSION binding fix
Alongside the SendGrid verifier this PR now also threads the build-time VERSION through to both binaries so released images stop reporting
0.1.0regardless of their tag.Files touched by this second commit (
d008531):Dockerfile,Dockerfile.relay: addARG VERSION=devand-trimpath -ldflags="-s -w -X main.version=${VERSION}"ongo build..github/workflows/release.yml: passbuild-args: VERSION=${{ steps.meta.outputs.VERSION }}on all fourdocker/build-push-actionsteps..github/workflows/pr-images.yml: same, using the existingTAGoutput (pr-N-<sha>).cmd/gatekeeperd/main.go,cmd/gatekeeper-relay/main.go: defaultvar versionto"dev"(was"0.1.0").Verified locally:
make checkpasses at 98.9% coverage.