make it generic

mathieuancelin · mathieuancelin · commit 6ad760d33d8e · 2026-02-26T11:13:19.000+01:00
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -1,23 +1,23 @@
-# Contributing to otoroshi-plugin-yousign-webhook-validator
+# Contributing to otoroshi-plugin-webhook-validator
 
-These guidelines apply to all projects living in the the `cloud-apim/otoroshi-plugin-yousign-webhook-validator` repository.
+These guidelines apply to all projects living in the the `cloud-apim/otoroshi-plugin-webhook-validator` repository.
 
 These guidelines are meant to be a living document that should be changed and adapted as needed.
 We encourage changes that make it easier to achieve our goals in an efficient way.
 
 ## Codebase
 
-* [src](https://github.com/cloud-apim/otoroshi-plugin-yousign-webhook-validator/src): contains the otoroshi-plugin-yousign-webhook-validator sources and tests
+* [src](https://github.com/cloud-apim/otoroshi-plugin-webhook-validator/src): contains the otoroshi-plugin-webhook-validator sources and tests
 
 ## Workflow
 
 The steps below describe how to get a patch into a main development branch (e.g. `maon`). 
 The steps are exactly the same for everyone involved in the project (be it core team, or first time contributor).
 We follow the standard GitHub [fork & pull](https://help.github.com/articles/using-pull-requests/#fork--pull) approach to pull requests. Just fork the official repo, develop in a branch, and submit a PR!
 
-1. To avoid duplicated effort, it might be good to check the [issue tracker](https://github.com/cloud-apim/otoroshi-plugin-yousign-webhook-validator/issues) and [existing pull requests](https://github.com/cloud-apim/otoroshi-plugin-yousign-webhook-validator/pulls) for existing work.
-   - If there is no ticket yet, feel free to [create one](https://github.com/cloud-apim/otoroshi-plugin-yousign-webhook-validator/issues/new) to discuss the problem and the approach you want to take to solve it.
-1. [Fork the project](https://github.com/cloud-apim/otoroshi-plugin-yousign-webhook-validator#fork-destination-box) on GitHub. You'll need to create a feature-branch for your work on your fork, as this way you'll be able to submit a pull request against the mainline otoroshi-plugin-yousign-webhook-validator.
+1. To avoid duplicated effort, it might be good to check the [issue tracker](https://github.com/cloud-apim/otoroshi-plugin-webhook-validator/issues) and [existing pull requests](https://github.com/cloud-apim/otoroshi-plugin-webhook-validator/pulls) for existing work.
+   - If there is no ticket yet, feel free to [create one](https://github.com/cloud-apim/otoroshi-plugin-webhook-validator/issues/new) to discuss the problem and the approach you want to take to solve it.
+1. [Fork the project](https://github.com/cloud-apim/otoroshi-plugin-webhook-validator#fork-destination-box) on GitHub. You'll need to create a feature-branch for your work on your fork, as this way you'll be able to submit a pull request against the mainline otoroshi-plugin-webhook-validator.
 1. Create a branch on your fork and work on the feature. For example: `git checkout -b wip-awesome-new-feature`
    - Please make sure to follow the general quality guidelines (specified below) when developing your patch.
    - Please write additional tests covering your feature and adjust existing ones if needed before submitting your pull request. 
@@ -32,7 +32,7 @@ We follow the standard GitHub [fork & pull](https://help.github.com/articles/usi
 
 The TL;DR; of the above very precise workflow version is:
 
-1. Fork otoroshi-plugin-yousign-webhook-validator
+1. Fork otoroshi-plugin-webhook-validator
 2. Hack and test on your feature (on a branch)
 3. Document it 
 4. Submit a PR
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,4 +1,4 @@
-name: release-otoroshi-plugin-yousign-webhook-validator
+name: release-otoroshi-plugin-webhook-validator
 
 on: 
   workflow_dispatch:
@@ -26,15 +26,15 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           sbt ';compile;package;assembly'
-          rm ./target/scala-2.12/otoroshi-plugin-yousign-webhook-validator_2.12-${{ inputs.version }}.jar 
-          mv ./target/scala-2.12/otoroshi-plugin-yousign-webhook-validator-assembly_2.12-dev.jar ./target/scala-2.12/otoroshi-plugin-yousign-webhook-validator_2.12-${{ inputs.version }}.jar
+          rm ./target/scala-2.12/otoroshi-plugin-webhook-validator_2.12-${{ inputs.version }}.jar 
+          mv ./target/scala-2.12/otoroshi-plugin-webhook-validator-assembly_2.12-dev.jar ./target/scala-2.12/otoroshi-plugin-webhook-validator_2.12-${{ inputs.version }}.jar
       - name: Generate SHA-256
         run: |
-          shasum -a 256 ./target/scala-2.12/otoroshi-plugin-yousign-webhook-validator_2.12-${{ inputs.version }}.jar | cut -d ' ' -f 1 > ./target/scala-2.12/otoroshi-plugin-yousign-webhook-validator_2.12-${{ inputs.version }}.jar.sha256
+          shasum -a 256 ./target/scala-2.12/otoroshi-plugin-webhook-validator_2.12-${{ inputs.version }}.jar | cut -d ' ' -f 1 > ./target/scala-2.12/otoroshi-plugin-webhook-validator_2.12-${{ inputs.version }}.jar.sha256
       - name: Release binary and SHA-256 checksum to GitHub
         uses: softprops/action-gh-release@v1
         with:
           tag_name: ${{ inputs.version }}
           files: |
-            ./target/scala-2.12/otoroshi-plugin-yousign-webhook-validator_2.12-${{ inputs.version }}.jar
-            ./target/scala-2.12/otoroshi-plugin-yousign-webhook-validator_2.12-${{ inputs.version }}.jar.sha256
+            ./target/scala-2.12/otoroshi-plugin-webhook-validator_2.12-${{ inputs.version }}.jar
+            ./target/scala-2.12/otoroshi-plugin-webhook-validator_2.12-${{ inputs.version }}.jar.sha256
diff --git a/SECURITY.md b/SECURITY.md
@@ -1,11 +1,11 @@
 # Security Policy
 
-We strongly advise you to update your otoroshi-plugin-yousign-webhook-validator usage as soon as a new version is released.
+We strongly advise you to update your otoroshi-plugin-webhook-validator usage as soon as a new version is released.
 
 ## Supported Versions
 
 Each version is supported until the next one is released
 
 ## Reporting a Vulnerability
 
-We want to keep otoroshi-plugin-yousign-webhook-validator safe for everyone. If you've discovered a security vulnerability in otoroshi-plugin-yousign-webhook-validator, we appreciate your help in disclosing it to us in a responsible manner by using the dedicated [github form](https://github.com/cloud-apim/otoroshi-plugin-yousign-webhook-validator/security) or by sending an email to [security@cloud-apim.com](mailto:security@cloud-apim.com) containing your name, an email address, a description of the vulnerability, the impacted versions of otoroshi-plugin-yousign-webhook-validator. You can encrypt the email content using [this pgp key](https://mathieuancelin.keybase.pub/pgp_key.asc)
+We want to keep otoroshi-plugin-webhook-validator safe for everyone. If you've discovered a security vulnerability in otoroshi-plugin-webhook-validator, we appreciate your help in disclosing it to us in a responsible manner by using the dedicated [github form](https://github.com/cloud-apim/otoroshi-plugin-webhook-validator/security) or by sending an email to [security@cloud-apim.com](mailto:security@cloud-apim.com) containing your name, an email address, a description of the vulnerability, the impacted versions of otoroshi-plugin-webhook-validator. You can encrypt the email content using [this pgp key](https://mathieuancelin.keybase.pub/pgp_key.asc)
diff --git a/build.sbt b/build.sbt
@@ -11,9 +11,9 @@ lazy val excludesSlf4j = Seq(
 
 lazy val root = (project in file("."))
   .settings(
-    name := "otoroshi-plugin-yousign-webhook-validator",
+    name := "otoroshi-plugin-webhook-validator",
     assembly / test  := {},
-    assembly / assemblyJarName := "otoroshi-plugin-yousign-webhook-validator-assembly_2.12-dev.jar",
+    assembly / assemblyJarName := "otoroshi-plugin-webhook-validator-assembly_2.12-dev.jar",
     libraryDependencies ++= Seq(
       "fr.maif" %% "otoroshi" % "17.13.0" % "provided",
       munit % Test
diff --git a/readme.md b/readme.md
@@ -1,10 +1,10 @@
-# Cloud APIM – YouSign Webhook Validator – Otoroshi plugin
+# Cloud APIM – Webhook Validator – Otoroshi plugin
 
-An [Otoroshi](https://github.com/MAIF/otoroshi) plugin that validates [YouSign](https://developers.yousign.com/docs/use-webhooks-in-your-app) webhook payloads before they reach your backend.
+An [Otoroshi](https://github.com/MAIF/otoroshi) plugin that validates webhook payloads before they reach your backend using body payload signature validation.
 
 ## How it works
 
-The plugin is provider-agnostic: the signature header, HMAC algorithm and prefix are all configurable. Out of the box it is pre-configured for YouSign, whose webhooks include an `X-Yousign-Signature-256` header containing an HMAC-SHA256 hash of the raw request body prefixed with `sha256=`.
+The plugin is provider-agnostic: the signature header, HMAC algorithm and prefix are all configurable.
 
 The plugin:
 
@@ -50,10 +50,10 @@ $ curl -X POST 'http://otoroshi-api.oto.tools:8080/api/routes' \
 
 ## Plugin configuration
 
-| Field              | Type     | Required | Default                    | Description                                                                          |
-|--------------------|----------|----------|----------------------------|--------------------------------------------------------------------------------------|
-| `secret`           | `string` | yes      | –                          | The HMAC secret shared with the webhook provider (e.g. YouSign webhook secret).      |
-| `signature_header` | `string` | no       | `X-Yousign-Signature-256`  | Name of the HTTP header that carries the signature.                                  |
+| Field              | Type     | Required | Default                    | Description                                                                         |
+|--------------------|----------|----------|----------------------------|-------------------------------------------------------------------------------------|
+| `secret`           | `string` | yes      | –                          | The HMAC secret shared with the webhook provider.      |
+| `signature_header` | `string` | no       | `X-Yousign-Signature-256`  | Name of the HTTP header that carries the signature.                                 |
 | `algorithm`        | `string` | no       | `HmacSHA256`               | Java HMAC algorithm name. Supported values: `HmacSHA256`, `HmacSHA512`, `HmacSHA384`, `HmacSHA1`. |
 | `prefix`           | `string` | no       | derived from `algorithm`   | String prepended to the hex hash before comparison (e.g. `sha256=`). Defaults are derived automatically from the chosen algorithm. |
 
@@ -84,30 +84,17 @@ $ curl -X POST 'http://otoroshi-api.oto.tools:8080/api/routes' \
 | `401 Unauthorized` | `{ "error": "invalid signature" }` | The computed HMAC does not match the header value. |
 | `401 Unauthorized` | `{ "error": "webhook secret not configured" }` | The plugin `secret` field is empty. |
 
-## YouSign webhook headers
-
-The following headers are sent by YouSign on every webhook call:
-
-| Header | Description |
-|--------|-------------|
-| `X-Yousign-Signature-256` | `sha256=<hmac-sha256 hex>` – used by this plugin for payload authentication |
-| `X-Yousign-Retry` | Retry attempt counter (0 for the first delivery) |
-| `X-Yousign-Issued-At` | Timestamp of webhook transmission |
-| `Content-Type` | Always `application/json` |
-| `User-Agent` | Always `Yousign Webhook Bot` |
 
 ## Security notes
 
 - The plugin uses **constant-time byte comparison** (`MessageDigest.isEqual`) to prevent timing-based side-channel attacks.
-- YouSign only delivers webhooks over **HTTPS**; make sure your Otoroshi route is exposed on a TLS-enabled domain.
-- YouSign webhooks originate from the following CIDRs: `5.39.7.128/28`, `52.143.162.31`, `51.103.81.166`. You can add an Otoroshi IP allowlist plugin alongside this one for defence-in-depth.
 
 ## Build
 
 ```shell
 sbt assembly
 ```
 
-The resulting jar is placed in `target/scala-2.12/otoroshi-plugin-yousign-webhook-validator-assembly_2.12-dev.jar`.
+The resulting jar is placed in `target/scala-2.12/otoroshi-plugin-webhook-validator-assembly_2.12-dev.jar`.
 
 Copy it to your Otoroshi `plugins/` directory (or reference it via the classpath loader) and restart Otoroshi.
diff --git a/src/main/scala/com/cloud/apim/otoroshi/plugins/webhook/validator.scala b/src/main/scala/com/cloud/apim/otoroshi/plugins/webhook/validator.scala
@@ -1,4 +1,4 @@
-package otoroshi_plugins.com.cloud.apim.otoroshi.plugins.yousign
+package otoroshi_plugins.com.cloud.apim.otoroshi.plugins.webhook
 
 import akka.stream.Materializer
 import akka.stream.scaladsl.Source
@@ -17,31 +17,31 @@ import javax.crypto.spec.SecretKeySpec
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Success, Try}
 
-case class YouSignWebhookValidatorConfig(
+case class WebhookValidatorConfig(
   secret: String          = "",
   signatureHeader: String = "X-Yousign-Signature-256",
   algorithm: String       = "HmacSHA256",
   prefix: String          = "sha256=",
 ) extends NgPluginConfig {
-  def json: JsValue = YouSignWebhookValidatorConfig.format.writes(this)
+  def json: JsValue = WebhookValidatorConfig.format.writes(this)
 }
 
-object YouSignWebhookValidatorConfig {
-  val default: YouSignWebhookValidatorConfig = YouSignWebhookValidatorConfig()
-  val format: Format[YouSignWebhookValidatorConfig] = new Format[YouSignWebhookValidatorConfig] {
-    override def writes(o: YouSignWebhookValidatorConfig): JsValue = Json.obj(
+object WebhookValidatorConfig {
+  val default: WebhookValidatorConfig = WebhookValidatorConfig()
+  val format: Format[WebhookValidatorConfig] = new Format[WebhookValidatorConfig] {
+    override def writes(o: WebhookValidatorConfig): JsValue = Json.obj(
       "secret"           -> o.secret,
       "signature_header" -> o.signatureHeader,
       "algorithm"        -> o.algorithm,
       "prefix"           -> o.prefix,
     )
-    override def reads(json: JsValue): JsResult[YouSignWebhookValidatorConfig] = Try {
+    override def reads(json: JsValue): JsResult[WebhookValidatorConfig] = Try {
       val algo = json.select("algorithm").asOpt[String].getOrElse("HmacSHA256")
-      YouSignWebhookValidatorConfig(
+      WebhookValidatorConfig(
         secret          = json.select("secret").asOpt[String].getOrElse(""),
         signatureHeader = json.select("signature_header").asOpt[String].getOrElse("X-Yousign-Signature-256"),
         algorithm       = algo,
-        prefix          = json.select("prefix").asOpt[String].getOrElse(YouSignWebhookValidatorConfig.defaultPrefix(algo)),
+        prefix          = json.select("prefix").asOpt[String].getOrElse(WebhookValidatorConfig.defaultPrefix(algo)),
       )
     } match {
       case Failure(e) => JsError(e.getMessage)
@@ -78,21 +78,21 @@ object YouSignWebhookValidatorConfig {
   ))
 }
 
-class YouSignWebhookValidator extends NgRequestTransformer {
+class WebhookPayloadValidator extends NgRequestTransformer {
 
-  private val logger = Logger("otoroshi-cloud-apim-yousign-webhook-validator")
+  private val logger = Logger("otoroshi-cloud-apim-webhook-payload-validator")
 
   override def steps: Seq[NgStep]                          = Seq(NgStep.TransformRequest)
   override def categories: Seq[NgPluginCategory]           = Seq(NgPluginCategory.AccessControl, NgPluginCategory.Custom("Cloud APIM"))
   override def visibility: NgPluginVisibility              = NgPluginVisibility.NgUserLand
   override def multiInstance: Boolean                      = true
   override def core: Boolean                               = false
-  override def name: String                                = "Cloud APIM - YouSign Webhook Validator"
-  override def description: Option[String]                 = Some("This plugin validates webhook payloads by verifying an HMAC signature. The header name, algorithm and prefix are all configurable (defaults to YouSign's X-Yousign-Signature-256 / HmacSHA256 / sha256=).")
-  override def defaultConfigObject: Option[NgPluginConfig] = Some(YouSignWebhookValidatorConfig.default)
+  override def name: String                                = "Cloud APIM - Webhook Payload Validator"
+  override def description: Option[String]                 = Some("This plugin validates webhook payloads by verifying an HMAC signature. The header name, algorithm and prefix are all configurable.")
+  override def defaultConfigObject: Option[NgPluginConfig] = Some(WebhookValidatorConfig.default)
   override def noJsForm: Boolean                           = false
-  override def configFlow: Seq[String]                     = YouSignWebhookValidatorConfig.configFlow
-  override def configSchema: Option[JsObject]              = YouSignWebhookValidatorConfig.configSchema
+  override def configFlow: Seq[String]                     = WebhookValidatorConfig.configFlow
+  override def configSchema: Option[JsObject]              = WebhookValidatorConfig.configSchema
 
   override def isTransformRequestAsync: Boolean            = true
   override def usesCallbacks: Boolean                      = false
@@ -101,7 +101,7 @@ class YouSignWebhookValidator extends NgRequestTransformer {
   override def transformsError: Boolean                    = false
 
   override def start(env: Env): Future[Unit] = {
-    env.logger.info("[Cloud APIM] the 'YouSign Webhook Validator' plugin is available !")
+    env.logger.info("[Cloud APIM] the 'Webhook Validator' plugin is available !")
     ().vfuture
   }
 
@@ -113,8 +113,7 @@ class YouSignWebhookValidator extends NgRequestTransformer {
   }
 
   override def transformRequest(ctx: NgTransformerRequestContext)(implicit env: Env, ec: ExecutionContext, mat: Materializer): Future[Either[Result, NgPluginHttpRequest]] = {
-    val config = ctx.cachedConfig(internalName)(YouSignWebhookValidatorConfig.format).getOrElse(YouSignWebhookValidatorConfig.default)
-
+    val config = ctx.cachedConfig(internalName)(WebhookValidatorConfig.format).getOrElse(WebhookValidatorConfig.default)
     if (config.secret.isEmpty) {
       logger.warn("[Webhook Validator] no secret configured, rejecting request")
       Left(Results.Unauthorized(Json.obj("error" -> "webhook secret not configured"))).vfuture
@@ -123,7 +122,6 @@ class YouSignWebhookValidator extends NgRequestTransformer {
         case None =>
           if (logger.isDebugEnabled) logger.debug(s"[Webhook Validator] missing ${config.signatureHeader} header")
           Left(Results.Unauthorized(Json.obj("error" -> s"missing ${config.signatureHeader} header"))).vfuture
-
         case Some(receivedSignature) =>
           ctx.otoroshiRequest.body.runFold(ByteString.empty)(_ ++ _).map { bodyBytes =>
             val computedHash      = computeHmac(config.algorithm, config.secret, bodyBytes)
@@ -133,7 +131,6 @@ class YouSignWebhookValidator extends NgRequestTransformer {
               logger.debug(s"[Webhook Validator] expected : $expectedSignature")
               logger.debug(s"[Webhook Validator] received : $receivedSignature")
             }
-
             // Constant-time comparison to prevent timing-attack side channels
             val expected = expectedSignature.getBytes("UTF-8")
             val received = receivedSignature.getBytes("UTF-8")
