feat(api): add webhook validation and parsing (#111)

* add webhook helpers

* add webhook helpers

* pr comments

* Apply suggestions from code review

Co-authored-by: Tomer Aberbach <tomer@aberba.ch>

* refactor tests

---------

Co-authored-by: David Meadows <dtmeadows@stainlessapi.com>
Co-authored-by: Tomer Aberbach <tomer@aberba.ch>

Author: 3 people

README.md

@@ -224,6 +224,18 @@ while (page != null) {
 
 ---
 
+## Webhook Verification
+
+We provide helper methods for verifying that a webhook request came from Orb, and not a malicious third party.
+
+You can use `orb.webhooks().verifySignature(body, headers, secret?)` or `orb.webhooks().unwrap(body, headers, secret?)`,
+both of which will raise an error if the signature is invalid.
+
+Note that the `body` parameter must be the raw JSON string sent from the server (do not parse it first).
+The `.unwrap()` method can parse this JSON for you.
+
+---
+
 ## Error handling
 
 This library throws exceptions in a single hierarchy for easy handling:

orb-java-core/src/main/kotlin/com/withorb/api/client/OrbClient.kt

@@ -34,4 +34,6 @@ interface OrbClient {
     fun subscriptions(): SubscriptionService
 
     fun alerts(): AlertService
+
+    fun webhooks(): WebhookService
 }

orb-java-core/src/main/kotlin/com/withorb/api/client/OrbClientImpl.kt

@@ -59,6 +59,8 @@ constructor(
 
     private val alerts: AlertService by lazy { AlertServiceImpl(clientOptionsWithUserAgent) }
 
+    private val webhooks: WebhookService by lazy { WebhookServiceImpl(clientOptions) }
+
     override fun async(): OrbClientAsync = async
 
     override fun topLevel(): TopLevelService = topLevel
@@ -86,4 +88,6 @@ constructor(
     override fun subscriptions(): SubscriptionService = subscriptions
 
     override fun alerts(): AlertService = alerts
+
+    override fun webhooks(): WebhookService = webhooks
 }

orb-java-core/src/main/kotlin/com/withorb/api/core/Utils.kt

@@ -2,6 +2,7 @@
 
 package com.withorb.api.core
 
+import com.withorb.api.core.http.Headers
 import com.withorb.api.errors.OrbInvalidDataException
 import java.util.Collections
 import java.util.SortedMap
@@ -23,4 +24,8 @@ internal fun <K : Comparable<K>, V> SortedMap<K, V>.toImmutable(): SortedMap<K,
     if (isEmpty()) Collections.emptySortedMap()
     else Collections.unmodifiableSortedMap(toSortedMap(comparator()))
 
+@JvmSynthetic
+internal fun Headers.getRequiredHeader(name: String): String =
+    values(name).firstOrNull() ?: throw OrbInvalidDataException("Could not find $name header")
+
 internal interface Enum

orb-java-core/src/main/kotlin/com/withorb/api/services/blocking/WebhookService.kt

@@ -0,0 +1,13 @@
+// File generated from our OpenAPI spec by Stainless.
+
+package com.withorb.api.services.blocking
+
+import com.withorb.api.core.JsonValue
+import com.withorb.api.core.http.Headers
+
+interface WebhookService {
+
+    fun unwrap(payload: String, headers: Headers, secret: String?): JsonValue
+
+    fun verifySignature(payload: String, headers: Headers, secret: String?)
+}

orb-java-core/src/main/kotlin/com/withorb/api/services/blocking/WebhookServiceImpl.kt

@@ -0,0 +1,98 @@
+// File generated from our OpenAPI spec by Stainless.
+
+package com.withorb.api.services.blocking
+
+import com.fasterxml.jackson.core.JsonProcessingException
+import com.withorb.api.core.ClientOptions
+import com.withorb.api.core.JsonValue
+import com.withorb.api.core.getRequiredHeader
+import com.withorb.api.core.http.Headers
+import com.withorb.api.errors.OrbException
+import java.security.MessageDigest
+import java.time.Duration
+import java.time.Instant
+import java.time.LocalDateTime
+import java.time.ZoneOffset
+import java.util.*
+import javax.crypto.Mac
+import javax.crypto.spec.SecretKeySpec
+
+private const val SIGNATURE_HEADER = "X-Orb-Signature"
+private const val TIMESTAMP_HEADER = "X-Orb-Timestamp"
+private const val MAX_TIMESTAMP_AGE_MINUTES = 5L
+private const val SIGNATURE_ALGORITHM = "HmacSHA256"
+private const val SIGNATURE_VERSION = "v1"
+private const val SIGNATURE_DELIMITER = " "
+private const val SIGNATURE_KEY_VALUE_DELIMITER = "="
+
+class WebhookServiceImpl
+constructor(
+    private val clientOptions: ClientOptions,
+) : WebhookService {
+    @kotlin.ExperimentalStdlibApi
+    override fun unwrap(payload: String, headers: Headers, secret: String?): JsonValue {
+        verifySignature(payload, headers, secret)
+        return try {
+            clientOptions.jsonMapper.readValue(payload, JsonValue::class.java)
+        } catch (e: JsonProcessingException) {
+            throw OrbException("Invalid event payload", e)
+        }
+    }
+
+    @kotlin.ExperimentalStdlibApi
+    override fun verifySignature(payload: String, headers: Headers, secret: String?) {
+        val webhookSecret =
+            secret
+                ?: clientOptions.webhookSecret
+                ?: throw OrbException(
+                    "The webhook secret must either be set using the env var, ORB_WEBHOOK_SECRET, on the client class, or passed to this method"
+                )
+
+        val msgSignature = headers.getRequiredHeader(SIGNATURE_HEADER)
+        val msgTimestamp = headers.getRequiredHeader(TIMESTAMP_HEADER)
+
+        val timestamp =
+            try {
+                LocalDateTime.parse(msgTimestamp).toInstant(ZoneOffset.UTC)
+            } catch (e: RuntimeException) {
+                throw OrbException("Invalid timestamp header", e)
+            }
+        val now = Instant.now(clientOptions.clock)
+
+        if (timestamp.isBefore(now.minus(Duration.ofMinutes(MAX_TIMESTAMP_AGE_MINUTES)))) {
+            throw OrbException("Webhook timestamp too old")
+        }
+        if (timestamp.isAfter(now.plus(Duration.ofMinutes(MAX_TIMESTAMP_AGE_MINUTES)))) {
+            throw OrbException("Webhook timestamp too new")
+        }
+
+        val mac = Mac.getInstance(SIGNATURE_ALGORITHM)
+        mac.init(SecretKeySpec(webhookSecret.toByteArray(Charsets.UTF_8), SIGNATURE_ALGORITHM))
+
+        val expectedSignature =
+            mac.doFinal("v1:${msgTimestamp}:$payload".toByteArray(Charsets.UTF_8)).toHexString()
+
+        msgSignature.splitToSequence(SIGNATURE_DELIMITER).forEach {
+            val parts = it.split(SIGNATURE_KEY_VALUE_DELIMITER)
+            if (parts.size != 2) {
+                return@forEach
+            }
+
+            if (parts[0] != SIGNATURE_VERSION) {
+                return@forEach
+            }
+            val actualSignature = parts[1].toByteArray(Charsets.UTF_8)
+
+            if (
+                MessageDigest.isEqual(
+                    actualSignature,
+                    expectedSignature.toByteArray(Charsets.UTF_8)
+                )
+            ) {
+                return
+            }
+        }
+
+        throw OrbException("None of the given webhook signatures match the expected signature")
+    }
+}

orb-java-core/src/test/kotlin/com/withorb/api/services/blocking/WebhookServiceTest.kt

@@ -0,0 +1,177 @@
+package com.withorb.api.services.blocking
+
+import com.withorb.api.client.okhttp.OrbOkHttpClient
+import com.withorb.api.core.http.Headers
+import com.withorb.api.errors.OrbException
+import com.withorb.api.models.*
+import java.time.Clock
+import java.time.Instant
+import java.time.LocalDateTime
+import java.time.ZoneOffset
+import java.time.format.DateTimeFormatter
+import org.assertj.core.api.Assertions.*
+import org.junit.jupiter.api.Test
+
+internal class WebhookServiceTest {
+    companion object {
+        const val API_KEY = "test-api-key"
+        const val WEBHOOK_SECRET =
+            "9d25de966891ab0bc18754faf8d83d0980b44ae330fcc130b41a6cf3daf1f391"
+        const val SIGNATURE = "9d25de966891ab0bc18754faf8d83d0980b44ae330fcc130b41a6cf3daf1f391"
+        const val SECRET = "c-UGKYdnhHh436B_sMouYAPUvXyWpzOdunZBV5dFSD8"
+        const val WEBHOOK_TIMESTAMP = "2024-03-27T15:42:29.551"
+        val FIXED_CLOCK = Clock.fixed(Instant.parse("2024-03-27T15:42:29+00:00"), ZoneOffset.UTC)
+        val WEBHOOK_TIMESTAMP_INSTANT =
+            LocalDateTime.parse(WEBHOOK_TIMESTAMP).toInstant(ZoneOffset.UTC)
+
+        const val PAYLOAD =
+            "{\"id\": \"o4mmewpfNNTnjfZc\", \"created_at\": \"2024-03-27T15:42:29+00:00\", \"type\": \"resource_event.test\", \"properties\": {\"message\": \"A test webhook from Orb. Happy testing!\"}}"
+    }
+
+    private fun buildClient() =
+        OrbOkHttpClient.builder()
+            .apiKey(API_KEY)
+            .webhookSecret(WEBHOOK_SECRET)
+            .clock(FIXED_CLOCK)
+            .build()
+
+    private fun buildHeaders(signature: String = SIGNATURE, timestamp: String = WEBHOOK_TIMESTAMP) =
+        Headers.builder()
+            .put("X-Orb-Timestamp", timestamp)
+            .put("X-Orb-Signature", "v1=$signature")
+            .build()
+
+    @Test
+    fun unwrap() {
+        val client = buildClient()
+        val headers = buildHeaders()
+        val event = client.webhooks().unwrap(PAYLOAD, headers, SECRET)
+
+        assertThat(event).isNotNull()
+    }
+
+    @Test
+    fun verifySignatureHappyPath() {
+        val client = buildClient()
+        val headers = buildHeaders()
+
+        // Happy path
+        assertThatCode { client.webhooks().verifySignature(PAYLOAD.trimIndent(), headers, SECRET) }
+            .doesNotThrowAnyException()
+    }
+
+    @Test
+    fun verifySignatureFailsWhenTimestampIsTooOld() {
+        val client = buildClient()
+        // Timestamp too old
+        assertThatThrownBy {
+                client
+                    .webhooks()
+                    .verifySignature(
+                        PAYLOAD.trimIndent(),
+                        buildHeaders(
+                            timestamp =
+                                WEBHOOK_TIMESTAMP_INSTANT.minusSeconds(1000)
+                                    .atOffset(ZoneOffset.UTC)
+                                    .format(DateTimeFormatter.ISO_LOCAL_DATE_TIME)
+                        ),
+                        SECRET
+                    )
+            }
+            .isInstanceOf(OrbException::class.java)
+            .hasMessage("Webhook timestamp too old")
+    }
+
+    @Test
+    fun verifySignatureFailsWhenTimestampIsTooNew() {
+        val client = buildClient()
+        // Timestamp too new
+        assertThatThrownBy {
+                client
+                    .webhooks()
+                    .verifySignature(
+                        PAYLOAD.trimIndent(),
+                        buildHeaders(
+                            timestamp =
+                                WEBHOOK_TIMESTAMP_INSTANT.plusSeconds(1000)
+                                    .atOffset(ZoneOffset.UTC)
+                                    .format(DateTimeFormatter.ISO_LOCAL_DATE_TIME)
+                        ),
+                        SECRET
+                    )
+            }
+            .isInstanceOf(OrbException::class.java)
+            .hasMessage("Webhook timestamp too new")
+    }
+
+    @Test
+    fun verifySignatureFailsWithIncorrectSecret() {
+        val client = buildClient()
+        val headers = buildHeaders()
+        // Invalid secrets
+        assertThatThrownBy {
+                client.webhooks().verifySignature(PAYLOAD.trimIndent(), headers, "invalid-secret")
+            }
+            .isInstanceOf(OrbException::class.java)
+            .hasMessage("None of the given webhook signatures match the expected signature")
+
+        assertThatThrownBy {
+                client.webhooks().verifySignature(PAYLOAD.trimIndent(), headers, "Zm9v")
+            }
+            .isInstanceOf(OrbException::class.java)
+            .hasMessage("None of the given webhook signatures match the expected signature")
+    }
+
+    fun verifySignatureSucceedsWithMultipleSignatures() {
+        val client = buildClient()
+        // Multiple signatures
+        assertThatCode {
+                client
+                    .webhooks()
+                    .verifySignature(
+                        PAYLOAD.trimIndent(),
+                        buildHeaders(signature = "$SIGNATURE v1=Zm9v"),
+                        SECRET
+                    )
+            }
+            .doesNotThrowAnyException()
+        assertThatCode {
+                client
+                    .webhooks()
+                    .verifySignature(
+                        PAYLOAD.trimIndent(),
+                        buildHeaders(signature = "v1=$SIGNATURE v2=$SIGNATURE"),
+                        SECRET
+                    )
+            }
+            .doesNotThrowAnyException()
+    }
+
+    @Test
+    fun verifySignatureFailsWithIncorrectSignatureVersion() {
+        val client = buildClient()
+        assertThatThrownBy {
+                client
+                    .webhooks()
+                    .verifySignature(
+                        PAYLOAD.trimIndent(),
+                        buildHeaders(signature = "v2=$SIGNATURE"),
+                        SECRET
+                    )
+            }
+            .isInstanceOf(OrbException::class.java)
+            .hasMessage("None of the given webhook signatures match the expected signature")
+    }
+
+    @Test
+    fun verifySignatureFailsWithMissingHeaders() {
+        val client = buildClient()
+
+        val headers = Headers.builder().put("X-Orb-Signature", "v1=$SIGNATURE").build()
+        assertThatThrownBy {
+                client.webhooks().verifySignature(PAYLOAD.trimIndent(), headers, SECRET)
+            }
+            .isInstanceOf(OrbException::class.java)
+            .hasMessage("Could not find X-Orb-Timestamp header")
+    }
+}