add acceptance test for tailscale style webhooks

GrantBirki · GrantBirki · commit 401d85985ac2 · 2025-06-16T21:48:42.000-07:00
diff --git a/spec/acceptance/acceptance_tests.rb b/spec/acceptance/acceptance_tests.rb
@@ -52,6 +52,12 @@ def generate_slack_signature(payload, secret, timestamp)
     "v0=#{digest}"
   end
 
+  def generate_tailscale_signature(payload, secret, timestamp = unix_timestamp)
+    signing_payload = "#{timestamp}.#{payload}"
+    signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), secret, signing_payload)
+    "t=#{timestamp},v1=#{signature}"
+  end
+
   def current_timestamp
     Time.now.utc.iso8601
   end
@@ -520,5 +526,47 @@ def expired_unix_timestamp(seconds_ago = 600)
         expect(response.code).to eq("500")
       end
     end
+
+    describe "tailscale" do
+      it "successfully processes a valid POST request from a tailscale style webhook" do
+        payload = { event: "user.login", user: { id: "12345" } }
+        json_payload = payload.to_json
+        timestamp = unix_timestamp
+        signature = generate_tailscale_signature(json_payload, FAKE_ALT_HMAC_SECRET, timestamp)
+        headers = json_headers("Tailscale-Webhook-Signature" => signature)
+        response = make_request(:post, "/webhooks/tailscale", json_payload, headers)
+        expect_response(response, Net::HTTPSuccess)
+
+        body = parse_json_response(response)
+        expect(body["status"]).to eq("success")
+      end
+
+      it "rejects request with invalid signature" do
+        payload = { event: "user.login", user: { id: "12345" } }
+        json_payload = payload.to_json
+        headers = json_headers("Tailscale-Webhook-Signature" => "t=1663781880,v1=invalidsignature")
+        response = make_request(:post, "/webhooks/tailscale", json_payload, headers)
+        expect_response(response, Net::HTTPUnauthorized, "authentication failed")
+      end
+
+      it "rejects request with missing signature header" do
+        payload = { event: "user.login", user: { id: "12345" } }
+        json_payload = payload.to_json
+        response = make_request(:post, "/webhooks/tailscale", json_payload, json_headers)
+        expect_response(response, Net::HTTPUnauthorized, "authentication failed")
+      end
+
+      it "rejects request with wrong signature algorithm" do
+        payload = { event: "user.login", user: { id: "12345" } }
+        json_payload = payload.to_json
+        timestamp = unix_timestamp
+        # Generate with sha1 instead of sha256
+        signing_payload = "#{timestamp}.#{json_payload}"
+        wrong_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), FAKE_ALT_HMAC_SECRET, signing_payload)
+        headers = json_headers("Tailscale-Webhook-Signature" => "t=#{timestamp},v1=#{wrong_signature}")
+        response = make_request(:post, "/webhooks/tailscale", json_payload, headers)
+        expect_response(response, Net::HTTPUnauthorized, "authentication failed")
+      end
+    end
   end
 end
diff --git a/spec/acceptance/config/endpoints/tailscale.yaml b/spec/acceptance/config/endpoints/tailscale.yaml
@@ -0,0 +1,14 @@
+path: /tailscale
+handler: Hello
+
+auth:
+  type: hmac
+  secret_env_key: ALT_WEBHOOK_SECRET
+  header: Tailscale-Webhook-Signature
+  algorithm: sha256
+  format: "signature_only"  # produces "abc123..." (no prefix)
+  header_format: "structured"  # enables parsing of "t=123,v1=abc" format, this is what tailscale uses
+  signature_key: "v1"  # key for signature in structured header
+  timestamp_key: "t"   # key for timestamp in structured header
+  payload_template: "{timestamp}.{body}"  # dot-separated format
+  timestamp_tolerance: 300  # 5 minutes
