feat: s2s webhook expansion

Author: evansims

Cargo.toml

@@ -79,6 +79,7 @@ jsonwebtoken = { version = "10.1", default-features = false, features = [
   "ed25519-dalek",
   "use_pem",
 ] }
+pem = "3.0"
 secrecy = "0.10"
 sha2 = "0.10"
 uuid = { version = "1.0", features = ["serde", "v4"] }
@@ -109,6 +110,9 @@ time = { version = "0.3", features = ["macros", "formatting"] }
 # Regular expressions
 regex = "1.11"
 
+# URL parsing
+url = "2.5"
+
 # Validation
 validator = { version = "0.20", features = ["derive"] }
 

config.integration.yaml

@@ -49,3 +49,13 @@ id_generation:
 server_api:
   grpc_endpoint: "http://server:8080" # Docker service name
   tls_enabled: false
+
+management_identity:
+  management_id: "management-integration-test"
+  kid: "mgmt-test-2024"
+
+cache_invalidation:
+  http_endpoints:
+    - "http://server:8080"
+  timeout_ms: 5000
+  retry_attempts: 0

crates/infera-management-api/Cargo.toml

@@ -21,6 +21,7 @@ axum = { workspace = true }
 axum-extra = { workspace = true }
 base64 = { workspace = true }
 chrono = { workspace = true }
+ed25519-dalek = { workspace = true }
 jsonwebtoken = { workspace = true }
 metrics-exporter-prometheus = { workspace = true }
 once_cell = "1.20"
@@ -35,5 +36,6 @@ tokio = { workspace = true }
 tower = { workspace = true }
 tower-http = { workspace = true }
 tracing = { workspace = true }
+uuid = { version = "1.11", features = ["v4", "serde"] }
 
 [dev-dependencies]

crates/infera-management-api/src/handlers/auth.rs

@@ -36,6 +36,8 @@ pub struct AppState {
     pub start_time: std::time::SystemTime,
     pub leader: Option<Arc<infera_management_core::LeaderElection<Backend>>>,
     pub email_service: Option<Arc<infera_management_core::EmailService>>,
+    pub webhook_client: Option<Arc<infera_management_core::WebhookClient>>,
+    pub management_identity: Option<Arc<infera_management_types::ManagementIdentity>>,
 }
 
 impl AppState {
@@ -46,6 +48,8 @@ impl AppState {
         worker_id: u16,
         leader: Option<Arc<infera_management_core::LeaderElection<Backend>>>,
         email_service: Option<Arc<infera_management_core::EmailService>>,
+        webhook_client: Option<Arc<infera_management_core::WebhookClient>>,
+        management_identity: Option<Arc<infera_management_types::ManagementIdentity>>,
     ) -> Self {
         Self {
             storage,
@@ -55,6 +59,8 @@ impl AppState {
             start_time: std::time::SystemTime::now(),
             leader,
             email_service,
+            webhook_client,
+            management_identity,
         }
     }
 
@@ -128,6 +134,8 @@ server_api:
             start_time: std::time::SystemTime::now(),
             leader: None,
             email_service: Some(Arc::new(email_service)),
+            webhook_client: None, // No webhook client in tests
+            management_identity: None, // No management identity in tests
         }
     }
 }

crates/infera-management-api/src/handlers/jwks.rs

@@ -163,6 +163,49 @@ pub async fn get_org_jwks(
     Ok(Json(JwksResponse { keys }))
 }
 
+/// Get Management API's public JWKS (for server-to-server authentication)
+///
+/// GET /.well-known/management-jwks.json
+/// Public endpoint - no authentication required
+///
+/// This endpoint returns the Management API's own public key, which servers use
+/// to validate JWTs signed by the Management API when receiving webhook callbacks.
+pub async fn get_management_jwks(
+    State(state): State<AppState>,
+) -> Result<Json<JwksResponse>, (StatusCode, String)> {
+    // Get the management identity from AppState
+    let identity = state
+        .management_identity
+        .as_ref()
+        .ok_or_else(|| {
+            (
+                StatusCode::SERVICE_UNAVAILABLE,
+                "Management identity not configured".to_string(),
+            )
+        })?;
+
+    let jwks = identity.to_jwks();
+
+    // Convert from infera_management_types::identity::Jwks to our JwksResponse
+    // The types are structurally identical, so we can convert the fields
+    let keys = jwks
+        .keys
+        .into_iter()
+        .map(|k| Jwk {
+            kty: k.kty,
+            crv: k.crv,
+            kid: k.kid,
+            x: k.x,
+            key_use: k.key_use,
+            alg: k.alg,
+        })
+        .collect();
+
+    let response = JwksResponse { keys };
+
+    Ok(Json(response))
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

crates/infera-management-api/src/handlers/organizations.rs

@@ -374,6 +374,11 @@ pub async fn delete_organization(
     // Finally, soft delete the organization
     repos.org.delete(org_ctx.organization_id).await?;
 
+    // Invalidate caches on all servers
+    if let Some(ref webhook_client) = state.webhook_client {
+        webhook_client.invalidate_organization(org_ctx.organization_id).await;
+    }
+
     Ok(Json(DeleteOrganizationResponse {
         message: "Organization deleted successfully".to_string(),
     }))

crates/infera-management-api/src/handlers/vaults.rs

@@ -289,6 +289,11 @@ pub async fn update_vault(
     // Save changes
     repos.vault.update(vault.clone()).await?;
 
+    // Invalidate caches on all servers (vault metadata changed)
+    if let Some(ref webhook_client) = state.webhook_client {
+        webhook_client.invalidate_vault(vault_id).await;
+    }
+
     Ok(Json(UpdateVaultResponse {
         vault: VaultDetail {
             id: vault.id,
@@ -363,6 +368,11 @@ pub async fn delete_vault(
     vault.mark_deleted();
     repos.vault.update(vault).await?;
 
+    // Invalidate caches on all servers
+    if let Some(ref webhook_client) = state.webhook_client {
+        webhook_client.invalidate_vault(vault_id).await;
+    }
+
     Ok(StatusCode::NO_CONTENT)
 }
 

crates/infera-management-api/src/lib.rs

@@ -13,6 +13,7 @@ pub mod pagination;
 pub mod routes;
 
 pub use handlers::AppState;
+pub use infera_management_types::identity::{ManagementIdentity, SharedManagementIdentity};
 pub use infera_management_types::dto::ErrorResponse;
 pub use middleware::{
     extract_session_context, get_user_vault_role, require_admin, require_admin_or_owner,
@@ -62,6 +63,8 @@ pub async fn serve(
     worker_id: u16,
     leader: Option<Arc<infera_management_core::LeaderElection<Backend>>>,
     email_service: Option<Arc<infera_management_core::EmailService>>,
+    webhook_client: Option<Arc<infera_management_core::WebhookClient>>,
+    management_identity: Option<Arc<ManagementIdentity>>,
 ) -> anyhow::Result<()> {
     // Create AppState with services
     let state = AppState::new(
@@ -71,6 +74,8 @@ pub async fn serve(
         worker_id,
         leader,
         email_service,
+        webhook_client,
+        management_identity,
     );
 
     let app = create_router_with_state(state);

crates/infera-management-api/src/routes.rs

@@ -299,6 +299,10 @@ pub fn create_router_with_state(state: AppState) -> axum::Router {
         .route("/v1/auth/cli/token", post(cli_auth::cli_token_exchange))
         // JWKS endpoints (public, no authentication required)
         .route("/.well-known/jwks.json", get(jwks::get_global_jwks))
+        .route(
+            "/.well-known/management-jwks.json",
+            get(jwks::get_management_jwks),
+        )
         .route("/v1/organizations/{org}/jwks.json", get(jwks::get_org_jwks))
         .route(
             "/v1/organizations/{org}/.well-known/jwks.json",

crates/infera-management-core/Cargo.toml

@@ -49,6 +49,10 @@ webauthn-rs = { workspace = true }
 regex = { workspace = true }
 validator = { workspace = true }
 
+# HTTP client (for webhook notifications)
+reqwest = { workspace = true }
+url = { workspace = true }
+
 # Metrics
 metrics = { workspace = true }