Merge pull request #363 from MateSaary/OSD-27752

openshift-merge-bot[bot] · web-flow · commit eca56bf68b85 · 2025-03-07T09:44:46.000Z
OSD-27752: Add PD_SIGNATURE verification to interceptor
diff --git a/interceptor/pkg/interceptor/pdinterceptor.go b/interceptor/pkg/interceptor/pdinterceptor.go
@@ -11,6 +11,7 @@ import (
 	"os"
 	"time"
 
+	"github.com/PagerDuty/go-pagerduty/webhookv3"
 	investigations "github.com/openshift/configuration-anomaly-detection/pkg/investigations"
 	"github.com/openshift/configuration-anomaly-detection/pkg/pagerduty"
 	triggersv1 "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1"
@@ -39,6 +40,7 @@ func (pdi PagerDutyInterceptor) ServeHTTP(w http.ResponseWriter, r *http.Request
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		}
 	}
+
 	w.Header().Add("Content-Type", "application/json")
 	if _, err := w.Write(b); err != nil {
 		pdi.Logger.Errorf("failed to write response: %s", err)
@@ -86,7 +88,17 @@ func (pdi *PagerDutyInterceptor) executeInterceptor(r *http.Request) ([]byte, er
 	if _, err := io.Copy(&body, r.Body); err != nil {
 		return nil, internal(fmt.Errorf("failed to read body: %w", err))
 	}
+	r.Body = io.NopCloser(bytes.NewReader(body.Bytes()))
+
 	var ireq triggersv1.InterceptorRequest
+
+	token, _ := os.LookupEnv("PD_SIGNATURE")
+
+	err := webhookv3.VerifySignature(r, token)
+	if err != nil {
+		return nil, badRequest(fmt.Errorf("failed to verify signature: %w", err))
+	}
+
 	if err := json.Unmarshal(body.Bytes(), &ireq); err != nil {
 		return nil, badRequest(fmt.Errorf("failed to parse body as InterceptorRequest: %w", err))
 	}
diff --git a/interceptor/test/e2e.sh b/interceptor/test/e2e.sh
@@ -19,7 +19,11 @@ temp_log_file=$(mktemp)
 function test_interceptor {
     # Run the interceptor and print logs to temporary log file
     CAD_PD_TOKEN=$(echo $pd_test_token) CAD_SILENT_POLICY=$(echo $pd_test_silence_policy) ./../bin/interceptor > $temp_log_file  2>&1 &
-    
+    PD_SIGNATURE="test"
+    PAYLOAD="{\"body\":\"{\\\"__pd_metadata\\\":{\\\"incident\\\":{\\\"id\\\":\\\"$incident_id\\\"}}}\",\"header\":{\"Content-Type\":[\"application/json\"]},\"extensions\":{},\"interceptor_params\":{},\"context\":null}"
+    SIGN=$(echo -n "$PAYLOAD" | sha256hmac -K $PD_SIGNATURE | tr -d "[:space:]-")
+    echo "Sign: $SIGN"
+
     # Store the PID of the interceptor process
     INTERCEPTOR_PID=$!
 
@@ -32,8 +36,8 @@ function test_interceptor {
     # Send an interceptor request to localhost:8080
     # See https://pkg.go.dev/github.com/tektoncd/triggers/pkg/apis/triggers/v1alpha1#InterceptorRequest
     CURL_EXITCODE=0
-    CURL_OUTPUT=$(curl -s -X POST -H "Content-Type: application/json" \
-        -d "{\"body\":\"{\\\"__pd_metadata\\\":{\\\"incident\\\":{\\\"id\\\":\\\"$incident_id\\\"}}}\",\"header\":{\"Content-Type\":[\"application/json\"]},\"extensions\":{},\"interceptor_params\":{},\"context\":null}" \
+    CURL_OUTPUT=$(curl -s -X POST -H "X-PagerDuty-Signature:v1=${SIGN}" -H "Content-Type: application/json" \
+        -d "$PAYLOAD" \
         http://localhost:8080) || CURL_EXITCODE=$?
 
     # Check if the curl output matches the expected response
@@ -69,5 +73,9 @@ echo "Test 1: alert with existing handling returns a 'continue: true' response"
 test_interceptor "Q12WO44XJLR3H3" "$EXPECTED_RESPONSE_CONTINUE"
 
 # Test for an alert we don't handle (alert called unhandled)
-echo "Test 1: unhandled alerts returns a 'continue: false' response"
+echo "Test 2: unhandled alerts returns a 'continue: false' response"
 test_interceptor "Q3722KGCG12ZWD" "$EXPECTED_RESPONSE_STOP"
+
+echo "Test 3: expected failure due to invalid signature"
+PD_SIGNATURE="invalid-signature"
+test_interceptor "Q12WO44XJLR3H3" "$EXPECTED_RESPONSE_STOP"
