Skip signature check for webhook optionally (#51)

Author: aliabbasrizvi

config.yaml

@@ -112,16 +112,18 @@ func (h *OptlyWebhookHandler) HandleWebhook(w http.ResponseWriter, r *http.Reque
 		return
 	}
 
-	// Check signature
-	requestSignature := r.Header.Get(signatureHeader)
-	isValid := h.validateSignature(requestSignature, body, webhookMsg.ProjectID)
-	if !isValid {
-		log.Error().Msg("Computed signature does not match signature in request. Ignoring message.")
-		render.Status(r, http.StatusBadRequest)
-		render.JSON(w, r, render.M{
-			"error": "Computed signature does not match signature in request. Ignoring message.",
-		})
-		return
+	// Check signature if check is not skipped
+	if !webhookConfig.SkipSignatureCheck {
+		requestSignature := r.Header.Get(signatureHeader)
+		isValid := h.validateSignature(requestSignature, body, webhookMsg.ProjectID)
+		if !isValid {
+			log.Error().Msg("Computed signature does not match signature in request. Ignoring message.")
+			render.Status(r, http.StatusBadRequest)
+			render.JSON(w, r, render.M{
+				"error": "Computed signature does not match signature in request. Ignoring message.",
+			})
+			return
+		}
 	}
 
 	// Iterate through all SDK keys and update config

pkg/webhook/handlers/optimizely.go

@@ -99,6 +99,42 @@ func TestHandleWebhookValidMessageInvalidSignature(t *testing.T) {
 	assert.Regexp(t, "Computed signature does not match signature in request. Ignoring message.", rec.Body.String())
 }
 
+func TestHandleWebhookSkippedCheckInvalidSignature(t *testing.T) {
+	testCache := optlytest.NewCache()
+	var testWebhookConfigs = []models.OptlyWebhookConfig {
+		{
+			ProjectID: 42,
+			SDKKeys: []string{"myDatafile"},
+			Secret:  "I am secret",
+			SkipSignatureCheck: true,
+		},
+	}
+	optlyHandler := NewWebhookHandler(testCache, testWebhookConfigs)
+	webhookMsg := models.OptlyMessage{
+		ProjectID: 42,
+		Timestamp: 42424242,
+		Event:     "project.datafile_updated",
+		Data:      models.DatafileUpdateData{
+			Revision:    101,
+			OriginURL:   "origin.optimizely.com/datafiles/myDatafile",
+			CDNUrl:      "cdn.optimizely.com/datafiles/myDatafile",
+			Environment: "Production",
+		},
+	}
+
+	validWebhookMessage, _ := json.Marshal(webhookMsg)
+
+	req := httptest.NewRequest("POST", "/webhooks/optimizely", bytes.NewBuffer(validWebhookMessage))
+	req.Header.Set(signatureHeader, "sha1=some_random_signature_in_header")
+
+	rec := httptest.NewRecorder()
+	handler := http.HandlerFunc(optlyHandler.HandleWebhook)
+	handler.ServeHTTP(rec, req)
+
+	// Message is processed as usual with invalid signature as check is skipped
+	assert.Equal(t, http.StatusNoContent, rec.Code)
+}
+
 func TestHandleWebhookValidMessage(t *testing.T) {
 	testCache := optlytest.NewCache()
 	var testWebhookConfigs = []models.OptlyWebhookConfig{

pkg/webhook/handlers/optimizely_test.go

@@ -35,7 +35,8 @@ type OptlyMessage struct {
 
 // OptlyWebhookConfig represents configuration of a single Optimizely webhook
 type OptlyWebhookConfig struct {
-	ProjectID int64    `yaml:"projectId"`
-	SDKKeys   []string `yaml:"sdkKeys"`
-	Secret    string   `yaml:"secret"`
+    ProjectID           int64                   `yaml:"projectId"`
+    SDKKeys             []string                `yaml:"sdkKeys"`
+    Secret              string                  `yaml:"secret"`
+    SkipSignatureCheck  bool                    `yaml:"skipSignatureCheck" default:"false"`
 }