enhance: webhooks: add password authentication (#233)

Signed-off-by: Grant Linville <[email protected]>

pkg/api/handlers/webhooks.go

@@ -15,17 +15,28 @@ import (
 	"github.com/otto8-ai/otto8/pkg/api/server"
 	v1 "github.com/otto8-ai/otto8/pkg/storage/apis/otto.gptscript.ai/v1"
 	"github.com/otto8-ai/otto8/pkg/system"
+	"golang.org/x/crypto/bcrypt"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+const (
+	PasswordHTTPHeader = "X-Otto8-Webhook-Password"
+	PasswordQueryParam = "webhookPassword"
+)
+
 type WebhookHandler struct{}
 
 func NewWebhookHandler() *WebhookHandler {
 	return new(WebhookHandler)
 }
 
+type webhookRequest struct {
+	types.WebhookManifest `json:",inline"`
+	Password              string `json:"password"`
+}
+
 func (a *WebhookHandler) Update(req api.Context) error {
 	var (
 		id = req.PathValue("id")
@@ -36,16 +47,25 @@ func (a *WebhookHandler) Update(req api.Context) error {
 		return err
 	}
 
-	var manifest types.WebhookManifest
-	if err := req.Read(&manifest); err != nil {
+	var webhookReq webhookRequest
+	if err := req.Read(&webhookReq); err != nil {
 		return err
 	}
 
-	if err := validateManifest(req, manifest); err != nil {
+	if err := validateManifest(req, webhookReq.WebhookManifest); err != nil {
 		return err
 	}
 
-	wh.Spec.WebhookManifest = manifest
+	if webhookReq.Password != "" {
+		hash, err := bcrypt.GenerateFromPassword([]byte(webhookReq.Password), bcrypt.DefaultCost)
+		if err != nil {
+			return fmt.Errorf("failed to hash password: %w", err)
+		}
+		wh.Spec.PasswordHash = hash
+		webhookReq.Password = ""
+	}
+
+	wh.Spec.WebhookManifest = webhookReq.WebhookManifest
 	for i, h := range wh.Spec.Headers {
 		wh.Spec.Headers[i] = textproto.CanonicalMIMEHeaderKey(h)
 	}
@@ -71,12 +91,12 @@ func (a *WebhookHandler) Delete(req api.Context) error {
 }
 
 func (a *WebhookHandler) Create(req api.Context) error {
-	var manifest types.WebhookManifest
-	if err := req.Read(&manifest); err != nil {
+	var webhookReq webhookRequest
+	if err := req.Read(&webhookReq); err != nil {
 		return err
 	}
 
-	if err := validateManifest(req, manifest); err != nil {
+	if err := validateManifest(req, webhookReq.WebhookManifest); err != nil {
 		return err
 	}
 
@@ -86,10 +106,19 @@ func (a *WebhookHandler) Create(req api.Context) error {
 			Namespace:    req.Namespace(),
 		},
 		Spec: v1.WebhookSpec{
-			WebhookManifest: manifest,
+			WebhookManifest: webhookReq.WebhookManifest,
 		},
 	}
 
+	if webhookReq.Password != "" {
+		hash, err := bcrypt.GenerateFromPassword([]byte(webhookReq.Password), bcrypt.DefaultCost)
+		if err != nil {
+			return fmt.Errorf("failed to hash password: %w", err)
+		}
+		webhookReq.Password = ""
+		wh.Spec.PasswordHash = hash
+	}
+
 	for i, h := range wh.Spec.Headers {
 		wh.Spec.Headers[i] = textproto.CanonicalMIMEHeaderKey(h)
 	}
@@ -167,6 +196,18 @@ func (a *WebhookHandler) Execute(req api.Context) error {
 		}
 	}
 
+	if webhook.Spec.PasswordHash != nil {
+		password := req.Request.Header.Get(PasswordHTTPHeader)
+		if password == "" {
+			password = req.Request.URL.Query().Get(PasswordQueryParam)
+		}
+
+		if err := bcrypt.CompareHashAndPassword(webhook.Spec.PasswordHash, []byte(password)); err != nil {
+			req.WriteHeader(http.StatusForbidden)
+			return nil
+		}
+	}
+
 	var input strings.Builder
 	_, _ = input.WriteString("You are being called from a webhook.\n\n")
 	if len(body) > 0 {

pkg/storage/apis/otto.gptscript.ai/v1/webhook.go

@@ -43,6 +43,7 @@ func (w *Webhook) GetConditions() *[]metav1.Condition {
 
 type WebhookSpec struct {
 	types.WebhookManifest `json:",inline"`
+	PasswordHash          []byte `json:"passwordHash,omitempty"`
 }
 
 type WebhookStatus struct {