add okta acceptance test case using shared secrets

GrantBirki · GrantBirki · commit eb634bb93dfa · 2025-06-10T13:31:52.000-07:00
diff --git a/lib/hooks/plugins/request_validator/base.rb b/lib/hooks/plugins/request_validator/base.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "rack/utils"
+
 module Hooks
   module Plugins
     module RequestValidator
diff --git a/lib/hooks/plugins/request_validator/hmac.rb b/lib/hooks/plugins/request_validator/hmac.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "openssl"
-require "rack/utils"
 require "time"
 require_relative "base"
 
diff --git a/lib/hooks/plugins/request_validator/shared_secret.rb b/lib/hooks/plugins/request_validator/shared_secret.rb
@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "rack/utils"
 require_relative "base"
 
 module Hooks
@@ -16,11 +15,13 @@ module RequestValidator
       # @example Basic configuration
       #   request_validator:
       #     type: shared_secret
+      #     secret_env_key: WEBHOOK_SECRET
       #     header: Authorization
       #
       # @example Custom header configuration
       #   request_validator:
       #     type: shared_secret
+      #     secret_env_key: SOME_OTHER_WEBHOOK_SECRET
       #     header: X-API-Key
       #
       # @note This validator performs direct string comparison of the shared secret.
@@ -78,7 +79,6 @@ def self.valid?(payload:, headers:, secret:, config:)
 
           return false if raw_secret.nil? || raw_secret.empty?
 
-          # Cache the stripped value of raw_secret
           stripped_secret = raw_secret.strip
 
           # Security: Reject secrets with leading/trailing whitespace
diff --git a/spec/acceptance/acceptance_tests.rb b/spec/acceptance/acceptance_tests.rb
@@ -2,6 +2,7 @@
 
 FAKE_HMAC_SECRET = "octoawesome-secret"
 FAKE_ALT_HMAC_SECRET = "octoawesome-2-secret"
+FAKE_SHARED_SECRET = "octoawesome-shared-secret"
 
 require "rspec"
 require "net/http"
@@ -126,5 +127,26 @@
         expect(response.body).to include("request validation failed")
       end
     end
+
+    describe "okta" do
+      it "receives a POST request but contains an invalid shared secret" do
+        payload = { event: "user.login", user: { id: "12345" } }
+        headers = { "Content-Type" => "application/json", "Authorization" => "badvalue" }
+        response = http.post("/webhooks/okta", payload.to_json, headers)
+
+        expect(response).to be_a(Net::HTTPUnauthorized)
+        expect(response.body).to include("request validation failed")
+      end
+
+      it "successfully processes a valid POST request with shared secret" do
+        payload = { event: "user.login", user: { id: "12345" } }
+        headers = { "Content-Type" => "application/json", "Authorization" => FAKE_SHARED_SECRET }
+        response = http.post("/webhooks/okta", payload.to_json, headers)
+
+        expect(response).to be_a(Net::HTTPSuccess)
+        body = JSON.parse(response.body)
+        expect(body["status"]).to eq("success")
+      end
+    end
   end
 end
diff --git a/spec/acceptance/config/endpoints/okta.yaml b/spec/acceptance/config/endpoints/okta.yaml
@@ -0,0 +1,7 @@
+path: /okta
+handler: OktaHandler
+
+request_validator:
+  type: shared_secret
+  secret_env_key: SHARED_SECRET # the name of the environment variable containing the shared secret
+  header: Authorization
diff --git a/spec/acceptance/docker-compose.yml b/spec/acceptance/docker-compose.yml
@@ -10,6 +10,7 @@ services:
       LOG_LEVEL: DEBUG
       GITHUB_WEBHOOK_SECRET: "octoawesome-secret"
       ALT_WEBHOOK_SECRET: "octoawesome-too-secret"
+      SHARED_SECRET: "octoawesome-shared-secret"
     command: ["script/server"]
     healthcheck:
       test: ["CMD", "curl", "-f", "http://0.0.0.0:8080/health"]
diff --git a/spec/acceptance/handlers/okta_handler.rb b/spec/acceptance/handlers/okta_handler.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class OktaHandler < Hooks::Handlers::Base
+  def call(payload:, headers:, config:)
+    return {
+      status: "success"
+    }
+  end
+end
