TODO.md

File metadata and controls

124 lines (102 loc) · 4.28 KB

TODO

  • Fuller example with webserver and mux
  • How do we step through the constraints to show which rule failed?
  • Reloading config on signal
  • Make eq constant time

Configuration File Feature Parity with webhook v1

Hook Properties

Most assume a service.hook prefix:

  • id = .id as hook block label
  • execute-command = .task.cmd
  • command-working-directory = .task.workdir
  • response-message = .response.success.body
  • response-headers = .response.success.headers
  • success-http-response-code = .response.success.status_code
  • incoming-payload-content-type = .request.content_type
  • http-methods = n/a; solve with constraints
  • include-command-output-in-response = .response.success.body = "${result.CombinedOutput}"
  • include-command-output-in-response-on-error = .response.error.body = "${result.CombinedOutput}"
  • parse-parameters-as-json = .request.json_parameters
  • pass-arguments-to-command = .task.cmd
  • pass-environment-to-command = .task.cmd
  • pass-file-to-command =
  • trigger-rule = .constraints
  • trigger-rule-mismatch-http-response-code = .response.unsatisfied.status_code
  • trigger-signature-soft-failures = n/a; solve with constraints

CLI Parameters

Most assume a service prefix:

  • -cert = .tls_certificate
  • -cipher-suites = .tls_ciphers
  • -debug = .debug
  • -header = deprecate
  • -hotreload = n/a for config, but we need to support config reloading
  • -ip = .ip
  • -key = .tls_certificate_key
  • -logfile = .logfile
  • -nopanic = .nopanic
  • -pidfile = .pidfile
  • -port = .port
  • -secure = .secure
  • -setgid = .user
  • -setuid = .group
  • -template = deprecate; use "${env("foo")}"
  • -tls-min-version = .tls_protocols
  • -urlprefix = hook.id
  • -verbose = .verbose
  • -version = n/a
  • -x-request-id = .enable_xrequestid
  • -x-request-id-limit = .xrequestid_limit

Rules

  • And = all() or and(); constraints[] evals as and()
  • Or = or() or any()
  • Not = not()
  • Multi-level = yep
  • Match value = eq(), ne()
  • Match regex = match(), find()
  • Match payload-hmac-sha1 = eq(sha1(payload, "secret"), header("X-Signature"))
  • Match payload-hmac-sha256 = eq(sha256(payload, "secret"), header("X-Signature"))
  • Match payload-hmac-sha512 = eq(sha512(payload, "secret"), header("X-Signature"))
  • Match ip-whitelist = cidr("10/8", "10.0.0.1")
  • Match scalr-signature = and(le(since(header("Date")), duration("5m")), eq(sha256(payload, "secret"), header("X-Signature")))
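
The HMAC rules above and the "Make eq constant time" item on the TODO list, worked through in Go as an added example (this is not the project's code; sha256(payload, secret) is assumed to mean hex-encoded HMAC-SHA256 over the raw body, as in webhook v1, and the function names Sha256Sig, Eq, Since and ScalrConstraint are this example's own). The point it shows is that a plain string comparison returns as soon as one byte differs, so the eq() that compares a signature must be the constant-time kind, and that the scalr-style rule rejects stale or future-dated requests before it looks at the signature at all.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"time"
)

// Sha256Sig is the sha256(payload, secret) function as assumed here: an
// HMAC-SHA256 over the raw request body, hex encoded, which is the form a
// webhook v1 payload-hmac-sha256 signature takes.
func Sha256Sig(payload []byte, secret string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

// EqNaive is what a plain string comparison does: it stops at the first
// differing byte, so its running time depends on how much of a guessed
// signature matches the real one.
func EqNaive(a, b string) bool { return a == b }

// Eq is the constant-time eq() the TODO asks for. hmac.Equal takes time that
// depends only on the length and rejects differing lengths without revealing
// which byte differed.
func Eq(a, b string) bool { return hmac.Equal([]byte(a), []byte(b)) }

// Since is since(header("Date")): how long ago the request was stamped,
// measured against the clock value passed in so the check is testable.
func Since(dateHeader string, now time.Time) (time.Duration, error) {
	t, err := http.ParseTime(dateHeader) // accepts the RFC 1123 form used in Date headers
	if err != nil {
		return 0, err
	}
	return now.Sub(t), nil
}

// ScalrConstraint evaluates
//   and(le(since(header("Date")), duration("5m")),
//       eq(sha256(payload, "secret"), header("X-Signature")))
func ScalrConstraint(payload []byte, secret string, headers map[string]string, now time.Time) bool {
	age, err := Since(headers["Date"], now)
	if err != nil || age < 0 || age > 5*time.Minute {
		return false // missing, unparsable, future-dated or stale: outside the replay window
	}
	return Eq(Sha256Sig(payload, secret), headers["X-Signature"])
}

func main() {
	payload := []byte(`{"event":"deploy","ref":"refs/heads/main"}`) // constructed sample body
	secret := "example-shared-secret"                              // placeholder, not a real secret
	now := time.Now().UTC()
	headers := map[string]string{
		"Date":        now.Add(-30 * time.Second).Format(http.TimeFormat),
		"X-Signature": Sha256Sig(payload, secret),
	}
	fmt.Println("valid request:", ScalrConstraint(payload, secret, headers, now))
	tampered := []byte(`{"event":"deploy","ref":"refs/heads/other"}`)
	fmt.Println("tampered body:", ScalrConstraint(tampered, secret, headers, now))
}
```

The order of the two checks matters for the error-reporting item above as well: a request that fails the time window never reaches the signature comparison, so a "which rule failed" trace would name the le() branch, not eq().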

Sources

  • header = header("X-Foo")
  • url = url("foo")
  • payload = payload("foo.bar")
  • request = request.method, .remote_ip, .host, .proto
  • string = n/a
  • entire-payload = payloadBytes or string(payloadBytes)
  • entire-query = queryBytes or string(queryBytes)
  • entire-headers = headersBytes or string(headersBytes)

Enhancement Requests

  • #505 X-forwarded-for in whitelist = Use header() and cidr()

  • #406 string formatting of cmd arguments = Add format() with printf libc syntax

  • #336 concat params in cmd = Add concat()

  • #422 dynamic URL paths = Can use {variable} substitution in the hook ID

  • #358 pass temp file name to cmd = Should be trivial for config to support it

  • #349 response-message-failed = See hook.response sub-blocks

  • #267 time-based match rule = Use since() and duration()

  • #263 use cmd exit code as response code = Use result.exit_code

  • #152 PROXY protocol support = Add service.proxy_protocol on the config side

  • #148 allow limiting hook concurrency = Add service[.hook].max_concurrency on the config side

  • #190 pass stdin to cmd = Add hook.stdin = payload

  • #468 read value from file = Add readfile() function; security implications?

  • #512 MS Teams HMAC header = eq(concat("HMAC ", sha256(payload, "secret")), header("Authorization"))

  • #504 Reference to any array element with match = Have payload("foo.*.bar") return an array? May need a contains() for collections (stdlib). Can we have a cty func that handles both strings and collections?

  • #326 Support setting flags from config = Surely we can figure this out; see hashicorp projects
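
The ip-whitelist rule and #505 (X-Forwarded-For in the whitelist), as an added Go example that is not the project's code. It assumes the page's "10/8" shorthand expands to "10.0.0.0/8", and the names Cidr, ClientIP and WhitelistRule are this example's own. Combining header() and cidr() is only safe when the header value came from a proxy the service trusts: each proxy appends the address it saw, so the example walks the list from the right and stops at the first hop that is not one of the configured proxies, and ignores the header entirely when the TCP peer is not a trusted proxy.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// expandShorthand turns the "10/8" form used on the page into "10.0.0.0/8",
// which netip.ParsePrefix requires. IPv6 and complete prefixes pass through.
func expandShorthand(network string) string {
	addr, bits, ok := strings.Cut(network, "/")
	if !ok || strings.Contains(addr, ":") {
		return network
	}
	for strings.Count(addr, ".") < 3 {
		addr += ".0"
	}
	return addr + "/" + bits
}

// Cidr is the cidr(network, ip) rule as assumed here. A network without a
// "/" is treated as a single host.
func Cidr(network, ip string) bool {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return false
	}
	addr = addr.Unmap() // treat ::ffff:10.0.0.1 the same as 10.0.0.1
	if !strings.Contains(network, "/") {
		host, err := netip.ParseAddr(network)
		return err == nil && host.Unmap() == addr
	}
	prefix, err := netip.ParsePrefix(expandShorthand(network))
	if err != nil {
		return false
	}
	return prefix.Masked().Contains(addr)
}

// isTrusted reports whether ip belongs to one of our own reverse proxies.
func isTrusted(ip string, proxies []string) bool {
	for _, p := range proxies {
		if Cidr(p, ip) {
			return true
		}
	}
	return false
}

// ClientIP picks the address a whitelist rule should test. remoteAddr is the
// TCP peer ("host:port"); xff is the X-Forwarded-For header. Only entries
// appended by trusted proxies are believable, so walk right to left and stop
// at the first hop that is not ours.
func ClientIP(remoteAddr, xff string, proxies []string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	if !isTrusted(host, proxies) {
		return host // connected directly: the header is whatever the client wrote
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		hop := strings.TrimSpace(hops[i])
		if hop != "" && !isTrusted(hop, proxies) {
			return hop
		}
	}
	return host // header empty or listing only our own proxies
}

// WhitelistRule is the #505 rule: cidr(network, client ip) with the client
// address taken from header("X-Forwarded-For") only behind trusted proxies.
func WhitelistRule(network, remoteAddr, xff string, proxies []string) bool {
	return Cidr(network, ClientIP(remoteAddr, xff, proxies))
}

func main() {
	proxies := []string{"192.168.1.10/32"} // constructed: the address of our own reverse proxy
	fmt.Println(WhitelistRule("10/8", "192.168.1.10:40000", "203.0.113.7, 10.0.0.1", proxies))    // true
	fmt.Println(WhitelistRule("10/8", "192.168.1.10:40000", "10.0.0.1, 198.51.100.9", proxies))   // false
	fmt.Println(WhitelistRule("10/8", "198.51.100.9:40000", "10.0.0.1", proxies))                 // false
}
```

The list of trusted proxies would naturally live next to the other service-level settings in the config; without it, a rule such as cidr("10/8", header("X-Forwarded-For")) accepts any client that writes a 10.x address into the header itself.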
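
The payload("foo.bar") source from the Sources section and the #504 question (payload("foo.*.bar") returning an array, plus one contains() that works on both strings and collections), worked through in Go as an added example; it is not the project's code, and the names Payload, walk, fanOut and Contains are this example's own. Numeric segments index arrays, "*" fans out over every element (or, for objects, every value in key order) and the result becomes a list, so a rule can then ask whether that list contains a value.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
	"strconv"
	"strings"
)

// Payload is the payload(path) source as assumed here: decode the JSON body
// and walk a dotted path into it. A "*" segment yields a list of the matches
// below it, which is the behaviour #504 asks about.
func Payload(body []byte, path string) (any, error) {
	var doc any
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return walk(doc, strings.Split(path, "."))
}

func walk(node any, segs []string) (any, error) {
	if len(segs) == 0 {
		return node, nil
	}
	seg, rest := segs[0], segs[1:]
	switch n := node.(type) {
	case map[string]any:
		if seg == "*" {
			keys := make([]string, 0, len(n))
			for k := range n {
				keys = append(keys, k)
			}
			sort.Strings(keys) // deterministic order for object fan-out
			items := make([]any, 0, len(keys))
			for _, k := range keys {
				items = append(items, n[k])
			}
			return fanOut(items, rest)
		}
		child, ok := n[seg]
		if !ok {
			return nil, fmt.Errorf("key %q not found", seg)
		}
		return walk(child, rest)
	case []any:
		if seg == "*" {
			return fanOut(n, rest)
		}
		idx, err := strconv.Atoi(seg)
		if err != nil || idx < 0 || idx >= len(n) {
			return nil, fmt.Errorf("index %q out of range", seg)
		}
		return walk(n[idx], rest)
	default:
		return nil, fmt.Errorf("cannot descend into %T with %q", node, seg)
	}
}

// fanOut applies the remaining path to every item and collects the results.
func fanOut(items []any, rest []string) (any, error) {
	out := make([]any, 0, len(items))
	for _, item := range items {
		v, err := walk(item, rest)
		if err != nil {
			return nil, err
		}
		out = append(out, v)
	}
	return out, nil
}

// Contains is the single function for strings and collections the TODO
// wonders about: substring match on a string, element match on a list.
func Contains(haystack, needle any) bool {
	switch h := haystack.(type) {
	case string:
		s, ok := needle.(string)
		return ok && strings.Contains(h, s)
	case []any:
		for _, item := range h {
			if reflect.DeepEqual(item, needle) {
				return true
			}
		}
	}
	return false
}

func main() {
	// constructed sample body in the shape of a push event
	body := []byte(`{"ref":"refs/heads/main","commits":[{"author":{"name":"alice"}},{"author":{"name":"bob"}}]}`)
	names, _ := Payload(body, "commits.*.author.name")
	fmt.Println(names, Contains(names, "bob")) // [alice bob] true
	ref, _ := Payload(body, "ref")
	fmt.Println(Contains(ref, "heads/main")) // true
}
```

A missing key or an index past the end is reported as an error rather than as an empty value, so a rule such as eq(payload("commits.0.author.name"), "alice") fails closed when the field is absent instead of comparing against an empty string.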