secrets plumbing

Author: hawkw

nexus/db-model/src/schema.rs

@@ -2126,8 +2126,8 @@ table! {
 table! {
     webhook_rx_secret (rx_id, signature_id) {
         rx_id -> Uuid,
-        signature_id -> Text,
-        secret -> Binary,
+        signature_id -> Uuid,
+        secret -> Text,
         time_created -> Timestamptz,
         time_deleted -> Nullable<Timestamptz>,
     }

nexus/db-model/src/webhook_rx.rs

@@ -12,13 +12,60 @@ use crate::Generation;
 use crate::WebhookDelivery;
 use chrono::{DateTime, Utc};
 use db_macros::Resource;
+use nexus_types::external_api::views;
 use omicron_common::api::external::Error;
-use omicron_uuid_kinds::{WebhookReceiverKind, WebhookReceiverUuid};
+use omicron_uuid_kinds::{
+    WebhookReceiverKind, WebhookReceiverUuid, WebhookSecretKind,
+    WebhookSecretUuid,
+};
 use serde::{Deserialize, Serialize};
 use std::str::FromStr;
 use uuid::Uuid;
 
-/// A webhook receiver configuration.
+/// The full configuration of a webhook receiver, including the
+/// [`WebhookReceiver`] itself and its subscriptions and secrets.
+pub struct WebhookReceiverConfig {
+    pub rx: WebhookReceiver,
+    pub secrets: Vec<WebhookRxSecret>,
+    pub events: Vec<WebhookSubscriptionKind>,
+}
+
+impl TryFrom<WebhookReceiverConfig> for views::Webhook {
+    type Error = Error;
+    fn try_from(
+        WebhookReceiverConfig { rx, secrets, events }: WebhookReceiverConfig,
+    ) -> Result<views::Webhook, Self::Error> {
+        let secrets = secrets
+            .iter()
+            .map(|WebhookRxSecret { signature_id, .. }| {
+                views::WebhookSecretId { id: signature_id.to_string() }
+            })
+            .collect();
+        let events = events
+            .into_iter()
+            .map(WebhookSubscriptionKind::into_event_class_string)
+            .collect();
+        let WebhookReceiver { identity, endpoint, probes_enabled, rcgen: _ } =
+            rx;
+        let WebhookReceiverIdentity { id, name, description, .. } = identity;
+        let endpoint = endpoint.parse().map_err(|e| Error::InternalError {
+            // This is an internal error, as we should not have ever allowed
+            // an invalid URL to be inserted into the database...
+            internal_message: format!("invalid webhook URL {endpoint:?}: {e}",),
+        })?;
+        Ok(views::Webhook {
+            id: id.into(),
+            name: name.to_string(),
+            description,
+            endpoint,
+            secrets,
+            events,
+            disable_probes: !probes_enabled,
+        })
+    }
+}
+
+/// A row in the `webhook_rx` table.
 #[derive(
     Clone,
     Debug,
@@ -78,12 +125,24 @@ impl DatastoreCollectionConfig<WebhookDelivery> for WebhookReceiver {
 #[diesel(table_name = webhook_rx_secret)]
 pub struct WebhookRxSecret {
     pub rx_id: DbTypedUuid<WebhookReceiverKind>,
-    pub signature_id: String,
-    pub secret: Vec<u8>,
+    pub signature_id: DbTypedUuid<WebhookSecretKind>,
+    pub secret: String,
     pub time_created: DateTime<Utc>,
     pub time_deleted: Option<DateTime<Utc>>,
 }
 
+impl WebhookRxSecret {
+    pub fn new(rx_id: WebhookReceiverUuid, secret: String) -> Self {
+        Self {
+            rx_id: rx_id.into(),
+            signature_id: WebhookSecretUuid::new_v4().into(),
+            secret,
+            time_created: Utc::now(),
+            time_deleted: None,
+        }
+    }
+}
+
 #[derive(
     Clone, Debug, Queryable, Selectable, Insertable, Serialize, Deserialize,
 )]
@@ -132,6 +191,13 @@ impl WebhookSubscriptionKind {
             Ok(Self::Exact(value))
         }
     }
+
+    fn into_event_class_string(self) -> String {
+        match self {
+            Self::Exact(class) => class,
+            Self::Glob(WebhookGlob { glob, .. }) => glob,
+        }
+    }
 }
 
 #[derive(

nexus/db-queries/src/db/datastore/webhook_rx.rs

@@ -14,6 +14,7 @@ use crate::db::error::public_error_from_diesel;
 use crate::db::error::ErrorHandler;
 use crate::db::model::Generation;
 use crate::db::model::WebhookReceiver;
+use crate::db::model::WebhookReceiverConfig;
 use crate::db::model::WebhookReceiverIdentity;
 use crate::db::model::WebhookRxEventGlob;
 use crate::db::model::WebhookRxSecret;
@@ -41,7 +42,7 @@ impl DataStore {
         opctx: &OpContext,
         params: params::WebhookCreate,
         event_classes: &[&str],
-    ) -> CreateResult<WebhookReceiver> {
+    ) -> CreateResult<WebhookReceiverConfig> {
         // TODO(eliza): someday we gotta allow creating webhooks with more
         // restrictive permissions...
         opctx.authorize(authz::Action::CreateChild, &authz::FLEET).await?;
@@ -59,7 +60,6 @@ impl DataStore {
             .into_iter()
             .map(WebhookSubscriptionKind::new)
             .collect::<Result<Vec<_>, _>>()?;
-
         let err = OptionalError::new();
         let rx = self
             .transaction_retry_wrapper("webhook_rx_create")
@@ -79,6 +79,7 @@ impl DataStore {
                     rcgen: Generation::new(),
                 };
                 let subscriptions = subscriptions.clone();
+                let secret_keys = secrets.clone();
                 let err = err.clone();
                 async move {
                     let rx = diesel::insert_into(rx_dsl::webhook_rx)
@@ -100,8 +101,21 @@ impl DataStore {
                             TransactionError::Database(e) => e,
                         })?;
                     }
-                    // TODO(eliza): secrets?
-                    Ok(rx)
+                    let mut secrets = Vec::with_capacity(secret_keys.len());
+                    for secret in secret_keys {
+                        let secret = self
+                            .add_secret_on_conn(
+                                WebhookRxSecret::new(id, secret),
+                                &conn,
+                            )
+                            .await
+                            .map_err(|e| match e {
+                                TransactionError::CustomError(e) => err.bail(e),
+                                TransactionError::Database(e) => e,
+                            })?;
+                        secrets.push(secret);
+                    }
+                    Ok(WebhookReceiverConfig { rx, subscriptions, secrets })
                 }
             })
             .await

nexus/types/src/external_api/views.rs

@@ -1047,11 +1047,9 @@ pub struct Webhook {
     pub id: WebhookReceiverUuid,
     /// The identifier assigned to this webhook receiver upon creation.
     pub name: String,
+    pub description: String,
     /// The URL that webhook notification requests are sent to.
     pub endpoint: Url,
-    /// The UUID of the user associated with this webhook receiver for
-    /// role-based ccess control.
-    pub actor_id: Uuid,
     // A list containing the IDs of the secret keys used to sign payloads sent
     // to this receiver.
     pub secrets: Vec<WebhookSecretId>,

schema/crdb/dbinit.sql

@@ -4713,9 +4713,9 @@ CREATE TABLE IF NOT EXISTS omicron.public.webhook_rx_secret (
     -- `omicron.public.webhook_rx`)
     rx_id UUID NOT NULL,
     -- ID of this secret.
-    signature_id STRING(63) NOT NULL,
+    signature_id UUID NOT NULL,
     -- Secret value.
-    secret BYTES NOT NULL,
+    secret STRING(512) NOT NULL,
     time_created TIMESTAMPTZ NOT NULL,
     time_deleted TIMESTAMPTZ,
 

uuid-kinds/src/lib.rs

@@ -75,5 +75,6 @@ impl_typed_uuid_kind! {
     WebhookEvent => "webhook_event",
     WebhookReceiver => "webhook_receiver",
     WebhookDelivery => "webhook_delivery",
+    WebhookSecret => "webhook_secret",
     Zpool => "zpool",
 }