189 lines
5.9 KiB
Python
189 lines
5.9 KiB
Python
"""HMAC-signed HTTP POST delivery for webhook events.
|
|
|
|
The delivery function is shared between the worker's normal dispatch
|
|
loop and the `/webhooks/{uuid}/test` admin route — same payload shape,
|
|
same signing, same headers. Retry policy is configurable by the caller
|
|
so manual tests can skip retries entirely while the worker retries
|
|
with backoff.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import asyncio
|
|
import hashlib
|
|
import hmac
|
|
import random
|
|
from dataclasses import dataclass
|
|
from datetime import datetime, timezone
|
|
from typing import Any, Optional
|
|
from uuid import uuid4
|
|
|
|
import httpx
|
|
import orjson
|
|
|
|
from decnet.logging import get_logger
|
|
|
|
log = get_logger("webhook.client")
|
|
|
|
|
|
_DEFAULT_TIMEOUT_S = 10.0
|
|
_DEFAULT_RETRY_SCHEDULE = (1.0, 2.0, 4.0)
|
|
_JITTER_LOW = 0.8
|
|
_JITTER_HIGH = 1.2
|
|
_PAYLOAD_VERSION = 1
|
|
|
|
|
|
@dataclass(frozen=True)
|
|
class SyntheticEvent:
|
|
"""Structural match for decnet.bus.base.Event — avoids importing the
|
|
bus dependency into the HTTP egress layer."""
|
|
|
|
topic: str
|
|
type: str
|
|
ts: str
|
|
id: str
|
|
payload: dict[str, Any]
|
|
|
|
|
|
@dataclass
|
|
class DeliveryResult:
|
|
ok: bool
|
|
status_code: Optional[int] = None
|
|
error: Optional[str] = None
|
|
attempts: int = 0
|
|
|
|
|
|
def _canonical_ts(value: Any) -> str:
|
|
"""Normalize bus-event ts (epoch float / ISO str / None) to ISO-8601 UTC."""
|
|
if isinstance(value, str) and value:
|
|
return value
|
|
if isinstance(value, (int, float)):
|
|
return datetime.fromtimestamp(float(value), tz=timezone.utc).isoformat()
|
|
return datetime.now(timezone.utc).isoformat()
|
|
|
|
|
|
def _event_id(event: Any) -> str:
|
|
explicit = getattr(event, "id", None)
|
|
if isinstance(explicit, str) and explicit:
|
|
return explicit
|
|
return str(uuid4())
|
|
|
|
|
|
def build_payload(event: Any) -> bytes:
|
|
"""Serialize an event to the canonical JSON body sent on the wire.
|
|
|
|
Stable key order (`orjson.OPT_SORT_KEYS`) matters because the HMAC
|
|
signs the exact byte sequence — receivers recomputing the hash must
|
|
see the same bytes we did.
|
|
"""
|
|
body = {
|
|
"v": _PAYLOAD_VERSION,
|
|
"id": _event_id(event),
|
|
"ts": _canonical_ts(getattr(event, "ts", None)),
|
|
"topic": getattr(event, "topic", ""),
|
|
"type": getattr(event, "type", "") or "",
|
|
"payload": getattr(event, "payload", None) or {},
|
|
}
|
|
return orjson.dumps(body, option=orjson.OPT_SORT_KEYS)
|
|
|
|
|
|
def sign(secret: str, body: bytes) -> str:
|
|
"""Return `sha256=<hex>` — the value of the `X-DECNET-Signature` header."""
|
|
digest = hmac.new(
|
|
secret.encode("utf-8"), body, hashlib.sha256
|
|
).hexdigest()
|
|
return f"sha256={digest}"
|
|
|
|
|
|
def _build_headers(secret: str, body: bytes, topic: str, event_id: str) -> dict[str, str]:
|
|
return {
|
|
"Content-Type": "application/json",
|
|
"User-Agent": "decnet-webhook/1.0",
|
|
"X-DECNET-Signature": sign(secret, body),
|
|
"X-DECNET-Event-Id": event_id,
|
|
"X-DECNET-Event-Topic": topic,
|
|
"X-DECNET-Timestamp": str(int(datetime.now(timezone.utc).timestamp())),
|
|
}
|
|
|
|
|
|
def _should_retry(status_code: int) -> bool:
|
|
"""Retry on network error, 5xx, and 429. 4xx (other) is terminal —
|
|
the receiver is telling us the request itself is wrong; retrying
|
|
won't help."""
|
|
if status_code == 429:
|
|
return True
|
|
return status_code >= 500
|
|
|
|
|
|
def _jittered(delay: float) -> float:
|
|
# Jitter is a load-smoothing knob, not a secret — non-crypto random is
|
|
# fine. Using secrets.SystemRandom here would burn entropy for no gain.
|
|
return delay * random.uniform(_JITTER_LOW, _JITTER_HIGH) # nosec B311
|
|
|
|
|
|
async def deliver(
|
|
sub: dict[str, Any],
|
|
event: Any,
|
|
*,
|
|
retry_schedule: Optional[list[float] | tuple[float, ...]] = None,
|
|
timeout_s: float = _DEFAULT_TIMEOUT_S,
|
|
client: Optional[httpx.AsyncClient] = None,
|
|
) -> DeliveryResult:
|
|
"""POST *event* to *sub['url']* with HMAC signing and bounded retries.
|
|
|
|
*sub* is a subscription row dict (from `repo.get_webhook_subscription`).
|
|
*retry_schedule* is the between-attempt delays in seconds; `None` uses
|
|
the default `(1, 2, 4)`, `[]` disables retries entirely (one attempt).
|
|
*client* allows tests to inject a mock `httpx.AsyncClient`.
|
|
"""
|
|
schedule = (
|
|
list(retry_schedule) if retry_schedule is not None
|
|
else list(_DEFAULT_RETRY_SCHEDULE)
|
|
)
|
|
max_attempts = 1 + len(schedule)
|
|
|
|
body = build_payload(event)
|
|
topic = getattr(event, "topic", "")
|
|
eid = _event_id(event)
|
|
headers = _build_headers(sub["secret"], body, topic, eid)
|
|
url = sub["url"]
|
|
|
|
owns_client = client is None
|
|
if owns_client:
|
|
client = httpx.AsyncClient(timeout=timeout_s)
|
|
|
|
last_status: Optional[int] = None
|
|
last_error: Optional[str] = None
|
|
try:
|
|
for attempt in range(1, max_attempts + 1):
|
|
try:
|
|
resp = await client.post(url, content=body, headers=headers)
|
|
last_status = resp.status_code
|
|
if 200 <= resp.status_code < 300:
|
|
return DeliveryResult(
|
|
ok=True, status_code=resp.status_code, attempts=attempt
|
|
)
|
|
if not _should_retry(resp.status_code):
|
|
return DeliveryResult(
|
|
ok=False,
|
|
status_code=resp.status_code,
|
|
error=f"non-retryable {resp.status_code}",
|
|
attempts=attempt,
|
|
)
|
|
last_error = f"http {resp.status_code}"
|
|
except (httpx.RequestError, asyncio.TimeoutError) as e:
|
|
last_error = f"{type(e).__name__}: {e}"
|
|
last_status = None
|
|
|
|
if attempt < max_attempts:
|
|
await asyncio.sleep(_jittered(schedule[attempt - 1]))
|
|
|
|
return DeliveryResult(
|
|
ok=False,
|
|
status_code=last_status,
|
|
error=last_error or "exhausted retries",
|
|
attempts=max_attempts,
|
|
)
|
|
finally:
|
|
if owns_client:
|
|
await client.aclose()
|