gitlab-org--gitlab-foss/app/controllers/members/mailgun/permanent_failures_controller.rb

# frozen_string_literal: true

module Members
  module Mailgun
    class PermanentFailuresController < ApplicationController
      respond_to :json

      skip_before_action :authenticate_user!
      skip_before_action :verify_authenticity_token

      before_action :ensure_feature_enabled!
      before_action :authenticate_signature!
      before_action :validate_invite_email!

      feature_category :authentication_and_authorization

      def create
        webhook_processor.execute

        head :ok
      end

      private

      def ensure_feature_enabled!
        render_406 unless Gitlab::CurrentSettings.mailgun_events_enabled?
      end

      def authenticate_signature!
        access_denied! unless valid_signature?
      end

      def valid_signature?
        return false if Gitlab::CurrentSettings.mailgun_signing_key.blank?

        # per this guide: https://documentation.mailgun.com/en/latest/user_manual.html#webhooks
        digest = OpenSSL::Digest.new('SHA256')
        data = [params.dig(:signature, :timestamp), params.dig(:signature, :token)].join

        hmac_digest = OpenSSL::HMAC.hexdigest(digest, Gitlab::CurrentSettings.mailgun_signing_key, data)

        ActiveSupport::SecurityUtils.secure_compare(params.dig(:signature, :signature), hmac_digest)
      end

      def validate_invite_email!
        # permanent_failures webhook does not provide a way to filter failures, so we'll get them all on this endpoint
        # and we only care about our invite_emails
        render_406 unless payload[:tags]&.include?(::Members::Mailgun::INVITE_EMAIL_TAG)
      end

      def webhook_processor
        ::Members::Mailgun::ProcessWebhookService.new(payload)
      end

      def payload
        @payload ||= params.permit!['event-data']
      end

      def render_406
        # failure to stop retries per https://documentation.mailgun.com/en/latest/user_manual.html#webhooks
        head :not_acceptable
      end
    end
  end
end
Add latest changes from gitlab-org/gitlab@master 2021-09-02 23:11:19 -04:00			`# frozen_string_literal: true`

			`module Members`
			`module Mailgun`
			`class PermanentFailuresController < ApplicationController`
			`respond_to :json`

			`skip_before_action :authenticate_user!`
			`skip_before_action :verify_authenticity_token`

			`before_action :ensure_feature_enabled!`
			`before_action :authenticate_signature!`
			`before_action :validate_invite_email!`

			`feature_category :authentication_and_authorization`

			`def create`
			`webhook_processor.execute`

			`head :ok`
			`end`

			`private`

			`def ensure_feature_enabled!`
			`render_406 unless Gitlab::CurrentSettings.mailgun_events_enabled?`
			`end`

			`def authenticate_signature!`
			`access_denied! unless valid_signature?`
			`end`

			`def valid_signature?`
			`return false if Gitlab::CurrentSettings.mailgun_signing_key.blank?`

			`# per this guide: https://documentation.mailgun.com/en/latest/user_manual.html#webhooks`
			`digest = OpenSSL::Digest.new('SHA256')`
			`data = [params.dig(:signature, :timestamp), params.dig(:signature, :token)].join`

			`hmac_digest = OpenSSL::HMAC.hexdigest(digest, Gitlab::CurrentSettings.mailgun_signing_key, data)`

			`ActiveSupport::SecurityUtils.secure_compare(params.dig(:signature, :signature), hmac_digest)`
			`end`

			`def validate_invite_email!`
			`# permanent_failures webhook does not provide a way to filter failures, so we'll get them all on this endpoint`
			`# and we only care about our invite_emails`
			`render_406 unless payload[:tags]&.include?(::Members::Mailgun::INVITE_EMAIL_TAG)`
			`end`

			`def webhook_processor`
			`::Members::Mailgun::ProcessWebhookService.new(payload)`
			`end`

			`def payload`
			`@payload \|\|= params.permit!['event-data']`
			`end`

			`def render_406`
			`# failure to stop retries per https://documentation.mailgun.com/en/latest/user_manual.html#webhooks`
			`head :not_acceptable`
			`end`
			`end`
			`end`
			`end`