diff --git a/inngest/src/main/kotlin/com/inngest/Comm.kt b/inngest/src/main/kotlin/com/inngest/Comm.kt index 33d3ddd7..d31c4a36 100644 --- a/inngest/src/main/kotlin/com/inngest/Comm.kt +++ b/inngest/src/main/kotlin/com/inngest/Comm.kt @@ -4,8 +4,11 @@ import com.beust.klaxon.Json import com.beust.klaxon.Klaxon import com.fasterxml.jackson.databind.ObjectMapper import com.fasterxml.jackson.databind.SerializationFeature +import com.inngest.signingkey.checkHeadersAndValidateSignature import com.inngest.signingkey.getAuthorizationHeader +import com.inngest.signingkey.hashedSigningKey import java.io.IOException +import java.security.MessageDigest data class ExecutionRequestPayload( val ctx: ExecutionContext, @@ -166,8 +169,50 @@ class CommHandler( // TODO // fun sync(): Result = Result.success(InngestSyncResult.None) - fun introspect(origin: String): String { - val requestPayload = getRegistrationRequestPayload(origin) + fun introspect( + signature: String?, + requestBody: String, + serverKind: String?, + ): String { + val insecureIntrospection = + InsecureIntrospection( + functionCount = functions.size, + hasEventKey = Environment.isInngestEventKeySet(client.eventKey), + hasSigningKey = config.hasSigningKey(), + mode = if (client.env == InngestEnv.Dev) "dev" else "cloud", + ) + + val requestPayload = + when (client.env) { + InngestEnv.Dev -> insecureIntrospection + + else -> + runCatching { + checkHeadersAndValidateSignature(signature, requestBody, serverKind, config) + + SecureIntrospection( + functionCount = functions.size, + hasEventKey = Environment.isInngestEventKeySet(client.eventKey), + hasSigningKey = config.hasSigningKey(), + authenticationSucceeded = true, + mode = "cloud", + env = client.env.value, + appId = config.appId(), + apiOrigin = "${config.baseUrl()}/", + framework = framework.value, + sdkVersion = Version.getVersion(), + sdkLanguage = "java", + servePath = config.servePath(), + serveOrigin = config.serveOrigin(), + signingKeyHash = hashedSigningKey(config.signingKey()), + eventApiOrigin = "${Environment.inngestEventApiBaseUrl(client.env)}/", + eventKeyHash = if (config.hasSigningKey()) hashedEventKey(client.eventKey) else null, + ) + }.getOrElse { + insecureIntrospection.apply { authenticationSucceeded = false } + } + } + return serializePayload(requestPayload) } @@ -187,4 +232,14 @@ class CommHandler( val servePath = config.servePath() ?: "/api/inngest" return "$serveOrigin$servePath" } + + private fun hashedEventKey(eventKey: String): String? = + eventKey + .takeIf { Environment.isInngestEventKeySet(it) } + ?.let { + MessageDigest + .getInstance("SHA-256") + .digest(it.toByteArray()) + .joinToString("") { byte -> "%02x".format(byte) } + } } diff --git a/inngest/src/main/kotlin/com/inngest/signingkey/BearerToken.kt b/inngest/src/main/kotlin/com/inngest/signingkey/BearerToken.kt index b0d162e5..101b31c3 100644 --- a/inngest/src/main/kotlin/com/inngest/signingkey/BearerToken.kt +++ b/inngest/src/main/kotlin/com/inngest/signingkey/BearerToken.kt @@ -15,7 +15,7 @@ val SIGNING_KEY_REGEX = Regex("""(?^signkey-\w+-)(?.*)""") * @throws InvalidSigningKeyException If signingKey is not in the form "signkey--" */ @OptIn(ExperimentalStdlibApi::class) -private fun hashedSigningKey(signingKey: String): String { +internal fun hashedSigningKey(signingKey: String): String { val matchResult = SIGNING_KEY_REGEX.matchEntire(signingKey) ?: throw InvalidSigningKeyException() // We aggressively assert non-null here because if `matchEntire` had failed (and thus these capture groups didn't