From 6465be217840214ea1613692282bfd8d0c69cbac Mon Sep 17 00:00:00 2001 From: Riadh <22998716+KiKoS0@users.noreply.github.com> Date: Sat, 7 Sep 2024 02:24:34 +0200 Subject: [PATCH 1/9] Implement `isInngestEventKeySet` helper function --- .../src/main/kotlin/com/inngest/Environment.kt | 11 ++++++++++- .../test/kotlin/com/inngest/EnvironmentTest.kt | 15 +++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/inngest/src/main/kotlin/com/inngest/Environment.kt b/inngest/src/main/kotlin/com/inngest/Environment.kt index 542e7974..b92d343d 100644 --- a/inngest/src/main/kotlin/com/inngest/Environment.kt +++ b/inngest/src/main/kotlin/com/inngest/Environment.kt @@ -11,11 +11,20 @@ object Environment { ).filterValues { (it is String) }.entries.associate { (k, v) -> k to v!! } } + private const val DUMMY_KEY_EVENT = "NO_EVENT_KEY_SET" + fun inngestEventKey(key: String? = null): String { if (key != null) return key - return System.getenv(InngestSystem.EventKey.value) ?: "NO_EVENT_KEY_SET" + return System.getenv(InngestSystem.EventKey.value) ?: DUMMY_KEY_EVENT } + fun isInngestEventKeySet(value: String?): Boolean = + when { + value.isNullOrEmpty() -> false + value == DUMMY_KEY_EVENT -> false + else -> true + } + fun inngestEventApiBaseUrl( env: InngestEnv, url: String? = null, diff --git a/inngest/src/test/kotlin/com/inngest/EnvironmentTest.kt b/inngest/src/test/kotlin/com/inngest/EnvironmentTest.kt index 746bd66e..fc9ddfaa 100644 --- a/inngest/src/test/kotlin/com/inngest/EnvironmentTest.kt +++ b/inngest/src/test/kotlin/com/inngest/EnvironmentTest.kt @@ -16,6 +16,21 @@ internal class EnvironmentTest { assertEquals(key, Environment.inngestEventKey(key)) } + @Test + fun `test isInngestEventKeySet returns false when it's null`() { + assertFalse(Environment.isInngestEventKeySet(null)) + } + + @Test + fun `test isInngestEventKeySet returns false when it's set to the dummy event key`() { + assertFalse(Environment.isInngestEventKeySet("NO_EVENT_KEY_SET")) + } + + @Test + fun `test isInngestEventKeySet returns true when it's set to a valid event key`() { + assertTrue(Environment.isInngestEventKeySet("event")) + } + // @Test // fun `test inngestEventKey with INNGEST_EVENT_KEY value`() {} From 00a4adf2525684d00b32d6e81a77dd244ccdc110 Mon Sep 17 00:00:00 2001 From: Riadh <22998716+KiKoS0@users.noreply.github.com> Date: Sat, 7 Sep 2024 02:44:33 +0200 Subject: [PATCH 2/9] Implement `hasSigningKey` helper function I also added junit-pioneer as a test dependency to be able to set environment variables in certain tests. I followed this guide for now but we can look into mocking the environment ourselves later on: https://www.baeldung.com/java-unit-testing-environment-variables#setting-environment-variables-with-junit-pioneer --- inngest/build.gradle.kts | 1 + .../src/main/kotlin/com/inngest/ServeConfig.kt | 6 +++++- .../test/kotlin/com/inngest/ServeConfigTest.kt | 16 ++++++++++++++++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/inngest/build.gradle.kts b/inngest/build.gradle.kts index c627f72d..3b341992 100644 --- a/inngest/build.gradle.kts +++ b/inngest/build.gradle.kts @@ -34,6 +34,7 @@ dependencies { implementation("io.ktor:ktor-server-core:2.3.5") testImplementation(kotlin("test")) + testImplementation("org.junit-pioneer:junit-pioneer:1.9.1") } publishing { diff --git a/inngest/src/main/kotlin/com/inngest/ServeConfig.kt b/inngest/src/main/kotlin/com/inngest/ServeConfig.kt index a9a0352e..46841fbf 100644 --- a/inngest/src/main/kotlin/com/inngest/ServeConfig.kt +++ b/inngest/src/main/kotlin/com/inngest/ServeConfig.kt @@ -1,5 +1,7 @@ package com.inngest +const val DUMMY_SIGNING_KEY = "test" + class ServeConfig @JvmOverloads constructor( @@ -21,7 +23,7 @@ class ServeConfig if (signingKey != null) return signingKey return when (client.env) { - InngestEnv.Dev -> "test" + InngestEnv.Dev -> DUMMY_SIGNING_KEY else -> { val signingKey = System.getenv(InngestSystem.SigningKey.value) @@ -31,6 +33,8 @@ class ServeConfig } } + fun hasSigningKey() = signingKey() !in listOf(DUMMY_SIGNING_KEY, "") + fun baseUrl(): String { if (baseUrl != null) return baseUrl diff --git a/inngest/src/test/kotlin/com/inngest/ServeConfigTest.kt b/inngest/src/test/kotlin/com/inngest/ServeConfigTest.kt index f93c4783..b2776878 100644 --- a/inngest/src/test/kotlin/com/inngest/ServeConfigTest.kt +++ b/inngest/src/test/kotlin/com/inngest/ServeConfigTest.kt @@ -1,5 +1,6 @@ package com.inngest +import org.junitpioneer.jupiter.SetEnvironmentVariable import kotlin.test.* internal class ServeConfigTest { @@ -35,6 +36,21 @@ internal class ServeConfigTest { ) } + // hasSigningKey() + @Test + fun `should return false if not set - dev`() { + val config = ServeConfig(client = client) + assertFalse(config.hasSigningKey()) + } + + @Test + @SetEnvironmentVariable(key = "INNGEST_SIGNING_KEY", value = "signkey-prod-b2ed992186a5cb19f6668aade821f502c1d00970dfd0e35128d51bac4649916c") + fun `should return true if set - prod`() { + val prodClient = Inngest(appId = client.appId, env = "prod") + val config = ServeConfig(client = prodClient) + assertTrue(config.hasSigningKey()) + } + // @Test // fun `should return INNGEST_SIGNING_KEY value - prod`() {} From 60e0248ccd7107b902086a0650f729aba8430ded Mon Sep 17 00:00:00 2001 From: Riadh <22998716+KiKoS0@users.noreply.github.com> Date: Sat, 7 Sep 2024 02:47:48 +0200 Subject: [PATCH 3/9] Add the Introspection classes I also left a few TODOs for unsupported fields: - capabilities - signing key fallback The `extra` field was also left out, the spec says it's optional and I think only the JS SDK uses it: https://github.com/inngest/inngest/blob/main/docs/SDK_SPEC.md#45-introspection-requests --- .../main/kotlin/com/inngest/Introspection.kt | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 inngest/src/main/kotlin/com/inngest/Introspection.kt diff --git a/inngest/src/main/kotlin/com/inngest/Introspection.kt b/inngest/src/main/kotlin/com/inngest/Introspection.kt new file mode 100644 index 00000000..a6bc1fbe --- /dev/null +++ b/inngest/src/main/kotlin/com/inngest/Introspection.kt @@ -0,0 +1,44 @@ +package com.inngest + +import com.beust.klaxon.Json + +abstract class Introspection( + open val functionCount: Int, + open val hasEventKey: Boolean, + open val hasSigningKey: Boolean, + open val mode: String, + @Json("authentication_succeeded") open val authenticationSucceeded: Boolean?, + @Json("schema_version") val schemaVersion: String = "2024-05-24", +) + +internal data class InsecureIntrospection( + @Json("function_count") override val functionCount: Int, + @Json("has_event_key") override val hasEventKey: Boolean, + @Json("has_signing_key") override val hasSigningKey: Boolean, + override val mode: String, + @Json("authentication_succeeded") override var authenticationSucceeded: Boolean? = null, +) : Introspection(functionCount, hasEventKey, hasSigningKey, mode, authenticationSucceeded) + +internal data class SecureIntrospection( + @Json("authentication_succeeded") override val authenticationSucceeded: Boolean?, + @Json("function_count") override val functionCount: Int, + @Json("has_event_key") override val hasEventKey: Boolean, + @Json("has_signing_key") override val hasSigningKey: Boolean, + override val mode: String, + @Json("api_origin") val apiOrigin: String, + @Json("app_id") val appId: String, + // TODO: Add capabilities when adding the trust probe +// @Json("capabilities") val capabilities: Capabilities, + val env: String?, + @Json("event_api_origin") val eventApiOrigin: String, + @Json("event_key_hash") val eventKeyHash: String?, + val framework: String, + @Json("sdk_language") val sdkLanguage: String, + @Json("sdk_version") val sdkVersion: String, + @Json("serve_origin") val serveOrigin: String?, + @Json("serve_path") val servePath: String?, + // TODO: Remove the default value when implementing signing key fallback + @Json("signing_key_fallback_hash") val signingKeyFallbackHash: String? = null, + @Json("has_signing_key_fallback") val hasSigningKeyFallback: Boolean = false, + @Json("signing_key_hash") val signingKeyHash: String?, +) : Introspection(functionCount, hasEventKey, hasSigningKey, mode, authenticationSucceeded) From feec6559e45e19bf551ee0e977455d34d31b7f9c Mon Sep 17 00:00:00 2001 From: Riadh <22998716+KiKoS0@users.noreply.github.com> Date: Sat, 7 Sep 2024 02:50:43 +0200 Subject: [PATCH 4/9] Repurpose `introspect` to return the correct introspection payload --- inngest/src/main/kotlin/com/inngest/Comm.kt | 59 ++++++++++++++++++- .../com/inngest/signingkey/BearerToken.kt | 2 +- 2 files changed, 58 insertions(+), 3 deletions(-) diff --git a/inngest/src/main/kotlin/com/inngest/Comm.kt b/inngest/src/main/kotlin/com/inngest/Comm.kt index e27e3cc2..0324302a 100644 --- a/inngest/src/main/kotlin/com/inngest/Comm.kt +++ b/inngest/src/main/kotlin/com/inngest/Comm.kt @@ -4,8 +4,11 @@ import com.beust.klaxon.Json import com.beust.klaxon.Klaxon import com.fasterxml.jackson.databind.ObjectMapper import com.fasterxml.jackson.databind.SerializationFeature +import com.inngest.signingkey.checkHeadersAndValidateSignature import com.inngest.signingkey.getAuthorizationHeader +import com.inngest.signingkey.hashedSigningKey import java.io.IOException +import java.security.MessageDigest data class ExecutionRequestPayload( val ctx: ExecutionContext, @@ -177,8 +180,50 @@ class CommHandler( // TODO // fun sync(): Result = Result.success(InngestSyncResult.None) - fun introspect(origin: String): String { - val requestPayload = getRegistrationRequestPayload(origin) + fun introspect( + signature: String?, + requestBody: String, + serverKind: String?, + ): String { + val insecureIntrospection = + InsecureIntrospection( + functionCount = functions.size, + hasEventKey = Environment.isInngestEventKeySet(client.eventKey), + hasSigningKey = config.hasSigningKey(), + mode = if (client.env == InngestEnv.Dev) "dev" else "cloud", + ) + + val requestPayload = + when (client.env) { + InngestEnv.Dev -> insecureIntrospection + + else -> + runCatching { + checkHeadersAndValidateSignature(signature, requestBody, serverKind, config) + + SecureIntrospection( + functionCount = functions.size, + hasEventKey = Environment.isInngestEventKeySet(client.eventKey), + hasSigningKey = config.hasSigningKey(), + authenticationSucceeded = true, + mode = "cloud", + env = client.env.value, + appId = config.appId(), + apiOrigin = "${config.baseUrl()}/", + framework = framework.value, + sdkVersion = Version.getVersion(), + sdkLanguage = "java", + servePath = config.servePath(), + serveOrigin = config.serveOrigin(), + signingKeyHash = hashedSigningKey(config.signingKey()), + eventApiOrigin = "${Environment.inngestEventApiBaseUrl(client.env)}/", + eventKeyHash = if (config.hasSigningKey()) hashedEventKey(client.eventKey) else null, + ) + }.getOrElse { + insecureIntrospection.apply { authenticationSucceeded = false } + } + } + return serializePayload(requestPayload) } @@ -198,4 +243,14 @@ class CommHandler( val servePath = config.servePath() ?: "/api/inngest" return "$serveOrigin$servePath" } + + private fun hashedEventKey(eventKey: String): String? = + eventKey + .takeIf { Environment.isInngestEventKeySet(it) } + ?.let { + MessageDigest + .getInstance("SHA-256") + .digest(it.toByteArray()) + .joinToString("") { byte -> "%02x".format(byte) } + } } diff --git a/inngest/src/main/kotlin/com/inngest/signingkey/BearerToken.kt b/inngest/src/main/kotlin/com/inngest/signingkey/BearerToken.kt index b0d162e5..101b31c3 100644 --- a/inngest/src/main/kotlin/com/inngest/signingkey/BearerToken.kt +++ b/inngest/src/main/kotlin/com/inngest/signingkey/BearerToken.kt @@ -15,7 +15,7 @@ val SIGNING_KEY_REGEX = Regex("""(?^signkey-\w+-)(?.*)""") * @throws InvalidSigningKeyException If signingKey is not in the form "signkey--" */ @OptIn(ExperimentalStdlibApi::class) -private fun hashedSigningKey(signingKey: String): String { +internal fun hashedSigningKey(signingKey: String): String { val matchResult = SIGNING_KEY_REGEX.matchEntire(signingKey) ?: throw InvalidSigningKeyException() // We aggressively assert non-null here because if `matchEntire` had failed (and thus these capture groups didn't From 3d1dd294365117ca8dd72191ae2704f68cee1860 Mon Sep 17 00:00:00 2001 From: Riadh <22998716+KiKoS0@users.noreply.github.com> Date: Sat, 7 Sep 2024 02:52:10 +0200 Subject: [PATCH 5/9] Adapt both adapters according to the new `introspect` signature --- .../inngest/springboot/InngestController.java | 21 +++++++------------ ...ontrollerTest.java => IntrospectTest.java} | 15 ++++++------- .../src/main/kotlin/com/inngest/ktor/Route.kt | 14 ++++++------- 3 files changed, 22 insertions(+), 28 deletions(-) rename inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/{DemoControllerTest.java => IntrospectTest.java} (65%) diff --git a/inngest-spring-boot-adapter/src/main/java/com/inngest/springboot/InngestController.java b/inngest-spring-boot-adapter/src/main/java/com/inngest/springboot/InngestController.java index 46c2678f..b0831305 100644 --- a/inngest-spring-boot-adapter/src/main/java/com/inngest/springboot/InngestController.java +++ b/inngest-spring-boot-adapter/src/main/java/com/inngest/springboot/InngestController.java @@ -8,6 +8,7 @@ import org.springframework.beans.factory.annotation.Value; import org.springframework.http.HttpHeaders; import org.springframework.http.HttpStatus; +import org.springframework.http.MediaType; import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.*; @@ -27,22 +28,16 @@ private HttpHeaders getHeaders() { @Value("${inngest.serveOrigin:}") private String serveOrigin; - @GetMapping() + @GetMapping public ResponseEntity index( @RequestHeader(HttpHeaders.HOST) String hostHeader, - HttpServletRequest request + HttpServletRequest request, + @RequestHeader(name = "X-Inngest-Signature", required = false) String signature, + @RequestHeader(name = "X-Inngest-Server-Kind", required = false) String serverKind ) { - if (commHandler.getClient().getEnv() != InngestEnv.Dev) { - // TODO: Return an UnauthenticatedIntrospection instead when app diagnostics are implemented - return ResponseEntity.status(HttpStatus.FORBIDDEN) - .body("Introspect endpoint is only available in development mode"); - } - String origin = String.format("%s://%s", request.getScheme(), hostHeader); - if (this.serveOrigin != null && !this.serveOrigin.isEmpty()) { - origin = this.serveOrigin; - } - String response = commHandler.introspect(origin); - return ResponseEntity.ok().headers(getHeaders()).body(response); + String requestBody = ""; + String response = commHandler.introspect(signature, requestBody, serverKind); + return ResponseEntity.ok().headers(getHeaders()).contentType(MediaType.APPLICATION_JSON).body(response); } @PutMapping() diff --git a/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/DemoControllerTest.java b/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/IntrospectTest.java similarity index 65% rename from inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/DemoControllerTest.java rename to inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/IntrospectTest.java index b4816ec4..b7c340ed 100644 --- a/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/DemoControllerTest.java +++ b/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/IntrospectTest.java @@ -13,21 +13,22 @@ @Import(DemoTestConfiguration.class) @WebMvcTest(DemoController.class) -public class DemoControllerTest { +public class IntrospectTest { @Autowired private MockMvc mockMvc; @Test - public void shouldReturnSyncPayload() throws Exception { + public void shouldReturnInsecureIntrospectPayload() throws Exception { mockMvc.perform(get("/api/inngest").header("Host", "localhost:8080")) .andExpect(status().isOk()) .andExpect(content().contentType("application/json")) .andExpect(header().string(InngestHeaderKey.Framework.getValue(), "springboot")) - .andExpect(jsonPath("$.appName").value("spring_test_demo")) - .andExpect(jsonPath("$.framework").value("springboot")) - .andExpect(jsonPath("$.v").value("0.1")) - .andExpect(jsonPath("$.url").value("http://localhost:8080/api/inngest")) - .andExpect(jsonPath("$.sdk").value(String.format("java:v%s", Version.Companion.getVersion()))); + .andExpect(jsonPath("$.authentication_succeeded").isEmpty()) + .andExpect(jsonPath("$.function_count").isNumber()) + .andExpect(jsonPath("$.has_event_key").value(false)) + .andExpect(jsonPath("$.has_signing_key").value(false)) + .andExpect(jsonPath("$.mode").value("dev")) + .andExpect(jsonPath("$.schema_version").value("2024-05-24")); } } diff --git a/inngest/src/main/kotlin/com/inngest/ktor/Route.kt b/inngest/src/main/kotlin/com/inngest/ktor/Route.kt index e21b397a..297d04a7 100644 --- a/inngest/src/main/kotlin/com/inngest/ktor/Route.kt +++ b/inngest/src/main/kotlin/com/inngest/ktor/Route.kt @@ -43,15 +43,13 @@ fun Route.serve( route(path) { get("") { - if (client.env != InngestEnv.Dev) { - // TODO: Return an UnauthenticatedIntrospection instead when app diagnostics are implemented - call.respond(HttpStatusCode.Forbidden, "Introspect endpoint is only available in development mode") - return@get - } + val signature = call.request.headers[InngestHeaderKey.Signature.value] + val serverKind = call.request.headers[InngestHeaderKey.ServerKind.value] - val origin = getOrigin(call) - val resp = comm.introspect(origin) - call.respond(HttpStatusCode.OK, resp) + val requestBody = call.receiveText() + + val resp = comm.introspect(signature, requestBody, serverKind) + call.respondText(resp, ContentType.Application.Json, HttpStatusCode.OK) } post("") { From ee19cda85c7bda90b4b833a994e21db542793e3c Mon Sep 17 00:00:00 2001 From: Riadh <22998716+KiKoS0@users.noreply.github.com> Date: Sun, 8 Sep 2024 00:17:06 +0200 Subject: [PATCH 6/9] Add tests for cloud mode introspection It's a pain to mock the environment variables in the tests. I introduced a different `system-stubs-jupiter` library to help with that because `org.junitpioneer.jupiter` did not work as expected in a Spring Boot environment. Ideally I think we should have a mockable custom `Environment` interface that we use throughout the application, instead of reaching for `System.getenv()` directly. The method for mocking that worked is described in this guide: https://www.baeldung.com/java-system-stubs#environment-and-property-overrides-for-junit-5-spring-tests --- inngest-spring-boot-demo/build.gradle.kts | 9 ++ .../CloudModeIntrospectionTest.java | 139 ++++++++++++++++++ ...est.java => DevModeIntrospectionTest.java} | 4 +- 3 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/CloudModeIntrospectionTest.java rename inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/{IntrospectTest.java => DevModeIntrospectionTest.java} (88%) diff --git a/inngest-spring-boot-demo/build.gradle.kts b/inngest-spring-boot-demo/build.gradle.kts index ec94a5be..06c0dc62 100644 --- a/inngest-spring-boot-demo/build.gradle.kts +++ b/inngest-spring-boot-demo/build.gradle.kts @@ -26,6 +26,12 @@ dependencies { implementation("com.squareup.okhttp3:okhttp:4.12.0") testImplementation("org.springframework.boot:spring-boot-starter-test") + + if (JavaVersion.current().isJava11Compatible) { + testImplementation("uk.org.webcompere:system-stubs-jupiter:2.1.6") + } else { + testImplementation("uk.org.webcompere:system-stubs-jupiter:1.2.1") + } } dependencyManagement { @@ -39,6 +45,9 @@ dependencyManagement { tasks.withType { useJUnitPlatform() systemProperty("junit.jupiter.execution.parallel.enabled", true) + systemProperty("test-group", "unit-test") + + jvmArgs = listOf("-Dnet.bytebuddy.experimental=true") testLogging { events = setOf( diff --git a/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/CloudModeIntrospectionTest.java b/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/CloudModeIntrospectionTest.java new file mode 100644 index 00000000..9363a031 --- /dev/null +++ b/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/CloudModeIntrospectionTest.java @@ -0,0 +1,139 @@ +package com.inngest.springbootdemo; + +import com.inngest.*; +import com.inngest.signingkey.BearerTokenKt; +import com.inngest.signingkey.SignatureVerificationKt; +import com.inngest.springboot.InngestConfiguration; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.condition.EnabledIfSystemProperty; +import org.junit.jupiter.api.extension.ExtendWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Import; +import org.springframework.test.web.servlet.MockMvc; +import uk.org.webcompere.systemstubs.environment.EnvironmentVariables; +import uk.org.webcompere.systemstubs.jupiter.SystemStub; +import uk.org.webcompere.systemstubs.jupiter.SystemStubsExtension; + +import java.util.HashMap; + +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; + +class ProductionConfiguration extends InngestConfiguration { + + public static final String INNGEST_APP_ID = "spring_test_prod_demo"; + + @Override + protected HashMap functions() { + return new HashMap<>(); + } + + @Override + protected Inngest inngestClient() { + return new Inngest(INNGEST_APP_ID); + } + + @Override + protected ServeConfig serve(Inngest client) { + return new ServeConfig(client); + } + + @Bean + protected CommHandler commHandler(@Autowired Inngest inngestClient) { + ServeConfig serveConfig = new ServeConfig(inngestClient); + return new CommHandler(functions(), inngestClient, serveConfig, SupportedFrameworkName.SpringBoot); + } +} + +@ExtendWith(SystemStubsExtension.class) +public class CloudModeIntrospectionTest { + + private static final String productionSigningKey = "signkey-prod-2a89e554826a40672684e75eee6e34909b45aa4fd04fff5ff49bbe28c24ef424"; + private static final String productionEventKey = "test"; + @SystemStub + private static EnvironmentVariables environmentVariables; + + @BeforeAll + static void beforeAll() { + environmentVariables.set("INNGEST_DEV", "0"); + environmentVariables.set("INNGEST_SIGNING_KEY", productionSigningKey); + environmentVariables.set("INNGEST_EVENT_KEY", productionEventKey); + } + + // The nested class is useful for setting the environment variables before the configuration class (Beans) runs. + // https://www.baeldung.com/java-system-stubs#environment-and-property-overrides-for-junit-5-spring-tests + @Import(ProductionConfiguration.class) + @WebMvcTest(DemoController.class) + @Nested + @EnabledIfSystemProperty(named = "test-group", matches = "unit-test") + class InnerSpringTest { + @Autowired + private MockMvc mockMvc; + + @Test + public void shouldReturnInsecureIntrospectionWhenSignatureIsMissing() throws Exception { + mockMvc.perform(get("/api/inngest").header("Host", "localhost:8080")) + .andExpect(status().isOk()) + .andExpect(content().contentType("application/json")) + .andExpect(header().string(InngestHeaderKey.Framework.getValue(), "springboot")) + .andExpect(jsonPath("$.authentication_succeeded").value(false)) + .andExpect(jsonPath("$.function_count").isNumber()) + .andExpect(jsonPath("$.has_event_key").value(true)) + .andExpect(jsonPath("$.has_signing_key").value(true)) + .andExpect(jsonPath("$.mode").value("cloud")) + .andExpect(jsonPath("$.schema_version").value("2024-05-24")); + } + + @Test + public void shouldReturnInsecureIntrospectionWhenSignatureIsInvalid() throws Exception { + mockMvc.perform(get("/api/inngest") + .header("Host", "localhost:8080") + .header(InngestHeaderKey.Signature.getValue(), "invalid-signature")) + .andExpect(status().isOk()) + .andExpect(content().contentType("application/json")) + .andExpect(header().string(InngestHeaderKey.Framework.getValue(), "springboot")) + .andExpect(jsonPath("$.authentication_succeeded").value(false)) + .andExpect(jsonPath("$.function_count").isNumber()) + .andExpect(jsonPath("$.has_event_key").value(true)) + .andExpect(jsonPath("$.has_signing_key").value(true)) + .andExpect(jsonPath("$.mode").value("cloud")) + .andExpect(jsonPath("$.schema_version").value("2024-05-24")); + } + + @Test + public void shouldReturnSecureIntrospectionWhenSignatureIsValid() throws Exception { + long currentTimestamp = System.currentTimeMillis() / 1000; + + String signature = SignatureVerificationKt.signRequest("", currentTimestamp, productionSigningKey); + String formattedSignature = String.format("s=%s&t=%d", signature, currentTimestamp); + + String expectedSigningKeyHash = BearerTokenKt.hashedSigningKey(productionSigningKey); + + mockMvc.perform(get("/api/inngest") + .header("Host", "localhost:8080") + .header(InngestHeaderKey.Signature.getValue(), formattedSignature)) + .andExpect(status().isOk()) + .andExpect(content().contentType("application/json")) + .andExpect(header().string(InngestHeaderKey.Framework.getValue(), "springboot")) + .andExpect(jsonPath("$.authentication_succeeded").value(true)) + .andExpect(jsonPath("$.function_count").isNumber()) + .andExpect(jsonPath("$.has_event_key").value(true)) + .andExpect(jsonPath("$.has_signing_key").value(true)) + .andExpect(jsonPath("$.mode").value("cloud")) + .andExpect(jsonPath("$.schema_version").value("2024-05-24")) + .andExpect(jsonPath("$.api_origin").value("https://api.inngest.com/")) + .andExpect(jsonPath("$.app_id").value(ProductionConfiguration.INNGEST_APP_ID)) + .andExpect(jsonPath("$.env").value("prod")) + .andExpect(jsonPath("$.event_api_origin").value("https://inn.gs/")) + .andExpect(jsonPath("$.framework").value("springboot")) + .andExpect(jsonPath("$.sdk_language").value("java")) + .andExpect(jsonPath("$.event_key_hash").value("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")) + .andExpect(jsonPath("$.sdk_version").value(Version.Companion.getVersion())) + .andExpect(jsonPath("$.signing_key_hash").value(expectedSigningKeyHash)); + } + } +} diff --git a/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/IntrospectTest.java b/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/DevModeIntrospectionTest.java similarity index 88% rename from inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/IntrospectTest.java rename to inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/DevModeIntrospectionTest.java index b7c340ed..628c5779 100644 --- a/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/IntrospectTest.java +++ b/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/DevModeIntrospectionTest.java @@ -3,6 +3,7 @@ import com.inngest.InngestHeaderKey; import com.inngest.Version; import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.condition.EnabledIfSystemProperty; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; import org.springframework.context.annotation.Import; @@ -13,12 +14,13 @@ @Import(DemoTestConfiguration.class) @WebMvcTest(DemoController.class) -public class IntrospectTest { +public class DevModeIntrospectionTest { @Autowired private MockMvc mockMvc; @Test + @EnabledIfSystemProperty(named = "test-group", matches = "unit-test") public void shouldReturnInsecureIntrospectPayload() throws Exception { mockMvc.perform(get("/api/inngest").header("Host", "localhost:8080")) .andExpect(status().isOk()) From ad202ccf9c4aaefd0ae570cbae01f560917c2a22 Mon Sep 17 00:00:00 2001 From: Riadh <22998716+KiKoS0@users.noreply.github.com> Date: Thu, 12 Sep 2024 02:18:09 +0200 Subject: [PATCH 7/9] Use the same signing key that was used by other tests --- .../com/inngest/springbootdemo/CloudModeIntrospectionTest.java | 2 +- inngest/src/test/kotlin/com/inngest/ServeConfigTest.kt | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/CloudModeIntrospectionTest.java b/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/CloudModeIntrospectionTest.java index 9363a031..baa2c4d4 100644 --- a/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/CloudModeIntrospectionTest.java +++ b/inngest-spring-boot-demo/src/test/java/com/inngest/springbootdemo/CloudModeIntrospectionTest.java @@ -52,7 +52,7 @@ protected CommHandler commHandler(@Autowired Inngest inngestClient) { @ExtendWith(SystemStubsExtension.class) public class CloudModeIntrospectionTest { - private static final String productionSigningKey = "signkey-prod-2a89e554826a40672684e75eee6e34909b45aa4fd04fff5ff49bbe28c24ef424"; + private static final String productionSigningKey = "signkey-prod-b2ed992186a5cb19f6668aade821f502c1d00970dfd0e35128d51bac4649916c"; private static final String productionEventKey = "test"; @SystemStub private static EnvironmentVariables environmentVariables; diff --git a/inngest/src/test/kotlin/com/inngest/ServeConfigTest.kt b/inngest/src/test/kotlin/com/inngest/ServeConfigTest.kt index b2776878..1fed1ddd 100644 --- a/inngest/src/test/kotlin/com/inngest/ServeConfigTest.kt +++ b/inngest/src/test/kotlin/com/inngest/ServeConfigTest.kt @@ -36,7 +36,6 @@ internal class ServeConfigTest { ) } - // hasSigningKey() @Test fun `should return false if not set - dev`() { val config = ServeConfig(client = client) From c2804efd3bd3ddf3fe939c72d615d8f803b7e1a5 Mon Sep 17 00:00:00 2001 From: Riadh <22998716+KiKoS0@users.noreply.github.com> Date: Thu, 12 Sep 2024 02:45:34 +0200 Subject: [PATCH 8/9] Change order of introspection fields to alphabetical order --- .../main/kotlin/com/inngest/Introspection.kt | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/inngest/src/main/kotlin/com/inngest/Introspection.kt b/inngest/src/main/kotlin/com/inngest/Introspection.kt index a6bc1fbe..095e8244 100644 --- a/inngest/src/main/kotlin/com/inngest/Introspection.kt +++ b/inngest/src/main/kotlin/com/inngest/Introspection.kt @@ -3,42 +3,41 @@ package com.inngest import com.beust.klaxon.Json abstract class Introspection( + @Json("authentication_succeeded") open val authenticationSucceeded: Boolean?, open val functionCount: Int, open val hasEventKey: Boolean, open val hasSigningKey: Boolean, open val mode: String, - @Json("authentication_succeeded") open val authenticationSucceeded: Boolean?, @Json("schema_version") val schemaVersion: String = "2024-05-24", ) internal data class InsecureIntrospection( + @Json("authentication_succeeded") override var authenticationSucceeded: Boolean? = null, @Json("function_count") override val functionCount: Int, @Json("has_event_key") override val hasEventKey: Boolean, @Json("has_signing_key") override val hasSigningKey: Boolean, override val mode: String, - @Json("authentication_succeeded") override var authenticationSucceeded: Boolean? = null, -) : Introspection(functionCount, hasEventKey, hasSigningKey, mode, authenticationSucceeded) +) : Introspection(authenticationSucceeded, functionCount, hasEventKey, hasSigningKey, mode) internal data class SecureIntrospection( - @Json("authentication_succeeded") override val authenticationSucceeded: Boolean?, - @Json("function_count") override val functionCount: Int, - @Json("has_event_key") override val hasEventKey: Boolean, - @Json("has_signing_key") override val hasSigningKey: Boolean, - override val mode: String, @Json("api_origin") val apiOrigin: String, @Json("app_id") val appId: String, + @Json("authentication_succeeded") override val authenticationSucceeded: Boolean?, // TODO: Add capabilities when adding the trust probe -// @Json("capabilities") val capabilities: Capabilities, - val env: String?, + // @Json("capabilities") val capabilities: Capabilities, @Json("event_api_origin") val eventApiOrigin: String, @Json("event_key_hash") val eventKeyHash: String?, + val env: String?, val framework: String, + @Json("function_count") override val functionCount: Int, + @Json("has_event_key") override val hasEventKey: Boolean, + @Json("has_signing_key") override val hasSigningKey: Boolean, + @Json("has_signing_key_fallback") val hasSigningKeyFallback: Boolean = false, + override val mode: String, @Json("sdk_language") val sdkLanguage: String, @Json("sdk_version") val sdkVersion: String, @Json("serve_origin") val serveOrigin: String?, @Json("serve_path") val servePath: String?, - // TODO: Remove the default value when implementing signing key fallback @Json("signing_key_fallback_hash") val signingKeyFallbackHash: String? = null, - @Json("has_signing_key_fallback") val hasSigningKeyFallback: Boolean = false, @Json("signing_key_hash") val signingKeyHash: String?, -) : Introspection(functionCount, hasEventKey, hasSigningKey, mode, authenticationSucceeded) +) : Introspection(authenticationSucceeded, functionCount, hasEventKey, hasSigningKey, mode) From 7da679e2e132d7049fc74c5f9b512c67b20f8d8e Mon Sep 17 00:00:00 2001 From: Riadh <22998716+KiKoS0@users.noreply.github.com> Date: Fri, 13 Sep 2024 02:43:43 +0200 Subject: [PATCH 9/9] Address PR feedback --- .../java/com/inngest/springboot/InngestController.java | 1 - inngest-spring-boot-demo/build.gradle.kts | 2 ++ inngest/src/main/kotlin/com/inngest/Environment.kt | 2 +- inngest/src/main/kotlin/com/inngest/ServeConfig.kt | 7 ++++++- 4 files changed, 9 insertions(+), 3 deletions(-) diff --git a/inngest-spring-boot-adapter/src/main/java/com/inngest/springboot/InngestController.java b/inngest-spring-boot-adapter/src/main/java/com/inngest/springboot/InngestController.java index b0831305..d43fd355 100644 --- a/inngest-spring-boot-adapter/src/main/java/com/inngest/springboot/InngestController.java +++ b/inngest-spring-boot-adapter/src/main/java/com/inngest/springboot/InngestController.java @@ -31,7 +31,6 @@ private HttpHeaders getHeaders() { @GetMapping public ResponseEntity index( @RequestHeader(HttpHeaders.HOST) String hostHeader, - HttpServletRequest request, @RequestHeader(name = "X-Inngest-Signature", required = false) String signature, @RequestHeader(name = "X-Inngest-Server-Kind", required = false) String serverKind ) { diff --git a/inngest-spring-boot-demo/build.gradle.kts b/inngest-spring-boot-demo/build.gradle.kts index 06c0dc62..dcd6a283 100644 --- a/inngest-spring-boot-demo/build.gradle.kts +++ b/inngest-spring-boot-demo/build.gradle.kts @@ -47,6 +47,8 @@ tasks.withType { systemProperty("junit.jupiter.execution.parallel.enabled", true) systemProperty("test-group", "unit-test") + // Required by `system-stubs-jupiter` for JDK 21+ compatibility + // https://github.com/raphw/byte-buddy/issues/1396 jvmArgs = listOf("-Dnet.bytebuddy.experimental=true") testLogging { events = diff --git a/inngest/src/main/kotlin/com/inngest/Environment.kt b/inngest/src/main/kotlin/com/inngest/Environment.kt index b92d343d..ed0d0584 100644 --- a/inngest/src/main/kotlin/com/inngest/Environment.kt +++ b/inngest/src/main/kotlin/com/inngest/Environment.kt @@ -18,7 +18,7 @@ object Environment { return System.getenv(InngestSystem.EventKey.value) ?: DUMMY_KEY_EVENT } - fun isInngestEventKeySet(value: String?): Boolean = + fun isInngestEventKeySet(value: String?) = when { value.isNullOrEmpty() -> false value == DUMMY_KEY_EVENT -> false diff --git a/inngest/src/main/kotlin/com/inngest/ServeConfig.kt b/inngest/src/main/kotlin/com/inngest/ServeConfig.kt index 46841fbf..321357e5 100644 --- a/inngest/src/main/kotlin/com/inngest/ServeConfig.kt +++ b/inngest/src/main/kotlin/com/inngest/ServeConfig.kt @@ -33,7 +33,12 @@ class ServeConfig } } - fun hasSigningKey() = signingKey() !in listOf(DUMMY_SIGNING_KEY, "") + fun hasSigningKey() = + when (signingKey()) { + DUMMY_SIGNING_KEY -> false + "" -> false + else -> true + } fun baseUrl(): String { if (baseUrl != null) return baseUrl