feat: http provider signing key addition (#10641)

# Which Problems Are Solved HTTP Request to HTTP providers for Email or SMS are not signed. # How the Problems Are Solved Add a Signing Key to the HTTP Provider resources, which is then used to generate a header to sign the payload. # Additional Changes Additional tests for query side of the SMTP provider. # Additional Context Closes #10067 --------- Co-authored-by: Marco A. <marco@zitadel.com> (cherry picked from commit 8909b9a2a6)
2025-12-06 17:22:28 +00:00 · 2025-09-08 13:00:04 +02:00
parent d2d94ea088
commit 1a7cd6e1af
36 changed files with 2113 additions and 132 deletions
--- a/internal/notification/channels/webhook/channel.go
+++ b/internal/notification/channels/webhook/channel.go
@@ -12,6 +12,11 @@ import (
 	"github.com/zitadel/zitadel/internal/notification/channels"
 	"github.com/zitadel/zitadel/internal/notification/messages"
 	"github.com/zitadel/zitadel/internal/zerrors"
+	"github.com/zitadel/zitadel/pkg/actions"
+)
+
+const (
+	SigningHeader = "ZITADEL-Signature"
 )

 func InitChannel(ctx context.Context, cfg Config) (channels.NotificationChannel, error) {
@@ -39,6 +44,10 @@ func InitChannel(ctx context.Context, cfg Config) (channels.NotificationChannel,
 			req.Header = cfg.Headers
 		}
 		req.Header.Set("Content-Type", "application/json")
+		if cfg.SigningKey != "" {
+			req.Header.Set(SigningHeader, actions.ComputeSignatureHeader(time.Now(), []byte(payload), cfg.SigningKey))
+		}
+
 		resp, err := http.DefaultClient.Do(req)
 		if err != nil {
 			return err
--- a/internal/notification/channels/webhook/config.go
+++ b/internal/notification/channels/webhook/config.go
@@ -6,9 +6,10 @@ import (
 )

 type Config struct {
-	CallURL string
-	Method  string
-	Headers http.Header
+	CallURL    string
+	Method     string
+	Headers    http.Header
+	SigningKey string
 }

 func (w *Config) Validate() error {
--- a/internal/notification/handlers/config_email.go
+++ b/internal/notification/handlers/config_email.go
@@ -49,9 +49,10 @@ func (n *NotificationQueries) GetActiveEmailConfig(ctx context.Context) (*email.
 		return &email.Config{
 			ProviderConfig: provider,
 			WebhookConfig: &webhook.Config{
-				CallURL: config.HTTPConfig.Endpoint,
-				Method:  http.MethodPost,
-				Headers: nil,
+				CallURL:    config.HTTPConfig.Endpoint,
+				Method:     http.MethodPost,
+				Headers:    nil,
+				SigningKey: config.HTTPConfig.SigningKey,
 			},
 		}, nil
 	}
--- a/internal/notification/handlers/config_sms.go
+++ b/internal/notification/handlers/config_sms.go
@@ -45,9 +45,10 @@ func (n *NotificationQueries) GetActiveSMSConfig(ctx context.Context) (*sms.Conf
 		return &sms.Config{
 			ProviderConfig: provider,
 			WebhookConfig: &webhook.Config{
-				CallURL: config.HTTPConfig.Endpoint,
-				Method:  http.MethodPost,
-				Headers: nil,
+				CallURL:    config.HTTPConfig.Endpoint,
+				Method:     http.MethodPost,
+				Headers:    nil,
+				SigningKey: config.HTTPConfig.SigningKey,
 			},
 		}, nil
 	}