Add webhook domain exclusion config for notification channels (#172)

* Add webhook domain exclusion config for notification channels

Author: pavan-traceable

alerting-config-service-api/build.gradle.kts

@@ -31,6 +31,11 @@ protobuf {
 
 dependencies {
   api(libs.bundles.grpc.api)
+  constraints {
+    implementation("com.google.guava:guava:32.0.1-jre") {
+      because("https://nvd.nist.gov/vuln/detail/CVE-2023-2976")
+    }
+  }
 }
 
 sourceSets {

config-proto-converter/build.gradle.kts

@@ -11,4 +11,9 @@ dependencies {
       because("https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327")
     }
   }
+  constraints {
+    implementation("com.google.guava:guava:32.0.1-jre") {
+      because("https://nvd.nist.gov/vuln/detail/CVE-2023-2976")
+    }
+  }
 }

config-service-api/build.gradle.kts

@@ -73,4 +73,9 @@ dependencies {
   testFixturesImplementation(libs.guava)
   testFixturesAnnotationProcessor(libs.lombok)
   testFixturesCompileOnly(libs.lombok)
+  constraints {
+    implementation("com.google.guava:guava:32.0.1-jre") {
+      because("https://nvd.nist.gov/vuln/detail/CVE-2023-2976")
+    }
+  }
 }

config-service-factory/src/main/java/org/hypertrace/config/service/ConfigServiceFactory.java

@@ -65,7 +65,8 @@ public List<GrpcPlatformService> buildServices(
                 localChannel, config, configChangeEventGenerator),
             new EventConditionConfigServiceImpl(localChannel, configChangeEventGenerator),
             new NotificationRuleConfigServiceImpl(localChannel, configChangeEventGenerator),
-            new NotificationChannelConfigServiceImpl(localChannel, configChangeEventGenerator),
+            new NotificationChannelConfigServiceImpl(
+                localChannel, config, configChangeEventGenerator),
             SpanProcessingConfigServiceFactory.build(localChannel, config))
         .map(GrpcPlatformService::new)
         .collect(Collectors.toUnmodifiableList());

gradle/libs.versions.toml

@@ -1,6 +1,6 @@
 [versions]
-protoc = "3.21.12"
-grpc = "1.56.0"
+protoc = "3.23.2"
+grpc = "1.56.1"
 gson = "2.9.0"
 hypertrace-grpcutils = "0.12.1"
 hypertrace-framework = "0.1.52"

label-application-rule-config-service-api/build.gradle.kts

@@ -31,6 +31,11 @@ protobuf {
 
 dependencies {
   api(libs.bundles.grpc.api)
+  constraints {
+    implementation("com.google.guava:guava:32.0.1-jre") {
+      because("https://nvd.nist.gov/vuln/detail/CVE-2023-2976")
+    }
+  }
 }
 
 sourceSets {

labels-config-service-api/build.gradle.kts

@@ -31,6 +31,11 @@ protobuf {
 
 dependencies {
   api(libs.bundles.grpc.api)
+  constraints {
+    implementation("com.google.guava:guava:32.0.1-jre") {
+      because("https://nvd.nist.gov/vuln/detail/CVE-2023-2976")
+    }
+  }
 }
 
 sourceSets {

notification-channel-config-service-api/build.gradle.kts

@@ -31,6 +31,11 @@ protobuf {
 
 dependencies {
   api(libs.bundles.grpc.api)
+  constraints {
+    implementation("com.google.guava:guava:32.0.1-jre") {
+      because("https://nvd.nist.gov/vuln/detail/CVE-2023-2976")
+    }
+  }
 }
 
 sourceSets {

notification-channel-config-service-impl/src/main/java/org/hypertrace/notification/config/service/NotificationChannelConfigServiceImpl.java

@@ -1,5 +1,6 @@
 package org.hypertrace.notification.config.service;
 
+import com.typesafe.config.Config;
 import io.grpc.Channel;
 import io.grpc.Status;
 import io.grpc.stub.StreamObserver;
@@ -27,11 +28,18 @@
 public class NotificationChannelConfigServiceImpl
     extends NotificationChannelConfigServiceGrpc.NotificationChannelConfigServiceImplBase {
 
+  static final String NOTIFICATION_CHANNEL_CONFIG_SERVICE_CONFIG =
+      "notification.channel.config.service";
+
   private final NotificationChannelStore notificationChannelStore;
   private final NotificationChannelConfigServiceRequestValidator validator;
+  private Config notificationChannelConfig = null;
 
   public NotificationChannelConfigServiceImpl(
-      Channel channel, ConfigChangeEventGenerator configChangeEventGenerator) {
+      Channel channel, Config config, ConfigChangeEventGenerator configChangeEventGenerator) {
+    if (config.hasPath(NOTIFICATION_CHANNEL_CONFIG_SERVICE_CONFIG)) {
+      this.notificationChannelConfig = config.getConfig(NOTIFICATION_CHANNEL_CONFIG_SERVICE_CONFIG);
+    }
     this.notificationChannelStore =
         new NotificationChannelStore(channel, configChangeEventGenerator);
     this.validator = new NotificationChannelConfigServiceRequestValidator();
@@ -43,7 +51,8 @@ public void createNotificationChannel(
       StreamObserver<CreateNotificationChannelResponse> responseObserver) {
     try {
       RequestContext requestContext = RequestContext.CURRENT.get();
-      validator.validateCreateNotificationChannelRequest(requestContext, request);
+      validator.validateCreateNotificationChannelRequest(
+          requestContext, request, notificationChannelConfig);
       NotificationChannel.Builder builder =
           NotificationChannel.newBuilder()
               .setId(UUID.randomUUID().toString())
@@ -66,7 +75,8 @@ public void updateNotificationChannel(
       StreamObserver<UpdateNotificationChannelResponse> responseObserver) {
     try {
       RequestContext requestContext = RequestContext.CURRENT.get();
-      validator.validateUpdateNotificationChannelRequest(requestContext, request);
+      validator.validateUpdateNotificationChannelRequest(
+          requestContext, request, notificationChannelConfig);
       responseObserver.onNext(
           UpdateNotificationChannelResponse.newBuilder()
               .setNotificationChannel(

notification-channel-config-service-impl/src/main/java/org/hypertrace/notification/config/service/NotificationChannelConfigServiceRequestValidator.java

@@ -3,7 +3,11 @@
 import static org.hypertrace.config.validation.GrpcValidatorUtils.validateNonDefaultPresenceOrThrow;
 import static org.hypertrace.config.validation.GrpcValidatorUtils.validateRequestContextOrThrow;
 
+import com.typesafe.config.Config;
 import io.grpc.Status;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.List;
 import org.hypertrace.core.grpcutils.context.RequestContext;
 import org.hypertrace.notification.config.service.v1.AwsS3BucketChannelConfig;
 import org.hypertrace.notification.config.service.v1.AwsS3BucketChannelConfig.WebIdentityAuthenticationCredential;
@@ -20,17 +24,86 @@
 
 public class NotificationChannelConfigServiceRequestValidator {
 
+  public static final String WEBHOOK_EXCLUSION_DOMAINS = "webhook.exclusion.domains";
+  public static final String WEBHOOK_HTTP_SUPPORT_ENABLED = "webhook.http.support.enabled";
+
   public void validateCreateNotificationChannelRequest(
-      RequestContext requestContext, CreateNotificationChannelRequest request) {
+      RequestContext requestContext,
+      CreateNotificationChannelRequest request,
+      Config notificationChannelConfig) {
     validateRequestContextOrThrow(requestContext);
     validateNotificationChannelMutableData(request.getNotificationChannelMutableData());
+    validateWebhookConfigExclusionDomains(
+        request.getNotificationChannelMutableData(), notificationChannelConfig);
+    validateWebhookHttpSupport(
+        request.getNotificationChannelMutableData(), notificationChannelConfig);
+  }
+
+  void validateWebhookHttpSupport(
+      NotificationChannelMutableData notificationChannelMutableData,
+      Config notificationChannelConfig) {
+    if (notificationChannelConfig == null
+        || notificationChannelMutableData.getWebhookChannelConfigList().isEmpty()) {
+      return;
+    }
+    for (WebhookChannelConfig webhookChannelConfig :
+        notificationChannelMutableData.getWebhookChannelConfigList()) {
+      if (notificationChannelConfig.hasPath(WEBHOOK_HTTP_SUPPORT_ENABLED)
+          && notificationChannelConfig.getBoolean(WEBHOOK_HTTP_SUPPORT_ENABLED)) {
+        continue;
+      }
+      validateHttpsUrl(webhookChannelConfig.getUrl());
+    }
+  }
+
+  private void validateHttpsUrl(String urlString) {
+    try {
+      URL url = new URL(urlString);
+      String protocol = url.getProtocol();
+      if (!protocol.equals("https")) {
+        throw Status.INVALID_ARGUMENT
+            .withDescription("URL configured in webhook is not https ")
+            .asRuntimeException();
+      }
+    } catch (MalformedURLException e) {
+      throw Status.INVALID_ARGUMENT
+          .withDescription("URL configured in webhook is malformed ")
+          .asRuntimeException();
+    }
+  }
+
+  void validateWebhookConfigExclusionDomains(
+      NotificationChannelMutableData notificationChannelMutableData,
+      Config notificationChannelConfig) {
+    if (notificationChannelConfig == null
+        || notificationChannelMutableData.getWebhookChannelConfigList().isEmpty()) {
+      return;
+    }
+    if (notificationChannelConfig.hasPath(WEBHOOK_EXCLUSION_DOMAINS)) {
+      List<String> exclusionDomains =
+          notificationChannelConfig.getStringList(WEBHOOK_EXCLUSION_DOMAINS);
+      for (WebhookChannelConfig webhookChannelConfig :
+          notificationChannelMutableData.getWebhookChannelConfigList()) {
+        for (String exclusionDomain : exclusionDomains) {
+          if (webhookChannelConfig.getUrl().contains(exclusionDomain)) {
+            throw Status.INVALID_ARGUMENT
+                .withDescription("URL configured in webhook contains excluded domain")
+                .asRuntimeException();
+          }
+        }
+      }
+    }
   }
 
   public void validateUpdateNotificationChannelRequest(
-      RequestContext requestContext, UpdateNotificationChannelRequest request) {
+      RequestContext requestContext,
+      UpdateNotificationChannelRequest request,
+      Config notificationChannelConfig) {
     validateRequestContextOrThrow(requestContext);
     validateNonDefaultPresenceOrThrow(request, UpdateNotificationChannelRequest.ID_FIELD_NUMBER);
     validateNotificationChannelMutableData(request.getNotificationChannelMutableData());
+    validateWebhookConfigExclusionDomains(
+        request.getNotificationChannelMutableData(), notificationChannelConfig);
   }
 
   private void validateNotificationChannelMutableData(NotificationChannelMutableData data) {