"""Webhook components for gnexus-gauth.""" import hashlib import hmac from datetime import datetime, timezone from gnexus_gauth.config import GAuthConfig from gnexus_gauth.contracts import ( ClockInterface, WebhookParserInterface, WebhookVerifierInterface, ) from gnexus_gauth.dto import VerifiedWebhook, WebhookEvent from gnexus_gauth.exceptions import ( WebhookPayloadException, WebhookVerificationException, ) from gnexus_gauth.support import SystemClock class HmacWebhookVerifier(WebhookVerifierInterface): """HMAC-SHA256 webhook signature verifier.""" def __init__( self, config: GAuthConfig, clock: ClockInterface | None = None, ) -> None: self._config = config self._clock = clock or SystemClock() def verify(self, raw_body: str, headers: dict, secret: str) -> VerifiedWebhook: normalized = self._normalize_headers(headers) for required in ("x-gnexus-event-id", "x-gnexus-event-type", "x-gnexus-event-timestamp", "x-gnexus-signature"): if not normalized.get(required): raise WebhookVerificationException(f"Missing webhook header: {required}.") signature = self._parse_signature_header(normalized["x-gnexus-signature"]) timestamp = signature["timestamp"] expected = hmac.new( secret.encode(), f"{timestamp}.{raw_body}".encode(), hashlib.sha256, ).hexdigest() if not hmac.compare_digest(expected, signature["hash"]): raise WebhookVerificationException("Invalid webhook signature.") tolerance = self._config.webhook_tolerance_seconds if tolerance > 0: now_ts = int(self._clock.now().timestamp()) if abs(now_ts - timestamp) > tolerance: raise WebhookVerificationException("Webhook timestamp is outside the allowed tolerance window.") return VerifiedWebhook( raw_body=raw_body, normalized_headers=normalized, signature_id=normalized["x-gnexus-event-id"], verified_at=self._clock.now(), ) @staticmethod def _normalize_headers(headers: dict) -> dict[str, str]: normalized: dict[str, str] = {} for name, value in headers.items(): normalized_name = str(name).lower().replace("_", "-") if isinstance(value, list): value = value[0] if value else "" normalized[normalized_name] = str(value).strip() return normalized @staticmethod def _parse_signature_header(header: str) -> dict: parts: dict[str, str] = {} for chunk in header.split(","): chunk = chunk.strip() if "=" not in chunk: continue key, sep, value = chunk.partition("=") if sep: parts[key] = value if "t" not in parts or "v1" not in parts: raise WebhookVerificationException("Malformed webhook signature header.") if not parts["t"].isdigit(): raise WebhookVerificationException("Webhook timestamp must be numeric.") return { "timestamp": int(parts["t"]), "hash": parts["v1"].lower(), } class JsonWebhookParser(WebhookParserInterface): """JSON webhook payload parser.""" def parse(self, raw_body: str) -> WebhookEvent: import json try: payload = json.loads(raw_body) except (ValueError, TypeError) as exc: raise WebhookPayloadException("Webhook payload is not valid JSON.") from exc if not isinstance(payload, dict): raise WebhookPayloadException("Webhook payload is not valid JSON.") event_type = payload.get("type") if not isinstance(event_type, str) or not event_type: raise WebhookPayloadException("Webhook payload is missing event type.") occurred_at: datetime | None = None raw_occurred = payload.get("occurred_at") if isinstance(raw_occurred, str) and raw_occurred: try: occurred_at = datetime.fromisoformat(raw_occurred) if occurred_at.tzinfo is None: occurred_at = occurred_at.replace(tzinfo=timezone.utc) except ValueError as exc: raise WebhookPayloadException("Webhook payload contains invalid occurred_at.") from exc return WebhookEvent( event_id=str(payload["id"]) if "id" in payload else None, event_type=event_type, occurred_at=occurred_at, target_identifiers=payload["target"] if isinstance(payload.get("target"), dict) else {}, actor_identifiers=payload["actor"] if isinstance(payload.get("actor"), dict) else {}, metadata=payload["data"] if isinstance(payload.get("data"), dict) else {}, raw_payload=payload, )