Failing to verify the signature for a Outpost request

[soranoo]

As I mentioned in #565 , I failed to validate the signature for an Outpost request in version 0.7.0. I have been stuck in it for a while, looking for someone to help.

Sample

Request Object (Sensitive information is masked)

Request {
    method: 'POST',
    url: 'https://localhost:3000/api/v1/callbacks/upload-confirmed',
    headers: Headers {
      host: 'example.com',
      'user-agent': 'Outpost/0.7.0',
      'content-length': '545',
      'accept-encoding': 'gzip, br',
      'cdn-loop': 'cloudflare; loops=1',
      'cf-connecting-ip': 'xxx.xxx.xxx.xxx',
      'cf-ipcountry': 'GB',
      'cf-ray': 'xxxxxxxxxx',
      'cf-visitor': '{"scheme":"https"}',
      'cf-warp-tag-id': 'xxxxxxxxxxxxxxxxxx',
      connection: 'keep-alive',
      'content-type': 'application/json',
      'x-forwarded-for': 'xxx.xxx.xxx.xxx',
      'x-forwarded-proto': 'https',
      'x-outpost-event-id': 'd9241d9b-8166-4cdf-8f21-06ca7064efac',
      'x-outpost-signature': 't=1763038508,v0=6ac8e778e6b2658158a479b49b71d0c19e0b9115b849c5dc4274dc3664cdad44',
      'x-outpost-source': 's3-antivirus-scanner',
      'x-outpost-timestamp': '1763038508',
      'x-outpost-topic': 's3.upload-confirmed',
      'x-forwarded-host': 'example.com',
      'x-forwarded-port': '3000'
    },
    destination: '',
    referrer: 'about:client',
    referrerPolicy: '',
    mode: 'cors',
    credentials: 'same-origin',
    cache: 'default',
    redirect: 'follow',
    integrity: '',
    keepalive: false,
    isReloadNavigation: false,
    isHistoryNavigation: false,
    signal: AbortSignal { aborted: false }
  }

Request's Body

{"antivirus_result":"safe","bucket":"private","content_type":"image/jpeg","creation_datetime":"2008-07-31T10:38:11Z","height":68,"is_included_dimensions":true,"meta":{"DateTime":"2008:07:31 10:38:11","ExifTag":[214],"GPSTag":[978],"Make":"Canon","Model":"Canon EOS 40D","Orientation":[1],"ResolutionUnit":[2],"Software":"GIMP 2.4.5","XResolution":[{"Denominator":1,"Numerator":72}],"YCbCrPositioning":[2],"YResolution":[{"Denominator":1,"Numerator":72}]},"object_key":"c35f2bed-d5db-48b9-be46-a0d9db2cd8e4-Canon_40D.jpg","size":7958,"width":100}

AES secret (Will be changed)

5f676d196c3e49763780162994df98e66d0917976bf0554dba9859e6d6105530

My manual validation steps

const {hmacSha256} = require("@se-oss/sha256")
var hmac=hmacSha256("5f676d196c3e49763780162994df98e66d0917976bf0554dba9859e6d6105530", '1763038508.{"antivirus_result":"safe","bucket":"private","content_type":"image/jpeg","creation_datetime":"2008-07-31T10:38:11Z","height":68,"is_included_dimensions":true,"meta":{"DateTime":"2008:07:31 10:38:11","ExifTag":[214],"GPSTag":[978],"Make":"Canon","Model":"Canon EOS 40D","Orientation":[1],"ResolutionUnit":[2],"Software":"GIMP 2.4.5","XResolution":[{"Denominator":1,"Numerator":72}],"YCbCrPositioning":[2],"YResolution":[{"Denominator":1,"Numerator":72}]},"object_key":"c35f2bed-d5db-48b9-be46-a0d9db2cd8e4-Canon_40D.jpg","size":7958,"width":100}')
Buffer.from(hmac).toString("hex");

// d58501b1aac62d84c86ddcf020c6cad81447240ef4e248481a1f2a6ecad0f9d7 != 6ac8e778e6b2658158a479b49b71d0c19e0b9115b849c5dc4274dc3664cdad44

Env

Running Environment: Docker
OS: Ubuntu
Outpost Version: 0.7.0

Docker Compose

services:
  outpost_api:
    image: hookdeck/outpost:v0.7.0 # Port 3333
    networks:
      - outpost
      - backbone
      - external
    environment:
      - "SERVICE: api"
      - RABBITMQ_SERVER_URL=amqp://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@rabbitmq:5672
      - POSTGRES_URL=postgres://${OUTPOST_POSTGRES_USERNAME}:${OUTPOST_POSTGRES_PASSWORD}@postgres:5432/outpost?sslmode=disable
      - REDIS_HOST=redis-simple
      - REDIS_PASSWORD=${OUTPOST_REDIS_PASSWORD}
      - AES_ENCRYPTION_SECRET=${OUTPOST_AES_ENCRYPTION_SECRET}
      - ALERT_AUTO_DISABLE_DESTINATION=false

      # API only env
      - API_KEY=${OUTPOST_API_KEY}
      - API_PORT=3333
      - API_JWT_SECRET=${OUTPOST_API_JWT_SECRET}
      - PORTAL_REFERER_URL=${OUTPOST_PORTAL_REFERER_URL:-https://google.com} # redirect URL when the user trying to access the Outpost portal unauthenticated
    # labels:
    #   - "traefik.enable=true"
    depends_on:
      redis-simple:
        condition: service_started
      rabbitmq:
        condition: service_healthy
      postgres-init:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
    volumes:
      - ../outpost/configs:/config/outpost
    #! The healthcheck section not working properly, no curl/wget installed in the image
    # healthcheck:
    #   test: ["CMD", "wget", "--spider", "-q", "http://localhost:3333/api/v1/healthz"]
    #   interval: 30s
    #   timeout: 10s
    #   retries: 3
    security_opt:
      - no-new-privileges:true

  outpost_delivery:
    image: hookdeck/outpost:v0.7.0
    networks:
      - outpost
      - backbone
    environment:
      - "SERVICE: delivery"
      - RABBITMQ_SERVER_URL=amqp://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@rabbitmq:5672
      - POSTGRES_URL=postgres://${OUTPOST_POSTGRES_USERNAME}:${OUTPOST_POSTGRES_PASSWORD}@postgres:5432/outpost?sslmode=disable
      - REDIS_HOST=redis-simple
      - REDIS_PASSWORD=${OUTPOST_REDIS_PASSWORD}
      - AES_ENCRYPTION_SECRET=${OUTPOST_AES_ENCRYPTION_SECRET}
      - ALERT_AUTO_DISABLE_DESTINATION=false
    depends_on:
      redis-simple:
        condition: service_started
      rabbitmq:
        condition: service_healthy
      postgres-init:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
    volumes:
      - ../outpost/configs:/config/outpost
    # healthcheck:
    #   test: ["CMD", "wget", "--spider", "-q", "http://localhost:3333/api/v1/healthz"]
    #   interval: 30s
    #   timeout: 10s
    #   retries: 3
    security_opt:
      - no-new-privileges:true

  outpost_log:
    image: hookdeck/outpost:v0.7.0
    networks:
      - outpost
      - backbone
    environment:
      - "SERVICE: log"
      - RABBITMQ_SERVER_URL=amqp://${RABBITMQ_DEFAULT_USER}:${RABBITMQ_DEFAULT_PASS}@rabbitmq:5672
      - POSTGRES_URL=postgres://${OUTPOST_POSTGRES_USERNAME}:${OUTPOST_POSTGRES_PASSWORD}@postgres:5432/outpost?sslmode=disable
      - REDIS_HOST=redis-simple
      - REDIS_PASSWORD=${OUTPOST_REDIS_PASSWORD}
      - AES_ENCRYPTION_SECRET=${OUTPOST_AES_ENCRYPTION_SECRET}
      - ALERT_AUTO_DISABLE_DESTINATION=false
    depends_on:
      redis-simple:
        condition: service_started
      rabbitmq:
        condition: service_healthy
      postgres-init:
        condition: service_completed_successfully
      postgres:
        condition: service_healthy
    volumes:
      - ../outpost/configs:/config/outpost
    # healthcheck:
    #   test: ["CMD", "wget", "--spider", "-q", "http://localhost:3333/api/v1/healthz"]
    #   interval: 30s
    #   timeout: 10s
    #   retries: 3
    security_opt:
      - no-new-privileges:true

networks:
  outpost:

Config

topics:
  - s3.upload-intention
  - s3.upload-confirmed

mqs:
  delivery_retry_limit: 10
  log_retry_limit: 10

portal:
  organization_name: "playground"

destinations:
  webhook:
    header_prefix: "x-outpost-"

[alexluong]

Can you clarify what you mean by "AES secret"?

If possible, would be great if you can share more about your usage & your tenant/destination setup.

In Outpost, you want to create tenant & webhook destination. From there, you can see the webhook signing key from the destination. That's the key you need to use to verify signature. Excuse me if you already know this, just wasn't sure if that's the case since you mentioned AES.

[soranoo]

ohhhh my bad, I misunderstood the docs, I just read it again and found that the secret should be found from the destination https://outpost.hookdeck.com/docs/api/destinations?lang=shell

Thank you sooo much for pointing out the correct direction

[alexluong]

Great, glad it's resolved, happy to help! Let us know if there's anything else

[soranoo]

Sorry for out of topic, is there any method to do health check within the container? I tried curl and wget, unfortunately, the image didn't include them. Thank you in advance.

[alexluong]

@soranoo can you share more about the context of your health check? Outpost is designed to rely on external health check by the orchestrator. As we use distroless images, there's no other way to perform health check from within the container. If that is necessary, we can potentially implement a simple health check mechanism within the outpost CLI itself. Would love to understand the context first in case there's another approach we can go with, if you're open to sharing more.

[soranoo]

Yes, having a cli for health check is a good idea!!!

As you can see, I am using Docker Compose instead of K8S or Docker Swarm. For Outpost users with a small project(eg. proof of concept) like me, utilising external monitoring maybe overkill and cause unnecessary overhead. Therefore, monitoring via Docker Compose health check is always the first choice for me.

[alexluong]

Gotchu, that makes sense. I think maybe we can support outpost healthcheck as a CLI command so you can use that for healthcheck. Let me know if you have any feedback here. Created this issue to track it further #568