Additional security controls for webhooks for multi-tenancy

[tbloomfi]

trafficstars

We have a security requirement for tenants to rotate keys for all inbound API calls including webhooks. For webhooks, this would be challenging to manage centrally and is better managed by the tenant. Posting here for feedback on the planned approach before submitting a PR.

The approach is as follows:

1. Add an ACA-Py API endpoint to enable the tenant to create and manage a webhook secret. Note: Inbound API calls will be secured via OIDC via an external API gateway as part of our deployment.
2. Create a hash signature (SHA-256?) for the webhook messages using the webhook secret
3. Include the hash in the HTTP header for the message
4. The tenant would then be responsible for validating webhook messages as authentic using the secret managed by their controller. The controller would update the secret based on the tenant's security policy.

This is a pattern used by Github and others to secure webhooks - https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks

[swcurran]

@andrewwhitehead @ianco @TimoGlastra ^^^ Thoughts on this approach?

[ianco]

Makes sense to me, if it's a common pattern. For backward compatibility, this should be optional, with a default to the existing "static" api key.

Note that the mines team has developed some self-serve functionality for tenants as well, which they've implemented as a plug-in. tagging @usingtechnology

[usingtechnology]

we can do a prototype of this when we add some enhancements for our tenants in the innkeeper plugin.

[swcurran]

@esune -- is this issue addressed with #2860?

[esune]

@esune -- is this issue addressed with #2860?

No, this is a different thing. I wonder, however, if this issue and #2542 should be consolidated into one.