caduceus delivers events to hooks registered with https + ip address #154

ilawjr · 2019-08-21T21:33:07Z

Caduceus will deliver events using https with an ip address e.g. https://96.118.136.239:443/api/v3/notify. This should fail as the cert won't match an ip address. Or, this should fail at the registration step. We do allow http + ip address - which is expected.

To reproduce

set up https listener with proper certs and route 53 path
register a webhook using the ip address of the server in step 1. e.g. https://96.118.136.239:443/api/v3/notify.
send the event to caduceus
the event is received

schmidtw · 2019-08-22T06:11:12Z

We originally decided to explicitly allow this pattern, but times have changed since 3d2f26a

The thinking is for non-globally route-able addresses requiring a matching hostname may be an issue.

This seems like something we should control via configuration.

kristinapathak · 2020-05-07T22:20:10Z

This seems like it could be fixed as a part of this issue:
https://github.com/xmidt-org/webpa-common/issues/475

kristinapathak added this to To do in XMiDT via automation Sep 19, 2019

kristinapathak added the enhancement label Sep 19, 2019

ilawjr moved this from To do to To review in XMiDT Apr 6, 2020

joe94 moved this from To review to Reviewed in XMiDT May 11, 2020

joe94 added the argus-webhooks Securing webhooks for the switch to argus label May 21, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

caduceus delivers events to hooks registered with https + ip address #154

caduceus delivers events to hooks registered with https + ip address #154

ilawjr commented Aug 21, 2019

schmidtw commented Aug 22, 2019

kristinapathak commented May 7, 2020

caduceus delivers events to hooks registered with https + ip address #154

caduceus delivers events to hooks registered with https + ip address #154

Comments

ilawjr commented Aug 21, 2019

schmidtw commented Aug 22, 2019

kristinapathak commented May 7, 2020