MS_TEAMS webhook ?

[jjh74]

Hello,

I'm interested in writing a msteams webhook (so it would be possible to add "possibleactions" (ack, close, blackout buttons) to msteams messages). Adding the buttons is fairly easy (probably needs few helper functions to pymsteams(issues 45 and 44)), but I have few questions about the alerta webhook part:

• Does the webhook incoming -function have access to http request headers ? (AFAIK msteams sends Bearer header that can be used for authenticating requests).
• msteams expects response from webhook with "CARD-ACTION-STATUS" header, for example: CARD-ACTION-STATUS: Alert ack'd
  • Is it possible to return custom headers from "incoming" ? something like:

    resp = make_response('dummy body', 201)
    resp.headers['CARD-ACTION-STATUS'] = 'Alert ackd'
    return resp

• Is there any existing generic way to "authenticate" webhook requests to make sure that they're coming from msteams ? I was thinking about adding (if I'm unable to verify the bearer header) for example msteams_qid=some_random_string query string to webhook url and checking this query_string in "incoming" and/or adding HMAC to the webhook body: something like:

  team_hmac = hmac.new(MS_TEAMS_HMACKEY, digestmod=hashlib.sha256)
  team_hmac.update('ack')
  team_hmac.update(alert_id)
  digest  = base64.urlsafe_b64encode(team_hmac.digest())
  msteams_body = '{ "action": "ack", "alert_id": alert_id, "hmac": digest }'

  and then in "incoming" checking that hmac(action/alert_id) matches the hmac from body.

[satterly]

Webhooks can return anything that flask supports so yes, you can return custom headers. See the description of this PR https://github.com/alerta/alerta/pull/844

Webhooks can authenticate using basic auth, API key or Bearer token. I suggest an API key passed as a header X-API-Key

[jjh74]

Thanks, I'll take a look at the PR.

One follow up question, I'm assuming that alerta/webhooks/custom.py L19 (@permission(Scope.write_webhooks)) takes care of checking X-API-Key and the webhook doesn't have to do it ?

I see one possible problem with alerta/auth/decorators.py: MSteams sends Authorization: Bearer ... header so permission() doesn't look for X-API-Key if it first sees Authorization header ? Perhaps L27 could be: if 'Authorization' in request.headers and request.headers['Authorization'].find('Key ', 0, 4) == 0:

[satterly]

Alerta does the work of verifying the request before calling the custom webhook.

Yes, I see a potential problem there if an Authorization header is passed but should be ignored. Perhaps L32 could be if not key and ...

[jjh74]

Thanks, L32 change should also work. I'll create a PR if/when I have something usable. I'll close this issue for now.