Improvements to webhooks endpoints

[j616]

Details

While developing fine-grained auth approaches in #115 , several deficiencies were noticed with the Webhooks endpoints:

• The CRUD patterns on the Webhooks endpoint do not match the rest of the API
• The use of a secret attribute for auth on this endpoint is vulnerable to the loss of that secret. This would prevent editing or deleting of a webhook.
• The BBC R&D (internal experimental) implementation and AWS implementation of TAMS differed in their interpretation of what is the primary key
• Strict interpretation of the spec, and hiding of the secret api_key_value in the Webhooks listing, could result in multiple identical looking Webhooks being returned
• The existing approach prevents "matrixing" of event types and filters (e.g. to receive all flows/created events, but only flows/segments_added for specific flows)

This PR proposes changes to the Webhooks endpoint to fix these issues.

Jira Issue (if relevant)

Jira URL: https://jira.dev.bbc.co.uk/browse/CLOUDFIT-5461

Related PRs

If merged before #115, add the new endpoints to the auth logic listings in that PR. If merged after, add that logic in this PR

Submitter PR Checks

(tick as appropriate)

• PR completes task/fixes bug
• API version has been incremented if necessary
• ADR status has been updated, and ADR implementation has been recorded
• Documentation updated (README, etc.)
• PR added to Jira Issue (if relevant)
• Follow-up stories added to Jira

Reviewer PR Checks

(tick as appropriate)

• PR completes task/fixes bug
• Design makes sense, and fits with our current code base
• Code is easy to follow
• PR size is sensible
• Commit history is sensible and tidy

Info on PRs

The checks above are guidelines. They don't all have to be ticked, but they should all have been considered.

[samdbmg]

Changes LGTM - couple of docs nits inlined

[samdbmg]

I think this might need a tweak to match this being an update endpoint now

[j616]

Tweaked in fdcd744

[danjhd]

Something that came up in a conversation today and may be something to include in this PR. Should we be supplying more "data" in the deleted events payload, for flows and sources? We had a use case where we wanted to be notified if a "multi" Source is deleted. Since the payload for deleted events only has the id this is not currently easy/possible.

[j616]

Something that came up in a conversation today and may be something to include in this PR. Should we be supplying more "data" in the deleted events payload, for flows and sources? We had a use case where we wanted to be notified if a "multi" Source is deleted. Since the payload for deleted events only has the id this is not currently easy/possible.

I think that sounds reasonable. Would you be able to provide some user stories/use cases we can use to inform the change? I'm mainly wondering if that data should be the whole Source/Flow metadata, or just a subset. I wonder if it should be a separate ADR and/or PR to avoid adding even more to this very large change set!

[danjhd]

Something that came up in a conversation today and may be something to include in this PR. Should we be supplying more "data" in the deleted events payload, for flows and sources? We had a use case where we wanted to be notified if a "multi" Source is deleted. Since the payload for deleted events only has the id this is not currently easy/possible.

I think that sounds reasonable. Would you be able to provide some user stories/use cases we can use to inform the change? I'm mainly wondering if that data should be the whole Source/Flow metadata, or just a subset. I wonder if it should be a separate ADR and/or PR to avoid adding even more to this very large change set!

Separate PR is best plan. I just figured it was worth "sounding out" the idea here first in case it was considered "silly" ;)

[danjhd]

Since we don't have a read-only field on the webhook, like we do on Flows i was just wondering if this 403 is needed explicitly? Since i guess this will be produced by the RBAC/ABAC/Coarse access rules? Unless i have missed something. Feels like if we are including a 403 here we should go back and add 403 to all methods?

[j616]

Yes. This was added for access control use cases. We should make sure we're consistent with this.

[danjhd]

I think it might be a good idea to have a status field (values of enabled and disabled) on a webhook. This would serve 2 purposes:

1. It would be updateable on the PUT endpoint so that a client can disable a webhook for a period if needed without deleting it and without the need to alter it in any other way.
2. It would allow the implementation to automatically disable webhooks after a defined number of failures so avoid continuously loading the system with POSTs that will fail. The addition of an optional error field (readonly) would be useful to give feedback to the client on the reason for the disablement if it was done by the system rather than the client.

In our implementation i need to solve the problem of repeated failures and thought about adding a disabled flag but it think this might be useful in the main spec, and also worth adding as part of this PR as it is the same schema?

[j616]

Rebased

[j616]

I think it might be a good idea to have a status field (values of enabled and disabled) on a webhook. This would serve 2 purposes:

1. It would be updateable on the PUT endpoint so that a client can disable a webhook for a period if needed without deleting it and without the need to alter it in any other way.
2. It would allow the implementation to automatically disable webhooks after a defined number of failures so avoid continuously loading the system with POSTs that will fail. The addition of an optional error field (readonly) would be useful to give feedback to the client on the reason for the disablement if it was done by the system rather than the client.

In our implementation i need to solve the problem of repeated failures and thought about adding a disabled flag but it think this might be useful in the main spec, and also worth adding as part of this PR as it is the same schema?

Initial solution proposed in #150 was merged into this PR. This was expanded on in 087510c

[j616]

Rebased

[samdbmg]

One question, but LGTM

[j616]

Rebasing again