bullet_train-outgoing_webhooks 1.0.4 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4186cf970999d91997f2410efeba593f422788cec8452978544796176d7ea47
-  data.tar.gz: 9700fff07690d45d249e966e29cd233f894b0f77fbffbc4cacf47a637ebb7be6
+  metadata.gz: a4d3884adf8d199b92ccf09ca749e8237e86a421224de5b8b81cf5ab0d9f4329
+  data.tar.gz: cec7b468644c484f8bcb0f4064b74764ab3e7b8873cb72ba5c8944009b95a576
 SHA512:
-  metadata.gz: 7b971859d534310367961541028daef0b95286d02d1bbe202ac954228ed092dacf6180277193d8b4822547838c20d3d60a7efb0eab1e56160eecf48fe7ac6606
-  data.tar.gz: 268648e2e285ca1398f4b526529c6a7de6a8e8efd461e73fc68003dd579fb75a335a77d3b461efd9d46b906aebc93bdd0f3fdbd6f8191dd60774deada233c491
+  metadata.gz: 98d7265e65165a0c2b55a0b2880063f00c72292e0a461e4bde667d54f077860f1b4861873f5131bd203e45b85ab03868822970071e626c34e2ed640059e5cc11
+  data.tar.gz: f36d57ccd33ba9268a106ef22c1457560f9b171ff0533b4f8102301e5962691f827ffa437c7f13d3fd7ab847b1b626a9c6374cca45efbbcab228caf7c265d2a9

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright 2022 Andrew Culver
+Copyright 2022 Bullet Train, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/app/controllers/account/webhooks/outgoing/endpoints_controller.rb

@@ -1,5 +1,6 @@
 class Account::Webhooks::Outgoing::EndpointsController < Account::ApplicationController
-  account_load_and_authorize_resource :endpoint, through: :team, through_association: :webhooks_outgoing_endpoints
+  account_load_and_authorize_resource :endpoint, through: BulletTrain::OutgoingWebhooks.parent_association, through_association: :webhooks_outgoing_endpoints
+  before_action { @parent = instance_variable_get("@#{BulletTrain::OutgoingWebhooks.parent_association}") }
 
   # GET /account/teams/:team_id/webhooks/outgoing/endpoints
   # GET /account/teams/:team_id/webhooks/outgoing/endpoints.json
@@ -26,7 +27,7 @@ class Account::Webhooks::Outgoing::EndpointsController < Account::ApplicationCon
   def create
     respond_to do |format|
       if @endpoint.save
-        format.html { redirect_to [:account, @team, :webhooks_outgoing_endpoints], notice: I18n.t("webhooks/outgoing/endpoints.notifications.created") }
+        format.html { redirect_to [:account, @parent, :webhooks_outgoing_endpoints], notice: I18n.t("webhooks/outgoing/endpoints.notifications.created") }
         format.json { render :show, status: :created, location: [:account, @endpoint] }
       else
         format.html { render :new, status: :unprocessable_entity }
@@ -54,7 +55,7 @@ class Account::Webhooks::Outgoing::EndpointsController < Account::ApplicationCon
   def destroy
     @endpoint.destroy
     respond_to do |format|
-      format.html { redirect_to [:account, @team, :webhooks_outgoing_endpoints], notice: I18n.t("webhooks/outgoing/endpoints.notifications.destroyed") }
+      format.html { redirect_to [:account, @parent, :webhooks_outgoing_endpoints], notice: I18n.t("webhooks/outgoing/endpoints.notifications.destroyed") }
       format.json { head :no_content }
     end
   end

data/app/controllers/api/v1/webhooks/outgoing/endpoints_endpoint.rb

@@ -1,7 +1,7 @@
 class Api::V1::Webhooks::Outgoing::EndpointsEndpoint < Api::V1::Root
   helpers do
-    params :team_id do
-      requires :team_id, type: Integer, allow_blank: false, desc: "Team ID"
+    params BulletTrain::OutgoingWebhooks.parent_association_id do
+      requires BulletTrain::OutgoingWebhooks.parent_association_id, type: Integer, allow_blank: false, desc: "#{BulletTrain::OutgoingWebhooks.parent_class} ID"
     end
 
     params :id do
@@ -19,7 +19,7 @@ class Api::V1::Webhooks::Outgoing::EndpointsEndpoint < Api::V1::Root
     end
   end
 
-  resource "teams", desc: Api.title(:collection_actions) do
+  resource BulletTrain::OutgoingWebhooks.parent_resource, desc: Api.title(:collection_actions) do
     after_validation do
       load_and_authorize_api_resource Webhooks::Outgoing::Endpoint
     end
@@ -30,11 +30,11 @@ class Api::V1::Webhooks::Outgoing::EndpointsEndpoint < Api::V1::Root
 
     desc Api.title(:index), &Api.index_desc
     params do
-      use :team_id
+      use BulletTrain::OutgoingWebhooks.parent_association_id
     end
     oauth2
     paginate per_page: 100
-    get "/:team_id/webhooks/outgoing/endpoints" do
+    get "/:#{BulletTrain::OutgoingWebhooks.parent_association_id}/webhooks/outgoing/endpoints" do
       @paginated_endpoints = paginate @endpoints
       render @paginated_endpoints, serializer: Api.serializer
     end
@@ -45,12 +45,12 @@ class Api::V1::Webhooks::Outgoing::EndpointsEndpoint < Api::V1::Root
 
     desc Api.title(:create), &Api.create_desc
     params do
-      use :team_id
+      use BulletTrain::OutgoingWebhooks.parent_association_id
       use :endpoint
     end
     route_setting :api_resource_options, permission: :create
     oauth2 "write"
-    post "/:team_id/webhooks/outgoing/endpoints" do
+    post "/:#{BulletTrain::OutgoingWebhooks.parent_association_id}/webhooks/outgoing/endpoints" do
       if @endpoint.save
         render @endpoint, serializer: Api.serializer
       else

data/app/jobs/webhooks/outgoing/generate_job.rb

@@ -0,0 +1,7 @@
+class Webhooks::Outgoing::GenerateJob < ApplicationJob
+  queue_as :default
+
+  def perform(obj, action)
+    obj.generate_webhook_perform(action)
+  end
+end

data/app/models/concerns/webhooks/outgoing/delivery_attempt_support.rb

@@ -0,0 +1,64 @@
+module Webhooks::Outgoing::DeliveryAttemptSupport
+  extend ActiveSupport::Concern
+  include Webhooks::Outgoing::UriFiltering
+
+  SUCCESS_RESPONSE_CODES = [200, 201, 202, 203, 204, 205, 206, 207, 226].freeze
+
+  included do
+    belongs_to :delivery
+    has_one :team, through: :delivery unless BulletTrain::OutgoingWebhooks.parent_class_specified?
+    scope :successful, -> { where(response_code: SUCCESS_RESPONSE_CODES) }
+
+    before_create do
+      self.attempt_number = delivery.attempt_count + 1
+    end
+
+    validates :response_code, presence: true
+  end
+
+  def still_attempting?
+    error_message.nil? && response_code.nil?
+  end
+
+  def successful?
+    SUCCESS_RESPONSE_CODES.include?(response_code)
+  end
+
+  def failed?
+    !(successful? || still_attempting?)
+  end
+
+  def attempt
+    uri = URI.parse(delivery.endpoint_url)
+
+    unless allowed_uri?(uri)
+      self.response_code = 0
+      self.error_message = "URI is not allowed: " + uri
+      return false
+    end
+
+    http = Net::HTTP.new(resolve_ip_from_authoritative(uri.hostname.downcase), uri.port)
+    http.use_ssl = true if uri.scheme == "https"
+    request = Net::HTTP::Post.new(uri.path)
+    request.add_field("Host", uri.host)
+    request.add_field("Content-Type", "application/json")
+    request.body = delivery.event.payload.to_json
+
+    begin
+      response = http.request(request)
+      self.response_message = response.message
+      self.response_code = response.code
+      self.response_body = response.body
+    rescue => exception
+      self.response_code = 0
+      self.error_message = exception.message
+    end
+
+    save
+    successful?
+  end
+
+  def label_string
+    "#{attempt_number.ordinalize} Attempt"
+  end
+end

data/app/models/concerns/webhooks/outgoing/delivery_support.rb

@@ -0,0 +1,66 @@
+module Webhooks::Outgoing::DeliverySupport
+  extend ActiveSupport::Concern
+
+  included do
+    belongs_to :endpoint, class_name: "Webhooks::Outgoing::Endpoint"
+    belongs_to :event, class_name: "Webhooks::Outgoing::Event"
+
+    has_one :team, through: :endpoint unless BulletTrain::OutgoingWebhooks.parent_class_specified?
+    has_many :delivery_attempts, class_name: "Webhooks::Outgoing::DeliveryAttempt", dependent: :destroy, foreign_key: :delivery_id
+  end
+
+  ATTEMPT_SCHEDULE = {
+    1 => 15.seconds,
+    2 => 1.minute,
+    3 => 5.minutes,
+    4 => 15.minutes,
+    5 => 1.hour,
+  }
+
+  def label_string
+    event.short_uuid
+  end
+
+  def next_reattempt_delay
+    ATTEMPT_SCHEDULE[attempt_count]
+  end
+
+  def deliver_async
+    if still_attempting?
+      Webhooks::Outgoing::DeliveryJob.set(wait: next_reattempt_delay).perform_later(self)
+    end
+  end
+
+  def deliver
+    if delivery_attempts.create.attempt
+      touch(:delivered_at)
+    else
+      deliver_async
+    end
+  end
+
+  def attempt_count
+    delivery_attempts.count
+  end
+
+  def delivered?
+    delivered_at.present?
+  end
+
+  def still_attempting?
+    return false if delivered?
+    attempt_count < max_attempts
+  end
+
+  def failed?
+    !(delivered? || still_attempting?)
+  end
+
+  def name
+    event.short_uuid
+  end
+
+  def max_attempts
+    ATTEMPT_SCHEDULE.keys.max
+  end
+end

data/app/models/concerns/webhooks/outgoing/endpoint_support.rb

@@ -0,0 +1,37 @@
+module Webhooks::Outgoing::EndpointSupport
+  extend ActiveSupport::Concern
+  include Webhooks::Outgoing::UriFiltering
+
+  included do
+    belongs_to BulletTrain::OutgoingWebhooks.parent_association
+
+    has_many :deliveries, class_name: "Webhooks::Outgoing::Delivery", dependent: :destroy, foreign_key: :endpoint_id
+    has_many :events, -> { distinct }, through: :deliveries
+
+    scope :listening_for_event_type_id, ->(event_type_id) { where("event_type_ids @> ? OR event_type_ids = '[]'::jsonb", "\"#{event_type_id}\"") }
+
+    validates :name, presence: true
+
+    before_validation { url&.strip! }
+
+    validates :url, presence: true, allowed_uri: true
+
+    after_initialize do
+      self.event_type_ids ||= []
+    end
+
+    after_save :touch_parent
+  end
+
+  def valid_event_types
+    Webhooks::Outgoing::EventType.all
+  end
+
+  def event_types
+    event_type_ids.map { |id| Webhooks::Outgoing::EventType.find(id) }
+  end
+
+  def touch_parent
+    send(BulletTrain::OutgoingWebhooks.parent_association).touch
+  end
+end

data/app/models/concerns/webhooks/outgoing/event_support.rb

@@ -0,0 +1,45 @@
+module Webhooks::Outgoing::EventSupport
+  extend ActiveSupport::Concern
+  include HasUuid
+
+  included do
+    belongs_to BulletTrain::OutgoingWebhooks.parent_association
+    belongs_to :event_type, class_name: "Webhooks::Outgoing::EventType"
+    belongs_to :subject, polymorphic: true
+    has_many :deliveries, dependent: :destroy
+
+    before_create do
+      self.payload = generate_payload
+    end
+  end
+
+  def generate_payload
+    {
+      event_id: uuid,
+      event_type: event_type_id,
+      subject_id: subject_id,
+      subject_type: subject_type,
+      data: data
+    }
+  end
+
+  def event_type_name
+    payload.dig("event_type")
+  end
+
+  def endpoints
+    send(BulletTrain::OutgoingWebhooks.parent_association).webhooks_outgoing_endpoints.listening_for_event_type_id(event_type_id)
+  end
+
+  def deliver
+    endpoints.each do |endpoint|
+      unless endpoint.deliveries.where(event: self).any?
+        endpoint.deliveries.create(event: self, endpoint_url: endpoint.url).deliver_async
+      end
+    end
+  end
+
+  def label_string
+    short_uuid
+  end
+end

data/app/models/concerns/webhooks/outgoing/issuing_model.rb

@@ -9,41 +9,59 @@ module Webhooks::Outgoing::IssuingModel
     has_many :webhooks_outgoing_events, as: :subject, class_name: "Webhooks::Outgoing::Event", dependent: :nullify
   end
 
-  # define class methods.
-  module ClassMethods
+  def skip_generate_webhook?(action)
+    false
   end
 
-  def generate_webhook(action)
-    # we can only generate webhooks for objects that return their team.
-    return unless respond_to? :team
+  def parent
+    return unless respond_to? BulletTrain::OutgoingWebhooks.parent_association
+    send(BulletTrain::OutgoingWebhooks.parent_association)
+  end
+
+  def generate_webhook(action, async: true)
+    # allow individual models to opt out of generating webhooks
+    return if skip_generate_webhook?(action)
+
+    # we can only generate webhooks for objects that return their their team / parent.
+    return unless parent.present?
 
     # Try to find an event type definition for this action.
     event_type = Webhooks::Outgoing::EventType.find_by(id: "#{self.class.name.underscore}.#{action}")
 
     # If the event type is defined as one that people can be subscribed to,
-    # and this object has a team where an associated outgoing webhooks endpoint could be registered.
-    if event_type && team
-
+    # and this object has a parent where an associated outgoing webhooks endpoint could be registered.
+    if event_type
       # Only generate an event record if an endpoint is actually listening for this event type.
-      if team.webhooks_outgoing_endpoints.listening_for_event_type_id(event_type.id).any?
-        data = "Api::V1::#{self.class.name}Serializer".constantize.new(self).serializable_hash[:data]
-        webhook = team.webhooks_outgoing_events.create(event_type_id: event_type.id, subject: self, data: data)
-        webhook.deliver
+      if parent.endpoints_listening_for_event_type?(event_type)
+        if async
+          # serialization can be heavy so run it as a job
+          Webhooks::Outgoing::GenerateJob.perform_later(self, action)
+        else
+          generate_webhook_perform(action)
+        end
       end
     end
   end
 
+  def generate_webhook_perform(action)
+    event_type = Webhooks::Outgoing::EventType.find_by(id: "#{self.class.name.underscore}.#{action}")
+    data = "Api::V1::#{self.class.name}Serializer".constantize.new(self).serializable_hash[:data]
+    webhook = send(BulletTrain::OutgoingWebhooks.parent_association).webhooks_outgoing_events.create(event_type_id: event_type.id, subject: self, data: data)
+    webhook.deliver
+  end
+
   def generate_created_webhook
-    generate_webhook("created")
+    generate_webhook(:created)
   end
 
   def generate_updated_webhook
-    generate_webhook("updated")
+    generate_webhook(:updated)
   end
 
   def generate_deleted_webhook
-    return false unless respond_to?(:team)
-    return false if team&.being_destroyed?
-    generate_webhook("deleted")
+    return false unless parent.present?
+    return false if parent.being_destroyed?
+
+    generate_webhook(:deleted, async: false)
   end
 end

data/app/models/concerns/webhooks/outgoing/team_support.rb

@@ -8,6 +8,22 @@ module Webhooks::Outgoing::TeamSupport
     before_destroy :mark_for_destruction, prepend: true
   end
 
+  def should_cache_endpoints_listening_for_event_type?
+    true
+  end
+
+  def endpoints_listening_for_event_type?(event_type)
+    if should_cache_endpoints_listening_for_event_type?
+      key = "#{cache_key_with_version}/endpoints_for_event_type/#{event_type.cache_key}"
+
+      Rails.cache.fetch(key, expires_in: 24.hours, race_condition_ttl: 5.seconds) do
+        webhooks_outgoing_endpoints.listening_for_event_type_id(event_type.id).any?
+      end
+    else
+      webhooks_outgoing_endpoints.listening_for_event_type_id(event_type.id).any?
+    end
+  end
+
   def mark_for_destruction
     # This allows downstream logic to check whether a team is being destroyed in order to bypass webhook issuance.
     update_column(:being_destroyed, true)

data/app/models/concerns/webhooks/outgoing/uri_filtering.rb

@@ -0,0 +1,149 @@
+require "resolv"
+require "public_suffix"
+
+module Webhooks::Outgoing::UriFiltering
+  extend ActiveSupport::Concern
+
+  # WEBHOOK SECURITY PRIMER
+  # =============================================================================
+  # Outgoing webhooks can be dangerous. By allowing your users to set
+  # up outgoing webhooks, you"re giving them permission to call arbitrary
+  # URLs from your server, including URLs that could represent resources
+  # internal to your company. Malicious actors can use this permission to
+  # examine your infrastructure, call internal APIs, and generally cause
+  # havok.
+
+  # This module attempts to block malicious actors with the following algorithm
+  #   1. Block anything but http and https requests
+  #   2. Block or allow defined hostnames, both regex and strings
+  #   3. Block if `custom_block_callback` returns true (args: self, uri)
+  #   4. Allow if `custom_allow_callback` returns true (args: self, uri)
+  #   5. Resolve the IP associated with the webhook"s host directly from
+  #      the authoritative name server for the host"s domain. This IP
+  #      is cached for the returned DNS TTL
+  #   6. Match the given IP against lists of allowed and blocked cidr ranges.
+  #      The blocked list by default includes all of the defined private address
+  #      ranges, localhost, the private IPv6 prefix, and the AWS metadata
+  #      API endpoint.
+
+  # If at any point a URI is determined to be blocked we call `audit_callback`
+  # (args: self, uri) so it can be logged for auditing.
+
+  # We resolve the IP from the authoritative name server directly so we can avoid
+  # certain classes of DNS poisoning attacks.
+
+  # Users of this gem are _strongly_ enouraged to add additional cidr ranges
+  # and hostnames to the appropriate lists and/or implement `custom_block_callback`.
+  # At the very least you should add the public hostname that your
+  # application uses to the blocked_hostnames list.
+
+  class AllowedUriValidator < ActiveModel::EachValidator
+    def validate_each(record, attribute, value)
+      uri = URI.parse(value)
+      unless record.allowed_uri?(uri)
+        record.errors.add attribute, "is not an allowed uri"
+      end
+    end
+  end
+
+  def resolve_ip_from_authoritative(hostname)
+    begin
+      ip = IPAddr.new(hostname)
+      return ip.to_s
+    rescue IPAddr::InvalidAddressError
+      # this is fine, proceed with resolver path
+    end
+
+    cache_key = "#{cache_key_with_version}/uri_ip/#{Digest::SHA2.hexdigest(hostname)}"
+
+    cached = Rails.cache.read(cache_key)
+    if cached
+      return cached == "invalid" ? nil : cached
+    end
+
+    begin
+      # This is sort of a half-recursive DNS resolver.
+      # We can't implement a full recursive resolver using just Resolv::DNS so instead
+      # this asks a public cache for the NS record for the given domain. Then it asks
+      # the authoritative nameserver directly for the address and caches it according
+      # to the returned TTL.
+
+      config = Rails.configuration.outgoing_webhooks
+      ns_resolver = Resolv::DNS.new(nameserver: config[:public_resolvers])
+      ns_resolver.timeouts = 1
+
+      domain = PublicSuffix.domain(hostname)
+      authoritative = ns_resolver.getresource(domain, Resolv::DNS::Resource::IN::NS)
+
+      authoritative_resolver = Resolv::DNS.new(nameserver: [authoritative.name.to_s])
+      authoritative_resolver.timeouts = 1
+
+      resource = authoritative_resolver.getresource(hostname, Resolv::DNS::Resource::IN::A)
+      Rails.cache.write(cache_key, resource.address.to_s, expires_in: resource.ttl, race_condition_ttl: 5)
+      resource.address.to_s
+    rescue IPAddr::InvalidAddressError, ArgumentError # standard:disable Lint/ShadowedException
+      Rails.cache.write(cache_key, "invalid", expires_in: 10.minutes, race_condition_ttl: 5)
+      nil
+    end
+  end
+
+  def allowed_uri?(uri)
+    unless _allowed_uri?(uri)
+      config = Rails.configuration.outgoing_webhooks
+      if config[:audit_callback].present?
+        config[:audit_callback].call(self, uri)
+      end
+      return false
+    end
+
+    true
+  end
+
+  def _allowed_uri?(uri)
+    config = Rails.configuration.outgoing_webhooks
+    hostname = uri.hostname.downcase
+
+    return false unless config[:allowed_schemes].include?(uri.scheme)
+
+    config[:blocked_hostnames].each do |blocked|
+      if blocked.is_a?(Regexp)
+        return false if blocked.match?(hostname)
+      end
+
+      return false if blocked == hostname
+    end
+
+    config[:allowed_hostnames].each do |allowed|
+      if allowed.is_a?(Regexp)
+        return true if allowed.match?(hostname)
+      end
+
+      return true if allowed == hostname
+    end
+
+    if config[:custom_allow_callback].present?
+      return true if config[:custom_allow_callback].call(self, uri)
+    end
+
+    if config[:custom_block_callback].present?
+      return false if config[:custom_block_callback].call(self, uri)
+    end
+
+    resolved_ip = resolve_ip_from_authoritative(hostname)
+    return false if resolved_ip.nil?
+
+    begin
+      config[:allowed_cidrs].each do |cidr|
+        return true if IPAddr.new(cidr).include?(resolved_ip)
+      end
+
+      config[:blocked_cidrs].each do |cidr|
+        return false if IPAddr.new(cidr).include?(resolved_ip)
+      end
+    rescue IPAddr::InvalidAddressError
+      return false
+    end
+
+    true
+  end
+end

data/app/models/webhooks/outgoing/delivery.rb

@@ -1,21 +1,9 @@
-class Webhooks::Outgoing::Delivery < ApplicationRecord
+class Webhooks::Outgoing::Delivery < BulletTrain::OutgoingWebhooks.base_class.constantize
+  include Webhooks::Outgoing::DeliverySupport
   # 🚅 add concerns above.
 
-  belongs_to :endpoint, class_name: "Webhooks::Outgoing::Endpoint"
-  belongs_to :event, class_name: "Webhooks::Outgoing::Event"
-  has_one :team, through: :endpoint
-
-  ATTEMPT_SCHEDULE = {
-    1 => 15.seconds,
-    2 => 1.minute,
-    3 => 5.minutes,
-    4 => 15.minutes,
-    5 => 1.hour,
-  }
-
   # 🚅 add belongs_to associations above.
 
-  has_many :delivery_attempts, class_name: "Webhooks::Outgoing::DeliveryAttempt", dependent: :destroy, foreign_key: :delivery_id
   # 🚅 add has_many associations above.
 
   # 🚅 add has_one associations above.
@@ -28,52 +16,5 @@ class Webhooks::Outgoing::Delivery < ApplicationRecord
 
   # 🚅 add delegations above.
 
-  def label_string
-    event.short_uuid
-  end
-
-  def next_reattempt_delay
-    ATTEMPT_SCHEDULE[attempt_count]
-  end
-
-  def deliver_async
-    if still_attempting?
-      Webhooks::Outgoing::DeliveryJob.set(wait: next_reattempt_delay).perform_later(self)
-    end
-  end
-
-  def deliver
-    if delivery_attempts.create.attempt
-      touch(:delivered_at)
-    else
-      deliver_async
-    end
-  end
-
-  def attempt_count
-    delivery_attempts.count
-  end
-
-  def delivered?
-    delivered_at.present?
-  end
-
-  def still_attempting?
-    return false if delivered?
-    attempt_count < max_attempts
-  end
-
-  def failed?
-    !(delivered? || still_attempting?)
-  end
-
-  def name
-    event.short_uuid
-  end
-
-  def max_attempts
-    ATTEMPT_SCHEDULE.keys.max
-  end
-
   # 🚅 add methods above.
 end

data/app/models/webhooks/outgoing/delivery_attempt.rb

@@ -1,51 +1,7 @@
-class Webhooks::Outgoing::DeliveryAttempt < ApplicationRecord
+class Webhooks::Outgoing::DeliveryAttempt < BulletTrain::OutgoingWebhooks.base_class.constantize
+  include Webhooks::Outgoing::DeliveryAttemptSupport
   # 🚅 add concerns above.
 
-  belongs_to :delivery
-  has_one :team, through: :delivery
-  scope :successful, -> { where(response_code: 200) }
-
-  before_create do
-    self.attempt_number = delivery.attempt_count + 1
-  end
-
-  def still_attempting?
-    error_message.nil? && response_code.nil?
-  end
-
-  def successful?
-    [200, 201, 202, 203, 204, 205, 206, 207, 226].include?(response_code)
-  end
-
-  def failed?
-    !(successful? || still_attempting?)
-  end
-
-  def attempt
-    uri = URI.parse(delivery.endpoint_url)
-    http = Net::HTTP.new(uri.host, uri.port)
-    http.use_ssl = true if uri.scheme == "https"
-    request = Net::HTTP::Post.new(uri.path)
-    request.add_field("Content-Type", "application/json")
-    request.body = delivery.event.payload.to_json
-
-    begin
-      response = http.request(request)
-      self.response_message = response.message
-      self.response_code = response.code
-      self.response_body = response.body
-    rescue Exception => exception
-      self.response_code = 0
-      self.error_message = exception.message
-    end
-
-    save
-    successful?
-  end
-
-  def label_string
-    "#{attempt_number.ordinalize} Attempt"
-  end
   # 🚅 add belongs_to associations above.
 
   # 🚅 add has_many associations above.
@@ -54,7 +10,6 @@ class Webhooks::Outgoing::DeliveryAttempt < ApplicationRecord
 
   # 🚅 add scopes above.
 
-  validates :response_code, presence: true
   # 🚅 add validations above.
 
   # 🚅 add callbacks above.

data/app/models/webhooks/outgoing/endpoint.rb

@@ -1,32 +1,20 @@
-class Webhooks::Outgoing::Endpoint < ApplicationRecord
+class Webhooks::Outgoing::Endpoint < BulletTrain::OutgoingWebhooks.base_class.constantize
+  include Webhooks::Outgoing::EndpointSupport
   # 🚅 add concerns above.
 
-  belongs_to :team
   # 🚅 add belongs_to associations above.
 
-  has_many :deliveries, class_name: "Webhooks::Outgoing::Delivery", dependent: :destroy, foreign_key: :endpoint_id
-  has_many :events, -> { distinct }, through: :deliveries
   # 🚅 add has_many associations above.
 
   # 🚅 add has_one associations above.
 
-  scope :listening_for_event_type_id, ->(event_type_id) { where("event_type_ids @> ? OR event_type_ids = '[]'::jsonb", "\"#{event_type_id}\"") }
   # 🚅 add scopes above.
 
-  validates :name, presence: true
   # 🚅 add validations above.
 
   # 🚅 add callbacks above.
 
   # 🚅 add delegations above.
 
-  def valid_event_types
-    Webhooks::Outgoing::EventType.all
-  end
-
-  def event_types
-    event_type_ids.map { |id| Webhooks::Outgoing::EventType.find(id) }
-  end
-
   # 🚅 add methods above.
 end

data/app/models/webhooks/outgoing/event.rb

@@ -1,41 +1,3 @@
-class Webhooks::Outgoing::Event < ApplicationRecord
-  include HasUuid
-  belongs_to :team
-  belongs_to :event_type, class_name: "Webhooks::Outgoing::EventType"
-  belongs_to :subject, polymorphic: true
-  has_many :deliveries, dependent: :destroy
-
-  before_create do
-    self.payload = generate_payload
-  end
-
-  def generate_payload
-    {
-      event_id: uuid,
-      event_type: event_type_id,
-      subject_id: subject_id,
-      subject_type: subject_type,
-      data: data
-    }
-  end
-
-  def event_type_name
-    payload.dig("event_type")
-  end
-
-  def endpoints
-    team.webhooks_outgoing_endpoints.listening_for_event_type_id(event_type_id)
-  end
-
-  def deliver
-    endpoints.each do |endpoint|
-      unless endpoint.deliveries.where(event: self).any?
-        endpoint.deliveries.create(event: self, endpoint_url: endpoint.url).deliver_async
-      end
-    end
-  end
-
-  def label_string
-    short_uuid
-  end
+class Webhooks::Outgoing::Event < BulletTrain::OutgoingWebhooks.base_class.constantize
+  include Webhooks::Outgoing::EventSupport
 end

data/app/views/account/webhooks/outgoing/deliveries/_menu_item.html.erb

@@ -1,6 +1,6 @@
-<% if can? :read, Webhooks::Outgoing::Delivery.new(team: current_team) %>
+<% if can? :read, Webhooks::Outgoing::Delivery.new(BulletTrain::OutgoingWebhooks.parent_association => send(BulletTrain::OutgoingWebhooks.current_parent_method)) %>
   <%= render 'account/shared/menu/item', {
-    url: main_app.polymorphic_path([:account, current_team, :webhooks_outgoing_deliveries]),
+    url: main_app.polymorphic_path([:account, send(BulletTrain::OutgoingWebhooks.current_parent_method), :webhooks_outgoing_deliveries]),
     label: t('webhooks/outgoing/deliveries.navigation.label'),
   } do |p| %>
     <% p.content_for :icon do %>

data/app/views/account/webhooks/outgoing/delivery_attempts/_menu_item.html.erb

@@ -1,6 +1,6 @@
-<% if can? :read, Webhooks::Outgoing::DeliveryAttempt.new(team: current_team) %>
+<% if can? :read, Webhooks::Outgoing::DeliveryAttempt.new(BulletTrain::OutgoingWebhooks.parent_association => send(BulletTrain::OutgoingWebhooks.current_parent_method)) %>
   <%= render 'account/shared/menu/item', {
-    url: main_app.polymorphic_path([:account, current_team, :webhooks_outgoing_delivery_attempts]),
+    url: main_app.polymorphic_path([:account, send(BulletTrain::OutgoingWebhooks.current_parent_method), :webhooks_outgoing_delivery_attempts]),
     label: t('webhooks/outgoing/delivery_attempts.navigation.label'),
   } do |p| %>
     <% p.content_for :icon do %>

data/app/views/account/webhooks/outgoing/endpoints/_breadcrumbs.html.erb

@@ -1,5 +1,5 @@
 <% endpoint ||= @endpoint %>
-<% team ||= @team || endpoint&.team %>
+<% team ||= @parent || endpoint&.send(BulletTrain::OutgoingWebhooks.parent_association) %>
 <%= render 'account/teams/breadcrumbs', team: team %>
 <%= render 'account/shared/breadcrumb', label: t('.label'), url: [:account, team, :webhooks_outgoing_endpoints] %>
 <% if endpoint&.persisted? %>

data/app/views/account/webhooks/outgoing/endpoints/_form.html.erb

@@ -1,4 +1,4 @@
-<%= form_with model: endpoint, url: (endpoint.persisted? ? [:account, endpoint] : [:account, @team, :webhooks_outgoing_endpoints]), local: true, class: 'form' do |form| %>
+<%= form_with model: endpoint, url: (endpoint.persisted? ? [:account, endpoint] : [:account, @parent, :webhooks_outgoing_endpoints]), local: true, class: 'form' do |form| %>
   <%= render 'account/shared/forms/errors', form: form %>
 
   <% with_field_settings form: form do %>
@@ -14,7 +14,7 @@
     <% if form.object.persisted? %>
     <%= link_to t('global.buttons.cancel'), [:account, endpoint], class: "button-secondary" %>
     <% else %>
-    <%= link_to t('global.buttons.cancel'), [:account, @team, :webhooks_outgoing_endpoints], class: "button-secondary" %>
+    <%= link_to t('global.buttons.cancel'), [:account, @parent, :webhooks_outgoing_endpoints], class: "button-secondary" %>
     <% end %>
   </div>
 

data/app/views/account/webhooks/outgoing/endpoints/_index.html.erb

@@ -1,4 +1,4 @@
-<% team = @team || @team %>
+<% team = @parent %>
 <% context ||= team %>
 <% collection ||= :webhooks_outgoing_endpoints %>
 <% hide_actions ||= false %>
@@ -49,8 +49,8 @@
   <% p.content_for :actions do %>
     <% unless hide_actions %>
       <% if context == team %>
-        <% if can? :create, Webhooks::Outgoing::Endpoint.new(team: team) %>
-          <%= link_to t('.buttons.new'), [:new, :account, team, :webhooks_outgoing_endpoint], class: "#{first_button_primary(:webhooks_outgoing_endpoint)} new" %>
+        <% if can? :create, Webhooks::Outgoing::Endpoint.new(BulletTrain::OutgoingWebhooks.parent_association => @parent) %>
+          <%= link_to t('.buttons.new'), [:new, :account, @parent, :webhooks_outgoing_endpoint], class: "#{first_button_primary(:webhooks_outgoing_endpoint)} new" %>
         <% end %>
       <% end %>
 

data/app/views/account/webhooks/outgoing/endpoints/_menu_item.html.erb

@@ -1,6 +1,6 @@
-<% if can? :read, Webhooks::Outgoing::Endpoint.new(team: current_team) %>
+<% if can? :read, Webhooks::Outgoing::Endpoint.new(BulletTrain::OutgoingWebhooks.parent_association => send(BulletTrain::OutgoingWebhooks.current_parent_method)) %>
   <%= render 'account/shared/menu/item', {
-    url: main_app.polymorphic_path([:account, current_team, :webhooks_outgoing_endpoints]),
+    url: main_app.polymorphic_path([:account, send(BulletTrain::OutgoingWebhooks.current_parent_method), :webhooks_outgoing_endpoints]),
     label: t('webhooks/outgoing/endpoints.navigation.label'),
   } do |p| %>
     <% p.content_for :icon do %>

data/app/views/account/webhooks/outgoing/endpoints/show.html.erb

@@ -32,7 +32,7 @@
       <% p.content_for :actions do %>
         <%= link_to t('.buttons.edit'), [:edit, :account, @endpoint], class: first_button_primary if can? :edit, @endpoint %>
         <%= button_to t('.buttons.destroy'), [:account, @endpoint], method: :delete, class: first_button_primary, data: { confirm: t('.buttons.confirmations.destroy', model_locales(@endpoint)) } if can? :destroy, @endpoint %>
-        <%= link_to t('global.buttons.back'), [:account, @team, :webhooks_outgoing_endpoints], class: first_button_primary %>
+        <%= link_to t('global.buttons.back'), [:account, @parent, :webhooks_outgoing_endpoints], class: first_button_primary %>
       <% end %>
     <% end %>
 

data/config/routes.rb

@@ -1,7 +1,7 @@
 Rails.application.routes.draw do
   namespace :account do
     shallow do
-      resources :teams do
+      resources BulletTrain::OutgoingWebhooks.parent_resource do
         namespace :webhooks do
           namespace :outgoing do
             resources :events

data/lib/bullet_train/outgoing_webhooks/engine.rb

@@ -1,8 +1,33 @@
 module BulletTrain
   module OutgoingWebhooks
     class Engine < ::Rails::Engine
+      config.before_configuration do
+        default_blocked_cidrs = %w[
+          10.0.0.0/8
+          172.16.0.0/12
+          192.168.0.0/16
+          100.64.0.0/10
+          127.0.0.0/8
+          169.254.169.254/32
+          fc00::/7
+          ::1
+        ]
+
+        config.outgoing_webhooks = {
+          blocked_cidrs: default_blocked_cidrs,
+          allowed_cidrs: [],
+          blocked_hostnames: %w[localhost],
+          allowed_hostnames: [],
+          public_resolvers: %w[8.8.8.8 1.1.1.1],
+          allowed_schemes: %w[http https],
+          custom_block_callback: nil,
+          custom_allow_callback: nil,
+          audit_callback: ->(obj, uri) { Rails.logger.error("BlockedURI obj=#{obj.persisted? ? obj.to_global_id : "New #{obj.class}"} uri=#{uri}") }
+        }
+      end
+
       initializer "bullet_train.outgoing_webhooks.register_api_endpoints" do |app|
-        if BulletTrain::Api
+        if Object.const_defined?("BulletTrain::Api")
           BulletTrain::Api.endpoints << "Api::V1::Webhooks::Outgoing::EndpointsEndpoint"
           BulletTrain::Api.endpoints << "Api::V1::Webhooks::Outgoing::DeliveriesEndpoint"
           BulletTrain::Api.endpoints << "Api::V1::Webhooks::Outgoing::DeliveryAttemptsEndpoint"

data/lib/bullet_train/outgoing_webhooks/version.rb

@@ -1,5 +1,5 @@
 module BulletTrain
   module OutgoingWebhooks
-    VERSION = "1.0.4"
+    VERSION = "1.0.5"
   end
 end

data/lib/bullet_train/outgoing_webhooks.rb

@@ -3,6 +3,31 @@ require "bullet_train/outgoing_webhooks/engine"
 
 module BulletTrain
   module OutgoingWebhooks
-    # Your code goes here...
+    def self.default_for(klass, method, default_value)
+      klass.respond_to?(method) ? klass.send(method) || default_value : default_value
+    end
+
+    mattr_accessor :parent_class, default: default_for(BulletTrain, :parent_class, "Team")
+    mattr_accessor :base_class, default: default_for(BulletTrain, :base_class, "ApplicationRecord")
+
+    def self.parent_association
+      parent_class.underscore.to_sym
+    end
+
+    def self.parent_resource
+      parent_class.underscore.pluralize.to_sym
+    end
+
+    def self.parent_class_specified?
+      parent_class != "Team"
+    end
+
+    def self.current_parent_method
+      "current_#{parent_association}"
+    end
+
+    def self.parent_association_id
+      "#{parent_association}_id".to_sym
+    end
   end
 end

metadata

@@ -1,29 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: bullet_train-outgoing_webhooks
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - Andrew Culver
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-16 00:00:00.000000000 Z
+date: 2022-08-24 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: standard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 7.0.0
+        version: 6.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.0.0
+- !ruby/object:Gem::Dependency
+  name: public_suffix
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 7.0.0
+        version: '0'
 description: Allow users of your Rails application to subscribe and receive webhooks
   when activity takes place in your application.
 email:
@@ -43,8 +71,14 @@ files:
 - app/controllers/api/v1/webhooks/outgoing/delivery_attempts_endpoint.rb
 - app/controllers/api/v1/webhooks/outgoing/endpoints_endpoint.rb
 - app/jobs/webhooks/outgoing/delivery_job.rb
+- app/jobs/webhooks/outgoing/generate_job.rb
+- app/models/concerns/webhooks/outgoing/delivery_attempt_support.rb
+- app/models/concerns/webhooks/outgoing/delivery_support.rb
+- app/models/concerns/webhooks/outgoing/endpoint_support.rb
+- app/models/concerns/webhooks/outgoing/event_support.rb
 - app/models/concerns/webhooks/outgoing/issuing_model.rb
 - app/models/concerns/webhooks/outgoing/team_support.rb
+- app/models/concerns/webhooks/outgoing/uri_filtering.rb
 - app/models/webhooks.rb
 - app/models/webhooks/outgoing.rb
 - app/models/webhooks/outgoing/delivery.rb
@@ -141,7 +175,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.22
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Allow users of your Rails application to subscribe and receive webhooks when