grafana/pkg/services/notifications/webhook.go

package notifications

import (
	"bytes"
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"

	"github.com/grafana/grafana/pkg/util"
)

type Webhook struct {
	Url         string
	User        string
	Password    string
	Body        string
	HttpMethod  string
	HttpHeader  map[string]string
	ContentType string
	TLSConfig   *tls.Config

	// Validation is a function that will validate the response body and statusCode of the webhook. Any returned error will cause the webhook request to be considered failed.
	// This can be useful when a webhook service communicates failures in creative ways, such as using the response body instead of the status code.
	Validation func(body []byte, statusCode int) error
}

// WebhookClient exists to mock the client in tests.
type WebhookClient interface {
	Do(req *http.Request) (*http.Response, error)
}

func (ns *NotificationService) sendWebRequestSync(ctx context.Context, webhook *Webhook) error {
	if webhook.HttpMethod == "" {
		webhook.HttpMethod = http.MethodPost
	}

	ns.log.Debug("Sending webhook", "url", webhook.Url, "http method", webhook.HttpMethod)

	if webhook.HttpMethod != http.MethodPost && webhook.HttpMethod != http.MethodPut {
		return fmt.Errorf("webhook only supports HTTP methods PUT or POST")
	}

	request, err := http.NewRequestWithContext(ctx, webhook.HttpMethod, webhook.Url, bytes.NewReader([]byte(webhook.Body)))
	if err != nil {
		return err
	}
	url, err := url.Parse(webhook.Url)
	if err != nil {
		// Should not be possible - NewRequestWithContext should also err if the URL is bad.
		return err
	}

	if webhook.ContentType == "" {
		webhook.ContentType = "application/json"
	}

	request.Header.Set("Content-Type", webhook.ContentType)
	request.Header.Set("User-Agent", "Grafana")

	if webhook.User != "" && webhook.Password != "" {
		request.Header.Set("Authorization", util.GetBasicAuthHeader(webhook.User, webhook.Password))
	}

	for k, v := range webhook.HttpHeader {
		request.Header.Set(k, v)
	}

	resp, err := NewTLSClient(webhook.TLSConfig).Do(request)
	if err != nil {
		return redactURL(err)
	}
	defer func() {
		if err := resp.Body.Close(); err != nil {
			ns.log.Warn("Failed to close response body", "err", err)
		}
	}()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return err
	}

	if webhook.Validation != nil {
		err := webhook.Validation(body, resp.StatusCode)
		if err != nil {
			ns.log.Debug("Webhook failed validation", "url", url.Redacted(), "statuscode", resp.Status, "body", string(body), "error", err)
			return fmt.Errorf("webhook failed validation: %w", err)
		}
	}

	if resp.StatusCode/100 == 2 {
		ns.log.Debug("Webhook succeeded", "url", url.Redacted(), "statuscode", resp.Status)
		return nil
	}

	ns.log.Debug("Webhook failed", "url", url.Redacted(), "statuscode", resp.Status, "body", string(body))
	return fmt.Errorf("webhook response status %v", resp.Status)
}

func redactURL(err error) error {
	var e *url.Error
	if !errors.As(err, &e) {
		return err
	}
	e.URL = "<redacted>"
	return e
}

// NewTLSClient creates a new HTTP client with the provided TLS configuration or with default settings.
func NewTLSClient(tlsConfig *tls.Config) *http.Client {
	nc := func(tlsConfig *tls.Config) *http.Client {
		return &http.Client{
			Timeout: time.Second * 30,
			Transport: &http.Transport{
				TLSClientConfig: tlsConfig,
				Proxy:           http.ProxyFromEnvironment,
				Dial: (&net.Dialer{
					Timeout: 30 * time.Second,
				}).Dial,
				TLSHandshakeTimeout: 5 * time.Second,
			},
		}
	}

	if tlsConfig == nil {
		return nc(&tls.Config{Renegotiation: tls.RenegotiateFreelyAsClient})
	}

	return nc(tlsConfig)
}
feat(alerting): skeleton commit for webhook 2016-06-15 20:45:05 +08:00			`package notifications`

			`import (`
tech(alerting): enforce POST for webhooks 2016-06-16 14:15:48 +08:00			`"bytes"`
Make alerting notifcations sync (#6158) * tech(routines): move the async logic from notification to alerting notifier * tech(notification): reduce code dupe * fix(notification): dont touch the response unless its an error * feat(alerting): make alerting exeuction async but flow sync * tech(alerting): remove commented code * tech(alerting): remove unused code * tech(alerting): fix typo * tech(alerting): implement Context on EvalContext * tech(alerting): wait for all alerts to return * feat(alerting): dont allow alert responses to cancel * Revert "feat(alerting): dont allow alert responses to cancel" This reverts commit 324b006c96687da18a542942f39c10c99119430c. * feat(alerting): give alerts some time to finish before closing down 2016-10-03 15:38:03 +08:00			`"context"`
Fix bug tls renegociation problem in Notification channel (webhook) #14800 2019-01-11 15:56:50 +08:00			`"crypto/tls"`
Notifications: Redact URL from errors (#85687) * Remove url logs and redact * Reinclude redacted URL 2024-06-19 05:02:33 +08:00			`"errors"`
feat(alerting): lots of progress on notifications, refactored them out to their own package, restored webhook notitication and added slack notification 2016-07-27 18:09:55 +08:00			`"fmt"`
Handle ioutil deprecations (#53526) * replace ioutil.ReadFile -> os.ReadFile * replace ioutil.ReadAll -> io.ReadAll * replace ioutil.TempFile -> os.CreateTemp * replace ioutil.NopCloser -> io.NopCloser * replace ioutil.WriteFile -> os.WriteFile * replace ioutil.TempDir -> os.MkdirTemp * replace ioutil.Discard -> io.Discard 2022-08-10 21:37:51 +08:00			`"io"`
Alerting: Update grafana/alerting from de176b4a0309 to 83b6de6b0a35 (#105157) * Update grafana alerting from de176b4a0309 to 83b6de6b0a35 Includes: - https://github.com/grafana/alerting/pull/319 - https://github.com/grafana/alerting/pull/317 * Remove unused SendWebhook method from sender struct grafana/alerting hasn't used the grafana webhook sender for a while now, so this method is no longer used anywhere. - Removed SendWebhook from the sender struct and rename it to emailSender so that its use is clearer. - Also, for similar reasons, the Webhook method on Grafana's webhook sender `sendWebRequestSync` should not call grafana/alerting code for NewTLSClient. The previous grafana/alerting function is vendored into grafana. * Use BuildReceiverIntegrations new func signature 2025-05-10 00:26:20 +08:00			`"net"`
feat(alerting): skeleton commit for webhook 2016-06-15 20:45:05 +08:00			`"net/http"`
Notifications: Redact URL from errors (#85687) * Remove url logs and redact * Reinclude redacted URL 2024-06-19 05:02:33 +08:00			`"net/url"`
Alerting: Update grafana/alerting from de176b4a0309 to 83b6de6b0a35 (#105157) * Update grafana alerting from de176b4a0309 to 83b6de6b0a35 Includes: - https://github.com/grafana/alerting/pull/319 - https://github.com/grafana/alerting/pull/317 * Remove unused SendWebhook method from sender struct grafana/alerting hasn't used the grafana webhook sender for a while now, so this method is no longer used anywhere. - Removed SendWebhook from the sender struct and rename it to emailSender so that its use is clearer. - Also, for similar reasons, the Webhook method on Grafana's webhook sender `sendWebRequestSync` should not call grafana/alerting code for NewTLSClient. The previous grafana/alerting function is vendored into grafana. * Use BuildReceiverIntegrations new func signature 2025-05-10 00:26:20 +08:00			`"time"`
feat(alerting): skeleton commit for webhook 2016-06-15 20:45:05 +08:00
tech(alerting): enforce POST for webhooks 2016-06-16 14:15:48 +08:00			`"github.com/grafana/grafana/pkg/util"`
feat(alerting): skeleton commit for webhook 2016-06-15 20:45:05 +08:00			`)`

			`type Webhook struct {`
Sending image 2017-03-24 04:53:54 +08:00			`Url string`
			`User string`
			`Password string`
			`Body string`
			`HttpMethod string`
			`HttpHeader map[string]string`
			`ContentType string`
Alerting: Support tls config for webhook receiver (#93513) Adds the ability to configure tls settings on the webhook receiver (e.g. to skip server certificate validation) 2024-10-22 18:44:32 +08:00			`TLSConfig *tls.Config`
Alerting: Fix Teams notifier not failing on 200 response with error (#52254) Team's webhook API does not always use the status code to communicate errors. There are cases where it returns 200 and an error message in the body. For example, 429 - Too Many Requests or when the message is too large. Instead, what we should be looking for is a response body = "1". https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using?tabs=cURL#send-messages-using-curl-and-powershell 2022-07-15 01:15:18 +08:00
			`// Validation is a function that will validate the response body and statusCode of the webhook. Any returned error will cause the webhook request to be considered failed.`
			`// This can be useful when a webhook service communicates failures in creative ways, such as using the response body instead of the status code.`
			`Validation func(body []byte, statusCode int) error`
			`}`

			`// WebhookClient exists to mock the client in tests.`
			`type WebhookClient interface {`
			`Do(req http.Request) (http.Response, error)`
feat(alerting): skeleton commit for webhook 2016-06-15 20:45:05 +08:00			`}`

refactor: refactoring notification service to use new service registry hooks 2018-04-27 19:01:32 +08:00			`func (ns NotificationService) sendWebRequestSync(ctx context.Context, webhook Webhook) error {`
feat(webhook): add httpmethod to webhook closes #6255 2016-10-18 22:18:16 +08:00			`if webhook.HttpMethod == "" {`
			`webhook.HttpMethod = http.MethodPost`
			`}`

Fix empty contact point URLs when template parsing fails (#47029) * fix empty URLs * leave URL templating, use fallback * better fix, new tests cases * fix linting errors 2022-04-01 02:57:48 +08:00			`ns.log.Debug("Sending webhook", "url", webhook.Url, "http method", webhook.HttpMethod)`

Security: Fixes minor security issue with alert notification webhooks that allowed GET & DELETE requests #29330 2020-11-24 17:42:54 +08:00			`if webhook.HttpMethod != http.MethodPost && webhook.HttpMethod != http.MethodPut {`
			`return fmt.Errorf("webhook only supports HTTP methods PUT or POST")`
			`}`

chore: remove golang.org/x/net/context in favor of stdlib (#47532) This PR removes golang.org context imports under pkg/services/* and replaces them with the stdlib context. Closes #44178 2022-04-11 20:46:21 +08:00			`request, err := http.NewRequestWithContext(ctx, webhook.HttpMethod, webhook.Url, bytes.NewReader([]byte(webhook.Body)))`
feat(alerting): skeleton commit for webhook 2016-06-15 20:45:05 +08:00			`if err != nil {`
			`return err`
			`}`
Notifications: Redact URL from errors (#85687) * Remove url logs and redact * Reinclude redacted URL 2024-06-19 05:02:33 +08:00			`url, err := url.Parse(webhook.Url)`
			`if err != nil {`
			`// Should not be possible - NewRequestWithContext should also err if the URL is bad.`
			`return err`
			`}`
feat(alerting): skeleton commit for webhook 2016-06-15 20:45:05 +08:00
Sending image 2017-03-24 04:53:54 +08:00			`if webhook.ContentType == "" {`
			`webhook.ContentType = "application/json"`
			`}`

Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 22:13:01 +08:00			`request.Header.Set("Content-Type", webhook.ContentType)`
			`request.Header.Set("User-Agent", "Grafana")`
merge: fixed conflicts in discord PR 2018-05-07 21:40:43 +08:00
webhook: adds json content-type closes #6822 2016-12-05 17:44:31 +08:00			`if webhook.User != "" && webhook.Password != "" {`
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 22:13:01 +08:00			`request.Header.Set("Authorization", util.GetBasicAuthHeader(webhook.User, webhook.Password))`
webhook: adds json content-type closes #6822 2016-12-05 17:44:31 +08:00			`}`

tech(webhook): remove redundant if statement 2017-01-19 16:29:40 +08:00			`for k, v := range webhook.HttpHeader {`
			`request.Header.Set(k, v)`
(feature) add LINE notify to notifier 2017-01-19 15:25:21 +08:00			`}`

Alerting: Update grafana/alerting from de176b4a0309 to 83b6de6b0a35 (#105157) * Update grafana alerting from de176b4a0309 to 83b6de6b0a35 Includes: - https://github.com/grafana/alerting/pull/319 - https://github.com/grafana/alerting/pull/317 * Remove unused SendWebhook method from sender struct grafana/alerting hasn't used the grafana webhook sender for a while now, so this method is no longer used anywhere. - Removed SendWebhook from the sender struct and rename it to emailSender so that its use is clearer. - Also, for similar reasons, the Webhook method on Grafana's webhook sender `sendWebRequestSync` should not call grafana/alerting code for NewTLSClient. The previous grafana/alerting function is vendored into grafana. * Use BuildReceiverIntegrations new func signature 2025-05-10 00:26:20 +08:00			`resp, err := NewTLSClient(webhook.TLSConfig).Do(request)`
feat(alerting): skeleton commit for webhook 2016-06-15 20:45:05 +08:00			`if err != nil {`
Notifications: Redact URL from errors (#85687) * Remove url logs and redact * Reinclude redacted URL 2024-06-19 05:02:33 +08:00			`return redactURL(err)`
feat(alerting): skeleton commit for webhook 2016-06-15 20:45:05 +08:00			`}`
Chore: Disable default golangci-lint filter (#29751) * Disable default golangci-lint filter Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: Fix linter warnings Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-15 16:32:06 +08:00			`defer func() {`
			`if err := resp.Body.Close(); err != nil {`
			`ns.log.Warn("Failed to close response body", "err", err)`
			`}`
			`}()`
closes the body properly on successful webhooks this commit also adds a test docker container for receiving alerting web hook requests 2018-12-27 20:16:58 +08:00
Handle ioutil deprecations (#53526) * replace ioutil.ReadFile -> os.ReadFile * replace ioutil.ReadAll -> io.ReadAll * replace ioutil.TempFile -> os.CreateTemp * replace ioutil.NopCloser -> io.NopCloser * replace ioutil.WriteFile -> os.WriteFile * replace ioutil.TempDir -> os.MkdirTemp * replace ioutil.Discard -> io.Discard 2022-08-10 21:37:51 +08:00			`body, err := io.ReadAll(resp.Body)`
Make alerting notifcations sync (#6158) * tech(routines): move the async logic from notification to alerting notifier * tech(notification): reduce code dupe * fix(notification): dont touch the response unless its an error * feat(alerting): make alerting exeuction async but flow sync * tech(alerting): remove commented code * tech(alerting): remove unused code * tech(alerting): fix typo * tech(alerting): implement Context on EvalContext * tech(alerting): wait for all alerts to return * feat(alerting): dont allow alert responses to cancel * Revert "feat(alerting): dont allow alert responses to cancel" This reverts commit 324b006c96687da18a542942f39c10c99119430c. * feat(alerting): give alerts some time to finish before closing down 2016-10-03 15:38:03 +08:00			`if err != nil {`
			`return err`
feat(alerting): lots of progress on notifications, refactored them out to their own package, restored webhook notitication and added slack notification 2016-07-27 18:09:55 +08:00			`}`
Make alerting notifcations sync (#6158) * tech(routines): move the async logic from notification to alerting notifier * tech(notification): reduce code dupe * fix(notification): dont touch the response unless its an error * feat(alerting): make alerting exeuction async but flow sync * tech(alerting): remove commented code * tech(alerting): remove unused code * tech(alerting): fix typo * tech(alerting): implement Context on EvalContext * tech(alerting): wait for all alerts to return * feat(alerting): dont allow alert responses to cancel * Revert "feat(alerting): dont allow alert responses to cancel" This reverts commit 324b006c96687da18a542942f39c10c99119430c. * feat(alerting): give alerts some time to finish before closing down 2016-10-03 15:38:03 +08:00
Alerting: Fix Teams notifier not failing on 200 response with error (#52254) Team's webhook API does not always use the status code to communicate errors. There are cases where it returns 200 and an error message in the body. For example, 429 - Too Many Requests or when the message is too large. Instead, what we should be looking for is a response body = "1". https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using?tabs=cURL#send-messages-using-curl-and-powershell 2022-07-15 01:15:18 +08:00			`if webhook.Validation != nil {`
			`err := webhook.Validation(body, resp.StatusCode)`
			`if err != nil {`
Notifications: Redact URL from errors (#85687) * Remove url logs and redact * Reinclude redacted URL 2024-06-19 05:02:33 +08:00			`ns.log.Debug("Webhook failed validation", "url", url.Redacted(), "statuscode", resp.Status, "body", string(body), "error", err)`
Alerting: Fix Teams notifier not failing on 200 response with error (#52254) Team's webhook API does not always use the status code to communicate errors. There are cases where it returns 200 and an error message in the body. For example, 429 - Too Many Requests or when the message is too large. Instead, what we should be looking for is a response body = "1". https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using?tabs=cURL#send-messages-using-curl-and-powershell 2022-07-15 01:15:18 +08:00			`return fmt.Errorf("webhook failed validation: %w", err)`
			`}`
			`}`

			`if resp.StatusCode/100 == 2 {`
Notifications: Redact URL from errors (#85687) * Remove url logs and redact * Reinclude redacted URL 2024-06-19 05:02:33 +08:00			`ns.log.Debug("Webhook succeeded", "url", url.Redacted(), "statuscode", resp.Status)`
Alerting: Fix Teams notifier not failing on 200 response with error (#52254) Team's webhook API does not always use the status code to communicate errors. There are cases where it returns 200 and an error message in the body. For example, 429 - Too Many Requests or when the message is too large. Instead, what we should be looking for is a response body = "1". https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using?tabs=cURL#send-messages-using-curl-and-powershell 2022-07-15 01:15:18 +08:00			`return nil`
			`}`

Notifications: Redact URL from errors (#85687) * Remove url logs and redact * Reinclude redacted URL 2024-06-19 05:02:33 +08:00			`ns.log.Debug("Webhook failed", "url", url.Redacted(), "statuscode", resp.Status, "body", string(body))`
Alerting: Fix Teams notifier not failing on 200 response with error (#52254) Team's webhook API does not always use the status code to communicate errors. There are cases where it returns 200 and an error message in the body. For example, 429 - Too Many Requests or when the message is too large. Instead, what we should be looking for is a response body = "1". https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using?tabs=cURL#send-messages-using-curl-and-powershell 2022-07-15 01:15:18 +08:00			`return fmt.Errorf("webhook response status %v", resp.Status)`
feat(alerting): skeleton commit for webhook 2016-06-15 20:45:05 +08:00			`}`
Notifications: Redact URL from errors (#85687) * Remove url logs and redact * Reinclude redacted URL 2024-06-19 05:02:33 +08:00
			`func redactURL(err error) error {`
			`var e *url.Error`
			`if !errors.As(err, &e) {`
			`return err`
			`}`
			`e.URL = "<redacted>"`
			`return e`
			`}`
Alerting: Update grafana/alerting from de176b4a0309 to 83b6de6b0a35 (#105157) * Update grafana alerting from de176b4a0309 to 83b6de6b0a35 Includes: - https://github.com/grafana/alerting/pull/319 - https://github.com/grafana/alerting/pull/317 * Remove unused SendWebhook method from sender struct grafana/alerting hasn't used the grafana webhook sender for a while now, so this method is no longer used anywhere. - Removed SendWebhook from the sender struct and rename it to emailSender so that its use is clearer. - Also, for similar reasons, the Webhook method on Grafana's webhook sender `sendWebRequestSync` should not call grafana/alerting code for NewTLSClient. The previous grafana/alerting function is vendored into grafana. * Use BuildReceiverIntegrations new func signature 2025-05-10 00:26:20 +08:00
			`// NewTLSClient creates a new HTTP client with the provided TLS configuration or with default settings.`
			`func NewTLSClient(tlsConfig tls.Config) http.Client {`
			`nc := func(tlsConfig tls.Config) http.Client {`
			`return &http.Client{`
			`Timeout: time.Second * 30,`
			`Transport: &http.Transport{`
			`TLSClientConfig: tlsConfig,`
			`Proxy: http.ProxyFromEnvironment,`
			`Dial: (&net.Dialer{`
			`Timeout: 30 * time.Second,`
			`}).Dial,`
			`TLSHandshakeTimeout: 5 * time.Second,`
			`},`
			`}`
			`}`

			`if tlsConfig == nil {`
			`return nc(&tls.Config{Renegotiation: tls.RenegotiateFreelyAsClient})`
			`}`

			`return nc(tlsConfig)`
			`}`