social/mail_tracking_mailgun/controllers/main.py

# Copyright 2021 Tecnativa - Jairo Llopis
# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).

import hashlib
import hmac
import logging
from datetime import datetime, timedelta

from werkzeug.exceptions import NotAcceptable

from odoo import _
from odoo.exceptions import ValidationError
from odoo.http import request, route

from ...mail_tracking.controllers import main
from ...web.controllers.main import ensure_db

_logger = logging.getLogger(__name__)


class MailTrackingController(main.MailTrackingController):
    def _mail_tracking_mailgun_webhook_verify(self, timestamp, token, signature):
        """Avoid mailgun webhook attacks.

        See https://documentation.mailgun.com/en/latest/user_manual.html#securing-webhooks
        """  # noqa: E501
        # Request cannot be old
        processing_time = datetime.utcnow() - datetime.utcfromtimestamp(int(timestamp))
        if not timedelta() < processing_time < timedelta(minutes=10):
            raise ValidationError(_("Request is too old"))
        # Avoid replay attacks
        try:
            processed_tokens = (
                request.env.registry._mail_tracking_mailgun_processed_tokens
            )
        except AttributeError:
            processed_tokens = (
                request.env.registry._mail_tracking_mailgun_processed_tokens
            ) = set()
        if token in processed_tokens:
            raise ValidationError(_("Request was already processed"))
        processed_tokens.add(token)
        params = request.env["mail.tracking.email"]._mailgun_values()
        # Assert signature
        if not params.webhook_signing_key:
            _logger.warning(
                "Skipping webhook payload verification. "
                "Set `mailgun.webhook_signing_key` config parameter to enable"
            )
            return
        hmac_digest = hmac.new(
            key=params.webhook_signing_key.encode(),
            msg=("{}{}".format(timestamp, token)).encode(),
            digestmod=hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(str(signature), str(hmac_digest)):
            raise ValidationError(_("Wrong signature"))

    @route(["/mail/tracking/mailgun/all"], auth="none", type="json", csrf=False)
    def mail_tracking_mailgun_webhook(self):
        """Process webhooks from Mailgun."""
        ensure_db()
        # Verify and return 406 in case of failure, to avoid retries
        # See https://documentation.mailgun.com/en/latest/user_manual.html#routes
        try:
            self._mail_tracking_mailgun_webhook_verify(
                **request.jsonrequest["signature"]
            )
        except ValidationError as error:
            raise NotAcceptable from error
        # Process event
        request.env["mail.tracking.email"].sudo()._mailgun_event_process(
            request.jsonrequest["event-data"],
            self._request_metadata(),
        )
[IMP] mail_tracking_mailgun: refactor to support modern webhooks Before this patch, the module was designed after the [deprecated Mailgun webhooks][3]. However Mailgun had the [events API][2] which was quite different. Modern Mailgun has deprecated those webhooks and instead uses new ones that include the same payload as the events API, so you can reuse code. However, this was incorrectly reusing the code inversely: trying to process the events API through the same code prepared for the deprecated webhooks. Besides, both `failed` and `rejected` mailgun events were mapped to `error` state, but that was also wrong because [`mail_tracking` doesn't have an `error` state][1]. So the logic of the whole module is changed, adapting it to process the events API payload, both through controllers (prepared for the new webhooks) and manual updates that directly call the events API. Also, `rejected` is now translated into `reject`, and `failed` is translated into `hard_bounce` or `soft_bounce` depending on the severity, as specified by [mailgun docs][2]. Also, `bounced` and `dropped` mailgun states are removed because they don't exist, and instead `failed` and `rejected` properly get their metadata. Of course, to know the severity, now the method to obtain that info must change, it' can't be a simple dict anymore. Added more parameters because for example modern Mailgun uses different keys for signing payload than for accessing the API. As there are so many parameters, configuration is now possible through `res.config.settings`. Go there to autoregister webhooks too. Since the new webhooks are completely incompatible with the old supposedly-abstract webhooks controllers (that were never really that abstract), support for old webhooks is removed, and it will be removed in the future from `mail_tracking` directly. There is a migration script that attempts to unregister old webhooks and register new ones automatically. [1]: https://github.com/OCA/social/blob/f73de421e28a43d018176f61725a3a59665f715d/mail_tracking/models/mail_tracking_event.py#L31-L42 [2]: https://documentation.mailgun.com/en/latest/api-events.html#event-types [3]: https://documentation.mailgun.com/en/latest/api-webhooks-deprecated.html 2021-10-28 12:33:59 +02:00			`# Copyright 2021 Tecnativa - Jairo Llopis`
			`# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).`

			`import hashlib`
			`import hmac`
			`import logging`
			`from datetime import datetime, timedelta`

			`from werkzeug.exceptions import NotAcceptable`

			`from odoo import _`
			`from odoo.exceptions import ValidationError`
			`from odoo.http import request, route`

			`from ...mail_tracking.controllers import main`
			`from ...web.controllers.main import ensure_db`

			`_logger = logging.getLogger(__name__)`


			`class MailTrackingController(main.MailTrackingController):`
			`def _mail_tracking_mailgun_webhook_verify(self, timestamp, token, signature):`
			`"""Avoid mailgun webhook attacks.`

			`See https://documentation.mailgun.com/en/latest/user_manual.html#securing-webhooks`
			`""" # noqa: E501`
			`# Request cannot be old`
			`processing_time = datetime.utcnow() - datetime.utcfromtimestamp(int(timestamp))`
			`if not timedelta() < processing_time < timedelta(minutes=10):`
			`raise ValidationError(_("Request is too old"))`
			`# Avoid replay attacks`
			`try:`
			`processed_tokens = (`
			`request.env.registry._mail_tracking_mailgun_processed_tokens`
			`)`
			`except AttributeError:`
			`processed_tokens = (`
			`request.env.registry._mail_tracking_mailgun_processed_tokens`
			`) = set()`
			`if token in processed_tokens:`
			`raise ValidationError(_("Request was already processed"))`
			`processed_tokens.add(token)`
			`params = request.env["mail.tracking.email"]._mailgun_values()`
			`# Assert signature`
			`if not params.webhook_signing_key:`
			`_logger.warning(`
			`"Skipping webhook payload verification. "`
			"Set `mailgun.webhook_signing_key` config parameter to enable"
			`)`
			`return`
			`hmac_digest = hmac.new(`
			`key=params.webhook_signing_key.encode(),`
			`msg=("{}{}".format(timestamp, token)).encode(),`
			`digestmod=hashlib.sha256,`
			`).hexdigest()`
			`if not hmac.compare_digest(str(signature), str(hmac_digest)):`
			`raise ValidationError(_("Wrong signature"))`

			`@route(["/mail/tracking/mailgun/all"], auth="none", type="json", csrf=False)`
			`def mail_tracking_mailgun_webhook(self):`
			`"""Process webhooks from Mailgun."""`
			`ensure_db()`
			`# Verify and return 406 in case of failure, to avoid retries`
			`# See https://documentation.mailgun.com/en/latest/user_manual.html#routes`
			`try:`
			`self._mail_tracking_mailgun_webhook_verify(`
			`**request.jsonrequest["signature"]`
			`)`
			`except ValidationError as error:`
			`raise NotAcceptable from error`
			`# Process event`
			`request.env["mail.tracking.email"].sudo()._mailgun_event_process(`
			`request.jsonrequest["event-data"],`
			`self._request_metadata(),`
			`)`