fix: webhook kms decrypt auth key (#332)

crates/experimentation_platform/src/api/experiments/handlers.rs

@@ -295,7 +295,9 @@ async fn create(
             &config_version_id,
             &tenant,
             WebhookEvent::ExperimentCreated,
+            &state.app_env,
             &state.http_client,
+            &state.kms_client,
         )
         .await?;
     }
@@ -338,7 +340,9 @@ async fn conclude_handler(
             &config_version_id,
             &tenant,
             WebhookEvent::ExperimentConcluded,
+            &state.app_env,
             &state.http_client,
+            &state.kms_client,
         )
         .await?;
     }
@@ -711,7 +715,9 @@ async fn ramp(
             &config_version_id,
             &tenant,
             webhook_event,
+            &data.app_env,
             &data.http_client,
+            &data.kms_client,
         )
         .await?;
     }
@@ -948,7 +954,9 @@ async fn update_overrides(
             &config_version_id,
             &tenant,
             WebhookEvent::ExperimentUpdated,
+            &state.app_env,
             &state.http_client,
+            &state.kms_client,
         )
         .await?;
     }

crates/service_utils/src/helpers.rs

@@ -1,4 +1,7 @@
-use crate::service::types::{AppState, Tenant};
+use crate::{
+    aws::kms,
+    service::types::{AppEnv, AppState, Tenant},
+};
 use actix_web::{error::ErrorInternalServerError, web::Data, Error};
 use anyhow::anyhow;
 use chrono::Utc;
@@ -23,6 +26,7 @@ use superposition_types::{
     },
     Condition,
 };
+use urlencoding::encode;
 
 const CONFIG_TAG_REGEX: &str = "^[a-zA-Z0-9_-]{1,64}$";
 
@@ -381,7 +385,9 @@ pub async fn execute_webhook_call<T>(
     config_version_opt: &Option<String>,
     tenant: &Tenant,
     event: WebhookEvent,
+    app_env: &AppEnv,
     http_client: &reqwest::Client,
+    kms_client: &Option<aws_sdk_kms::Client>,
 ) -> Result<(), AppError>
 where
     T: Serialize,
@@ -411,13 +417,20 @@ where
         .for_each(|(key, value)| header_array.push((key, value)));
 
     if let Some(auth) = &webhook_config.authorization {
-        let auth_token_value: String =
-                get_from_env_unsafe(&auth.value).map_err(|err| {
-                    log::error!("Failed to retrieve authentication token for the webhook with error: {}", err);
-                    AppError::WebhookError(
-                        String::from("Failed to retrieve authentication token for the webhook. Please verify the credentials in TenantConfig.")
-                    )
+        let auth_token_value: String = match app_env {
+            AppEnv::DEV | AppEnv::TEST => {
+                get_from_env_or_default(&auth.value, "1234".into())
+            }
+            _ => {
+                let kms_client = kms_client.clone().ok_or_else(|| {
+                    log::error!("Failed to retrieve kms client: KMS client is None");
+                    AppError::WebhookError(String::from(
+                        "Something went wrong. Please check the logs.",
+                    ))
                 })?;
+                kms::decrypt(kms_client, &auth.value).await
+            }
+        };
         header_array.push((auth.key.clone(), auth_token_value));
     }
 

crates/service_utils/src/service/types.rs

@@ -7,6 +7,7 @@ use std::{
 };
 
 use actix_web::{error, web::Data, Error, FromRequest, HttpMessage};
+use aws_sdk_kms::Client;
 use derive_more::{Deref, DerefMut};
 use jsonschema::JSONSchema;
 use serde_json::json;
@@ -54,6 +55,7 @@ pub struct AppState {
     #[cfg(feature = "high-performance-mode")]
     pub redis: fred::clients::RedisPool,
     pub http_client: reqwest::Client,
+    pub kms_client: Option<Client>,
 }
 
 impl FromStr for AppEnv {

crates/superposition/src/app_state.rs

@@ -141,5 +141,6 @@ pub async fn get(
         #[cfg(feature = "high-performance-mode")]
         redis: redis_pool,
         http_client: reqwest::Client::new(),
+        kms_client: kms_client.clone(),
     }
 }