feat: add SendGrid Event Webhook signature verifier#26

Open
nickmarden wants to merge 1 commit into main from feat/sendgrid-verifier

Conversation

@nickmarden
Contributor

Summary

  • Adds sendgrid verifier type for SendGrid Event Webhook (and Inbound Parse) authentication
  • Verifies ECDSA P-256 signature over SHA256(timestamp + raw_body), base64(ASN.1 DER) encoded in X-Twilio-Email-Event-Webhook-Signature
  • Public key accepted as PEM or as the base64-encoded DER (SPKI) that the SendGrid UI displays; optional max_timestamp_age enables replay protection
  • Wired through config validation, the handler builder, the Helm configmap.yaml, the example config, and the configure-route skill
  • SendGrid does not publish stable webhook source IPs, so routes rely on signature verification rather than an IP allowlist

Closes #25

Test plan

  • make check — lint, 100% coverage in touched packages, both binaries build
  • helm lint charts/gatekeeperd clean
  • Verifier unit tests cover: valid signature (PEM + base64 DER keys), missing/expired/unparseable timestamp, missing/invalid signature, wrong signing key, tampered payload, max_timestamp_age=0 skip path, and key-parsing error branches (empty, garbage, non-DER, RSA, wrong curve)
  • Handler tests cover successful sendgrid build path and invalid-key error path
  • Live test against a real SendGrid Event Webhook (cannot run from CI)

Adds a `sendgrid` verifier type that authenticates SendGrid Event Webhook
(and Inbound Parse) deliveries using ECDSA P-256 over SHA-256 of
`timestamp + payload`. The public key is supplied as PEM or as the
base64-encoded DER (SubjectPublicKeyInfo) shown in the SendGrid UI. An
optional `max_timestamp_age` enables replay protection.

Closes #25
@codecov

codecov Bot commented May 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@github-actions

Docker Images Built

Images are available for testing:

# gatekeeperd
docker pull ghcr.io/tight-line/gatekeeperd:pr-26-4f9dc71

# gatekeeper-relay
docker pull ghcr.io/tight-line/gatekeeper-relay:pr-26-4f9dc71

docker-compose.yml

GATEKEEPERD_IMAGE=ghcr.io/tight-line/gatekeeperd:pr-26-4f9dc71 \
RELAY_IMAGE=ghcr.io/tight-line/gatekeeper-relay:pr-26-4f9dc71 \
docker-compose --profile relay up

Helm (values override)

image:
  repository: ghcr.io/tight-line/gatekeeperd  # or gatekeeper-relay
  tag: "pr-26-4f9dc71"

Images expire ~15 days after PR closes.

Development

Successfully merging this pull request may close these issues.

Add SendGrid Event Webhook signature verification

1 participant