feat(webhooks): [APLAT-589] wire PagerDuty webhook end-to-end#51
Merged
Conversation
shivanshtamrakar-s1
commented
May 21, 2026
shivanshtamrakar-s1
commented
shivanshtamrakar-s1
force-pushed
the
pd-slack-int
branch
from
07e13e6 to
ac8ba33
Compare
martiner
requested changes
May 29, 2026
| fun send(incident: MatchedIncident) { | ||
| val subject = ":pager: Escalation policy $watchedPolicyId added to incident — ${incident.title}" | ||
| val email = Email( | ||
| recipient = InternetAddress(channelEmail), |
Owner
There was a problem hiding this comment.
this could throw an exception - better move it into the try block
Author
There was a problem hiding this comment.
moved this to try block
| properties = [ | ||
| "pagerduty.webhook.secret=test-secret", | ||
| "pagerduty.escalation-policy.watch-id=PQ5P8WD", | ||
| "slack.webhook.url=http://slack.test/hook", |
| spring.mail.properties[mail.smtp.starttls.enable]=true | ||
|
|
||
| pagerduty.webhook.secret=${PAGERDUTY_WEBHOOK_SECRET:} | ||
| pagerduty.escalation-policy.watch-id=${WATCH_ID:} |
Owner
There was a problem hiding this comment.
Suggested change
| pagerduty.escalation-policy.watch-id=${WATCH_ID:} | |
| pagerduty.escalation-policy.watch-id=${PAGERDUTY_WATCH_ID:} |
for consistency
martiner
reviewed
Jun 1, 2026
martiner
reviewed
Jun 2, 2026
Comment on lines
+29
to
+31
| pagerduty.webhook.secret=${PAGERDUTY_WEBHOOK_SECRET:} | ||
| pagerduty.escalation-policy.watch-id=${PAGERDUTY_WATCH_ID:} | ||
| slack.channel.email=${SLACK_CHANNEL_EMAIL:} |
Owner
There was a problem hiding this comment.
Suggested change
| pagerduty.webhook.secret=${PAGERDUTY_WEBHOOK_SECRET:} | |
| pagerduty.escalation-policy.watch-id=${PAGERDUTY_WATCH_ID:} | |
| slack.channel.email=${SLACK_CHANNEL_EMAIL:} | |
| pagerduty.webhook.secret=${PAGERDUTY_WEBHOOK_SECRET} | |
| pagerduty.escalation-policy.watch-id=${PAGERDUTY_WATCH_ID} | |
| slack.channel.email=${SLACK_CHANNEL_EMAIL} |
shivanshtamrakar-s1
force-pushed
the
pd-slack-int
branch
5 times, most recently
from
fcfbeea to
ce4e0ce
Compare
martiner
reviewed
Jun 7, 2026
| private fun sendEmail(subject: String, htmlBody: String, logContext: String) { | ||
| try { | ||
| val email = Email( | ||
| recipient = InternetAddress(channelEmail), |
Owner
There was a problem hiding this comment.
It seems a different exception AddressException is thrown here. Maybe we can move it to constructor:
private val channelEmail: InternetAddress = InternetAddress(slackProperties.channel.email)
and throw the error right on the app start
martiner
reviewed
Jun 7, 2026
| ) { | ||
|
|
||
| private val keySpec: SecretKeySpec? = if (properties.webhook.secret.isEmpty()) { | ||
| logger.info { "pagerduty.webhook.secret is empty; all PagerDuty webhook deliveries will be rejected with 401" } |
Owner
There was a problem hiding this comment.
this is now unreachable code, with @ConfigurationProperties the "missing" value would be ${PAGERDUTY_WEBHOOK_SECRET}. There is a test, but it tests artificial behaviour that doesn't happen in the real world 😄
Author
There was a problem hiding this comment.
my bad , removing this one. thanks
shivanshtamrakar-s1
force-pushed
the
pd-slack-int
branch
3 times, most recently
from
94ef613 to
d0941f7
Compare
Add POST /webhooks/pagerduty/incident — verifies the X-PagerDuty-
Signature, parses the v3 incident.responder.added payload, filters for
the watched escalation policy, and posts a Slack notification when it
matches. Returns 401 on bad/missing signature, 200 on signed bodies
regardless of match (200-on-no-match prevents PagerDuty retry storms).
Components: PagerDutyWebhookController (HTTP entrypoint),
PagerDutyWebhookService (verify-parse-filter-notify orchestration),
WebhookBodySizeFilter (rejects /webhooks/* POSTs >64KB with 413 to
mitigate DoS via large bodies).
Security wiring: WebSecurityConfig CSRF-exempts the single exact path
/webhooks/pagerduty/incident (tighter than a wildcard). Controller
reads raw bytes and decodes UTF-8 explicitly so signature verification
matches what PagerDuty signed regardless of Content-Type charset.
PagerDutySignatureVerifier now logs ERROR (was WARN) when the secret
is unconfigured and rejects all requests instead of throwing during
context initialization.
application.properties adds three properties with empty env-var
defaults so the application context still starts when secrets are not
provisioned locally.
5 web slice tests (200 match, 200 no-match, 401 missing sig, 401 bad
sig, CSRF-exempt path), 3 filter unit tests, plus one new verifier
case covering the empty-secret behavior. Full suite goes from a
pre-existing failure to 81/81 green — the empty-secret tolerance
also fixes SpdreportApplicationTests.contextLoads.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
shivanshtamrakar-s1
force-pushed
the
pd-slack-int
branch
from
d0941f7 to
9f900a9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.