From a1b01c8f355f0b443588af55ae16e376803caf51 Mon Sep 17 00:00:00 2001 From: Hans Glad Date: Wed, 25 Jun 2025 14:40:05 +0200 Subject: [PATCH 1/2] IS-18432: add support for accessing global secrets in validation_expression --- hub/changelog.rst | 7 +++++++ .../pipes/configuration-sources-http.rst | 7 +++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/hub/changelog.rst b/hub/changelog.rst index a8e8dde667..754c199492 100644 --- a/hub/changelog.rst +++ b/hub/changelog.rst @@ -1,6 +1,13 @@ Changelog ========= +.. _changelog_2025-06-25: + +2025-06-25 +---------- +- The ``validation_expression`` :ref:`property ` now supports looking up global secrets. + If the secret used in the expression is set on both the system and as a global secret, the system secret takes priority. + .. _changelog_2025-06-17: 2025-06-17 diff --git a/hub/documentation/service-configuration/pipes/configuration-sources-http.rst b/hub/documentation/service-configuration/pipes/configuration-sources-http.rst index 6909c1f68a..97f46dcc2f 100644 --- a/hub/documentation/service-configuration/pipes/configuration-sources-http.rst +++ b/hub/documentation/service-configuration/pipes/configuration-sources-http.rst 
@@ -150,14 +150,17 @@ Properties - 100 - No + .. _validation_expression: * - ``validation_expression`` - String - This property allows custom request validation for receiver endpoints. This is particularly useful when clients cannot use JWT tokens for authentication. The string must be a `Jinja template `_. The Jinja template is rendered for each incoming request. If it renders as an empty string then the request is accepted, otherwise the rendered string will be reported as an error in the response. The context allows using - the ``secret`` function to access values of secrets. The named variables ``url``, ``request_params`` and - ``request_headers`` are available to the template. Example: + the ``secret`` function to access values of secrets. System secrets (if the pipe has a system) and global secrets + can both be accessed. If the secret used in the expression is set on both the system and as a global secret, + the system secret takes priority. If using system secrets, the pipe must have permission to read from that system. + The named variables ``url``, ``request_params`` and ``request_headers`` are available to the template. Example: ``"{{ '' if request_headers['X-Sesam-Authorization'] == secret('webhook_secret') else 'Invalid authorization header value' }}"``. Our :ref:`custom Jinja filters ` can also be used for more advanced validation, such as From 999beca56b9699bf63fdaa30300d9b4be6ad33c5 Mon Sep 17 00:00:00 2001 From: Hans Glad Date: Wed, 25 Jun 2025 14:49:32 +0200 Subject: [PATCH 2/2] IS-18432: fix indent --- .../service-configuration/pipes/configuration-sources-http.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hub/documentation/service-configuration/pipes/configuration-sources-http.rst b/hub/documentation/service-configuration/pipes/configuration-sources-http.rst index 97f46dcc2f..a1bd44f78f 100644 --- a/hub/documentation/service-configuration/pipes/configuration-sources-http.rst 
+++ b/hub/documentation/service-configuration/pipes/configuration-sources-http.rst @@ -150,7 +150,7 @@ Properties - 100 - No - .. _validation_expression: + .. _validation_expression: * - ``validation_expression`` - String - This property allows custom request validation for receiver endpoints. This is particularly useful when clients
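Review bot: The 2025-06-25 entry added to hub/changelog.rst (patch 1/2) states the precedence rule but omits the permission requirement that the same patch adds to the property description ("If using system secrets, the pipe must have permission to read from that system"). A reader who only sees the changelog would conclude that name precedence is the whole lookup rule. Suggest adding one clause about the read permission to the entry, or trimming the entry to the first sentence and leaving the details to the linked property text so the two descriptions cannot drift apart.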
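Review bot: In the ``validation_expression`` description in configuration-sources-http.rst (patch 1/2, hunk at -150,14 +150,17), the added sentences do not say what ``secret()`` returns when the lookup does not succeed: when the name is set neither on the system nor globally, or when the pipe lacks read permission on the system while a global secret with the same name exists. This expression is the endpoint's authentication check, so the text should state whether those cases fail the request with an error or fall through to the global secret or to an empty value. If an empty or undefined value is possible, the example as written (``request_headers['X-Sesam-Authorization'] == secret('webhook_secret')``) would need a note, because a request without the header could then compare equal and be accepted.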
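Review bot: Patch 2/2 only re-indents the ``.. _validation_expression:`` label that patch 1/2 introduced in the same file, so it should be squashed into 1/2 rather than leaving a revision in history with the misindented label. Since the label sits in front of a list-table row (``* - ``validation_expression````) and not a section title, please also confirm with a docs build that the ``:ref:`` added in hub/changelog.rst resolves to it at the final indentation.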