Mailglass.Webhook.Providers.SES (Mailglass v1.0.0)


AWS SES webhook verifier via Amazon SNS.

Implements Mailglass.Webhook.Provider for SES events delivered through SNS HTTP subscriptions. Handles all three SNS message types on the same endpoint per D-01:

  • Notification — SES event payload; returns :ok for the ingest pipeline
  • SubscriptionConfirmation — auto-confirms after verification; returns {:ok, :control_plane, :subscription_confirmed} (D-03)
  • UnsubscribeConfirmation — verifies and no-ops; returns {:ok, :control_plane, :unsubscribe_confirmed} (D-04)

Verification algorithm

  1. Parse the raw body as JSON (SNS delivers it with Content-Type text/plain, but the body is valid JSON)
  2. Validate SigningCertURL with TrustPolicy.valid_cert_url?/1 before network I/O (D-06)
  3. Fetch X.509 public key from CertCache (ETS hit) or :httpc (cache miss) (D-10)
  4. Build canonical string from message fields (byte-sorted per AWS spec)
  5. Verify RSA-SHA1 (SignatureVersion 1) or RSA-SHA256 (SignatureVersion 2) signature
  6. Dispatch on MessageType:
    • Notification → return :ok
    • SubscriptionConfirmation → validate SubscribeURL, construct ConfirmSubscription URL from TopicArn + Token, :httpc GET with redirects disabled (D-07)
    • UnsubscribeConfirmation → log telemetry, return control-plane no-op
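The verification steps above, as an added Python example (not Mailglass's own code, which is Elixir): the exact SigningCertURL trust rule, the ConfirmSubscription URL form and the SAMPLE message are assumptions, and the RSA check relies on the `cryptography` package.

```python
import base64
import re
from urllib.parse import urlencode, urlparse
# Assumed trust rule for SigningCertURL (modelled on AWS guidance; Mailglass's own
# TrustPolicy.valid_cert_url?/1 may be stricter): https, an SNS regional host, a .pem path.
_SNS_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com$")
# Signed fields per message type, in AWS spec order (already byte order). Subject is
# optional in a Notification and is skipped when absent.
_CONTROL = ("Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type")
_SIGNED = {"Notification": ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"),
           "SubscriptionConfirmation": _CONTROL, "UnsubscribeConfirmation": _CONTROL}
_HASH = {"1": "SHA1", "2": "SHA256"}  # SignatureVersion -> RSA-SHA1 / RSA-SHA256

def valid_cert_url(url: str) -> bool:
    """Step 2: only fetch a signing certificate from an SNS host over TLS, before any I/O."""
    u = urlparse(url)
    return u.scheme == "https" and bool(_SNS_HOST.match(u.hostname or "")) and u.path.endswith(".pem")

def canonical_string(msg: dict) -> bytes:
    """Step 4: 'Key\\nValue\\n' for every present signed field, byte-sorted."""
    present = sorted(f for f in _SIGNED[msg["Type"]] if f in msg)
    return "".join(f"{f}\n{msg[f]}\n" for f in present).encode("utf-8")

def confirm_subscription_url(msg: dict) -> str:
    """Step 6 (D-07): build the confirm URL from TopicArn + Token rather than following SubscribeURL (assumed query-API form)."""
    region = msg["TopicArn"].split(":")[3]  # arn:aws:sns:<region>:<account>:<topic>
    query = urlencode({"Action": "ConfirmSubscription", "TopicArn": msg["TopicArn"], "Token": msg["Token"]})
    return f"https://sns.{region}.amazonaws.com/?{query}"

def verify_sns_signature(msg: dict, cert_pem: bytes) -> bool:
    """Steps 2-5 (cert_pem fetched from SigningCertURL); `cryptography` is imported lazily so the stdlib checks run without it."""
    version = msg.get("SignatureVersion", "1")
    if not valid_cert_url(msg["SigningCertURL"]) or version not in _HASH:
        return False
    from cryptography import x509
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    key = x509.load_pem_x509_certificate(cert_pem).public_key()
    try:
        key.verify(base64.b64decode(msg["Signature"]), canonical_string(msg),
                   padding.PKCS1v15(), getattr(hashes, _HASH[version])())
        return True
    except InvalidSignature:
        return False

# Constructed sample Notification (not a real SES event); Subject omitted, so it is not signed.
SAMPLE = {"Type": "Notification", "MessageId": "11111111-2222-3333-4444-555555555555",
          "TopicArn": "arn:aws:sns:us-east-1:123456789012:ses-events", "SignatureVersion": "2",
          "Timestamp": "2024-01-01T00:00:00.000Z", "Message": '{"eventType":"Bounce"}',
          "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-example.pem"}
```

An unknown MessageType raises a KeyError from canonical_string, which is the intended fail-closed behaviour rather than a silent pass.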

Configuration (Application env)

config :mailglass, :ses,
  cert_cache_ttl_seconds: 86_400   # default 24 hours