adk-server 1.0.0

HTTP server and A2A protocol for Rust Agent Development Kit (ADK-Rust) agents
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284

//! OpenAI webhook event handler.
//!
//! Receives signed webhook events from OpenAI for background task completion
//! and other asynchronous notifications. Validates HMAC-SHA256 signatures,
//! parses event payloads, and broadcasts parsed events to subscribers.
//!
//! # Example
//!
//! ```rust,ignore
//! use adk_server::webhooks::{OpenAIWebhookConfig, OpenAIWebhookHandler};
//!
//! let config = OpenAIWebhookConfig {
//!     webhook_secret: "whsec_abc123".to_string(),
//!     path: "/webhooks/openai".to_string(),
//! };
//!
//! let handler = OpenAIWebhookHandler::new(config);
//! let mut rx = handler.subscribe();
//! let router = handler.router();
//!
//! // Mount router in your Axum app
//! // Events will be delivered via rx
//! ```

use std::sync::Arc;

use axum::{
    Router,
    body::Bytes,
    extract::State,
    http::{HeaderMap, StatusCode},
    routing::post,
};
use hmac::{Hmac, Mac};
use sha2::Sha256;
use tokio::sync::broadcast;
use tracing::{debug, warn};

/// Configuration for the OpenAI webhook handler.
#[derive(Debug, Clone)]
pub struct OpenAIWebhookConfig {
    /// Webhook signing secret for HMAC-SHA256 validation.
    pub webhook_secret: String,
    /// Path to mount the webhook endpoint (e.g., "/webhooks/openai").
    pub path: String,
}

/// A parsed webhook event from OpenAI.
#[derive(Debug, Clone)]
pub struct WebhookEvent {
    /// The type of event (e.g., "response.completed", "response.failed").
    pub event_type: String,
    /// The response ID associated with this event.
    pub response_id: String,
    /// The raw response payload as JSON, if present.
    /// Consumers with access to `adk-model` can convert this to `LlmResponse`
    /// via `responses_convert::from_response`.
    pub response: Option<serde_json::Value>,
    /// Error information, if the event represents a failure.
    pub error: Option<String>,
}

/// OpenAI webhook event handler.
///
/// Provides an Axum router that receives POST requests at the configured path,
/// validates HMAC-SHA256 signatures, parses event payloads, and broadcasts
/// parsed events to subscribers via a tokio broadcast channel.
#[derive(Clone)]
pub struct OpenAIWebhookHandler {
    config: Arc<OpenAIWebhookConfig>,
    tx: broadcast::Sender<WebhookEvent>,
}

impl OpenAIWebhookHandler {
    /// Create a new webhook handler with the given configuration.
    ///
    /// The broadcast channel has a capacity of 64 events. If subscribers
    /// fall behind, older events will be dropped.
    pub fn new(config: OpenAIWebhookConfig) -> Self {
        let (tx, _) = broadcast::channel(64);
        Self { config: Arc::new(config), tx }
    }

    /// Create an Axum router for the webhook endpoint.
    ///
    /// The router handles POST requests at the configured path.
    /// It validates the HMAC-SHA256 signature from the `X-OpenAI-Signature`
    /// header, returning HTTP 401 for invalid signatures and HTTP 400 for
    /// parse errors.
    pub fn router(&self) -> Router {
        let handler_state = self.clone();
        Router::new().route(&self.config.path, post(handle_webhook).with_state(handler_state))
    }

    /// Subscribe to webhook events.
    ///
    /// Returns a broadcast receiver that will receive all parsed webhook events.
    /// Multiple subscribers can be active simultaneously.
    pub fn subscribe(&self) -> broadcast::Receiver<WebhookEvent> {
        self.tx.subscribe()
    }

    /// Validate HMAC-SHA256 signature of a webhook payload.
    ///
    /// The signature is expected to be a hex-encoded HMAC-SHA256 digest
    /// computed using the webhook secret.
    pub fn validate_signature(&self, payload: &[u8], signature: &str) -> bool {
        type HmacSha256 = Hmac<Sha256>;

        let Ok(mut mac) = HmacSha256::new_from_slice(self.config.webhook_secret.as_bytes()) else {
            warn!("invalid webhook secret length for HMAC");
            return false;
        };

        mac.update(payload);

        // Try hex-encoded signature
        let Ok(signature_bytes) = hex::decode(signature) else {
            debug!("webhook signature is not valid hex");
            return false;
        };

        mac.verify_slice(&signature_bytes).is_ok()
    }
}

/// The header name for the OpenAI webhook signature.
const SIGNATURE_HEADER: &str = "x-openai-signature";

/// Axum handler for incoming webhook POST requests.
async fn handle_webhook(
    State(handler): State<OpenAIWebhookHandler>,
    headers: HeaderMap,
    body: Bytes,
) -> StatusCode {
    // Extract signature from headers
    let signature = match headers.get(SIGNATURE_HEADER).and_then(|v| v.to_str().ok()) {
        Some(sig) => sig,
        None => {
            warn!("webhook request missing signature header");
            return StatusCode::UNAUTHORIZED;
        }
    };

    // Validate HMAC-SHA256 signature
    if !handler.validate_signature(&body, signature) {
        warn!("webhook signature validation failed");
        return StatusCode::UNAUTHORIZED;
    }

    // Parse the JSON payload
    let payload: serde_json::Value = match serde_json::from_slice(&body) {
        Ok(v) => v,
        Err(e) => {
            warn!("webhook payload parse error: {e}");
            return StatusCode::BAD_REQUEST;
        }
    };

    // Extract event_type and response_id
    let event_type = match payload.get("type").and_then(|v| v.as_str()) {
        Some(t) => t.to_string(),
        None => {
            warn!("webhook payload missing 'type' field");
            return StatusCode::BAD_REQUEST;
        }
    };

    let response_id = payload
        .get("response")
        .and_then(|r| r.get("id"))
        .and_then(|v| v.as_str())
        .or_else(|| payload.get("response_id").and_then(|v| v.as_str()))
        .unwrap_or("")
        .to_string();

    // Extract response data for completed events
    let response = payload.get("response").cloned();

    // Extract error information for failed events
    let error = payload
        .get("error")
        .or_else(|| payload.get("response").and_then(|r| r.get("error")))
        .map(|e| e.to_string());

    let event = WebhookEvent { event_type, response_id, response, error };

    debug!(
        event_type = %event.event_type,
        response_id = %event.response_id,
        "webhook event received"
    );

    // Broadcast to subscribers (ignore send errors — no subscribers is fine)
    let _ = handler.tx.send(event);

    StatusCode::OK
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_validate_signature_valid() {
        let config = OpenAIWebhookConfig {
            webhook_secret: "test_secret".to_string(),
            path: "/webhooks/openai".to_string(),
        };
        let handler = OpenAIWebhookHandler::new(config);

        let payload = b"hello world";

        // Compute expected signature
        type HmacSha256 = Hmac<Sha256>;
        let mut mac = HmacSha256::new_from_slice(b"test_secret").unwrap();
        mac.update(payload);
        let expected = hex::encode(mac.finalize().into_bytes());

        assert!(handler.validate_signature(payload, &expected));
    }

    #[test]
    fn test_validate_signature_invalid() {
        let config = OpenAIWebhookConfig {
            webhook_secret: "test_secret".to_string(),
            path: "/webhooks/openai".to_string(),
        };
        let handler = OpenAIWebhookHandler::new(config);

        let payload = b"hello world";
        let bad_signature = "deadbeef0000000000000000000000000000000000000000000000000000000000";

        assert!(!handler.validate_signature(payload, bad_signature));
    }

    #[test]
    fn test_validate_signature_invalid_hex() {
        let config = OpenAIWebhookConfig {
            webhook_secret: "test_secret".to_string(),
            path: "/webhooks/openai".to_string(),
        };
        let handler = OpenAIWebhookHandler::new(config);

        assert!(!handler.validate_signature(b"payload", "not-valid-hex!@#$"));
    }

    #[test]
    fn test_subscribe_returns_receiver() {
        let config = OpenAIWebhookConfig {
            webhook_secret: "secret".to_string(),
            path: "/webhooks/openai".to_string(),
        };
        let handler = OpenAIWebhookHandler::new(config);

        let _rx1 = handler.subscribe();
        let _rx2 = handler.subscribe();
        // Multiple subscribers should work
    }

    #[tokio::test]
    async fn test_broadcast_event() {
        let config = OpenAIWebhookConfig {
            webhook_secret: "secret".to_string(),
            path: "/webhooks/openai".to_string(),
        };
        let handler = OpenAIWebhookHandler::new(config);

        let mut rx = handler.subscribe();

        let event = WebhookEvent {
            event_type: "response.completed".to_string(),
            response_id: "resp_123".to_string(),
            response: Some(serde_json::json!({"id": "resp_123", "status": "completed"})),
            error: None,
        };

        handler.tx.send(event.clone()).unwrap();

        let received = rx.recv().await.unwrap();
        assert_eq!(received.event_type, "response.completed");
        assert_eq!(received.response_id, "resp_123");
    }
}