validate ACR via Authorization header instead of query param

Signed-off-by: ruturaj220 <ruturajvaskar220@gmail.com>

Author: ruturaj220

cmd/webhook.go

@@ -44,6 +44,7 @@ Supported registries:
 - Quay
 - Harbor
 - Aliyun ACR
+- Azure Container Registry (ACR)
 - AWS ECR (via EventBridge CloudEvents)
 `,
 		RunE: func(cmd *cobra.Command, args []string) error {

docs/configuration/webhook.md

@@ -129,14 +129,26 @@ https://app1.example.com/webhook?type=aliyun-acr&registry_url=my-instance-regist
 
 ### Azure Container Registry (ACR) Specifics
 
-Azure Container Registry has **no built-in HMAC signing** for webhooks. The webhook
-creation form in the Azure portal only exposes a Service URI and free-form custom
-headers, neither of which can be used for signing. ACR therefore uses the
-[parameter secret](#parameter-secrets) pattern: include the secret as a query
-parameter in the Service URI you configure in Azure.
+Azure Container Registry has **no built-in HMAC signing** for webhooks, but it lets
+you attach arbitrary [custom HTTP headers](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-webhook-reference#http-headers)
+to its notifications. ACR therefore uses the same mechanism as the registries with
+[preexisting secret support](#registries-with-preexisting-support-for-secrets):
+configure an `Authorization` header on the webhook, and the handler validates it
+against the configured secret (constant-time comparison).
+
+Set the header when creating or updating the webhook with the Azure CLI
+([reference](https://learn.microsoft.com/en-us/cli/azure/acr/webhook?view=azure-cli-latest#az-acr-webhook-update-examples)):
+
+```bash
+az acr webhook update -n <webhook> -r <registry> --headers "Authorization=<YOUR_SECRET>"
+```
+
+The value you set for the `Authorization` header must match the secret configured in
+`argocd-image-updater-secret` (`webhook.acr-secret`) / the `--acr-webhook-secret`
+flag. The webhook URL itself only needs the registry type:
 
 ```text
-https://app1.example.com/webhook?type=acr&secret=<YOUR_SECRET>
+https://app1.example.com/webhook?type=acr
 ```
 
 The registry hostname, repository, tag and digest are taken directly from the
@@ -274,6 +286,7 @@ Supported Registries That Use This:
 
 - GitHub Container Registry
 - Harbor
+- Azure Container Registry (ACR)
 
 ### Parameter Secrets
 
@@ -296,7 +309,6 @@ Supported Registries That Use This:
 - Docker Hub
 - Quay
 - Aliyun ACR
-- Azure Container Registry (ACR)
 - AWS ECR (via CloudEvents/EventBridge)
 
 Also be aware that if the container registry has a built-in secrets method you will

docs/install/cmd/webhook.md

@@ -15,10 +15,19 @@ Supported Registries:
 - Quay
 - Harbor
 - Aliyun ACR (Alibaba Cloud Container Registry)
+- Azure Container Registry (ACR)
 - AWS EventBridge (CloudEvents)
 
 ### Flags
 
+**--acr-webhook-secret *secret***
+
+Secret for validating Azure ACR webhooks. ACR has no built-in signing, so the
+secret is sent as the `Authorization` header value, which you configure on the
+webhook with `az acr webhook update --headers "Authorization=<secret>"`.
+
+Can also be set with the `ACR_WEBHOOK_SECRET` environment variable.
+
 **--aliyun-acr-webhook-secret *secret***
 
 Secret for validating Aliyun ACR webhooks.

pkg/webhook/acr.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strings"
 
 	"github.com/argoproj-labs/argocd-image-updater/pkg/argocd"
 )
@@ -33,17 +34,28 @@ func (a *ACRWebhook) Validate(r *http.Request) error {
 		return fmt.Errorf("invalid HTTP method: %s", r.Method)
 	}
 
-	// Azure ACR has no built-in HMAC signing. If a secret is configured, validate
-	// it from the query parameter (parameter secret pattern).
-	// !! This query param method is NOT secure, use at own risk
+	// ACR sends a Content-Type of application/json unless a custom Content-Type
+	// header is configured for the webhook.
+	// See: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-webhook-reference#http-headers
+	contentType := r.Header.Get("Content-Type")
+	if !strings.Contains(contentType, "application/json") {
+		return fmt.Errorf("invalid content type: %s", contentType)
+	}
+
+	// ACR has no built-in HMAC signing, but it lets you attach arbitrary custom
+	// headers to webhook notifications via the Azure CLI, e.g.:
+	//   az acr webhook update -n <webhook> -r <registry> --headers "Authorization=Basic <token>"
+	// We therefore validate the configured secret against the Authorization
+	// header value. The secret configured in argocd-image-updater must match the full Authorization header value.
+	// See: https://learn.microsoft.com/en-us/cli/azure/acr/webhook?view=azure-cli-latest#az-acr-webhook-update-examples
 	if a.secret != "" {
-		secret := r.URL.Query().Get("secret")
-		if secret == "" {
-			return fmt.Errorf("missing webhook secret")
+		authHeader := r.Header.Get("Authorization")
+		if authHeader == "" {
+			return fmt.Errorf("missing Authorization header when secret is configured")
 		}
 
-		if subtle.ConstantTimeCompare([]byte(secret), []byte(a.secret)) != 1 {
-			return fmt.Errorf("invalid webhook secret")
+		if subtle.ConstantTimeCompare([]byte(authHeader), []byte(a.secret)) != 1 {
+			return fmt.Errorf("incorrect webhook secret")
 		}
 	}
 

pkg/webhook/acr_test.go

@@ -31,38 +31,51 @@ func TestACRWebhook_Validate(t *testing.T) {
 	tests := []struct {
 		name        string
 		method      string
-		secret      string
+		contentType string
+		authHeader  string
 		noSecret    bool
 		expectError bool
 	}{
 		{
 			name:        "valid POST request with correct secret",
 			method:      "POST",
-			secret:      "test-secret",
+			contentType: "application/json",
+			authHeader:  "test-secret",
 			expectError: false,
 		},
 		{
 			name:        "valid POST request without secret",
 			method:      "POST",
+			contentType: "application/json",
 			noSecret:    true,
 			expectError: false,
 		},
 		{
 			name:        "invalid HTTP method",
 			method:      "GET",
-			secret:      "test-secret",
+			contentType: "application/json",
+			authHeader:  "test-secret",
 			expectError: true,
 		},
 		{
-			name:        "missing secret when secret is configured",
+			name:        "invalid content type",
 			method:      "POST",
-			secret:      "",
+			contentType: "text/plain",
+			authHeader:  "test-secret",
 			expectError: true,
 		},
 		{
-			name:        "invalid secret",
+			name:        "missing Authorization header when secret is configured",
 			method:      "POST",
-			secret:      "not-the-secret",
+			contentType: "application/json",
+			authHeader:  "",
+			expectError: true,
+		},
+		{
+			name:        "incorrect secret",
+			method:      "POST",
+			contentType: "application/json",
+			authHeader:  "not-the-secret",
 			expectError: true,
 		},
 	}
@@ -75,10 +88,11 @@ func TestACRWebhook_Validate(t *testing.T) {
 			}
 
 			req := httptest.NewRequest(tt.method, "/webhook", nil)
-			if tt.secret != "" {
-				query := req.URL.Query()
-				query.Set("secret", tt.secret)
-				req.URL.RawQuery = query.Encode()
+			if tt.contentType != "" {
+				req.Header.Set("Content-Type", tt.contentType)
+			}
+			if tt.authHeader != "" {
+				req.Header.Set("Authorization", tt.authHeader)
 			}
 
 			err := testWebhook.Validate(req)