feat(flags): support Statsig webhook provider and secrets format

[aliu39]

Closes https://github.com/getsentry/team-replay/issues/537

Ref

• https://docs.statsig.com/integrations/event_webhook/#webhook-signature (Statsig has a unique signing scheme explained here)
• https://docs.statsig.com/integrations/event_webhook/#config-change-webhooks

Test coverage is based on these docs and an actual statsig webhook setup, using ngrok + devserver. I also used this setup to verify the signing scheme and secret format/lengths.

Decisions:
Only statsig::config_change events are relevant for change tracking. This is subclassed by flag type in metadata.type. The choices are "Gate" (boolean release flags), "Experiment" (JSON) and more.
-> I decided to only track gate changes for now, since we don't record non-bool flag evaluations.

FlagWebhookSigningSecretValidator: Statsig secrets have format "webhook-". There's no documentation on min/max length but I've seen 48, 50, 51 so it's variable. I've chosen to enforce a min/max of 32-64. Validation for other providers is unchanged (exactly 32 characters)

TODO:

• get an example of an archive event and handle it as a delete action -> both archive and unarchive use the archived action, which is annoying since we can't categorize as create/delete. Deciding to drop these events.

[codecov]

Codecov Report

Attention: Patch coverage is 98.98477% with 2 lines in your changes missing coverage. Please review.

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/sentry/flags/providers.py	97.29%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #85132      +/-   ##
==========================================
+ Coverage   87.97%   87.98%   +0.01%     
==========================================
  Files        9620     9619       -1     
  Lines      543130   543933     +803     
  Branches    21021    21021              
==========================================
+ Hits       477800   478575     +775     
- Misses      65025    65053      +28     
  Partials      305      305              

[michellewzhang]

I've chosen to enforce a min/max of 32-64.

this will need to be updated in the frontend because the input box for provider secrets is limited to 32 char to pass backend validation (since prev secrets were all 32 char). i think it might be best to standardize all of them to 32 char for simplicity, but not tied to this

[aliu39]

i think it might be best to standardize all of them to 32 char for simplicity, but not tied to this

This won't be possible for Statsig since all the secrets I've gotten from creating a webhook are >32 chars.
I can try special casing the input box so >32 is allowed for Statsig only. For FE and BE, all other providers' secrets should still be enforced to 32

[michellewzhang]

i think it might be best to standardize all of them to 32 char for simplicity, but not tied to this

This won't be possible for Statsig since all the secrets I've gotten from creating a webhook are >32 chars. I can try special casing the input box so >32 is allowed for Statsig only. For FE and BE, all other providers' secrets should still be enforced to 32

ohh ok i see - yeah try casing on the input box (applies to both the sidebar input box & also the settings input box, maybe somewhere else too but i forget the exact places) and see if that works

two spots i can find:

sentry/static/app/views/settings/featureFlags/newProviderForm.tsx

Lines 144 to 153 in 3bc8ccf

	<TextField
	name="secret"
	label={t('Secret')}
	maxLength={32}
	minLength={32}
	required
	help={t(
	'Paste the signing secret given by your provider when creating the webhook.'
	)}
	/>

sentry/static/app/components/events/featureFlags/onboardingIntegrationSection.tsx

Lines 178 to 180 in 3bc8ccf

	<StyledAlert showIcon type="warning" icon={<IconWarning />}>
	{t('Make sure the secret is 32 characters long.')}
	</StyledAlert>

[aliu39]

Oo great thanks for the refs!

[cmanallen]

Looks good. Did you test with ngrok?

[aliu39]

@cmanallen yeah I tested with ngrok and based the coverage here on some sample events