From a40e38300e87f5a09053c68f1f308a12e017939b Mon Sep 17 00:00:00 2001
From: Michael Derynck <michael.derynck@grafana.com>
Date: Fri, 14 Jul 2023 16:52:41 -0600
Subject: [PATCH] Fix authorization header masked (#2541)

# What this PR does
Fix authorization header was being masked in the requests instead of
only in logs

## Which issue(s) this PR fixes

## Checklist

- [ ] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)
---
 CHANGELOG.md                                  |  4 ++++
 engine/apps/webhooks/tasks/trigger_webhook.py | 11 ++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc678497..1614a6ff 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Add `page_size`, `current_page_number`, and `total_pages` attributes to paginated API responses by @joeyorlando ([#2471](https://github.com/grafana/oncall/pull/2471))
 
+### Fixed
+
+- New webhooks incorrectly masking authorization header by @mderynck ([#2541](https://github.com/grafana/oncall/pull/2541))
+
 ## v1.3.11 (2023-07-13)
 
 ### Added
diff --git a/engine/apps/webhooks/tasks/trigger_webhook.py b/engine/apps/webhooks/tasks/trigger_webhook.py
index 75585c3b..86662d25 100644
--- a/engine/apps/webhooks/tasks/trigger_webhook.py
+++ b/engine/apps/webhooks/tasks/trigger_webhook.py
@@ -96,9 +96,10 @@ def _build_payload(webhook, alert_group, user):
 
 
 def mask_authorization_header(headers):
-    if "Authorization" in headers:
-        headers["Authorization"] = WEBHOOK_FIELD_PLACEHOLDER
-    return headers
+    masked_headers = headers.copy()
+    if "Authorization" in masked_headers:
+        masked_headers["Authorization"] = WEBHOOK_FIELD_PLACEHOLDER
+    return masked_headers
 
 
 def make_request(webhook, alert_group, data):
@@ -123,8 +124,8 @@ def make_request(webhook, alert_group, data):
         if triggered:
             status["url"] = webhook.build_url(data)
             request_kwargs = webhook.build_request_kwargs(data, raise_data_errors=True)
-            headers = mask_authorization_header(request_kwargs.get("headers", {}))
-            status["request_headers"] = json.dumps(headers)
+            display_headers = mask_authorization_header(request_kwargs.get("headers", {}))
+            status["request_headers"] = json.dumps(display_headers)
             if "json" in request_kwargs:
                 status["request_data"] = json.dumps(request_kwargs["json"])
             else: