Properly set webhook secret
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
parent
6a168ba813
commit
bb798a288a
5 changed files with 21 additions and 8 deletions
|
|
@ -103,7 +103,6 @@ func (a *APIController) handleWorkflowJobEvent(ctx context.Context, w http.Respo
|
|||
handleError(ctx, w, gErrors.NewBadRequestError("invalid post body: %s", err))
|
||||
return
|
||||
}
|
||||
slog.Debug("received workflow job event", "body", string(body))
|
||||
|
||||
signature := r.Header.Get("X-Hub-Signature-256")
|
||||
hookType := r.Header.Get("X-Github-Hook-Installation-Target-Type")
|
||||
|
|
@ -162,9 +161,6 @@ func (a *APIController) WebhookHandler(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
headers := r.Header.Clone()
|
||||
for k, v := range headers {
|
||||
slog.Debug("header", "key", k, "value", v)
|
||||
}
|
||||
|
||||
event := runnerParams.Event(headers.Get("X-Github-Event"))
|
||||
switch event {
|
||||
|
|
|
|||
|
|
@ -171,7 +171,9 @@ type WorkflowJob struct {
|
|||
DefaultBranch string `json:"default_branch"`
|
||||
} `json:"repository"`
|
||||
Organization struct {
|
||||
Login string `json:"login"`
|
||||
Login string `json:"login"`
|
||||
// Name is a gitea specific field
|
||||
Name string `json:"name"`
|
||||
ID int64 `json:"id"`
|
||||
NodeID string `json:"node_id"`
|
||||
URL string `json:"url"`
|
||||
|
|
@ -218,6 +220,13 @@ type WorkflowJob struct {
|
|||
} `json:"sender"`
|
||||
}
|
||||
|
||||
func (w WorkflowJob) GetOrgName(forgeType EndpointType) string {
|
||||
if forgeType == GiteaEndpointType {
|
||||
return w.Organization.Name
|
||||
}
|
||||
return w.Organization.Login
|
||||
}
|
||||
|
||||
type RunnerSetting struct {
|
||||
Ephemeral bool `json:"ephemeral,omitempty"`
|
||||
IsElastic bool `json:"isElastic,omitempty"`
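Review bot: The exported method `GetOrgName` in the second hunk has no doc comment, and nothing states what it returns when a Gitea payload leaves `name` empty. I would add `// GetOrgName returns Organization.Name for Gitea payloads and Organization.Login for every other forge type.` above it. Elsewhere on this page the result selects the pool manager before `validateHookBody` runs, so the comment should also say that the value comes from the request body and is not yet verified at that point. If an empty `Name` is possible for Gitea, falling back to `Login` or returning an explicit error would be safer than an empty lookup key; the payload contract is not visible here, so treat that as a question.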
|
||||
|
|
|
|||
|
|
@ -152,6 +152,7 @@ func (r *basePoolManager) getProviderBaseParams(pool params.Pool) common.Provide
|
|||
|
||||
func (r *basePoolManager) HandleWorkflowJob(job params.WorkflowJob) error {
|
||||
if err := r.ValidateOwner(job); err != nil {
|
||||
slog.ErrorContext(r.ctx, "failed to validate owner", "error", err)
|
||||
return errors.Wrap(err, "validating owner")
|
||||
}
|
||||
|
||||
|
|
@ -164,6 +165,7 @@ func (r *basePoolManager) HandleWorkflowJob(job params.WorkflowJob) error {
|
|||
|
||||
jobParams, err := r.paramsWorkflowJobToParamsJob(job)
|
||||
if err != nil {
|
||||
slog.ErrorContext(r.ctx, "failed to convert job to params", "error", err)
|
||||
return errors.Wrap(err, "converting job to params")
|
||||
}
|
||||
|
||||
|
|
@ -1962,7 +1964,7 @@ func (r *basePoolManager) ValidateOwner(job params.WorkflowJob) error {
|
|||
return runnerErrors.NewBadRequestError("job not meant for this pool manager")
|
||||
}
|
||||
case params.ForgeEntityTypeOrganization:
|
||||
if !strings.EqualFold(job.Organization.Login, r.entity.Owner) {
|
||||
if !strings.EqualFold(job.GetOrgName(r.entity.Credentials.ForgeType), r.entity.Owner) {
|
||||
return runnerErrors.NewBadRequestError("job not meant for this pool manager")
|
||||
}
|
||||
case params.ForgeEntityTypeEnterprise:
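Review bot: The `slog.ErrorContext` calls that appear to be added in HandleWorkflowJob (`failed to validate owner`, `failed to convert job to params`) log an error that is then wrapped and returned, and DispatchWorkflowJob in this same commit logs the returned error again as `failed to handle workflow job`. Each failure therefore produces two error records for one event; handle it at one layer, for example by dropping the two calls here and relying on the `errors.Wrap` context. In the ValidateOwner hunk the forge type is read from `r.entity.Credentials.ForgeType`, while the dispatcher uses its `forgeType` argument. If those two can ever differ, the dispatcher and the pool manager would compare different organization fields, so a short comment stating that they are always the same value would help. All three functions continue outside the hunks.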
|
||||
|
|
|
|||
|
|
@ -668,8 +668,8 @@ func (r *Runner) DispatchWorkflowJob(hookTargetType, signature string, forgeType
|
|||
case OrganizationHook:
|
||||
slog.DebugContext(
|
||||
r.ctx, "got hook for organization",
|
||||
"organization", util.SanitizeLogEntry(job.Organization.Login))
|
||||
poolManager, err = r.findOrgPoolManager(job.Organization.Login, endpoint.Name)
|
||||
"organization", util.SanitizeLogEntry(job.GetOrgName(forgeType)))
|
||||
poolManager, err = r.findOrgPoolManager(job.GetOrgName(forgeType), endpoint.Name)
|
||||
case EnterpriseHook:
|
||||
slog.DebugContext(
|
||||
r.ctx, "got hook for enterprise",
|
||||
|
|
@ -679,7 +679,9 @@ func (r *Runner) DispatchWorkflowJob(hookTargetType, signature string, forgeType
|
|||
return runnerErrors.NewBadRequestError("cannot handle hook target type %s", hookTargetType)
|
||||
}
|
||||
|
||||
slog.DebugContext(r.ctx, "found pool manager", "pool_manager", poolManager.ID())
|
||||
if err != nil {
|
||||
slog.ErrorContext(r.ctx, "failed to find pool manager", "error", err, "hook_target_type", hookTargetType)
|
||||
// We don't have a repository or organization configured that
|
||||
// can handle this workflow job.
|
||||
return errors.Wrap(err, "fetching poolManager")
|
||||
|
|
@ -689,10 +691,12 @@ func (r *Runner) DispatchWorkflowJob(hookTargetType, signature string, forgeType
|
|||
// we make sure that the source of this workflow job is valid.
|
||||
secret := poolManager.WebhookSecret()
|
||||
if err := r.validateHookBody(signature, secret, jobData); err != nil {
|
||||
slog.ErrorContext(r.ctx, "failed to validate webhook data", "error", err)
|
||||
return errors.Wrap(err, "validating webhook data")
|
||||
}
|
||||
|
||||
if err := poolManager.HandleWorkflowJob(job); err != nil {
|
||||
slog.ErrorContext(r.ctx, "failed to handle workflow job", "error", err)
|
||||
return errors.Wrap(err, "handling workflow job")
|
||||
}
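Review bot: In the hunk at -679,7 +679,9, `slog.DebugContext(r.ctx, "found pool manager", "pool_manager", poolManager.ID())` runs before the `if err != nil` check, so a failed lookup still reaches `poolManager.ID()` with whatever the find call returned alongside the error. If that is a nil manager, which is the usual Go convention but is not visible here, the call panics. This path runs before `validateHookBody`, so it is reachable by any request that names a repository or organization with no configured pool manager. Move the debug line below the error check so it only runs once a manager has actually been found. DispatchWorkflowJob starts and ends outside these hunks.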
|
||||
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ func (g *githubClient) createGiteaRepoHook(ctx context.Context, owner, name stri
|
|||
"content_type": hook.GetConfig().GetContentType(),
|
||||
"url": hook.GetConfig().GetURL(),
|
||||
"http_method": "post",
|
||||
"secret": hook.GetConfig().GetSecret(),
|
||||
},
|
||||
}
|
||||
|
||||
|
|
@ -59,6 +60,7 @@ func (g *githubClient) createGiteaOrgHook(ctx context.Context, owner string, hoo
|
|||
"content_type": hook.GetConfig().GetContentType(),
|
||||
"url": hook.GetConfig().GetURL(),
|
||||
"http_method": "post",
|
||||
"secret": hook.GetConfig().GetSecret(),
|
||||
},
|
||||
}
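Review bot: Both config maps now pass `hook.GetConfig().GetSecret()` through unchecked, so a hook whose config carries no secret would still be created, with `"secret": ""`. Whether the receiving side rejects deliveries when the stored secret is empty is not visible on this page. A guard such as `if hook.GetConfig().GetSecret() == ""` that returns an error before the request is built would make the create path fail closed. The same applies to createGiteaOrgHook in the second hunk. Both functions start and end outside the hunks, so the exact return statement depends on their signatures.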
|
||||
|
||||
|
|
|
|||