From bb798a288a263d6f482b5baf0905696a872b018c Mon Sep 17 00:00:00 2001
From: Gabriel Adrian Samfira
Date: Fri, 16 May 2025 23:58:39 +0000
Subject: [PATCH] Properly set webhook secret

Signed-off-by: Gabriel Adrian Samfira
---
 apiserver/controllers/controllers.go | 4 ----
 params/github.go | 11 ++++++++++-
 runner/pool/pool.go | 4 +++-
 runner/runner.go | 8 ++++++--
 util/github/gitea.go | 2 ++
 5 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/apiserver/controllers/controllers.go b/apiserver/controllers/controllers.go
index 32da79b3..2a57f9cf 100644
--- a/apiserver/controllers/controllers.go
+++ b/apiserver/controllers/controllers.go
@@ -103,7 +103,6 @@ func (a *APIController) handleWorkflowJobEvent(ctx context.Context, w http.Respo
 		handleError(ctx, w, gErrors.NewBadRequestError("invalid post body: %s", err))
 		return
 	}
-	slog.Debug("received workflow job event", "body", string(body))
 	signature := r.Header.Get("X-Hub-Signature-256")
 	hookType := r.Header.Get("X-Github-Hook-Installation-Target-Type")
@@ -162,9 +161,6 @@ func (a *APIController) WebhookHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	headers := r.Header.Clone()
-	for k, v := range headers {
-		slog.Debug("header", "key", k, "value", v)
-	}
 	event := runnerParams.Event(headers.Get("X-Github-Event"))
 	switch event {
diff --git a/params/github.go b/params/github.go
index 0f963090..9859f717 100644
--- a/params/github.go
+++ b/params/github.go
@@ -171,7 +171,9 @@ type WorkflowJob struct {
 		DefaultBranch string `json:"default_branch"`
 	} `json:"repository"`
 	Organization struct {
-		Login string `json:"login"`
+		Login string `json:"login"`
+		// Name is a gitea specific field
+		Name string `json:"name"`
 		ID int64 `json:"id"`
 		NodeID string `json:"node_id"`
 		URL string `json:"url"`
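Review bot: The comment on the new `Name` field only names the forge; it should also say what a reader can rely on for non-Gitea payloads, since `GetOrgName` further down in this file falls back to `Login` for them. Suggested wording: `// Name is a Gitea-specific field; it is expected to be empty in GitHub payloads, where Login identifies the organization instead.` The WorkflowJob struct starts and ends outside the hunk.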
@@ -218,6 +220,13 @@ type WorkflowJob struct {
 	} `json:"sender"`
 }
+func (w WorkflowJob) GetOrgName(forgeType EndpointType) string {
+	if forgeType == GiteaEndpointType {
+		return w.Organization.Name
+	}
+	return w.Organization.Login
+}
+
 type RunnerSetting struct {
 	Ephemeral bool `json:"ephemeral,omitempty"`
 	IsElastic bool `json:"isElastic,omitempty"`
diff --git a/runner/pool/pool.go b/runner/pool/pool.go
index 8b02b593..86ce52f0 100644
--- a/runner/pool/pool.go
+++ b/runner/pool/pool.go
@@ -152,6 +152,7 @@ func (r *basePoolManager) getProviderBaseParams(pool params.Pool) common.Provide
 func (r *basePoolManager) HandleWorkflowJob(job params.WorkflowJob) error {
 	if err := r.ValidateOwner(job); err != nil {
+		slog.ErrorContext(r.ctx, "failed to validate owner", "error", err)
 		return errors.Wrap(err, "validating owner")
 	}
@@ -164,6 +165,7 @@ func (r *basePoolManager) HandleWorkflowJob(job params.WorkflowJob) error {
 	jobParams, err := r.paramsWorkflowJobToParamsJob(job)
 	if err != nil {
+		slog.ErrorContext(r.ctx, "failed to convert job to params", "error", err)
 		return errors.Wrap(err, "converting job to params")
 	}
@@ -1962,7 +1964,7 @@ func (r *basePoolManager) ValidateOwner(job params.WorkflowJob) error {
 			return runnerErrors.NewBadRequestError("job not meant for this pool manager")
 		}
 	case params.ForgeEntityTypeOrganization:
-		if !strings.EqualFold(job.Organization.Login, r.entity.Owner) {
+		if !strings.EqualFold(job.GetOrgName(r.entity.Credentials.ForgeType), r.entity.Owner) {
 			return runnerErrors.NewBadRequestError("job not meant for this pool manager")
 		}
 	case params.ForgeEntityTypeEnterprise:
diff --git a/runner/runner.go b/runner/runner.go
index e02ee698..186799f6 100644
--- a/runner/runner.go
+++ b/runner/runner.go
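Review bot: The exported `GetOrgName` has no doc comment, and its contract matters because the owner check in runner/pool/pool.go (`ValidateOwner`) compares the job against its return value. Suggested comment: `// GetOrgName returns the organization identifier a job is matched on: Organization.Name for Gitea endpoints, Organization.Login for every other forge.` It is worth stating there that an empty `Name` on a Gitea payload is returned as-is rather than falling back to `Login`, so the owner comparison fails closed (assuming the entity owner is never empty); a silent fallback would let a payload that carries only `login` pass the check.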
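Review bot: The new `slog.ErrorContext(r.ctx, "failed to validate owner", "error", err)` logs an error that is then returned wrapped, and the caller in runner/runner.go (`DispatchWorkflowJob`, hunk @@ -689) logs it again as "failed to handle workflow job" before returning it wrapped once more; the same log-and-return pattern appears in the @@ -164 hunk of this file and in the runner.go @@ -679 and @@ -689 hunks. One rejected delivery therefore produces several error entries for a single cause, which is noisiest for exactly the events an operator filters on (deliveries failing owner or signature validation). Handle the error at one layer: keep the wrapped returns and log once at the top of the call chain, or, if these are meant as diagnostic aids, downgrade them to `slog.DebugContext`. HandleWorkflowJob continues outside the hunk.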
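Review bot: `ValidateOwner` now selects the organization field via `r.entity.Credentials.ForgeType`, while the other new call site in runner/runner.go (@@ -668) selects it via the `forgeType` argument of `DispatchWorkflowJob`; if those two values can ever disagree for the same entity, the lookup and the owner check would read different fields and every job for that entity would be rejected with "job not meant for this pool manager". If they are guaranteed equal, a short comment here saying so saves the next reader the cross-check, e.g. `// Credentials.ForgeType must match the forge type the dispatcher resolved this hook with.` ValidateOwner starts and ends outside the hunk.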
@@ -668,8 +668,8 @@ func (r *Runner) DispatchWorkflowJob(hookTargetType, signature string, forgeType
 	case OrganizationHook:
 		slog.DebugContext(
 			r.ctx, "got hook for organization",
-			"organization", util.SanitizeLogEntry(job.Organization.Login))
-		poolManager, err = r.findOrgPoolManager(job.Organization.Login, endpoint.Name)
+			"organization", util.SanitizeLogEntry(job.GetOrgName(forgeType)))
+		poolManager, err = r.findOrgPoolManager(job.GetOrgName(forgeType), endpoint.Name)
 	case EnterpriseHook:
 		slog.DebugContext(
 			r.ctx, "got hook for enterprise",
@@ -679,7 +679,9 @@ func (r *Runner) DispatchWorkflowJob(hookTargetType, signature string, forgeType
 		return runnerErrors.NewBadRequestError("cannot handle hook target type %s", hookTargetType)
 	}
+	slog.DebugContext(r.ctx, "found pool manager", "pool_manager", poolManager.ID())
 	if err != nil {
+		slog.ErrorContext(r.ctx, "failed to find pool manager", "error", err, "hook_target_type", hookTargetType)
 		// We don't have a repository or organization configured that
 		// can handle this workflow job.
 		return errors.Wrap(err, "fetching poolManager")
@@ -689,10 +691,12 @@ func (r *Runner) DispatchWorkflowJob(hookTargetType, signature string, forgeType
 	// we make sure that the source of this workflow job is valid.
 	secret := poolManager.WebhookSecret()
 	if err := r.validateHookBody(signature, secret, jobData); err != nil {
+		slog.ErrorContext(r.ctx, "failed to validate webhook data", "error", err)
 		return errors.Wrap(err, "validating webhook data")
 	}
 	if err := poolManager.HandleWorkflowJob(job); err != nil {
+		slog.ErrorContext(r.ctx, "failed to handle workflow job", "error", err)
 		return errors.Wrap(err, "handling workflow job")
 	}
diff --git a/util/github/gitea.go b/util/github/gitea.go
index 4c83846c..0359836e 100644
--- a/util/github/gitea.go
+++ b/util/github/gitea.go
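Review bot: The added `slog.DebugContext(r.ctx, "found pool manager", "pool_manager", poolManager.ID())` in the @@ -679 hunk runs before the `if err != nil` check, so when the lookup failed it calls `ID()` on whatever the lookup returned; if that is a nil interface, as is usual for a `(T, error)` return (the lookup helpers are outside the hunk), the handler panics instead of returning the bad-request error. The lookup is driven only by the repository or organization named in the webhook body, and `validateHookBody` runs later in this function (@@ -689), so the panic is reachable with a delivery that has not yet been signature-checked. Move the debug line below the error block, after `return errors.Wrap(err, "fetching poolManager")`. DispatchWorkflowJob starts and ends outside the hunk.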
@@ -32,6 +32,7 @@ func (g *githubClient) createGiteaRepoHook(ctx context.Context, owner, name stri
 			"content_type": hook.GetConfig().GetContentType(),
 			"url": hook.GetConfig().GetURL(),
 			"http_method": "post",
+			"secret": hook.GetConfig().GetSecret(),
 		},
 	}
@@ -59,6 +60,7 @@ func (g *githubClient) createGiteaOrgHook(ctx context.Context, owner string, hoo
 			"content_type": hook.GetConfig().GetContentType(),
 			"url": hook.GetConfig().GetURL(),
 			"http_method": "post",
+			"secret": hook.GetConfig().GetSecret(),
 		},
 	}
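Review bot: The `"secret"` entry is added to two identical hook-config map literals, here and in `createGiteaOrgHook` (@@ -59), which is presumably how the secret came to be missing from both; a small unexported helper that builds the config map from `hook.GetConfig()` and is called by both creators would keep the repo and org paths from drifting again. Separately, when `hook.GetConfig().GetSecret()` is empty the hook is still created, and deliveries from it would then presumably fail signature validation in `DispatchWorkflowJob` (runner/runner.go) on every event; returning an error from both creators when the secret is empty, e.g. `if hook.GetConfig().GetSecret() == "" { return nil, errors.New("webhook secret is empty") }` adapted to each function's return values, surfaces the misconfiguration at hook-creation time instead. The enclosing functions start and end outside the hunk.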