switch from url to secret to detect hook

2019-02-14 03:18:55 +01:00 · 2019-02-14 03:18:55 +01:00 · 67edb83e15
parent cad2441716
commit 67edb83e15
5 changed files with 32 additions and 12 deletions
--- a/circleci/main.go
+++ b/circleci/main.go
@ -52,7 +52,7 @@ func init() {

 			ok := false
 			for _, hook := range hooks {
-				if request.Payload.VCSURL != hook.URL {
+				if request.Payload.VCSURL != hook.Secret {
 					continue
 				}
 				logger.Infof("run hook")
--- a/config_example.conf
+++ b/config_example.conf
@ -9,5 +9,5 @@ startup_notify_user = ["geno@fireorbit.de"]
 startup_notify_muc = []

 [[hooks.git]]
+secret = "github-FreifunkBremen-yanic-notShared-Secret"
 notify_user = ["geno@fireorbit.de"]
-url = "https://github.com/FreifunkBremen/yanic"
--- a/git/main.go
+++ b/git/main.go
@ -13,7 +13,11 @@ import (
 	"dev.sum7.eu/genofire/hook2xmpp/runtime"
 )

-var eventHeader = []string{"X-GitHub-Event", "X-Gogs-Event", "X-Gitlab-Event"}
+var eventHeader = map[string]string{
+	"X-GitHub-Event": "X-Hub-Signature",
+	"X-Gogs-Event": "X-Gogs-Delivery",
+	"X-Gitlab-Event": "X-Gitlab-Token",
+}

 const hookType = "git"

@ -24,21 +28,29 @@ func init() {
 			logger := log.WithField("type", hookType)

 			event := ""
-			for _, head := range eventHeader {
+			secret := ""
+			for head, headSecret := range eventHeader {
 				event = r.Header.Get(head)

 				if event != "" {
+					secret = r.Header.Get(headSecret)
 					break
 				}
 			}

-			if event == "" || event == "status" {
-				return
-			}
-
 			var body map[string]interface{}
 			libHTTP.Read(r, &body)

+			if s, ok := body["secret"]; ok && secret == "" {
+				secret = s.(string)
+			}
+
+			if event == "" || secret == "" {
+				logger.Warnf("no secret or event found")
+				http.Error(w, fmt.Sprintf("no secret or event found"), http.StatusNotFound)
+				return
+			}
+
 			var request requestBody
 			if err := mapstructure.Decode(body, &request); err != nil {
 				logger.Errorf("no readable payload: %s", err)
@ -52,7 +64,7 @@ func init() {

 			ok := false
 			for _, hook := range hooks {
-				if request.Repository.URL != hook.URL {
+				if secret != hook.Secret {
 					continue
 				}
 				logger.Infof("run hook")
--- a/grafana/main.go
+++ b/grafana/main.go
@ -46,6 +46,14 @@ func init() {
 		return func(w http.ResponseWriter, r *http.Request) {
 			logger := log.WithField("type", hookType)

+			_, secret, ok := r.BasicAuth()
+
+			if ok {
+				logger.Errorf("no secret found")
+				http.Error(w, fmt.Sprintf("no secret found (basic-auth password)"), http.StatusNotFound)
+				return
+			}
+
 			var body interface{}
 			libHTTP.Read(r, &body)

@ -68,9 +76,9 @@ func init() {
 				return
 			}

-			ok := false
+			ok = false
 			for _, hook := range hooks {
-				if ruleURL.Hostname() != hook.URL {
+				if secret != hook.Secret {
 					continue
 				}

--- a/runtime/config.go
+++ b/runtime/config.go
@ -28,7 +28,7 @@ type Config struct {
 }

 type Hook struct {
-	URL        string   `toml:"url"`
+	Secret        string   `toml:"secret"`
 	NotifyUser []string `toml:"notify_user"`
 	NotifyMuc  []string `toml:"notify_muc"`
 }