-
Notifications
You must be signed in to change notification settings - Fork 43
/
Copy pathwebhook.go
96 lines (81 loc) · 2.79 KB
/
webhook.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
// Copyright 2024 Stacklok, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package manager
import (
"errors"
"fmt"
"net/http"
"strings"
"github.com/google/uuid"
"github.com/rs/zerolog"
"github.com/stacklok/minder/internal/providers/gitlab/webhooksecret"
)
// GetWebhookHandler implements the ProviderManager interface
// Note that this is where the whole webhook handler is defined and
// will live.
func (m *providerClassManager) GetWebhookHandler() http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
l := zerolog.Ctx(m.parentContext).With().
Str("webhook", "gitlab").
Str("method", r.Method).
Str("path", r.URL.Path).
Str("remote", r.RemoteAddr).
Str("user-agent", r.UserAgent()).
Str("content-type", r.Header.Get("Content-Type")).
Logger()
// Validate the webhook secret
if err := m.validateRequest(r); err != nil {
l.Error().Err(err).Msg("invalid webhook request")
http.Error(w, "invalid webhook request", http.StatusUnauthorized)
return
}
l.Debug().Msg("received webhook")
})
}
func (m *providerClassManager) validateRequest(r *http.Request) error {
// Validate the webhook secret
gltok := r.Header.Get("X-Gitlab-Token")
if gltok == "" {
return errors.New("missing X-Gitlab-Token header")
}
if err := m.validateToken(gltok, r); err != nil {
return fmt.Errorf("invalid X-Gitlab-Token header: %w", err)
}
return nil
}
// validateToken validates the incoming GitLab webhook token
// Validation takes the secret from the GitLab webhook configuration
// appens the last element of the path to the URL (which is unique per entity)
func (m *providerClassManager) validateToken(token string, req *http.Request) error {
// Extract the unique ID from the URL path
path := req.URL.Path
uniq := path[strings.LastIndex(path, "/")+1:]
// uniq must be a valid UUID
_, err := uuid.Parse(uniq)
if err != nil {
return errors.New("invalid unique ID")
}
// Generate the expected secret
if valid := webhooksecret.Verify(m.currentWebhookSecret, uniq, token); valid {
// If the secret is valid, we can return
return nil
}
// Check the previous secrets
for _, prev := range m.previousWebhookSecrets {
if valid := webhooksecret.Verify(prev, uniq, token); valid {
return nil
}
}
return errors.New("invalid webhook token")
}