feat: introduce organization whitelist

README.md

@@ -21,6 +21,7 @@ At goci.io we use this Webhook Server for our external Provider-Integrations to
 2. Configure Environment
 ```
 export WEBHOOK_SECRET=my-secret
+export ORGANIZATION_WHITELIST=org1,org2
 ```
 3. Run
 ```
@@ -29,18 +30,26 @@ export WEBHOOK_SECRET=my-secret
 
 You can also use our Docker Release:
 ```
-docker run -e WEBHOOK_SECRET=my-secret -it gocidocker/k8s-deployment-webhook:v0.1.0
+docker run \
+    -e WEBHOOK_SECRET=my-secret \
+    -e ORGANIZATION_WHITELIST=org1,org2 \
+    -it gocidocker/k8s-deployment-webhook:v0.1.0
 ```
 
 ### Deploy
 
 Using [goci-service-chart](https://github.com/goci-io/goci-service-chart) with the following **example config**: 
 
 1. Create a Secret containing the `WEBHOOK_SECRET` environment variable
+2. Ensure following config environment variables are set as well: `ORGANIZATION_WHITELIST`
 2. Configure the following `values.yaml`:  
 ```yaml
 port: 8443
 
+configMap:
+  data:
+    ORGANIZATION_WHITELIST: org1,org2
+
 envFrom:
 - secretRef:
     name: <YOUR_SECRET_NAME>

cmd/server/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"os"
 	"log"
+	"strings"
 	"net/http"
 	"path/filepath"
 )
@@ -16,6 +17,7 @@ const (
 func main() {
 	handler := &WebhookHandler{
 		Secret: []byte(os.Getenv("WEBHOOK_SECRET")),
+		OrganizationWhitelist: strings.Split(os.Getenv("ORGANIZATION_WHITELIST"), ","),
 	}
 
 	if len(handler.Secret) == 0 {
@@ -52,7 +54,7 @@ func validateAndParseRequest(w http.ResponseWriter, r *http.Request, handler *We
 		return
 	}
 
-	if !webhook.isEligible() {
+	if !handler.isEligible(webhook) {
 		succeedRequest(w)
 		return
 	}

cmd/server/webhook.go

@@ -23,9 +23,15 @@ type Repository struct {
 type WebhookContext struct {
 	Action string 		  `json:"action"`
 	Repository Repository `json:"repository"`
+	Organization string   `json:"organization"`
 }
 
-func (webhook *WebhookContext) isEligible() bool {
+type WebhookHandler struct {
+	Secret []byte
+	OrganizationWhitelist []string
+}
+
+func (handler *WebhookHandler) isEligible(webhook *WebhookContext) bool {
 	if webhook.Action != "published" {
 		return false
 	}
@@ -34,11 +40,11 @@ func (webhook *WebhookContext) isEligible() bool {
 		return false
 	}
 
-	return true
-}  
+	if findIndex(handler.OrganizationWhitelist, webhook.Organization) < 0 {
+		return false
+	}
 
-type WebhookHandler struct {
-	Secret []byte
+	return true
 }
 
 func (handler *WebhookHandler) validateRequest(w http.ResponseWriter, r *http.Request) ([]byte, error) {
@@ -104,3 +110,12 @@ func signBody(secret, body []byte) []byte {
 	computed.Write(body)
 	return []byte(computed.Sum(nil))
 }
+
+func findIndex(arr []string, search string) int {
+    for i, n := range arr {
+        if search == n {
+            return i
+        }
+    }
+    return -1
+}

cmd/server/webhook_test.go

@@ -88,3 +88,19 @@ func TestWebhookValidateRequestSucceeds(t *testing.T) {
 		t.Error("wrong content received")
 	}
 }
+
+func TestWebhookIsEligibleForNonWhitelistedOrgFails(t *testing.T) {
+	handler := &WebhookHandler{
+		OrganizationWhitelist: []string{"goci-io", "goci-io-dev"},
+	}
+
+	webhook := &WebhookContext{
+		Organization: "another-org",
+	}
+
+	eligible := handler.isEligible(webhook)
+
+	if eligible {
+		t.Error("expected another-org to be ineligible as its not a whitelisted org")
+	}
+}