Endpoint for post-receive requests from GitHub/GitLab which replaces githooks
The security for this is fairly basic: there can be many "users", such as a GitHub account or a repo. Each "user" has a key that both identifies them and authorizes them to hit the endpoint. The key is passed in the URL as a GET parameter named "k". Since different hosts (GitHub, GitLab, etc.) use different payload layouts, the GET parameter "t" specifies the type (currently "github", "gitlab", or "bitbucket"). An example URL: https://localhost/githooks/?k=5aef35982fb2d356789d4502f6ede1072793222d&t=github
Also, each user has a list of IP addresses they can access the endpoint from, or you can put in a "*" to let them access it from anywhere. The IP address whitelist, combined with SSL to keep sniffers from seeing the key in the URL, should be good enough security for this type of application. If you have suggestions for better security, let me know.
The user definition is in the config.php file and looks like this:
    # one user in the array of users
    array(
        # the name of the user - this is only used in the logging
        'name' => 'gitlab',
        # the key this user should put in their URL
        'key' => '5aef35982fb2d34e9d9d4502f6ede1072793222d',
        # the ip addresses this user is authorized to connect from
        'ip_addresses' => array('10.9.8.7','22.214.171.124'),
    ),
When a user successfully connects and sends the post-receive data, the PHP calls a bash script called "script_runner.sh" and passes in some variables:
- $REPOSITORY -- the name of the repo the receive was for
- $BRANCH -- the name of the branch the commit was for
- $USER -- the full name of the user that committed
- $MESSAGE -- the commit message
- $COMMITID -- the ID of the commit so you can checkout that specific revision if needed
Within "script_runner.sh" you have access to all these variables, so you can either do something like call another script located in hooks/$REPOSITORY/$BRANCH.sh or do if statements looking for commits to specific repo/branches or whatever you want.
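As an added example (not the project's own script_runner.sh), here is a dispatcher that does the hooks/$REPOSITORY/$BRANCH.sh lookup described above. It assumes the PHP endpoint exports the five variables listed into the environment and that hooks live under a HOOKS_DIR directory (hooks/ next to the script by default); because the repo and branch names come from the remote webhook payload, it validates them before building a path and hands the commit details to the hook as environment variables rather than interpolating them into a command string.

```shell
#!/bin/sh
# Added example of a script_runner.sh dispatcher; not the project's own script.
# Assumes the PHP endpoint exports REPOSITORY, BRANCH, USER, MESSAGE and COMMITID
# in the environment (as the README lists) and that per-repo/branch hooks live
# under $HOOKS_DIR/<repo>/<branch>.sh (hooks/ next to this script by default).
set -eu

HOOKS_DIR="${HOOKS_DIR:-$(dirname "$0")/hooks}"

# Repository and branch names come from the remote webhook payload, so only a
# conservative character set is accepted before a name is used in a path.
# Empty names, "..", hidden names and anything containing "/" are rejected.
valid_name() {
    case "$1" in
        ''|*..*|.*|*/*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Print the hook path for a repo/branch pair. Returns 1 for an invalid name,
# 2 when no executable hook exists, 0 (and the path on stdout) otherwise.
hook_path() {
    repo="$1"; branch="$2"
    valid_name "$repo" && valid_name "$branch" || return 1
    path="$HOOKS_DIR/$repo/$branch.sh"
    [ -f "$path" ] && [ -x "$path" ] || return 2
    printf '%s\n' "$path"
}

# Dispatch to the matching hook. Commit details are handed over as environment
# variables, never interpolated into a command string, so a commit message or
# committer name cannot change which command runs.
run_hook() {
    hook="$(hook_path "${REPOSITORY:-}" "${BRANCH:-}")" || {
        echo "no hook for repo='${REPOSITORY:-}' branch='${BRANCH:-}'" >&2
        return 1
    }
    REPOSITORY="${REPOSITORY:-}" BRANCH="${BRANCH:-}" USER="${USER:-}" \
        MESSAGE="${MESSAGE:-}" COMMITID="${COMMITID:-}" "$hook"
}

# Only dispatch when the endpoint has supplied a repository; otherwise the
# functions above are just defined (handy for sourcing and testing).
if [ -n "${REPOSITORY:-}" ]; then
    run_hook
fi
```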
NOTE: If you use php5-fpm to run it, you will need a few packages for json_decode(), and you need to allow the *.sh files to execute:
    sudo apt-get install php5-json
    chmod +x ./script_runner.sh
    chmod +x ./hooks/<repo name>.sh