/
gitlab.go
99 lines (82 loc) · 2.97 KB
/
gitlab.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
/*
Copyright 2019 The Tekton Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package gitlab
import (
"context"
"crypto/subtle"
triggersv1 "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1"
"github.com/tektoncd/triggers/pkg/interceptors"
"google.golang.org/grpc/codes"
)
var _ triggersv1.InterceptorInterface = (*InterceptorImpl)(nil)
type InterceptorImpl struct {
SecretGetter interceptors.SecretGetter
}
func NewInterceptor(sg interceptors.SecretGetter) *InterceptorImpl {
return &InterceptorImpl{
SecretGetter: sg,
}
}
// InterceptorParams provides a webhook to intercept and pre-process events
type InterceptorParams struct {
SecretRef *triggersv1.SecretRef `json:"secretRef,omitempty"`
// +listType=atomic
EventTypes []string `json:"eventTypes,omitempty"`
}
func (w *InterceptorImpl) Process(ctx context.Context, r *triggersv1.InterceptorRequest) *triggersv1.InterceptorResponse {
p := InterceptorParams{}
if err := interceptors.UnmarshalParams(r.InterceptorParams, &p); err != nil {
return interceptors.Failf(codes.InvalidArgument, "failed to parse interceptor params: %v", err)
}
headers := interceptors.Canonical(r.Header)
// Check if the event type is in the allow-list
if p.EventTypes != nil {
actualEvent := headers.Get("X-GitLab-Event")
isAllowed := false
for _, allowedEvent := range p.EventTypes {
if actualEvent == allowedEvent {
isAllowed = true
break
}
}
if !isAllowed {
return interceptors.Failf(codes.FailedPrecondition, "event type %s is not allowed", actualEvent)
}
}
// Next validate secrets
if p.SecretRef != nil {
// Check the secret to see if it is empty
if p.SecretRef.SecretKey == "" {
return interceptors.Fail(codes.FailedPrecondition, "gitlab interceptor secretRef.secretKey is empty")
}
header := headers.Get("X-GitLab-Token")
if header == "" {
return interceptors.Fail(codes.InvalidArgument, "no X-GitLab-Token header set")
}
if r.Context == nil {
return interceptors.Failf(codes.InvalidArgument, "no request context passed")
}
ns, _ := triggersv1.ParseTriggerID(r.Context.TriggerID)
secretToken, err := w.SecretGetter.Get(ctx, ns, p.SecretRef)
if err != nil {
return interceptors.Failf(codes.FailedPrecondition, "error getting secret: %v", err)
}
// Make sure to use a constant time comparison here.
if subtle.ConstantTimeCompare([]byte(header), secretToken) == 0 {
return interceptors.Fail(codes.InvalidArgument, "Invalid X-GitLab-Token")
}
}
return &triggersv1.InterceptorResponse{
Continue: true,
}
}