-
Notifications
You must be signed in to change notification settings - Fork 413
/
github.go
101 lines (83 loc) · 3.17 KB
/
github.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
/*
Copyright 2019 The Tekton Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package github
import (
"context"
"errors"
"google.golang.org/grpc/codes"
gh "github.com/google/go-github/v31/github"
triggersv1 "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1"
"github.com/tektoncd/triggers/pkg/interceptors"
"go.uber.org/zap"
corev1lister "k8s.io/client-go/listers/core/v1"
)
var _ triggersv1.InterceptorInterface = (*Interceptor)(nil)
// ErrInvalidContentType is returned when the content-type is not a JSON body.
var ErrInvalidContentType = errors.New("form parameter encoding not supported, please change the hook to send JSON payloads")
type Interceptor struct {
SecretLister corev1lister.SecretLister
Logger *zap.SugaredLogger
}
func NewInterceptor(s corev1lister.SecretLister, l *zap.SugaredLogger) *Interceptor {
return &Interceptor{
SecretLister: s,
Logger: l,
}
}
func (w *Interceptor) Process(ctx context.Context, r *triggersv1.InterceptorRequest) *triggersv1.InterceptorResponse {
headers := interceptors.Canonical(r.Header)
if v := headers.Get("Content-Type"); v == "application/x-www-form-urlencoded" {
return interceptors.Fail(codes.InvalidArgument, ErrInvalidContentType.Error())
}
p := triggersv1.GitHubInterceptor{}
if err := interceptors.UnmarshalParams(r.InterceptorParams, &p); err != nil {
return interceptors.Failf(codes.InvalidArgument, "failed to parse interceptor params: %v", err)
}
// Check if the event type is in the allow-list
if p.EventTypes != nil {
actualEvent := headers.Get("X-GitHub-Event")
isAllowed := false
for _, allowedEvent := range p.EventTypes {
if actualEvent == allowedEvent {
isAllowed = true
break
}
}
if !isAllowed {
return interceptors.Failf(codes.FailedPrecondition, "event type %s is not allowed", actualEvent)
}
}
// Next validate secrets
if p.SecretRef != nil {
// Check the secret to see if it is empty
if p.SecretRef.SecretKey == "" {
return interceptors.Fail(codes.FailedPrecondition, "github interceptor secretRef.secretKey is empty")
}
header := headers.Get("X-Hub-Signature")
if header == "" {
return interceptors.Fail(codes.FailedPrecondition, "no X-Hub-Signature header set")
}
ns, _ := triggersv1.ParseTriggerID(r.Context.TriggerID)
secret, err := w.SecretLister.Secrets(ns).Get(p.SecretRef.SecretName)
if err != nil {
return interceptors.Failf(codes.FailedPrecondition, "error getting secret: %v", err)
}
secretToken := secret.Data[p.SecretRef.SecretKey]
if err := gh.ValidateSignature(header, []byte(r.Body), secretToken); err != nil {
return interceptors.Fail(codes.FailedPrecondition, err.Error())
}
}
return &triggersv1.InterceptorResponse{
Continue: true,
}
}