b6e81357bd
_This is a different approach to #20267, I took the liberty of adapting some parts, see below_ ## Context In some cases, a weebhook endpoint requires some kind of authentication. The usual way is by sending a static `Authorization` header, with a given token. For instance: - Matrix expects a `Bearer <token>` (already implemented, by storing the header cleartext in the metadata - which is buggy on retry #19872) - TeamCity #18667 - Gitea instances #20267 - SourceHut https://man.sr.ht/graphql.md#authentication-strategies (this is my actual personal need :) ## Proposed solution Add a dedicated encrypt column to the webhook table (instead of storing it as meta as proposed in #20267), so that it gets available for all present and future hook types (especially the custom ones #19307). This would also solve the buggy matrix retry #19872. As a first step, I would recommend focusing on the backend logic and improve the frontend at a later stage. For now the UI is a simple `Authorization` field (which could be later customized with `Bearer` and `Basic` switches): ![2022-08-23-142911](https://user-images.githubusercontent.com/3864879/186162483-5b721504-eef5-4932-812e-eb96a68494cc.png) The header name is hard-coded, since I couldn't fine any usecase justifying otherwise. ## Questions - What do you think of this approach? @justusbunsi @Gusted @silverwind - ~~How are the migrations generated? Do I have to manually create a new file, or is there a command for that?~~ - ~~I started adding it to the API: should I complete it or should I drop it? (I don't know how much the API is actually used)~~ ## Done as well: - add a migration for the existing matrix webhooks and remove the `Authorization` logic there _Closes #19872_ Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: delvh <dev.lh@web.de>
81 lines
2.3 KiB
Go
81 lines
2.3 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// Use of this source code is governed by a MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package webhook
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"testing"
|
|
"time"
|
|
|
|
"code.gitea.io/gitea/models/db"
|
|
"code.gitea.io/gitea/models/unittest"
|
|
webhook_model "code.gitea.io/gitea/models/webhook"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestWebhookProxy(t *testing.T) {
|
|
setting.Webhook.ProxyURL = "http://localhost:8080"
|
|
setting.Webhook.ProxyURLFixed, _ = url.Parse(setting.Webhook.ProxyURL)
|
|
setting.Webhook.ProxyHosts = []string{"*.discordapp.com", "discordapp.com"}
|
|
|
|
kases := map[string]string{
|
|
"https://discordapp.com/api/webhooks/xxxxxxxxx/xxxxxxxxxxxxxxxxxxx": "http://localhost:8080",
|
|
"http://s.discordapp.com/assets/xxxxxx": "http://localhost:8080",
|
|
"http://github.com/a/b": "",
|
|
}
|
|
|
|
for reqURL, proxyURL := range kases {
|
|
req, err := http.NewRequest("POST", reqURL, nil)
|
|
assert.NoError(t, err)
|
|
|
|
u, err := webhookProxy()(req)
|
|
assert.NoError(t, err)
|
|
if proxyURL == "" {
|
|
assert.Nil(t, u)
|
|
} else {
|
|
assert.EqualValues(t, proxyURL, u.String())
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestWebhookDeliverAuthorizationHeader(t *testing.T) {
|
|
assert.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
done := make(chan struct{}, 1)
|
|
s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
assert.Equal(t, "/webhook", r.URL.Path)
|
|
assert.Equal(t, "Bearer s3cr3t-t0ken", r.Header.Get("Authorization"))
|
|
w.WriteHeader(200)
|
|
done <- struct{}{}
|
|
}))
|
|
t.Cleanup(s.Close)
|
|
|
|
hook := &webhook_model.Webhook{
|
|
RepoID: 3,
|
|
URL: s.URL + "/webhook",
|
|
ContentType: webhook_model.ContentTypeJSON,
|
|
IsActive: true,
|
|
Type: webhook_model.GITEA,
|
|
}
|
|
err := hook.SetHeaderAuthorization("Bearer s3cr3t-t0ken")
|
|
assert.NoError(t, err)
|
|
assert.NoError(t, webhook_model.CreateWebhook(db.DefaultContext, hook))
|
|
|
|
hookTask := &webhook_model.HookTask{HookID: hook.ID, EventType: webhook_model.HookEventPush}
|
|
|
|
assert.NoError(t, Deliver(context.Background(), hookTask))
|
|
select {
|
|
case <-done:
|
|
case <-time.After(5 * time.Second):
|
|
t.Fatal("waited to long for request to happen")
|
|
}
|
|
|
|
assert.True(t, hookTask.IsSucceed)
|
|
}
|