Merge branch 'feature/backport-safewebhooks' into 'master'

Backported minimal safewebhook implementation to GitLab CE This brings a minimal implementation for gitlab-org/gitlab-ce#13478 backported from EE (gitlab-org/gitlab-ee!334). Also added UI to configure Secret Token Fixes #15365. See merge request !3940

Merge branch 'feature/backport-safewebhooks' into 'master'
Backported minimal safewebhook implementation to GitLab CE This brings a minimal implementation for gitlab-org/gitlab-ce#13478 backported from EE (gitlab-org/gitlab-ee!334). Also added UI to configure Secret Token Fixes #15365. See merge request !3940
ec2710d0 · Robert Speicher · 15a2c558 · 00ced598 · ec2710d0 · ec2710d0
Commit ec2710d0 authored May 02, 2016 by Robert Speicher
12 changed files
--- a/app/controllers/admin/hooks_controller.rb
+++ b/app/controllers/admin/hooks_controller.rb
@@ -39,6 +39,12 @@ class Admin::HooksController < Admin::ApplicationController
  end
  def hook_params
-    params.require(:hook).permit(:url, :enable_ssl_verification, :push_events, :tag_push_events)
+    params.require(:hook).permit(
+      :enable_ssl_verification,
+      :push_events,
+      :tag_push_events,
+      :token,
+      :url
+    )
  end
 end
--- a/app/controllers/projects/hooks_controller.rb
+++ b/app/controllers/projects/hooks_controller.rb
@@ -52,8 +52,16 @@ class Projects::HooksController < Projects::ApplicationController
  end
  def hook_params
-    params.require(:hook).permit(:url, :push_events, :issues_events,
+    params.require(:hook).permit(
-      :merge_requests_events, :tag_push_events, :note_events,
+      :build_events,
-      :build_events, :enable_ssl_verification)
+      :enable_ssl_verification,
+      :issues_events,
+      :merge_requests_events,
+      :note_events,
+      :push_events,
+      :tag_push_events,
+      :token,
+      :url
+    )
  end
 end
--- a/app/models/hooks/project_hook.rb
+++ b/app/models/hooks/project_hook.rb
@@ -16,6 +16,7 @@
 #  note_events             :boolean          default(FALSE), not null
 #  enable_ssl_verification :boolean          default(TRUE)
 #  build_events            :boolean          default(FALSE), not null
+#  token                   :string
 #
 class ProjectHook < WebHook

--- a/app/models/hooks/service_hook.rb
+++ b/app/models/hooks/service_hook.rb
@@ -16,6 +16,7 @@
 #  note_events             :boolean          default(FALSE), not null
 #  enable_ssl_verification :boolean          default(TRUE)
 #  build_events            :boolean          default(FALSE), not null
+#  token                   :string
 #
 class ServiceHook < WebHook

--- a/app/models/hooks/system_hook.rb
+++ b/app/models/hooks/system_hook.rb
@@ -16,6 +16,7 @@
 #  note_events             :boolean          default(FALSE), not null
 #  enable_ssl_verification :boolean          default(TRUE)
 #  build_events            :boolean          default(FALSE), not null
+#  token                   :string
 #
 class SystemHook < WebHook

--- a/app/models/hooks/web_hook.rb
+++ b/app/models/hooks/web_hook.rb
@@ -16,6 +16,7 @@
 #  note_events             :boolean          default(FALSE), not null
 #  enable_ssl_verification :boolean          default(TRUE)
 #  build_events            :boolean          default(FALSE), not null
+#  token                   :string
 #
 class WebHook < ActiveRecord::Base
@@ -43,23 +44,17 @@ class WebHook < ActiveRecord::Base
    if parsed_url.userinfo.blank?
      response = WebHook.post(url,
                              body: data.to_json,
-                              headers: {
+                              headers: build_headers(hook_name),
-                                  "Content-Type" => "application/json",
-                                  "X-Gitlab-Event" => hook_name.singularize.titleize
-                              },
                              verify: enable_ssl_verification)
    else
-      post_url = url.gsub("#{parsed_url.userinfo}@", "")
+      post_url = url.gsub("#{parsed_url.userinfo}@", '')
      auth = {
        username: CGI.unescape(parsed_url.user),
        password: CGI.unescape(parsed_url.password),
      }
      response = WebHook.post(post_url,
                              body: data.to_json,
-                              headers: {
+                              headers: build_headers(hook_name),
-                                  "Content-Type" => "application/json",
-                                  "X-Gitlab-Event" => hook_name.singularize.titleize
-                              },
                              verify: enable_ssl_verification,
                              basic_auth: auth)
    end
@@ -73,4 +68,15 @@ class WebHook < ActiveRecord::Base
  def async_execute(data, hook_name)
    Sidekiq::Client.enqueue(ProjectWebHookWorker, id, data, hook_name)
  end
+  private
+  def build_headers(hook_name)
+    headers = {
+      'Content-Type' => 'application/json',
+      'X-Gitlab-Event' => hook_name.singularize.titleize
+    }
+    headers['X-Gitlab-Token'] = token if token.present?
+    headers
+  end
 end
--- a/app/views/admin/hooks/index.html.haml
+++ b/app/views/admin/hooks/index.html.haml
@@ -13,9 +13,15 @@
  = form_errors(@hook)
  .form-group
-    = f.label :url, "URL:", class: 'control-label'
+    = f.label :url, 'URL', class: 'control-label'
    .col-sm-10
-      = f.text_field :url, class: "form-control"
+      = f.text_field :url, class: 'form-control'
+  .form-group
+    = f.label :token, 'Secret Token', class: 'control-label'
+    .col-sm-10
+      = f.text_field :token, class: 'form-control'
+      %p.help-block
+        Use this token to validate received payloads
  .form-group
    = f.label :url, "Trigger", class: 'control-label'
    .col-sm-10.prepend-top-10

--- a/app/views/projects/hooks/index.html.haml
+++ b/app/views/projects/hooks/index.html.haml
@@ -15,6 +15,11 @@
      .form-group
        = f.label :url, "URL", class: "label-light"
        = f.text_field :url, class: "form-control", placeholder: "http://example.com/trigger-ci.json"
+      .form-group
+        = f.label :token, "Secret Token", class: 'label-light'
+        = f.text_field :token, class: "form-control", placeholder: ''
+        %p.help-block
+          Use this token to validate received payloads
      .form-group
        = f.label :url, "Trigger", class: "label-light"
        %div

--- a/db/migrate/20160413115152_add_token_to_web_hooks.rb
+++ b/db/migrate/20160413115152_add_token_to_web_hooks.rb
+class AddTokenToWebHooks < ActiveRecord::Migration
+  def change
+    add_column :web_hooks, :token, :string
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -1025,6 +1025,7 @@ ActiveRecord::Schema.define(version: 20160421130527) do
    t.boolean  "enable_ssl_verification",              default: true
    t.boolean  "build_events",                         default: false,         null: false
    t.boolean  "wiki_page_events",                     default: false,         null: false
+    t.string   "token"
  end
  add_index "web_hooks", ["created_at", "id"], name: "index_web_hooks_on_created_at_and_id", using: :btree

--- a/spec/factories/project_hooks.rb
+++ b/spec/factories/project_hooks.rb
 FactoryGirl.define do
  factory :project_hook do
    url { FFaker::Internet.uri('http') }
+    trait :token do
+      token { SecureRandom.hex(10) }
+    end
  end
 end
--- a/spec/models/hooks/web_hook_spec.rb
+++ b/spec/models/hooks/web_hook_spec.rb
@@ -43,51 +43,65 @@ describe WebHook, models: true do
  end
  describe "execute" do
+    let(:project) { create(:project) }
+    let(:project_hook) { create(:project_hook) }
    before(:each) do
-      @project_hook = create(:project_hook)
+      project.hooks << [project_hook]
-      @project = create(:project)
-      @project.hooks << [@project_hook]
      @data = { before: 'oldrev', after: 'newrev', ref: 'ref' }
-      WebMock.stub_request(:post, @project_hook.url)
+      WebMock.stub_request(:post, project_hook.url)
+    end
+    context 'when token is defined' do
+      let(:project_hook) { create(:project_hook, :token) }
+      it 'POSTs to the webhook URL' do
+        project_hook.execute(@data, 'push_hooks')
+        expect(WebMock).to have_requested(:post, project_hook.url).with(
+          headers: { 'Content-Type' => 'application/json',
+                     'X-Gitlab-Event' => 'Push Hook',
+                     'X-Gitlab-Token' => project_hook.token }
+        ).once
+      end
    end
    it "POSTs to the webhook URL" do
-      @project_hook.execute(@data, 'push_hooks')
+      project_hook.execute(@data, 'push_hooks')
-      expect(WebMock).to have_requested(:post, @project_hook.url).with(
+      expect(WebMock).to have_requested(:post, project_hook.url).with(
-        headers: { 'Content-Type'=>'application/json', 'X-Gitlab-Event'=>'Push Hook' }
+        headers: { 'Content-Type' => 'application/json', 'X-Gitlab-Event' => 'Push Hook' }
      ).once
    end
    it "POSTs the data as JSON" do
-      @project_hook.execute(@data, 'push_hooks')
+      project_hook.execute(@data, 'push_hooks')
-      expect(WebMock).to have_requested(:post, @project_hook.url).with(
+      expect(WebMock).to have_requested(:post, project_hook.url).with(
-        headers: { 'Content-Type'=>'application/json', 'X-Gitlab-Event'=>'Push Hook' }
+        headers: { 'Content-Type' => 'application/json', 'X-Gitlab-Event' => 'Push Hook' }
      ).once
    end
    it "catches exceptions" do
      expect(WebHook).to receive(:post).and_raise("Some HTTP Post error")
-      expect { @project_hook.execute(@data, 'push_hooks') }.to raise_error(RuntimeError)
+      expect { project_hook.execute(@data, 'push_hooks') }.to raise_error(RuntimeError)
    end
    it "handles SSL exceptions" do
      expect(WebHook).to receive(:post).and_raise(OpenSSL::SSL::SSLError.new('SSL error'))
-      expect(@project_hook.execute(@data, 'push_hooks')).to eq([false, 'SSL error'])
+      expect(project_hook.execute(@data, 'push_hooks')).to eq([false, 'SSL error'])
    end
    it "handles 200 status code" do
-      WebMock.stub_request(:post, @project_hook.url).to_return(status: 200, body: "Success")
+      WebMock.stub_request(:post, project_hook.url).to_return(status: 200, body: "Success")
-      expect(@project_hook.execute(@data, 'push_hooks')).to eq([true, 'Success'])
+      expect(project_hook.execute(@data, 'push_hooks')).to eq([true, 'Success'])
    end
    it "handles 2xx status codes" do
-      WebMock.stub_request(:post, @project_hook.url).to_return(status: 201, body: "Success")
+      WebMock.stub_request(:post, project_hook.url).to_return(status: 201, body: "Success")
-      expect(@project_hook.execute(@data, 'push_hooks')).to eq([true, 'Success'])
+      expect(project_hook.execute(@data, 'push_hooks')).to eq([true, 'Success'])
    end
  end
 end