From 36f05e6f4e711db0da888584c66ec3f3a3d20749 Mon Sep 17 00:00:00 2001
From: oliverpool
Date: Mon, 8 Apr 2024 17:51:39 +0200
Subject: [PATCH] webhook: sourcehut_builds: ask for access_token instead of authorization_header
---
 models/webhook/webhook.go | 9 +++++++++
 options/locale/locale_en-US.ini | 2 ++
 services/webhook/sourcehut/builds.go | 9 ++-------
 templates/webhook/new/sourcehut_builds.tmpl | 6 ++++++
 templates/webhook/shared-settings.tmpl | 19 +++++++++++--------
 tests/integration/repo_webhook_test.go | 16 +++++++---------
 6 files changed, 37 insertions(+), 24 deletions(-)
diff --git a/models/webhook/webhook.go b/models/webhook/webhook.go
index 4ab806573b..f3370f3db5 100644
--- a/models/webhook/webhook.go
+++ b/models/webhook/webhook.go
@@ -361,6 +361,15 @@ func (w Webhook) HeaderAuthorization() (string, error) {
 return secret.DecryptSecret(setting.SecretKey, w.HeaderAuthorizationEncrypted)
 }
+// HeaderAuthorizationTrimPrefix returns the decrypted Authorization with a specified prefix trimmed.
+func (w Webhook) HeaderAuthorizationTrimPrefix(prefix string) (string, error) {
+ s, err := w.HeaderAuthorization()
+ if err != nil {
+ return "", err
+ }
+ return strings.TrimPrefix(s, prefix), nil
+}
+
 // SetHeaderAuthorization encrypts and sets the Authorization header.
 func (w *Webhook) SetHeaderAuthorization(cleartext string) error {
 if cleartext == "" {
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index b46fd9eb3b..c1bca91e5a 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -561,6 +561,7 @@ TeamName = Team name
 AuthName = Authorization name
 AdminEmail = Admin email
 To = Branch name
+AccessToken = Access token
 NewBranchName = New branch name
 CommitSummary = Commit summary
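Review bot: The doc comment on `HeaderAuthorizationTrimPrefix` in models/webhook/webhook.go should state that the return value is the decrypted credential and that a stored header not starting with `prefix` comes back whole, because `strings.TrimPrefix` is a no-op in that case. I would add `// The result is cleartext secret material and is returned unchanged when the stored header does not start with prefix.` under the existing comment line. No caller is visible on this page; if the value is rendered back into the edit form, a header saved under another scheme would presumably be shown as the token and re-prefixed with `Bearer ` on save by `Validate` in services/webhook/sourcehut/builds.go.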
@@ -2401,6 +2402,7 @@ settings.sourcehut_builds.manifest_path = Build manifest path
 settings.sourcehut_builds.visibility = Job visibility
 settings.sourcehut_builds.secrets = Secrets
 settings.sourcehut_builds.secrets_helper = Give the job access to the build secrets (requires the SECRETS:RO grant)
+settings.sourcehut_builds.access_token_helper = Access token that has JOBS:RW grant. Generate a builds.sr.ht token or a builds.sr.ht token with secrets access on meta.sr.ht.
 settings.deploy_keys = Deploy keys
 settings.add_deploy_key = Add deploy key
 settings.deploy_key_desc = Deploy keys have read-only pull access to the repository.
diff --git a/services/webhook/sourcehut/builds.go b/services/webhook/sourcehut/builds.go
index 1561b9e6e6..e7501110a2 100644
--- a/services/webhook/sourcehut/builds.go
+++ b/services/webhook/sourcehut/builds.go
@@ -49,6 +49,7 @@ type buildsForm struct {
 ManifestPath string `binding:"Required"`
 Visibility string `binding:"Required;In(PUBLIC,UNLISTED,PRIVATE)"`
 Secrets bool
+ AccessToken string `binding:"Required"`
 }
 var _ binding.Validator = &buildsForm{}
@@ -63,13 +64,7 @@ func (f *buildsForm) Validate(req *http.Request, errs binding.Errors) binding.Er
 Message: ctx.Locale.TrString("repo.settings.add_webhook.invalid_path"),
 })
 }
- if !strings.HasPrefix(f.AuthorizationHeader, "Bearer ") {
- errs = append(errs, binding.Error{
- FieldNames: []string{"AuthorizationHeader"},
- Classification: "",
- Message: ctx.Locale.TrString("form.required_prefix", "Bearer "),
- })
- }
+ f.AuthorizationHeader = "Bearer " + strings.TrimSpace(f.AccessToken)
 return errs
 }
diff --git a/templates/webhook/new/sourcehut_builds.tmpl b/templates/webhook/new/sourcehut_builds.tmpl
index e18b828f8d..3bcbe1bf6e 100644
--- a/templates/webhook/new/sourcehut_builds.tmpl
+++ b/templates/webhook/new/sourcehut_builds.tmpl
@@ -29,5 +29,11 @@ {{ctx.Locale.Tr "repo.settings.sourcehut_builds.secrets_helper"}} + +
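Review bot: In the second builds.go hunk, `Validate` builds the header with `"Bearer " + strings.TrimSpace(f.AccessToken)` but never re-checks the trimmed value, so a whitespace-only token can satisfy the `Required` binding on the new struct field (assuming the binder does not trim input, which is not visible here) and is then stored as the credential `Bearer ` with an empty token. The mistake would surface only when a delivery is rejected by the build service, not as a form error on `AccessToken`. Rejecting an empty trimmed token inside `Validate` restores the kind of guard the removed `HasPrefix` branch provided; `binding.ERR_REQUIRED` is assumed to be the classification the form layer already maps to its "required" message. The updated cases in tests/integration/repo_webhook_test.go only cover `"access_token": ""`, so a `" "` case would pin this. `Validate` begins above the hunk.

```go
	// … unchanged: earlier checks in Validate, including the manifest path error …
	token := strings.TrimSpace(f.AccessToken)
	if token == "" {
		// The Required binding may have been satisfied by whitespace alone,
		// so the trimmed value is checked again before it becomes a credential.
		errs = append(errs, binding.Error{
			FieldNames:     []string{"AccessToken"},
			Classification: binding.ERR_REQUIRED,
		})
	}
	f.AuthorizationHeader = "Bearer " + token
	return errs
```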
+ + + {{ctx.Locale.Tr "repo.settings.sourcehut_builds.access_token_helper" "https://meta.sr.ht/oauth2/personal-token?grants=builds.sr.ht/JOBS:RW" "https://meta.sr.ht/oauth2/personal-token?grants=builds.sr.ht/JOBS:RW+builds.sr.ht/SECRETS:RO"}} +
{{template "webhook/shared-settings" .}}
diff --git a/templates/webhook/shared-settings.tmpl b/templates/webhook/shared-settings.tmpl
index 0a39643260..f2724f25e2 100644
--- a/templates/webhook/shared-settings.tmpl
+++ b/templates/webhook/shared-settings.tmpl
@@ -258,14 +258,17 @@ {{ctx.Locale.Tr "repo.settings.branch_filter_desc"}} - -
- - - {{if ne .HookType "matrix"}}{{/* Matrix doesn't make the authorization optional but it is implied by the help string, should be changed.*/}} - {{ctx.Locale.Tr "repo.settings.authorization_header_desc" ("Bearer token123456, Basic YWxhZGRpbjpvcGVuc2VzYW1l" | SafeHTML)}} - {{end}} -
+{{$skipAuthorizationHeader := (eq .HookType "sourcehut_builds")}} +{{if not $skipAuthorizationHeader}} + +
+ + + {{if ne .HookType "matrix"}}{{/* Matrix doesn't make the authorization optional but it is implied by the help string, should be changed.*/}} + {{ctx.Locale.Tr "repo.settings.authorization_header_desc" ("Bearer token123456, Basic YWxhZGRpbjpvcGVuc2VzYW1l" | SafeHTML)}} + {{end}} +
+{{end}}
diff --git a/tests/integration/repo_webhook_test.go b/tests/integration/repo_webhook_test.go
index 9a278e706d..fa717a4496 100644
--- a/tests/integration/repo_webhook_test.go
+++ b/tests/integration/repo_webhook_test.go
@@ -267,14 +267,12 @@ func TestWebhookForms(t *testing.T) {
 }))
 t.Run("sourcehut_builds/required", testWebhookForms("sourcehut_builds", session, map[string]string{
- "payload_url": "https://sourcehut_builds.example.com",
- "manifest_path": ".build.yml",
- "visibility": "PRIVATE",
- "authorization_header": "Bearer 123456",
+ "payload_url": "https://sourcehut_builds.example.com",
+ "manifest_path": ".build.yml",
+ "visibility": "PRIVATE",
+ "access_token": "123456",
 }, map[string]string{
- "authorization_header": "",
- }, map[string]string{
- "authorization_header": "token ",
+ "access_token": "",
 }, map[string]string{
 "manifest_path": "",
 }, map[string]string{
@@ -289,9 +287,9 @@ func TestWebhookForms(t *testing.T) {
 "manifest_path": ".build.yml",
 "visibility": "PRIVATE",
 "secrets": "on",
+ "access_token": "123456",
- "branch_filter": "srht/*",
- "authorization_header": "Bearer 123456",
+ "branch_filter": "srht/*",
 }))
 }