2021-03-12 16:46:47 +01:00
|
|
|
# Webhookey
|
2021-05-31 02:16:22 +02:00
|
|
|
Webhookey is a web server listening for requests as for example sent by
|
|
|
|
gitea's webhooks. Further, Webhookey allows you to specify rules
|
2021-03-21 15:51:58 +01:00
|
|
|
which are matched against the data received to trigger certain
|
|
|
|
actions.
|
2021-03-12 16:46:47 +01:00
|
|
|
|
|
|
|
## Build
|
|
|
|
|
|
|
|
### Install Rust
|
2021-04-03 01:10:50 +02:00
|
|
|
Install the Rust toolchain from [rustup.rs](https://rustup.rs).
|
2021-03-12 16:46:47 +01:00
|
|
|
|
|
|
|
Further, for Rocket we need to have the nightly toolchain installed:
|
|
|
|
``` sh
|
|
|
|
rustup toolchain install nightly
|
|
|
|
```
|
|
|
|
|
|
|
|
### Build Webhookey
|
2021-05-31 02:16:22 +02:00
|
|
|
The Webhookey project can be built for development:
|
2021-03-12 16:46:47 +01:00
|
|
|
``` sh
|
|
|
|
cargo b
|
|
|
|
```
|
|
|
|
|
|
|
|
or for releasing:
|
|
|
|
``` sh
|
|
|
|
cargo b --release
|
|
|
|
```
|
|
|
|
|
|
|
|
### Install Webhookey
|
|
|
|
When a Rust toolchain installed you can also install Webhookey
|
2021-05-31 02:16:22 +02:00
|
|
|
directly without cloning it manually:
|
2021-03-12 16:46:47 +01:00
|
|
|
``` sh
|
|
|
|
cargo install --git https://git.onders.org/finga/webhookey.git webhookey
|
|
|
|
```
|
|
|
|
|
|
|
|
or from within the project:
|
|
|
|
``` sh
|
|
|
|
cargo install webhookey
|
|
|
|
```
|
|
|
|
|
|
|
|
### Run Webhookey
|
|
|
|
Webhookey can either be run from the project directory with:
|
|
|
|
``` sh
|
|
|
|
cargo b
|
|
|
|
```
|
|
|
|
|
|
|
|
or you can copy the produced binary somewhere else from
|
2021-05-29 00:50:48 +02:00
|
|
|
`webhookey/target/{debug,release}/webhookey` depending on which one
|
2021-03-12 16:46:47 +01:00
|
|
|
you built.
|
|
|
|
|
|
|
|
## Configuration
|
2021-04-02 00:25:39 +02:00
|
|
|
Configuration syntax is YAML and it's paths as well as it's
|
|
|
|
configuration format is described in the following sections.
|
2021-03-12 16:46:47 +01:00
|
|
|
|
2021-05-31 02:16:22 +02:00
|
|
|
### Configuration Paths
|
2021-04-02 00:25:39 +02:00
|
|
|
Following locations are checked for a configuration file:
|
|
|
|
- `/etc/webhookey/config.yml`
|
|
|
|
- `<config_dir>/webhookey/config.yml`
|
|
|
|
- `./config.yml`
|
|
|
|
|
|
|
|
Whereas `<config_dir>` depends on the platform:
|
|
|
|
- Linux: `$XDG_CONFIG_HOME` or `$HOME/.config`
|
|
|
|
- macOS: `$HOME/Library/Application Support`
|
|
|
|
- Windows: `{FOLDERID_RoamingAppData}`
|
|
|
|
|
|
|
|
### Configuration parameters
|
|
|
|
|
|
|
|
#### Hooks
|
|
|
|
With `hooks` you can configure a sequence of hooks. A single hook
|
|
|
|
consists of the following fields:
|
2021-03-30 01:16:15 +02:00
|
|
|
- command: A command to be executed if a filter matches
|
2021-04-02 00:25:39 +02:00
|
|
|
- allow/deny: An optional parameter to either allow or deny specific
|
|
|
|
source addresses or ranges.
|
2021-03-29 04:21:31 +02:00
|
|
|
- signature: Name of the HTTP header field containing the signature.
|
2021-03-21 15:51:58 +01:00
|
|
|
- secrets: List of secrets.
|
2021-05-31 02:16:22 +02:00
|
|
|
- filter: Tree of filters.
|
2021-03-21 15:51:58 +01:00
|
|
|
|
2021-04-02 00:25:39 +02:00
|
|
|
Example:
|
|
|
|
```yaml
|
|
|
|
hooks:
|
|
|
|
hook1:
|
|
|
|
command: /usr/bin/local/script_xy.sh {{ /repository/name }}
|
|
|
|
signature: X-Gitea-Signature
|
|
|
|
ip_filter:
|
|
|
|
allow:
|
|
|
|
- 127.0.0.1
|
|
|
|
- 127.0.0.1/31
|
|
|
|
secrets:
|
|
|
|
- secret_key_01
|
|
|
|
- secret_key_02
|
2021-05-31 02:16:22 +02:00
|
|
|
filter:
|
|
|
|
or:
|
|
|
|
- json:
|
|
|
|
pointer: /ref
|
|
|
|
regex: refs/heads/master
|
|
|
|
- and:
|
|
|
|
- json:
|
|
|
|
pointer: /ref
|
|
|
|
regex: refs/heads/a_branch
|
|
|
|
- json:
|
|
|
|
pointer: /after
|
|
|
|
regex: f6e5fe4fe37df76629112d55cc210718b6a55e7e
|
2021-04-02 00:25:39 +02:00
|
|
|
```
|
|
|
|
|
|
|
|
##### Command
|
2021-03-30 01:16:15 +02:00
|
|
|
To pass data to a command following two different methods can be used.
|
|
|
|
|
2021-04-02 00:25:39 +02:00
|
|
|
Example: `script_foo {{ header X-Gitea-Event }} {{ /field/foo }}`
|
|
|
|
|
|
|
|
###### JSON Pointers
|
2021-03-30 01:16:15 +02:00
|
|
|
Use JSON pointers ([RFC 6901](https://tools.ietf.org/html/rfc6901))
|
|
|
|
point to values of a JSON field from the JSON data.
|
|
|
|
|
|
|
|
Example: `{{ /field/pointed/to }}`.
|
|
|
|
|
2021-04-02 00:25:39 +02:00
|
|
|
###### Header
|
2021-03-30 01:16:15 +02:00
|
|
|
Use values from header fields sent with the HTTP request.
|
|
|
|
|
|
|
|
Example: `{{ header X-Gitea-Event }}`.
|
|
|
|
|
2021-04-02 00:25:39 +02:00
|
|
|
##### Allow and Deny
|
|
|
|
To allow or deny specific network ranges source is an optional
|
|
|
|
configuration parameter which either contains an allow or a deny field
|
|
|
|
with sequences containing networks. Note that IPv6 addresses have to
|
|
|
|
be put in single quotes due to the colons.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
```yaml
|
|
|
|
allow:
|
|
|
|
- 127.0.0.1
|
|
|
|
- 127.0.0.1/31
|
|
|
|
- "::1"
|
|
|
|
```
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
deny:
|
|
|
|
- 127.0.0.1
|
|
|
|
- 127.0.0.1/31
|
|
|
|
- "::1"
|
|
|
|
```
|
|
|
|
|
|
|
|
##### Signature
|
|
|
|
Set the name of the HTTP header field containing the HMAC signature.
|
|
|
|
|
|
|
|
##### Secrets
|
|
|
|
Configure a list of secrets to validate the hook.
|
|
|
|
|
|
|
|
##### Filter
|
2021-05-31 02:16:22 +02:00
|
|
|
Filter can be either a concrete filter or a conjunction
|
|
|
|
filter. Concrete filters return either true or false on specific
|
|
|
|
constraints. Conjunction filters contain lists of filters which are
|
|
|
|
evaluated and combined based on the type. The result is either used
|
|
|
|
for parent conjunction filters or, if at the root, used to decide if a
|
|
|
|
hook should be executed.
|
|
|
|
|
|
|
|
###### Conjunction Filters
|
|
|
|
Conjunction filters contain lists of other filters.
|
|
|
|
- `and`: Logical conjunction.
|
|
|
|
- `or`: Logical disjunction.
|
|
|
|
|
|
|
|
###### Concrete Filters
|
|
|
|
- `json`:
|
|
|
|
|
|
|
|
The `json` filter matches a regular expression on a field from the
|
|
|
|
received JSON data.
|
|
|
|
|
|
|
|
- pointer: Pointer to the JSON field according to [RFC
|
|
|
|
6901](https://tools.ietf.org/html/rfc6901).
|
|
|
|
- regex: Regular expression which has to match the field pointed to
|
|
|
|
by the pointer.
|