finga/webhookey
1
0
Fork 0
Code Issues 5 Pull requests Projects Releases Wiki Activity
webhookey/src/main.rs

573 lines
17 KiB
Rust
Raw Normal View History

Parse JSON from post request Accept a post request and try to parse it expecting the data is formated in JSON.
2021-02-02 11:05:50 +01:00
#![feature(proc_macro_hygiene, decl_macro)]
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
use anyhow::{anyhow, bail, Result};
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
use hmac::{Hmac, Mac, NewMac};
Add optional `ip_filter` to hook config In order to allow or deny sources of requests the possibility to configure a list of allowed or denied IP addresses was added as described by the readme. Closes #3
2021-04-02 00:25:39 +02:00
use ipnet::IpNet;
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
use log::{debug, error, info, trace, warn};
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
use nom::{
branch::alt,
bytes::complete::{tag, take_until},
combinator::map_res,
multi::many0,
sequence::delimited,
Finish, IResult,
};
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
use regex::Regex;
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
use rocket::{
data::{self, FromDataSimple},
fairing::AdHoc,
get,
http::{HeaderMap, Status},
post, routes, Data,
Outcome::{Failure, Success},
Request, Response, State,
};
Parse JSON from post request Accept a post request and try to parse it expecting the data is formated in JSON.
2021-02-02 11:05:50 +01:00
use serde::{Deserialize, Serialize};
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
use sha2::Sha256;
Split `from_data()` up in smaller pieces To still be able to handle errors correctly, also regarding the http status code, `thiserror::Error` is used.
2021-04-03 01:10:50 +02:00
use thiserror::Error;
Parse JSON from post request Accept a post request and try to parse it expecting the data is formated in JSON.
2021-02-02 11:05:50 +01:00
Print `stdout` and `stderr` as string As the `stdout` as well as the `stderr` were printed as `Vec<u8>` we now convert it to a string.
2021-03-22 11:12:45 +01:00
use std::{
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
collections::HashMap,
fs::File,
io::{BufReader, Read},
Add optional `ip_filter` to hook config In order to allow or deny sources of requests the possibility to configure a list of allowed or denied IP addresses was added as described by the readme. Closes #3
2021-04-02 00:25:39 +02:00
net::{IpAddr, Ipv4Addr, SocketAddr},
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
process::Command,
Print `stdout` and `stderr` as string As the `stdout` as well as the `stderr` were printed as `Vec<u8>` we now convert it to a string.
2021-03-22 11:12:45 +01:00
str::from_utf8,
};
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
#[derive(Debug, Deserialize, Serialize)]
Add optional `ip_filter` to hook config In order to allow or deny sources of requests the possibility to configure a list of allowed or denied IP addresses was added as described by the readme. Closes #3
2021-04-02 00:25:39 +02:00
#[serde(deny_unknown_fields, untagged)]
enum AddrType {
IpAddr(IpAddr),
IpNet(IpNet),
}
#[derive(Debug, Deserialize, Serialize)]
#[serde(deny_unknown_fields, rename_all = "lowercase")]
enum IpFilter {
Allow(Vec<AddrType>),
Deny(Vec<AddrType>),
}
#[derive(Debug, Deserialize, Serialize)]
#[serde(deny_unknown_fields)]
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
struct Config {
hooks: HashMap<String, Hook>,
}
Parse JSON from post request Accept a post request and try to parse it expecting the data is formated in JSON.
2021-02-02 11:05:50 +01:00
#[derive(Debug, Deserialize, Serialize)]
Add optional `ip_filter` to hook config In order to allow or deny sources of requests the possibility to configure a list of allowed or denied IP addresses was added as described by the readme. Closes #3
2021-04-02 00:25:39 +02:00
#[serde(deny_unknown_fields)]
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
struct Hook {
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
command: String,
Restructuring of `from_data()` and configuration For better readability, correctness and maintainability the body (which is still rather large, though) was restructured. Regarding the signature, to be able to configure different fields in the HTTP header the configuration parameter signature was added.
2021-03-29 04:21:31 +02:00
signature: String,
Add optional `ip_filter` to hook config In order to allow or deny sources of requests the possibility to configure a list of allowed or denied IP addresses was added as described by the readme. Closes #3
2021-04-02 00:25:39 +02:00
ip_filter: Option<IpFilter>,
Implement secret functionality In order to validate requests a field called `secret` has to be sent containing a secret key which validates the request. A hook will be executed only if the secret sent with the request matches the hook's secret.
2021-03-19 10:16:46 +01:00
secrets: Vec<String>,
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
filters: HashMap<String, Filter>,
}
#[derive(Debug, Deserialize, Serialize)]
Add optional `ip_filter` to hook config In order to allow or deny sources of requests the possibility to configure a list of allowed or denied IP addresses was added as described by the readme. Closes #3
2021-04-02 00:25:39 +02:00
#[serde(deny_unknown_fields)]
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
struct Filter {
pointer: String,
regex: String,
}
Split `from_data()` up in smaller pieces To still be able to handle errors correctly, also regarding the http status code, `thiserror::Error` is used.
2021-04-03 01:10:50 +02:00
#[derive(Debug, Error)]
enum WebhookeyError {
#[error("Could not extract signature from header")]
InvalidHeader,
#[error("Unauthorized request from `{0}`")]
Unauthorized(IpAddr),
#[error("Unmatched hook from `{0}`")]
UnmatchedHook(IpAddr),
#[error("IO Error")]
Io(std::io::Error),
#[error("Serde Error")]
Serde(serde_json::Error),
}
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
#[derive(Debug)]
Restructuring of `from_data()` and configuration For better readability, correctness and maintainability the body (which is still rather large, though) was restructured. Regarding the signature, to be able to configure different fields in the HTTP header the configuration parameter signature was added.
2021-03-29 04:21:31 +02:00
struct Hooks(HashMap<String, String>);
Parse JSON from post request Accept a post request and try to parse it expecting the data is formated in JSON.
2021-02-02 11:05:50 +01:00
Split `from_data()` up in smaller pieces To still be able to handle errors correctly, also regarding the http status code, `thiserror::Error` is used.
2021-04-03 01:10:50 +02:00
fn accept_ip(hook_name: &str, client_ip: &IpAddr, ip_filter: &Option<IpFilter>) -> bool {
Add optional `ip_filter` to hook config In order to allow or deny sources of requests the possibility to configure a list of allowed or denied IP addresses was added as described by the readme. Closes #3
2021-04-02 00:25:39 +02:00
match ip_filter {
Some(IpFilter::Allow(list)) => {
for i in list {
match i {
AddrType::IpAddr(addr) => {
if addr == client_ip {
info!("Allow hook `{}` from {}", &hook_name, &addr);
return true;
}
}
AddrType::IpNet(net) => {
if net.contains(client_ip) {
info!("Allow hook `{}` from {}", &hook_name, &net);
return true;
}
}
}
}
warn!("Deny hook `{}` from {}", &hook_name, &client_ip);
return false;
}
Some(IpFilter::Deny(list)) => {
for i in list {
match i {
AddrType::IpAddr(addr) => {
if addr == client_ip {
warn!("Deny hook `{}` from {}", &hook_name, &addr);
return false;
}
}
AddrType::IpNet(net) => {
if net.contains(client_ip) {
warn!("Deny hook `{}` from {}", &hook_name, &net);
return false;
}
}
}
}
info!("Allow hook `{}` from {}", &hook_name, &client_ip)
}
None => info!(
"Allow hook `{}` from {} as no IP filter was configured",
&hook_name, &client_ip
),
}
true
}
Breakup `from_data()` into smaller bits To improve readability and reduce indention levels some code was moved into their own functions. And a test case was added to the `secret()` test.
2021-03-29 02:19:30 +02:00
fn validate_request(secret: &str, signature: &str, data: &[u8]) -> Result<()> {
let mut mac = Hmac::<Sha256>::new_varkey(&secret.as_bytes())
.map_err(|e| anyhow!("Could not create hasher with secret: {}", e))?;
mac.update(&data);
let raw_signature = hex::decode(signature.as_bytes())?;
mac.verify(&raw_signature).map_err(|e| anyhow!("{}", e))
}
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
fn replace_parameter(input: &str, headers: &HeaderMap, data: &serde_json::Value) -> Result<String> {
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
let parse: IResult<&str, Vec<&str>> = many0(alt((
map_res(
delimited(tag("{{"), take_until("}}"), tag("}}")),
Arbitrary header fields in commands Adopt the parser to be able to parse header fields.
2021-03-30 01:16:15 +02:00
|param: &str| {
let expr = param.trim().split(' ').collect::<Vec<&str>>();
match expr.get(0) {
Some(&"header") => {
if let Some(field) = expr.get(1) {
match headers.get_one(field) {
Some(value) => Ok(value),
_ => bail!("Could not extract event parameter from header"),
}
} else {
bail!("Missing parameter for `header` expression");
}
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
}
Arbitrary header fields in commands Adopt the parser to be able to parse header fields.
2021-03-30 01:16:15 +02:00
Some(pointer) => match data.pointer(pointer) {
Some(value) => match value.as_str() {
Some(value) => Ok(value),
_ => bail!("Could not convert value `{}` to string", value),
},
_ => bail!("Could not convert field `{}` to string", param.trim()),
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
},
Arbitrary header fields in commands Adopt the parser to be able to parse header fields.
2021-03-30 01:16:15 +02:00
None => bail!("Missing expression in `{}`", input),
}
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
},
),
take_until("{{"),
)))(input);
let (last, mut result) = parse
.finish()
.map_err(|e| anyhow!("Could not parse command: {}", e))?;
result.push(last);
Ok(result.join(""))
}
Breakup `from_data()` into smaller bits To improve readability and reduce indention levels some code was moved into their own functions. And a test case was added to the `secret()` test.
2021-03-29 02:19:30 +02:00
fn filter_match(
hook_name: &str,
hook: &Hook,
filter_name: &str,
filter: &Filter,
request: &Request,
data: &serde_json::Value,
) -> Result<Option<String>> {
trace!("Matching filter `{}` of hook `{}`", filter_name, hook_name);
let regex = Regex::new(&filter.regex)?;
if let Some(value) = data.pointer(&filter.pointer) {
if let Some(value) = value.as_str() {
if regex.is_match(value) {
debug!("Filter `{}` of hook `{}` matched", filter_name, hook_name);
return Ok(Some(replace_parameter(
&hook.command.to_string(),
&request.headers(),
data,
)?));
}
} else {
Restructuring of `from_data()` and configuration For better readability, correctness and maintainability the body (which is still rather large, though) was restructured. Regarding the signature, to be able to configure different fields in the HTTP header the configuration parameter signature was added.
2021-03-29 04:21:31 +02:00
bail!(
Breakup `from_data()` into smaller bits To improve readability and reduce indention levels some code was moved into their own functions. And a test case was added to the `secret()` test.
2021-03-29 02:19:30 +02:00
"Could not parse pointer in hook `{}` from filter `{}`",
hook_name,
filter_name
);
}
}
trace!(
"Filter `{}` of hook `{}` did not match",
filter_name,
hook_name
);
Ok(None)
}
Split `from_data()` up in smaller pieces To still be able to handle errors correctly, also regarding the http status code, `thiserror::Error` is used.
2021-04-03 01:10:50 +02:00
fn execute_hooks(request: &Request, data: Data) -> Result<Hooks, WebhookeyError> {
let mut buffer = Vec::new();
let size = data
.open()
.read_to_end(&mut buffer)
.map_err(WebhookeyError::Io)?;
info!("Data of size {} received", size);
let config = request.guard::<State<Config>>().unwrap(); // should never fail
let mut valid = false;
let mut hooks = HashMap::new();
let client_ip = &request
.client_ip()
.unwrap_or(IpAddr::V4(Ipv4Addr::UNSPECIFIED));
for (hook_name, hook) in &config.hooks {
if accept_ip(&hook_name, &client_ip, &hook.ip_filter) {
if let Some(signature) = request.headers().get_one(&hook.signature) {
for secret in &hook.secrets {
match validate_request(&secret, &signature, &buffer) {
Ok(()) => {
trace!("Valid signature found for hook `{}`", hook_name,);
valid = true;
let data: serde_json::Value =
serde_json::from_slice(&buffer).map_err(WebhookeyError::Serde)?;
for (filter_name, filter) in &hook.filters {
match filter_match(
&hook_name,
&hook,
&filter_name,
&filter,
&request,
&data,
) {
Ok(Some(command)) => {
hooks.insert(hook_name.to_string(), command);
break;
Restructuring of `from_data()` and configuration For better readability, correctness and maintainability the body (which is still rather large, though) was restructured. Regarding the signature, to be able to configure different fields in the HTTP header the configuration parameter signature was added.
2021-03-29 04:21:31 +02:00
}
Split `from_data()` up in smaller pieces To still be able to handle errors correctly, also regarding the http status code, `thiserror::Error` is used.
2021-04-03 01:10:50 +02:00
Ok(None) => {}
Err(e) => error!("{}", e),
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
}
}
}
Split `from_data()` up in smaller pieces To still be able to handle errors correctly, also regarding the http status code, `thiserror::Error` is used.
2021-04-03 01:10:50 +02:00
Err(e) => trace!("Hook `{}` could not validate request: {}", &hook_name, e),
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
}
}
Split `from_data()` up in smaller pieces To still be able to handle errors correctly, also regarding the http status code, `thiserror::Error` is used.
2021-04-03 01:10:50 +02:00
} else {
return Err(WebhookeyError::InvalidHeader);
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
}
Restructuring of `from_data()` and configuration For better readability, correctness and maintainability the body (which is still rather large, though) was restructured. Regarding the signature, to be able to configure different fields in the HTTP header the configuration parameter signature was added.
2021-03-29 04:21:31 +02:00
}
Split `from_data()` up in smaller pieces To still be able to handle errors correctly, also regarding the http status code, `thiserror::Error` is used.
2021-04-03 01:10:50 +02:00
}
Enable arguments in `action` fields of hooks
2021-03-17 13:40:08 +01:00
Split `from_data()` up in smaller pieces To still be able to handle errors correctly, also regarding the http status code, `thiserror::Error` is used.
2021-04-03 01:10:50 +02:00
if !valid {
return Err(WebhookeyError::Unauthorized(*client_ip));
}
Ok(Hooks(hooks))
}
impl FromDataSimple for Hooks {
type Error = WebhookeyError;
fn from_data(request: &Request, data: Data) -> data::Outcome<Self, Self::Error> {
match execute_hooks(&request, data) {
Ok(hooks) => {
if hooks.0.is_empty() {
let client_ip = &request
.client_ip()
.unwrap_or(IpAddr::V4(Ipv4Addr::UNSPECIFIED));
warn!("Unmatched hook from {}", &client_ip);
return Failure((Status::NotFound, WebhookeyError::UnmatchedHook(*client_ip)));
}
Success(hooks)
}
Err(WebhookeyError::Unauthorized(e)) => {
error!("{}", WebhookeyError::Unauthorized(e));
Failure((Status::Unauthorized, WebhookeyError::Unauthorized(e)))
}
Err(e) => {
error!("{}", e);
Failure((Status::BadRequest, e))
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
}
}
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
}
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
}
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
#[get("/")]
fn index() -> &'static str {
"Hello, webhookey!"
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
}
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
#[post("/", format = "json", data = "<hooks>")]
fn receive_hook<'a>(address: SocketAddr, hooks: Hooks) -> Result<Response<'a>> {
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
info!("Post request received from: {}", address);
Implement proper logging The `log` and `env_logger` crates are used for logging.
2021-03-03 16:14:54 +01:00
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
for hook in hooks.0 {
Restructuring of `from_data()` and configuration For better readability, correctness and maintainability the body (which is still rather large, though) was restructured. Regarding the signature, to be able to configure different fields in the HTTP header the configuration parameter signature was added.
2021-03-29 04:21:31 +02:00
info!("Execute `{}` from hook `{}`", &hook.1, &hook.0);
let command = hook.1.split(' ').collect::<Vec<&str>>();
match Command::new(&command[0]).args(&command[1..]).output() {
Ok(executed) => {
info!(
"Command `{}` exited with return code: {}",
&command[0], &executed.status
);
trace!(
"Output of command `{}` on stdout: {:?}",
&command[0],
from_utf8(&executed.stdout)?
);
debug!(
"Output of command `{}` on stderr: {:?}",
&command[0],
from_utf8(&executed.stderr)?
);
}
Err(e) => {
error!("Execution of `{}` failed: {}", command[0], e);
Implement secret functionality In order to validate requests a field called `secret` has to be sent containing a secret key which validates the request. A hook will be executed only if the secret sent with the request matches the hook's secret.
2021-03-19 10:16:46 +01:00
}
}
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
}
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
Ok(Response::new())
Parse JSON from post request Accept a post request and try to parse it expecting the data is formated in JSON.
2021-02-02 11:05:50 +01:00
}
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
fn get_config() -> Result<File> {
if let Ok(config) = File::open("/etc/webhookey/config.yml") {
Implement proper logging The `log` and `env_logger` crates are used for logging.
2021-03-03 16:14:54 +01:00
info!("Loading configuration from `/etc/webhookey/config.yml`");
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
return Ok(config);
}
if let Some(mut path) = dirs::config_dir() {
path.push("webhookey/config.yml");
Implement proper logging The `log` and `env_logger` crates are used for logging.
2021-03-03 16:14:54 +01:00
if let Ok(config) = File::open(&path) {
info!(
"Loading configuration from `{}`",
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
path.to_str().unwrap_or("<path unprintable>"),
Implement proper logging The `log` and `env_logger` crates are used for logging.
2021-03-03 16:14:54 +01:00
);
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
return Ok(config);
}
}
if let Ok(config) = File::open("config.yml") {
Implement proper logging The `log` and `env_logger` crates are used for logging.
2021-03-03 16:14:54 +01:00
info!("Loading configuration from `./config.yml`");
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
return Ok(config);
}
Arbitrary header fields in commands Adopt the parser to be able to parse header fields.
2021-03-30 01:16:15 +02:00
bail!("No configuration file found.");
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
}
fn main() -> Result<()> {
Implement proper logging The `log` and `env_logger` crates are used for logging.
2021-03-03 16:14:54 +01:00
env_logger::init();
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
let config: Config = serde_yaml::from_reader(BufReader::new(get_config()?))?;
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
Implement proper logging The `log` and `env_logger` crates are used for logging.
2021-03-03 16:14:54 +01:00
trace!("Parsed configuration:\n{}", serde_yaml::to_string(&config)?);
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
Parse JSON from post request Accept a post request and try to parse it expecting the data is formated in JSON.
2021-02-02 11:05:50 +01:00
rocket::ignite()
.mount("/", routes![index, receive_hook])
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
.attach(AdHoc::on_attach("webhookey config", move |rocket| {
Ok(rocket.manage(config))
}))
Parse JSON from post request Accept a post request and try to parse it expecting the data is formated in JSON.
2021-02-02 11:05:50 +01:00
.launch();
Parse config file and act upon All dependencies were updated. An example configuration file `config.yml` is added to show the configuration options. Following locations are checked: - `/etc/webhookey/config.yml` - `<config_dir>/webhookey/config.yml` - `./config.yml` Whereas `<config_dir>` is depending on the platform: - Linux: `$XDG_CONFIG_HOME` or `$HOME/.config` - macOS: `$HOME/Library/Application Support` - Windows: `{FOLDERID_RoamingAppData}` Each hook's action is executed if all of the specified filters match.
2021-03-03 15:24:46 +01:00
Ok(())
Parse JSON from post request Accept a post request and try to parse it expecting the data is formated in JSON.
2021-02-02 11:05:50 +01:00
}
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
#[cfg(test)]
mod tests {
use super::*;
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
use rocket::{
http::{ContentType, Header},
local::Client,
};
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
use serde_json::json;
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
#[test]
fn index() {
let rocket = rocket::ignite().mount("/", routes![index]);
let client = Client::new(rocket).unwrap();
let mut response = client.get("/").dispatch();
assert_eq!(response.status(), Status::Ok);
assert_eq!(response.body_string(), Some("Hello, webhookey!".into()));
}
#[test]
fn secret() {
let mut hooks = HashMap::new();
hooks.insert(
"test_hook".to_string(),
Hook {
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
command: "".to_string(),
Restructuring of `from_data()` and configuration For better readability, correctness and maintainability the body (which is still rather large, though) was restructured. Regarding the signature, to be able to configure different fields in the HTTP header the configuration parameter signature was added.
2021-03-29 04:21:31 +02:00
signature: "X-Gitea-Signature".to_string(),
Add optional `ip_filter` to hook config In order to allow or deny sources of requests the possibility to configure a list of allowed or denied IP addresses was added as described by the readme. Closes #3
2021-04-02 00:25:39 +02:00
ip_filter: None,
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
secrets: vec!["valid".to_string()],
filters: HashMap::new(),
},
);
let config = Config { hooks: hooks };
let rocket = rocket::ignite()
.mount("/", routes![receive_hook])
.attach(AdHoc::on_attach("webhookey config", move |rocket| {
Ok(rocket.manage(config))
}));
let client = Client::new(rocket).unwrap();
let response = client
.post("/")
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
.header(Header::new(
"X-Gitea-Signature",
"28175a0035f637f3cbb85afee9f9d319631580e7621cf790cd16ca063a2f820e",
))
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
.header(ContentType::JSON)
.remote("127.0.0.1:8000".parse().unwrap())
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
.body(&serde_json::to_string(&json!({ "foo": "bar" })).unwrap())
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
.dispatch();
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
assert_eq!(response.status(), Status::NotFound);
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
let response = client
.post("/")
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
.header(Header::new("X-Gitea-Signature", "beef"))
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
.header(ContentType::JSON)
.remote("127.0.0.1:8000".parse().unwrap())
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
.body(&serde_json::to_string(&json!({ "foo": "bar" })).unwrap())
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
.dispatch();
assert_eq!(response.status(), Status::Unauthorized);
let response = client
.post("/")
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
.header(Header::new(
"X-Gitea-Signature",
"c5c315d76318362ec129ca629b50b626bba09ad3d7ba4cc0f4c0afe4a90537a0",
))
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
.header(ContentType::JSON)
.remote("127.0.0.1:8000".parse().unwrap())
.body(r#"{ "not_secret": "invalid" "#)
.dispatch();
assert_eq!(response.status(), Status::BadRequest);
Breakup `from_data()` into smaller bits To improve readability and reduce indention levels some code was moved into their own functions. And a test case was added to the `secret()` test.
2021-03-29 02:19:30 +02:00
let response = client
.post("/")
.header(Header::new("X-Gitea-Signature", "foobar"))
.header(ContentType::JSON)
.remote("127.0.0.1:8000".parse().unwrap())
.dispatch();
assert_eq!(response.status(), Status::Unauthorized);
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
}
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
#[test]
fn parse_command() {
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
let mut map = HeaderMap::new();
map.add_raw("X-Gitea-Event", "something");
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
assert_eq!(
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
replace_parameter("command", &map, &serde_json::Value::Null).unwrap(),
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
"command"
);
assert_eq!(
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
replace_parameter(" command", &map, &serde_json::Value::Null).unwrap(),
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
" command"
);
assert_eq!(
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
replace_parameter("command ", &map, &serde_json::Value::Null).unwrap(),
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
"command "
);
assert_eq!(
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
replace_parameter(" command ", &map, &serde_json::Value::Null).unwrap(),
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
" command "
);
assert_eq!(
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
replace_parameter("command command ", &map, &serde_json::Value::Null).unwrap(),
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
"command command "
);
assert_eq!(
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
replace_parameter("{{ /foo }} command", &map, &json!({ "foo": "bar" })).unwrap(),
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
"bar command"
);
assert_eq!(
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
replace_parameter(" command {{ /foo }} ", &map, &json!({ "foo": "bar" })).unwrap(),
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
" command bar "
);
assert_eq!(
replace_parameter(
"{{ /foo }} command{{/field1/foo}}",
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
&map,
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
&json!({ "foo": "bar", "field1": { "foo": "baz" } })
)
.unwrap(),
"bar commandbaz"
);
assert_eq!(
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
replace_parameter(" command {{ /foo }} ", &map, &json!({ "foo": "bar" })).unwrap(),
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
" command bar "
);
assert_eq!(
replace_parameter(
" {{ /field1/foo }} command",
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
&map,
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
&json!({ "field1": { "foo": "bar" } })
)
.unwrap(),
" bar command"
);
Use signature field for verification Instead of looking for a "secret" field hmac is used. Therefore the raw payload is hashed with all secrets consecutively in order to validate its content. If the content is certified the established behaviour is pursued..
2021-03-28 03:50:52 +02:00
Restructuring of `from_data()` and configuration For better readability, correctness and maintainability the body (which is still rather large, though) was restructured. Regarding the signature, to be able to configure different fields in the HTTP header the configuration parameter signature was added.
2021-03-29 04:21:31 +02:00
assert_eq!(
replace_parameter(
Arbitrary header fields in commands Adopt the parser to be able to parse header fields.
2021-03-30 01:16:15 +02:00
" {{ header X-Gitea-Event }} command",
Restructuring of `from_data()` and configuration For better readability, correctness and maintainability the body (which is still rather large, though) was restructured. Regarding the signature, to be able to configure different fields in the HTTP header the configuration parameter signature was added.
2021-03-29 04:21:31 +02:00
&map,
&json!({ "field1": { "foo": "bar" } })
)
.unwrap(),
" something command"
);
Replace command parameters with values To create a minimalistic parser, nom is used to identify and replace parameters given in the command field. For clarity the `action` field for hooks was renamed to `command`.
2021-03-21 15:51:58 +01:00
}
Improve secret handling and add tests Instead of a string `receive_hook` returns a `Response` now. Some rudimentary tests were added.
2021-03-20 00:12:01 +01:00
}
Reference in a new issue Copy permalink