2021-03-12 16:46:47 +01:00
|
|
|
# Webhookey
|
2021-11-22 14:42:38 +01:00
|
|
|
Webhookey is a web server listening for
|
|
|
|
[webhooks](https://en.wikipedia.org/wiki/Webhook) as for example sent
|
|
|
|
by Gitea's webhooks. Further, Webhookey allows you to specify rules
|
2021-03-21 15:51:58 +01:00
|
|
|
which are matched against the data received to trigger certain
|
|
|
|
actions.
|
2021-03-12 16:46:47 +01:00
|
|
|
|
|
|
|
## Build
|
|
|
|
|
|
|
|
### Install Rust
|
2021-04-03 01:10:50 +02:00
|
|
|
Install the Rust toolchain from [rustup.rs](https://rustup.rs).
|
2021-03-12 16:46:47 +01:00
|
|
|
|
|
|
|
### Build Webhookey
|
2021-05-31 02:16:22 +02:00
|
|
|
The Webhookey project can be built for development:
|
2021-03-12 16:46:47 +01:00
|
|
|
``` sh
|
|
|
|
cargo b
|
|
|
|
```
|
|
|
|
|
|
|
|
or for releasing:
|
|
|
|
``` sh
|
|
|
|
cargo b --release
|
|
|
|
```
|
|
|
|
|
|
|
|
### Install Webhookey
|
|
|
|
When a Rust toolchain installed you can also install Webhookey
|
2021-05-31 02:16:22 +02:00
|
|
|
directly without cloning it manually:
|
2021-03-12 16:46:47 +01:00
|
|
|
``` sh
|
|
|
|
cargo install --git https://git.onders.org/finga/webhookey.git webhookey
|
|
|
|
```
|
|
|
|
|
|
|
|
or from within the project:
|
|
|
|
``` sh
|
|
|
|
cargo install webhookey
|
|
|
|
```
|
|
|
|
|
|
|
|
### Run Webhookey
|
|
|
|
Webhookey can either be run from the project directory with:
|
|
|
|
``` sh
|
|
|
|
cargo b
|
|
|
|
```
|
|
|
|
|
|
|
|
or you can copy the produced binary somewhere else from
|
2021-05-29 00:50:48 +02:00
|
|
|
`webhookey/target/{debug,release}/webhookey` depending on which one
|
2021-03-12 16:46:47 +01:00
|
|
|
you built.
|
|
|
|
|
|
|
|
## Configuration
|
2021-04-02 00:25:39 +02:00
|
|
|
Configuration syntax is YAML and it's paths as well as it's
|
|
|
|
configuration format is described in the following sections.
|
2021-03-12 16:46:47 +01:00
|
|
|
|
2021-05-31 02:16:22 +02:00
|
|
|
### Configuration Paths
|
2021-04-02 00:25:39 +02:00
|
|
|
Following locations are checked for a configuration file:
|
|
|
|
- `/etc/webhookey/config.yml`
|
|
|
|
- `<config_dir>/webhookey/config.yml`
|
|
|
|
- `./config.yml`
|
|
|
|
|
|
|
|
Whereas `<config_dir>` depends on the platform:
|
|
|
|
- Linux: `$XDG_CONFIG_HOME` or `$HOME/.config`
|
|
|
|
- macOS: `$HOME/Library/Application Support`
|
|
|
|
- Windows: `{FOLDERID_RoamingAppData}`
|
|
|
|
|
|
|
|
### Configuration parameters
|
|
|
|
|
2021-11-09 14:50:02 +01:00
|
|
|
#### Metrics
|
|
|
|
A metrics page can optionally enabled to query stats of the currently
|
|
|
|
running webhookey instance. Note that stats are lost between restarts
|
2021-11-19 14:32:18 +01:00
|
|
|
of webhookey as those are not stored persistently. The `metrics`
|
|
|
|
structure is optional as well as the `ip_filter`. The `ip_filter`
|
|
|
|
supports either `allow` or `deny` containing a list of IPv4 and IPv6
|
|
|
|
addresses and networks.
|
2021-11-09 14:50:02 +01:00
|
|
|
|
|
|
|
Example:
|
|
|
|
```yaml
|
|
|
|
metrics:
|
|
|
|
enabled: true
|
|
|
|
ip_filter:
|
|
|
|
allow:
|
|
|
|
- 127.0.0.1/31
|
|
|
|
```
|
|
|
|
|
2021-04-02 00:25:39 +02:00
|
|
|
#### Hooks
|
|
|
|
With `hooks` you can configure a sequence of hooks. A single hook
|
|
|
|
consists of the following fields:
|
2021-06-02 03:35:43 +02:00
|
|
|
- `command`: A command to be executed if a filter matches
|
|
|
|
- `allow`/`deny`: An optional parameter to either allow or deny
|
|
|
|
specific source addresses or ranges.
|
|
|
|
- `signature`: Name of the HTTP header field containing the signature.
|
|
|
|
- `secrets`: List of secrets.
|
|
|
|
- `filter`: Tree of filters.
|
2021-03-21 15:51:58 +01:00
|
|
|
|
2021-04-02 00:25:39 +02:00
|
|
|
Example:
|
|
|
|
```yaml
|
|
|
|
hooks:
|
|
|
|
hook1:
|
|
|
|
command: /usr/bin/local/script_xy.sh {{ /repository/name }}
|
|
|
|
signature: X-Gitea-Signature
|
|
|
|
ip_filter:
|
|
|
|
allow:
|
|
|
|
- 127.0.0.1
|
|
|
|
- 127.0.0.1/31
|
|
|
|
secrets:
|
|
|
|
- secret_key_01
|
|
|
|
- secret_key_02
|
2021-05-31 02:16:22 +02:00
|
|
|
filter:
|
|
|
|
or:
|
2021-11-17 15:19:38 +01:00
|
|
|
- not:
|
|
|
|
json:
|
|
|
|
pointer: /ref
|
|
|
|
regex: refs/heads/dev
|
2021-05-31 02:16:22 +02:00
|
|
|
- and:
|
|
|
|
- json:
|
|
|
|
pointer: /ref
|
|
|
|
regex: refs/heads/a_branch
|
2021-11-17 15:19:38 +01:00
|
|
|
- header:
|
|
|
|
field: X-Gitea-Event
|
|
|
|
regex: push
|
2021-04-02 00:25:39 +02:00
|
|
|
```
|
|
|
|
|
|
|
|
##### Command
|
2021-03-30 01:16:15 +02:00
|
|
|
To pass data to a command following two different methods can be used.
|
|
|
|
|
2021-04-02 00:25:39 +02:00
|
|
|
Example: `script_foo {{ header X-Gitea-Event }} {{ /field/foo }}`
|
|
|
|
|
|
|
|
###### JSON Pointers
|
2021-03-30 01:16:15 +02:00
|
|
|
Use JSON pointers ([RFC 6901](https://tools.ietf.org/html/rfc6901))
|
|
|
|
point to values of a JSON field from the JSON data.
|
|
|
|
|
|
|
|
Example: `{{ /field/pointed/to }}`.
|
|
|
|
|
2021-04-02 00:25:39 +02:00
|
|
|
###### Header
|
2021-03-30 01:16:15 +02:00
|
|
|
Use values from header fields sent with the HTTP request.
|
|
|
|
|
|
|
|
Example: `{{ header X-Gitea-Event }}`.
|
|
|
|
|
2021-11-19 14:32:18 +01:00
|
|
|
##### IP Filter
|
|
|
|
Specific IPv4 and IPv6 addresses and/or ranges ranges can be allowed
|
|
|
|
or denied. The `ip_filter` is optional and has to contain either an
|
|
|
|
`allow` or a `deny` field which contains a sequence of IPv4 or IPv6
|
|
|
|
addresses or CIDR network ranges. Note that IPv6 addresses have to be
|
|
|
|
quoted due to the colons.
|
2021-04-02 00:25:39 +02:00
|
|
|
|
|
|
|
Example:
|
|
|
|
```yaml
|
2021-11-19 14:32:18 +01:00
|
|
|
ip_filter:
|
|
|
|
allow:
|
|
|
|
- 127.0.0.1
|
|
|
|
- 127.0.0.1/31
|
|
|
|
- "::1"
|
2021-04-02 00:25:39 +02:00
|
|
|
```
|
|
|
|
|
|
|
|
```yaml
|
2021-11-19 14:32:18 +01:00
|
|
|
ip_filter:
|
|
|
|
deny:
|
|
|
|
- 127.0.0.1
|
|
|
|
- 127.0.0.1/31
|
|
|
|
- "::1"
|
2021-04-02 00:25:39 +02:00
|
|
|
```
|
|
|
|
|
|
|
|
##### Signature
|
|
|
|
Set the name of the HTTP header field containing the HMAC signature.
|
|
|
|
|
|
|
|
##### Secrets
|
|
|
|
Configure a list of secrets to validate the hook.
|
|
|
|
|
|
|
|
##### Filter
|
2021-05-31 02:16:22 +02:00
|
|
|
Filter can be either a concrete filter or a conjunction
|
|
|
|
filter. Concrete filters return either true or false on specific
|
|
|
|
constraints. Conjunction filters contain lists of filters which are
|
|
|
|
evaluated and combined based on the type. The result is either used
|
|
|
|
for parent conjunction filters or, if at the root, used to decide if a
|
|
|
|
hook should be executed.
|
|
|
|
|
|
|
|
###### Conjunction Filters
|
|
|
|
Conjunction filters contain lists of other filters.
|
2021-11-17 15:19:38 +01:00
|
|
|
- `not`: Logical negation.
|
2021-05-31 02:16:22 +02:00
|
|
|
- `and`: Logical conjunction.
|
|
|
|
- `or`: Logical disjunction.
|
|
|
|
|
|
|
|
###### Concrete Filters
|
2021-11-17 15:19:38 +01:00
|
|
|
- `header`:
|
|
|
|
|
|
|
|
The `header` filter matches a regular expression on a field from the
|
|
|
|
received http(s) request header.
|
|
|
|
|
|
|
|
- `field`: The header field which should be matched.
|
2021-11-19 14:32:18 +01:00
|
|
|
- `regex`: Regular expression which has to match the specified
|
2021-11-17 15:19:38 +01:00
|
|
|
header field.
|
|
|
|
|
2021-05-31 02:16:22 +02:00
|
|
|
- `json`:
|
|
|
|
|
|
|
|
The `json` filter matches a regular expression on a field from the
|
|
|
|
received JSON data.
|
|
|
|
|
2021-06-02 03:35:43 +02:00
|
|
|
- `pointer`: Pointer to the JSON field according to [RFC
|
2021-05-31 02:16:22 +02:00
|
|
|
6901](https://tools.ietf.org/html/rfc6901).
|
2021-06-02 03:35:43 +02:00
|
|
|
- `regex`: Regular expression which has to match the field pointed
|
|
|
|
to by the pointer.
|