Support BasicAuth [wip]

To use BasicAuth either a global auth user or a per hook basis can be
configured.

ToDo:
- Add logic to check if a hook BasicAuth is configured, if not check
  for globaly

.woodpecker.yml

@@ -1,37 +0,0 @@
-pipeline:
-  fmt:
-    group: default
-    image: rust_full
-    commands:
-      - cargo fmt --all -- --check
-
-  clippy:
-    group: default
-    image: rust_full
-    commands:
-      - cargo clippy --all-features
-
-  test:
-    group: default
-    image: rust_full
-    commands:
-      - cargo test
-
-  build:
-    group: default
-    image: rust_full
-    commands:
-      - cargo build
-      - cargo build --release
-
-  build-deb:
-    group: default
-    image: rust_full
-    commands:
-      - cargo deb
-
-  doc:
-    group: default
-    image: rust_full
-    commands:
-      - cargo doc

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "webhookey"
-version = "0.1.6"
+version = "0.1.5"
 authors = ["finga <webhookey@onders.org>"]
 edition = "2021"
 license = "GPL-3.0-or-later"
@@ -11,23 +11,24 @@ description = "Trigger scripts via http(s) requests"
 tls = ["rocket/tls"]
 
 [dependencies]
-anyhow = "1.0"
-clap = { version = "4.3", features = ["derive"] }
-dirs = "4.0"
-env_logger = "0.9"
-hex = "0.4"
-hmac = "0.12"
-ipnet = { version = "2.3", features = ["serde"] }
-log = "0.4"
-regex = "1.5"
 rocket = "0.5.0-rc.1"
-run_script = "0.9"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-serde_regex = "1.1"
 serde_yaml = "0.8"
-sha2 = "0.10"
+serde_regex = "1.1"
+regex = "1.5"
+dirs = "4.0"
+anyhow = "1.0"
+log = "0.4"
+env_logger = "0.9"
+hmac = "0.11"
+sha2 = "0.9"
+hex = "0.4"
+ipnet = { version = "2.3", features = ["serde"] }
 thiserror = "1.0"
+run_script = "0.9"
+clap = "3.0.0-beta.5"
+base64 = "0.13"
 
 [package.metadata.deb]
 extended-description = "Webhookey receives requests in form of a so called Webhook as for example sent by Gitea. Those requests are matched against configured filters, if a filter matches, values from the header and the body can be passed to scripts as parameters which are then executed subsequently."

README.md

@@ -1,6 +1,4 @@
 # Webhookey
-![status-badge](https://ci.onders.org/api/badges/finga/webhookey/status.svg?branch=main)
-
 Webhookey is a web server listening for
 [webhooks](https://en.wikipedia.org/wiki/Webhook) as for example sent
 by Gitea's webhooks. Further, Webhookey allows you to specify rules

src/auth.rs

@@ -0,0 +1,74 @@
+use crate::WebhookeyError;
+use base64;
+use rocket::{
+    http::Status,
+    outcome::Outcome,
+    request::{self, FromRequest},
+    Request,
+};
+use serde::{Deserialize, Serialize};
+use std::net::{IpAddr, Ipv4Addr};
+
+fn decode_to_creds<T: Into<String>>(base64_encoded: T) -> Option<(String, String)> {
+    let decoded_creds = match base64::decode(base64_encoded.into()) {
+        Ok(cred_bytes) => String::from_utf8(cred_bytes).unwrap(),
+        Err(_) => return None,
+    };
+
+    if let Some((username, password)) = decoded_creds.split_once(":") {
+        Some((username.to_string(), password.to_string()))
+    } else {
+        None
+    }
+}
+
+#[derive(Debug, Deserialize, Serialize)]
+pub struct BasicAuth {
+    username: String,
+    password: String,
+}
+
+impl BasicAuth {
+    pub fn new<T: Into<String>>(auth_header: T) -> Option<Self> {
+        let key = auth_header.into();
+
+        if key.len() < 7 || &key[..6] != "Basic " {
+            return None;
+        }
+
+        let (username, password) = decode_to_creds(&key[6..])?;
+        Some(Self { username, password })
+    }
+}
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for BasicAuth {
+    type Error = WebhookeyError;
+
+    async fn from_request(request: &'r Request<'_>) -> request::Outcome<Self, Self::Error> {
+        let keys: Vec<_> = request.headers().get("Authorization").collect();
+
+        match keys.len() {
+            0 => Outcome::Forward(()),
+            1 => match BasicAuth::new(keys[0]) {
+                Some(auth_header) => Outcome::Success(auth_header),
+                None => Outcome::Failure((
+                    Status::Unauthorized,
+                    WebhookeyError::Unauthorized(
+                        request
+                            .client_ip()
+                            .unwrap_or(IpAddr::V4(Ipv4Addr::UNSPECIFIED)),
+                    ),
+                )),
+            },
+            _ => Outcome::Failure((
+                Status::Unauthorized,
+                WebhookeyError::Unauthorized(
+                    request
+                        .client_ip()
+                        .unwrap_or(IpAddr::V4(Ipv4Addr::UNSPECIFIED)),
+                ),
+            )),
+        }
+    }
+}

src/cli.rs

@@ -1,4 +1,4 @@
-use clap::Parser;
+use clap::{crate_authors, crate_version, AppSettings, Parser};
 
 #[derive(Debug, Parser)]
 pub enum Command {
@@ -7,10 +7,16 @@ pub enum Command {
 }
 
 #[derive(Debug, Parser)]
+#[clap(
+    version = crate_version!(),
+    author = crate_authors!(", "),
+    global_setting = AppSettings::InferSubcommands,
+    global_setting = AppSettings::PropagateVersion,
+)]
 pub struct Opts {
     /// Provide a path to the configuration file
-    #[arg(short, long, value_name = "FILE")]
+    #[clap(short, long, value_name = "FILE")]
     pub config: Option<String>,
-    #[command(subcommand)]
+    #[clap(subcommand)]
     pub command: Option<Command>,
 }

src/config.rs

@@ -1,4 +1,4 @@
-use crate::{filters::IpFilter, hooks::Hook};
+use crate::{auth::BasicAuth, filters::IpFilter, hooks::Hook};
 use anyhow::{bail, Result};
 use log::info;
 use serde::{Deserialize, Serialize};
@@ -15,6 +15,7 @@ pub struct MetricsConfig {
 #[serde(deny_unknown_fields)]
 pub struct Config {
     pub metrics: Option<MetricsConfig>,
+    pub auth: Option<BasicAuth>,
     pub hooks: BTreeMap<String, Hook>,
 }
 

src/hooks.rs

@@ -1,9 +1,10 @@
 use crate::{
+    auth::BasicAuth,
     filters::{FilterType, IpFilter},
     Config, Metrics, WebhookeyError,
 };
 use anyhow::{anyhow, bail, Result};
-use hmac::{Hmac, Mac};
+use hmac::{Hmac, Mac, NewMac};
 use log::{debug, error, info, trace, warn};
 use rocket::{
     data::{FromData, ToByteUnit},
@@ -44,8 +45,7 @@ fn validate_request(secret: &str, signature: &str, data: &[u8]) -> Result<()> {
         .map_err(|e| anyhow!("Could not create hasher with secret: {}", e))?;
     mac.update(data);
     let raw_signature = hex::decode(signature.as_bytes())?;
-    mac.verify_slice(&raw_signature)
+    mac.verify(&raw_signature).map_err(|e| anyhow!("{}", e))
-        .map_err(|e| anyhow!("{}", e))
 }
 
 #[derive(Debug, Deserialize, Serialize)]
@@ -53,6 +53,7 @@ fn validate_request(secret: &str, signature: &str, data: &[u8]) -> Result<()> {
 pub struct Hook {
     command: String,
     signature: String,
+    auth: Option<BasicAuth>,
     ip_filter: Option<IpFilter>,
     secrets: Vec<String>,
     filter: FilterType,
@@ -88,7 +89,7 @@ impl Hook {
                             if let Some('}') = command_template.next() {
                                 let expr = token.trim().split(' ').collect::<Vec<&str>>();
 
-                                let replaced = match expr.first() {
+                                let replaced = match expr.get(0) {
                                     Some(&"header") => get_header_field(
                                         headers,
                                         expr.get(1).ok_or_else(|| {
@@ -316,8 +317,6 @@ pub async fn receive_hook<'a>(
                     .fetch_add(1, Ordering::Relaxed);
             }
         }
-
-        metrics.hooks_successful.fetch_add(1, Ordering::Relaxed);
     });
 
     Status::Ok

src/main.rs

@@ -1,3 +1,4 @@
+mod auth;
 mod cli;
 mod config;
 mod filters;
@@ -23,9 +24,9 @@ pub enum WebhookeyError {
     #[error("Could not evaluate filter request")]
     InvalidFilter,
     #[error("IO Error")]
-    Io(#[from] std::io::Error),
+    Io(std::io::Error),
     #[error("Serde Error")]
-    Serde(#[from] serde_json::Error),
+    Serde(serde_json::Error),
 }
 
 pub fn get_string(data: &serde_json::Value) -> Result<String, WebhookeyError> {