Compare commits

..

1 commit

Author SHA1 Message Date
ff62933ef5 Support BasicAuth [wip]
To use BasicAuth either a global auth user or a per hook basis can be
configured.

ToDo:
- Add logic to check if a hook BasicAuth is configured, if not check
  for globaly
2021-11-28 10:17:18 +01:00
9 changed files with 713 additions and 703 deletions

View file

@ -1,37 +0,0 @@
pipeline:
fmt:
group: default
image: rust_full
commands:
- cargo fmt --all -- --check
clippy:
group: default
image: rust_full
commands:
- cargo clippy --all-features
test:
group: default
image: rust_full
commands:
- cargo test
build:
group: default
image: rust_full
commands:
- cargo build
- cargo build --release
build-deb:
group: default
image: rust_full
commands:
- cargo deb
doc:
group: default
image: rust_full
commands:
- cargo doc

1245
Cargo.lock generated

File diff suppressed because it is too large Load diff

View file

@ -1,6 +1,6 @@
[package]
name = "webhookey"
version = "0.1.6"
version = "0.1.5"
authors = ["finga <webhookey@onders.org>"]
edition = "2021"
license = "GPL-3.0-or-later"
@ -11,23 +11,24 @@ description = "Trigger scripts via http(s) requests"
tls = ["rocket/tls"]
[dependencies]
anyhow = "1.0"
clap = { version = "4.3", features = ["derive"] }
dirs = "4.0"
env_logger = "0.9"
hex = "0.4"
hmac = "0.12"
ipnet = { version = "2.3", features = ["serde"] }
log = "0.4"
regex = "1.5"
rocket = "0.5.0-rc.1"
run_script = "0.9"
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
serde_regex = "1.1"
serde_yaml = "0.8"
sha2 = "0.10"
serde_regex = "1.1"
regex = "1.5"
dirs = "4.0"
anyhow = "1.0"
log = "0.4"
env_logger = "0.9"
hmac = "0.11"
sha2 = "0.9"
hex = "0.4"
ipnet = { version = "2.3", features = ["serde"] }
thiserror = "1.0"
run_script = "0.9"
clap = "3.0.0-beta.5"
base64 = "0.13"
[package.metadata.deb]
extended-description = "Webhookey receives requests in form of a so called Webhook as for example sent by Gitea. Those requests are matched against configured filters, if a filter matches, values from the header and the body can be passed to scripts as parameters which are then executed subsequently."

View file

@ -1,6 +1,4 @@
# Webhookey
![status-badge](https://ci.onders.org/api/badges/finga/webhookey/status.svg?branch=main)
Webhookey is a web server listening for
[webhooks](https://en.wikipedia.org/wiki/Webhook) as for example sent
by Gitea's webhooks. Further, Webhookey allows you to specify rules

74
src/auth.rs Normal file
View file

@ -0,0 +1,74 @@
use crate::WebhookeyError;
use base64;
use rocket::{
http::Status,
outcome::Outcome,
request::{self, FromRequest},
Request,
};
use serde::{Deserialize, Serialize};
use std::net::{IpAddr, Ipv4Addr};
fn decode_to_creds<T: Into<String>>(base64_encoded: T) -> Option<(String, String)> {
let decoded_creds = match base64::decode(base64_encoded.into()) {
Ok(cred_bytes) => String::from_utf8(cred_bytes).unwrap(),
Err(_) => return None,
};
if let Some((username, password)) = decoded_creds.split_once(":") {
Some((username.to_string(), password.to_string()))
} else {
None
}
}
#[derive(Debug, Deserialize, Serialize)]
pub struct BasicAuth {
username: String,
password: String,
}
impl BasicAuth {
pub fn new<T: Into<String>>(auth_header: T) -> Option<Self> {
let key = auth_header.into();
if key.len() < 7 || &key[..6] != "Basic " {
return None;
}
let (username, password) = decode_to_creds(&key[6..])?;
Some(Self { username, password })
}
}
#[rocket::async_trait]
impl<'r> FromRequest<'r> for BasicAuth {
type Error = WebhookeyError;
async fn from_request(request: &'r Request<'_>) -> request::Outcome<Self, Self::Error> {
let keys: Vec<_> = request.headers().get("Authorization").collect();
match keys.len() {
0 => Outcome::Forward(()),
1 => match BasicAuth::new(keys[0]) {
Some(auth_header) => Outcome::Success(auth_header),
None => Outcome::Failure((
Status::Unauthorized,
WebhookeyError::Unauthorized(
request
.client_ip()
.unwrap_or(IpAddr::V4(Ipv4Addr::UNSPECIFIED)),
),
)),
},
_ => Outcome::Failure((
Status::Unauthorized,
WebhookeyError::Unauthorized(
request
.client_ip()
.unwrap_or(IpAddr::V4(Ipv4Addr::UNSPECIFIED)),
),
)),
}
}
}

View file

@ -1,4 +1,4 @@
use clap::Parser;
use clap::{crate_authors, crate_version, AppSettings, Parser};
#[derive(Debug, Parser)]
pub enum Command {
@ -7,10 +7,16 @@ pub enum Command {
}
#[derive(Debug, Parser)]
#[clap(
version = crate_version!(),
author = crate_authors!(", "),
global_setting = AppSettings::InferSubcommands,
global_setting = AppSettings::PropagateVersion,
)]
pub struct Opts {
/// Provide a path to the configuration file
#[arg(short, long, value_name = "FILE")]
#[clap(short, long, value_name = "FILE")]
pub config: Option<String>,
#[command(subcommand)]
#[clap(subcommand)]
pub command: Option<Command>,
}

View file

@ -1,4 +1,4 @@
use crate::{filters::IpFilter, hooks::Hook};
use crate::{auth::BasicAuth, filters::IpFilter, hooks::Hook};
use anyhow::{bail, Result};
use log::info;
use serde::{Deserialize, Serialize};
@ -15,6 +15,7 @@ pub struct MetricsConfig {
#[serde(deny_unknown_fields)]
pub struct Config {
pub metrics: Option<MetricsConfig>,
pub auth: Option<BasicAuth>,
pub hooks: BTreeMap<String, Hook>,
}

View file

@ -1,9 +1,10 @@
use crate::{
auth::BasicAuth,
filters::{FilterType, IpFilter},
Config, Metrics, WebhookeyError,
};
use anyhow::{anyhow, bail, Result};
use hmac::{Hmac, Mac};
use hmac::{Hmac, Mac, NewMac};
use log::{debug, error, info, trace, warn};
use rocket::{
data::{FromData, ToByteUnit},
@ -44,8 +45,7 @@ fn validate_request(secret: &str, signature: &str, data: &[u8]) -> Result<()> {
.map_err(|e| anyhow!("Could not create hasher with secret: {}", e))?;
mac.update(data);
let raw_signature = hex::decode(signature.as_bytes())?;
mac.verify_slice(&raw_signature)
.map_err(|e| anyhow!("{}", e))
mac.verify(&raw_signature).map_err(|e| anyhow!("{}", e))
}
#[derive(Debug, Deserialize, Serialize)]
@ -53,6 +53,7 @@ fn validate_request(secret: &str, signature: &str, data: &[u8]) -> Result<()> {
pub struct Hook {
command: String,
signature: String,
auth: Option<BasicAuth>,
ip_filter: Option<IpFilter>,
secrets: Vec<String>,
filter: FilterType,
@ -88,7 +89,7 @@ impl Hook {
if let Some('}') = command_template.next() {
let expr = token.trim().split(' ').collect::<Vec<&str>>();
let replaced = match expr.first() {
let replaced = match expr.get(0) {
Some(&"header") => get_header_field(
headers,
expr.get(1).ok_or_else(|| {
@ -316,8 +317,6 @@ pub async fn receive_hook<'a>(
.fetch_add(1, Ordering::Relaxed);
}
}
metrics.hooks_successful.fetch_add(1, Ordering::Relaxed);
});
Status::Ok

View file

@ -1,3 +1,4 @@
mod auth;
mod cli;
mod config;
mod filters;
@ -23,9 +24,9 @@ pub enum WebhookeyError {
#[error("Could not evaluate filter request")]
InvalidFilter,
#[error("IO Error")]
Io(#[from] std::io::Error),
Io(std::io::Error),
#[error("Serde Error")]
Serde(#[from] serde_json::Error),
Serde(serde_json::Error),
}
pub fn get_string(data: &serde_json::Value) -> Result<String, WebhookeyError> {