feat: auto-generated per-repo webhook secrets with dashboard proxy
Some checks failed
CI / Format (push) Successful in 5s
CI / Clippy (push) Failing after 1m57s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
CI / Security Audit (push) Has been skipped
CI / Tests (push) Has been skipped
CI / Detect Changes (push) Has been skipped
CI / Deploy Agent (push) Has been skipped
CI / Deploy Dashboard (push) Has been skipped
CI / Deploy Docs (push) Has been skipped
CI / Deploy MCP (push) Has been skipped
CI / Format (pull_request) Successful in 8s
CI / Clippy (pull_request) Failing after 1m53s
CI / Security Audit (pull_request) Has been skipped
CI / Tests (pull_request) Has been skipped
Some checks failed
CI / Format (push) Successful in 5s
CI / Clippy (push) Failing after 1m57s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
CI / Security Audit (push) Has been skipped
CI / Tests (push) Has been skipped
CI / Detect Changes (push) Has been skipped
CI / Deploy Agent (push) Has been skipped
CI / Deploy Dashboard (push) Has been skipped
CI / Deploy Docs (push) Has been skipped
CI / Deploy MCP (push) Has been skipped
CI / Format (pull_request) Successful in 8s
CI / Clippy (pull_request) Failing after 1m53s
CI / Security Audit (pull_request) Has been skipped
CI / Tests (pull_request) Has been skipped
- Auto-generate webhook_secret on repository creation (UUID-based)
- Webhook routes use per-repo URLs: /webhook/{platform}/{repo_id}
- Verify signatures using per-repo secret (not global env var)
- Dashboard proxies webhooks to agent (agent not exposed publicly)
- Edit modal shows webhook URL + secret for user to copy into Gitea
- Add webhook-config API endpoint to retrieve per-repo secret
- Add Gitea option to edit dialog tracker type dropdown
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Sharang Parnerkar
@@ -433,6 +433,32 @@ pub async fn trigger_scan(
|
||||
Ok(Json(serde_json::json!({ "status": "scan_triggered" })))
|
||||
}
|
||||
|
||||
/// Return the webhook secret for a repository (used by dashboard to display it)
|
||||
pub async fn get_webhook_config(
|
||||
Extension(agent): AgentExt,
|
||||
Path(id): Path<String>,
|
||||
) -> Result<Json<serde_json::Value>, StatusCode> {
|
||||
let oid = mongodb::bson::oid::ObjectId::parse_str(&id).map_err(|_| StatusCode::BAD_REQUEST)?;
|
||||
let repo = agent
|
||||
.db
|
||||
.repositories()
|
||||
.find_one(doc! { "_id": oid })
|
||||
.await
|
||||
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
|
||||
.ok_or(StatusCode::NOT_FOUND)?;
|
||||
|
||||
let tracker_type = repo
|
||||
.tracker_type
|
||||
.as_ref()
|
||||
.map(|t| t.to_string())
|
||||
.unwrap_or_else(|| "gitea".to_string());
|
||||
|
||||
Ok(Json(serde_json::json!({
|
||||
"webhook_secret": repo.webhook_secret,
|
||||
"tracker_type": tracker_type,
|
||||
})))
|
||||
}
|
||||
|
||||
#[tracing::instrument(skip_all, fields(repo_id = %id))]
|
||||
pub async fn delete_repository(
|
||||
Extension(agent): AgentExt,
|
||||
|
||||
@@ -2,6 +2,7 @@ use axum::routing::{delete, get, patch, post};
|
||||
use axum::Router;
|
||||
|
||||
use crate::api::handlers;
|
||||
use crate::webhooks;
|
||||
|
||||
pub fn build_router() -> Router {
|
||||
Router::new()
|
||||
@@ -21,6 +22,10 @@ pub fn build_router() -> Router {
|
||||
"/api/v1/repositories/{id}",
|
||||
delete(handlers::delete_repository).patch(handlers::update_repository),
|
||||
)
|
||||
.route(
|
||||
"/api/v1/repositories/{id}/webhook-config",
|
||||
get(handlers::get_webhook_config),
|
||||
)
|
||||
.route("/api/v1/findings", get(handlers::list_findings))
|
||||
.route("/api/v1/findings/{id}", get(handlers::get_finding))
|
||||
.route(
|
||||
@@ -94,4 +99,17 @@ pub fn build_router() -> Router {
|
||||
"/api/v1/chat/{repo_id}/status",
|
||||
get(handlers::chat::embedding_status),
|
||||
)
|
||||
// Webhook endpoints (proxied through dashboard)
|
||||
.route(
|
||||
"/webhook/github/{repo_id}",
|
||||
post(webhooks::github::handle_github_webhook),
|
||||
)
|
||||
.route(
|
||||
"/webhook/gitlab/{repo_id}",
|
||||
post(webhooks::gitlab::handle_gitlab_webhook),
|
||||
)
|
||||
.route(
|
||||
"/webhook/gitea/{repo_id}",
|
||||
post(webhooks::gitea::handle_gitea_webhook),
|
||||
)
|
||||
}
|
||||
|
||||
@@ -31,7 +31,6 @@ pub fn load_config() -> Result<AgentConfig, AgentError> {
|
||||
gitlab_url: env_var_opt("GITLAB_URL"),
|
||||
gitlab_token: env_secret_opt("GITLAB_TOKEN"),
|
||||
gitlab_webhook_secret: env_secret_opt("GITLAB_WEBHOOK_SECRET"),
|
||||
gitea_webhook_secret: env_secret_opt("GITEA_WEBHOOK_SECRET"),
|
||||
jira_url: env_var_opt("JIRA_URL"),
|
||||
jira_email: env_var_opt("JIRA_EMAIL"),
|
||||
jira_api_token: env_secret_opt("JIRA_API_TOKEN"),
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
use std::sync::Arc;
|
||||
|
||||
use axum::body::Bytes;
|
||||
use axum::extract::Extension;
|
||||
use axum::extract::{Extension, Path};
|
||||
use axum::http::{HeaderMap, StatusCode};
|
||||
use hmac::{Hmac, Mac};
|
||||
use sha2::Sha256;
|
||||
@@ -14,19 +14,37 @@ type HmacSha256 = Hmac<Sha256>;
|
||||
|
||||
pub async fn handle_gitea_webhook(
|
||||
Extension(agent): Extension<Arc<ComplianceAgent>>,
|
||||
Path(repo_id): Path<String>,
|
||||
headers: HeaderMap,
|
||||
body: Bytes,
|
||||
) -> StatusCode {
|
||||
// Verify HMAC-SHA256 signature (Gitea uses X-Gitea-Signature, no sha256= prefix)
|
||||
if let Some(secret) = &agent.config.gitea_webhook_secret {
|
||||
use secrecy::ExposeSecret;
|
||||
// Look up the repo to get its webhook secret
|
||||
let oid = match mongodb::bson::oid::ObjectId::parse_str(&repo_id) {
|
||||
Ok(oid) => oid,
|
||||
Err(_) => return StatusCode::NOT_FOUND,
|
||||
};
|
||||
let repo = match agent
|
||||
.db
|
||||
.repositories()
|
||||
.find_one(mongodb::bson::doc! { "_id": oid })
|
||||
.await
|
||||
{
|
||||
Ok(Some(repo)) => repo,
|
||||
_ => {
|
||||
tracing::warn!("Gitea webhook: repo {repo_id} not found");
|
||||
return StatusCode::NOT_FOUND;
|
||||
}
|
||||
};
|
||||
|
||||
// Verify HMAC-SHA256 signature using the per-repo secret
|
||||
if let Some(secret) = &repo.webhook_secret {
|
||||
let signature = headers
|
||||
.get("x-gitea-signature")
|
||||
.and_then(|v| v.to_str().ok())
|
||||
.unwrap_or("");
|
||||
|
||||
if !verify_signature(secret.expose_secret(), &body, signature) {
|
||||
tracing::warn!("Gitea webhook: invalid signature");
|
||||
if !verify_signature(secret, &body, signature) {
|
||||
tracing::warn!("Gitea webhook: invalid signature for repo {repo_id}");
|
||||
return StatusCode::UNAUTHORIZED;
|
||||
}
|
||||
}
|
||||
@@ -45,8 +63,18 @@ pub async fn handle_gitea_webhook(
|
||||
};
|
||||
|
||||
match event {
|
||||
"push" => handle_push(agent, &payload).await,
|
||||
"pull_request" => handle_pull_request(agent, &payload).await,
|
||||
"push" => {
|
||||
let agent_clone = (*agent).clone();
|
||||
let repo_id = repo_id.clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("Gitea push webhook: triggering scan for {repo_id}");
|
||||
if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
|
||||
tracing::error!("Webhook-triggered scan failed: {e}");
|
||||
}
|
||||
});
|
||||
StatusCode::OK
|
||||
}
|
||||
"pull_request" => handle_pull_request(agent, &repo_id, &payload).await,
|
||||
_ => {
|
||||
tracing::debug!("Gitea webhook: ignoring event '{event}'");
|
||||
StatusCode::OK
|
||||
@@ -54,42 +82,9 @@ pub async fn handle_gitea_webhook(
|
||||
}
|
||||
}
|
||||
|
||||
async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
|
||||
let repo_url = payload["repository"]["clone_url"]
|
||||
.as_str()
|
||||
.or_else(|| payload["repository"]["html_url"].as_str())
|
||||
.unwrap_or("");
|
||||
|
||||
if repo_url.is_empty() {
|
||||
return StatusCode::BAD_REQUEST;
|
||||
}
|
||||
|
||||
let repo = agent
|
||||
.db
|
||||
.repositories()
|
||||
.find_one(mongodb::bson::doc! { "git_url": repo_url })
|
||||
.await
|
||||
.ok()
|
||||
.flatten();
|
||||
|
||||
if let Some(repo) = repo {
|
||||
let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
|
||||
let agent_clone = (*agent).clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("Gitea push webhook: triggering scan for {repo_id}");
|
||||
if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
|
||||
tracing::error!("Webhook-triggered scan failed: {e}");
|
||||
}
|
||||
});
|
||||
} else {
|
||||
tracing::debug!("Gitea push webhook: no tracked repo for {repo_url}");
|
||||
}
|
||||
|
||||
StatusCode::OK
|
||||
}
|
||||
|
||||
async fn handle_pull_request(
|
||||
agent: Arc<ComplianceAgent>,
|
||||
repo_id: &str,
|
||||
payload: &serde_json::Value,
|
||||
) -> StatusCode {
|
||||
let action = payload["action"].as_str().unwrap_or("");
|
||||
@@ -97,10 +92,6 @@ async fn handle_pull_request(
|
||||
return StatusCode::OK;
|
||||
}
|
||||
|
||||
let repo_url = payload["repository"]["clone_url"]
|
||||
.as_str()
|
||||
.or_else(|| payload["repository"]["html_url"].as_str())
|
||||
.unwrap_or("");
|
||||
let pr_number = payload["pull_request"]["number"].as_u64().unwrap_or(0);
|
||||
let head_sha = payload["pull_request"]["head"]["sha"]
|
||||
.as_str()
|
||||
@@ -109,42 +100,30 @@ async fn handle_pull_request(
|
||||
.as_str()
|
||||
.unwrap_or("");
|
||||
|
||||
if repo_url.is_empty() || pr_number == 0 || head_sha.is_empty() || base_sha.is_empty() {
|
||||
if pr_number == 0 || head_sha.is_empty() || base_sha.is_empty() {
|
||||
tracing::warn!("Gitea PR webhook: missing required fields");
|
||||
return StatusCode::BAD_REQUEST;
|
||||
}
|
||||
|
||||
let repo = agent
|
||||
.db
|
||||
.repositories()
|
||||
.find_one(mongodb::bson::doc! { "git_url": repo_url })
|
||||
.await
|
||||
.ok()
|
||||
.flatten();
|
||||
|
||||
if let Some(repo) = repo {
|
||||
let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
|
||||
let head_sha = head_sha.to_string();
|
||||
let base_sha = base_sha.to_string();
|
||||
let agent_clone = (*agent).clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("Gitea PR webhook: reviewing PR #{pr_number} on {repo_id}");
|
||||
if let Err(e) = agent_clone
|
||||
.run_pr_review(&repo_id, pr_number, &base_sha, &head_sha)
|
||||
.await
|
||||
{
|
||||
tracing::error!("PR review failed for #{pr_number}: {e}");
|
||||
}
|
||||
});
|
||||
} else {
|
||||
tracing::debug!("Gitea PR webhook: no tracked repo for {repo_url}");
|
||||
}
|
||||
let repo_id = repo_id.to_string();
|
||||
let head_sha = head_sha.to_string();
|
||||
let base_sha = base_sha.to_string();
|
||||
let agent_clone = (*agent).clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("Gitea PR webhook: reviewing PR #{pr_number} on {repo_id}");
|
||||
if let Err(e) = agent_clone
|
||||
.run_pr_review(&repo_id, pr_number, &base_sha, &head_sha)
|
||||
.await
|
||||
{
|
||||
tracing::error!("PR review failed for #{pr_number}: {e}");
|
||||
}
|
||||
});
|
||||
|
||||
StatusCode::OK
|
||||
}
|
||||
|
||||
fn verify_signature(secret: &str, body: &[u8], signature: &str) -> bool {
|
||||
// Gitea sends raw hex (no sha256= prefix unlike GitHub)
|
||||
// Gitea sends raw hex (no sha256= prefix)
|
||||
let sig_bytes = match hex::decode(signature) {
|
||||
Ok(b) => b,
|
||||
Err(_) => return false,
|
||||
|
||||
@@ -1,10 +1,9 @@
|
||||
use std::sync::Arc;
|
||||
|
||||
use axum::body::Bytes;
|
||||
use axum::extract::Extension;
|
||||
use axum::extract::{Extension, Path};
|
||||
use axum::http::{HeaderMap, StatusCode};
|
||||
use hmac::{Hmac, Mac};
|
||||
use secrecy::ExposeSecret;
|
||||
use sha2::Sha256;
|
||||
|
||||
use compliance_core::models::ScanTrigger;
|
||||
@@ -15,18 +14,37 @@ type HmacSha256 = Hmac<Sha256>;
|
||||
|
||||
pub async fn handle_github_webhook(
|
||||
Extension(agent): Extension<Arc<ComplianceAgent>>,
|
||||
Path(repo_id): Path<String>,
|
||||
headers: HeaderMap,
|
||||
body: Bytes,
|
||||
) -> StatusCode {
|
||||
// Verify HMAC signature
|
||||
if let Some(secret) = &agent.config.github_webhook_secret {
|
||||
// Look up the repo to get its webhook secret
|
||||
let oid = match mongodb::bson::oid::ObjectId::parse_str(&repo_id) {
|
||||
Ok(oid) => oid,
|
||||
Err(_) => return StatusCode::NOT_FOUND,
|
||||
};
|
||||
let repo = match agent
|
||||
.db
|
||||
.repositories()
|
||||
.find_one(mongodb::bson::doc! { "_id": oid })
|
||||
.await
|
||||
{
|
||||
Ok(Some(repo)) => repo,
|
||||
_ => {
|
||||
tracing::warn!("GitHub webhook: repo {repo_id} not found");
|
||||
return StatusCode::NOT_FOUND;
|
||||
}
|
||||
};
|
||||
|
||||
// Verify HMAC-SHA256 signature using the per-repo secret
|
||||
if let Some(secret) = &repo.webhook_secret {
|
||||
let signature = headers
|
||||
.get("x-hub-signature-256")
|
||||
.and_then(|v| v.to_str().ok())
|
||||
.unwrap_or("");
|
||||
|
||||
if !verify_signature(secret.expose_secret(), &body, signature) {
|
||||
tracing::warn!("GitHub webhook: invalid signature");
|
||||
if !verify_signature(secret, &body, signature) {
|
||||
tracing::warn!("GitHub webhook: invalid signature for repo {repo_id}");
|
||||
return StatusCode::UNAUTHORIZED;
|
||||
}
|
||||
}
|
||||
@@ -45,8 +63,18 @@ pub async fn handle_github_webhook(
|
||||
};
|
||||
|
||||
match event {
|
||||
"push" => handle_push(agent, &payload).await,
|
||||
"pull_request" => handle_pull_request(agent, &payload).await,
|
||||
"push" => {
|
||||
let agent_clone = (*agent).clone();
|
||||
let repo_id = repo_id.clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("GitHub push webhook: triggering scan for {repo_id}");
|
||||
if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
|
||||
tracing::error!("Webhook-triggered scan failed: {e}");
|
||||
}
|
||||
});
|
||||
StatusCode::OK
|
||||
}
|
||||
"pull_request" => handle_pull_request(agent, &repo_id, &payload).await,
|
||||
_ => {
|
||||
tracing::debug!("GitHub webhook: ignoring event '{event}'");
|
||||
StatusCode::OK
|
||||
@@ -54,43 +82,9 @@ pub async fn handle_github_webhook(
|
||||
}
|
||||
}
|
||||
|
||||
async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
|
||||
let repo_url = payload["repository"]["clone_url"]
|
||||
.as_str()
|
||||
.or_else(|| payload["repository"]["html_url"].as_str())
|
||||
.unwrap_or("");
|
||||
|
||||
if repo_url.is_empty() {
|
||||
return StatusCode::BAD_REQUEST;
|
||||
}
|
||||
|
||||
// Find matching tracked repository
|
||||
let repo = agent
|
||||
.db
|
||||
.repositories()
|
||||
.find_one(mongodb::bson::doc! { "git_url": repo_url })
|
||||
.await
|
||||
.ok()
|
||||
.flatten();
|
||||
|
||||
if let Some(repo) = repo {
|
||||
let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
|
||||
let agent_clone = (*agent).clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("GitHub push webhook: triggering scan for {repo_id}");
|
||||
if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
|
||||
tracing::error!("Webhook-triggered scan failed: {e}");
|
||||
}
|
||||
});
|
||||
} else {
|
||||
tracing::debug!("GitHub push webhook: no tracked repo for {repo_url}");
|
||||
}
|
||||
|
||||
StatusCode::OK
|
||||
}
|
||||
|
||||
async fn handle_pull_request(
|
||||
agent: Arc<ComplianceAgent>,
|
||||
repo_id: &str,
|
||||
payload: &serde_json::Value,
|
||||
) -> StatusCode {
|
||||
let action = payload["action"].as_str().unwrap_or("");
|
||||
@@ -98,7 +92,6 @@ async fn handle_pull_request(
|
||||
return StatusCode::OK;
|
||||
}
|
||||
|
||||
let repo_url = payload["repository"]["clone_url"].as_str().unwrap_or("");
|
||||
let pr_number = payload["pull_request"]["number"].as_u64().unwrap_or(0);
|
||||
let head_sha = payload["pull_request"]["head"]["sha"]
|
||||
.as_str()
|
||||
@@ -107,40 +100,29 @@ async fn handle_pull_request(
|
||||
.as_str()
|
||||
.unwrap_or("");
|
||||
|
||||
if repo_url.is_empty() || pr_number == 0 || head_sha.is_empty() || base_sha.is_empty() {
|
||||
if pr_number == 0 || head_sha.is_empty() || base_sha.is_empty() {
|
||||
return StatusCode::BAD_REQUEST;
|
||||
}
|
||||
|
||||
let repo = agent
|
||||
.db
|
||||
.repositories()
|
||||
.find_one(mongodb::bson::doc! { "git_url": repo_url })
|
||||
.await
|
||||
.ok()
|
||||
.flatten();
|
||||
|
||||
if let Some(repo) = repo {
|
||||
let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
|
||||
let head_sha = head_sha.to_string();
|
||||
let base_sha = base_sha.to_string();
|
||||
let agent_clone = (*agent).clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("GitHub PR webhook: reviewing PR #{pr_number} on {repo_id}");
|
||||
if let Err(e) = agent_clone
|
||||
.run_pr_review(&repo_id, pr_number, &base_sha, &head_sha)
|
||||
.await
|
||||
{
|
||||
tracing::error!("PR review failed for #{pr_number}: {e}");
|
||||
}
|
||||
});
|
||||
} else {
|
||||
tracing::debug!("GitHub PR webhook: no tracked repo for {repo_url}");
|
||||
}
|
||||
let repo_id = repo_id.to_string();
|
||||
let head_sha = head_sha.to_string();
|
||||
let base_sha = base_sha.to_string();
|
||||
let agent_clone = (*agent).clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("GitHub PR webhook: reviewing PR #{pr_number} on {repo_id}");
|
||||
if let Err(e) = agent_clone
|
||||
.run_pr_review(&repo_id, pr_number, &base_sha, &head_sha)
|
||||
.await
|
||||
{
|
||||
tracing::error!("PR review failed for #{pr_number}: {e}");
|
||||
}
|
||||
});
|
||||
|
||||
StatusCode::OK
|
||||
}
|
||||
|
||||
fn verify_signature(secret: &str, body: &[u8], signature: &str) -> bool {
|
||||
// GitHub sends sha256=<hex>
|
||||
let sig = signature.strip_prefix("sha256=").unwrap_or(signature);
|
||||
let sig_bytes = match hex::decode(sig) {
|
||||
Ok(b) => b,
|
||||
|
||||
@@ -1,9 +1,8 @@
|
||||
use std::sync::Arc;
|
||||
|
||||
use axum::body::Bytes;
|
||||
use axum::extract::Extension;
|
||||
use axum::extract::{Extension, Path};
|
||||
use axum::http::{HeaderMap, StatusCode};
|
||||
use secrecy::ExposeSecret;
|
||||
|
||||
use compliance_core::models::ScanTrigger;
|
||||
|
||||
@@ -11,18 +10,37 @@ use crate::agent::ComplianceAgent;
|
||||
|
||||
pub async fn handle_gitlab_webhook(
|
||||
Extension(agent): Extension<Arc<ComplianceAgent>>,
|
||||
Path(repo_id): Path<String>,
|
||||
headers: HeaderMap,
|
||||
body: Bytes,
|
||||
) -> StatusCode {
|
||||
// Verify GitLab token
|
||||
if let Some(secret) = &agent.config.gitlab_webhook_secret {
|
||||
// Look up the repo to get its webhook secret
|
||||
let oid = match mongodb::bson::oid::ObjectId::parse_str(&repo_id) {
|
||||
Ok(oid) => oid,
|
||||
Err(_) => return StatusCode::NOT_FOUND,
|
||||
};
|
||||
let repo = match agent
|
||||
.db
|
||||
.repositories()
|
||||
.find_one(mongodb::bson::doc! { "_id": oid })
|
||||
.await
|
||||
{
|
||||
Ok(Some(repo)) => repo,
|
||||
_ => {
|
||||
tracing::warn!("GitLab webhook: repo {repo_id} not found");
|
||||
return StatusCode::NOT_FOUND;
|
||||
}
|
||||
};
|
||||
|
||||
// GitLab sends the secret token in X-Gitlab-Token header (plain text comparison)
|
||||
if let Some(secret) = &repo.webhook_secret {
|
||||
let token = headers
|
||||
.get("x-gitlab-token")
|
||||
.and_then(|v| v.to_str().ok())
|
||||
.unwrap_or("");
|
||||
|
||||
if token != secret.expose_secret() {
|
||||
tracing::warn!("GitLab webhook: invalid token");
|
||||
if token != secret {
|
||||
tracing::warn!("GitLab webhook: invalid token for repo {repo_id}");
|
||||
return StatusCode::UNAUTHORIZED;
|
||||
}
|
||||
}
|
||||
@@ -38,8 +56,18 @@ pub async fn handle_gitlab_webhook(
|
||||
let event_type = payload["object_kind"].as_str().unwrap_or("");
|
||||
|
||||
match event_type {
|
||||
"push" => handle_push(agent, &payload).await,
|
||||
"merge_request" => handle_merge_request(agent, &payload).await,
|
||||
"push" => {
|
||||
let agent_clone = (*agent).clone();
|
||||
let repo_id = repo_id.clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("GitLab push webhook: triggering scan for {repo_id}");
|
||||
if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
|
||||
tracing::error!("Webhook-triggered scan failed: {e}");
|
||||
}
|
||||
});
|
||||
StatusCode::OK
|
||||
}
|
||||
"merge_request" => handle_merge_request(agent, &repo_id, &payload).await,
|
||||
_ => {
|
||||
tracing::debug!("GitLab webhook: ignoring event '{event_type}'");
|
||||
StatusCode::OK
|
||||
@@ -47,40 +75,9 @@ pub async fn handle_gitlab_webhook(
|
||||
}
|
||||
}
|
||||
|
||||
async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
|
||||
let repo_url = payload["project"]["git_http_url"]
|
||||
.as_str()
|
||||
.or_else(|| payload["project"]["web_url"].as_str())
|
||||
.unwrap_or("");
|
||||
|
||||
if repo_url.is_empty() {
|
||||
return StatusCode::BAD_REQUEST;
|
||||
}
|
||||
|
||||
let repo = agent
|
||||
.db
|
||||
.repositories()
|
||||
.find_one(mongodb::bson::doc! { "git_url": repo_url })
|
||||
.await
|
||||
.ok()
|
||||
.flatten();
|
||||
|
||||
if let Some(repo) = repo {
|
||||
let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
|
||||
let agent_clone = (*agent).clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("GitLab push webhook: triggering scan for {repo_id}");
|
||||
if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
|
||||
tracing::error!("Webhook-triggered scan failed: {e}");
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
StatusCode::OK
|
||||
}
|
||||
|
||||
async fn handle_merge_request(
|
||||
agent: Arc<ComplianceAgent>,
|
||||
repo_id: &str,
|
||||
payload: &serde_json::Value,
|
||||
) -> StatusCode {
|
||||
let action = payload["object_attributes"]["action"]
|
||||
@@ -90,49 +87,32 @@ async fn handle_merge_request(
|
||||
return StatusCode::OK;
|
||||
}
|
||||
|
||||
let repo_url = payload["project"]["git_http_url"]
|
||||
.as_str()
|
||||
.or_else(|| payload["project"]["web_url"].as_str())
|
||||
.unwrap_or("");
|
||||
let mr_iid = payload["object_attributes"]["iid"].as_u64().unwrap_or(0);
|
||||
let head_sha = payload["object_attributes"]["last_commit"]["id"]
|
||||
.as_str()
|
||||
.unwrap_or("");
|
||||
// GitLab doesn't include base sha directly; use the target branch's latest
|
||||
let base_sha = payload["object_attributes"]["diff_refs"]["base_sha"]
|
||||
.as_str()
|
||||
.unwrap_or("");
|
||||
|
||||
if repo_url.is_empty() || mr_iid == 0 || head_sha.is_empty() || base_sha.is_empty() {
|
||||
if mr_iid == 0 || head_sha.is_empty() || base_sha.is_empty() {
|
||||
tracing::warn!("GitLab MR webhook: missing required fields");
|
||||
return StatusCode::BAD_REQUEST;
|
||||
}
|
||||
|
||||
let repo = agent
|
||||
.db
|
||||
.repositories()
|
||||
.find_one(mongodb::bson::doc! { "git_url": repo_url })
|
||||
.await
|
||||
.ok()
|
||||
.flatten();
|
||||
|
||||
if let Some(repo) = repo {
|
||||
let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
|
||||
let head_sha = head_sha.to_string();
|
||||
let base_sha = base_sha.to_string();
|
||||
let agent_clone = (*agent).clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("GitLab MR webhook: reviewing MR !{mr_iid} on {repo_id}");
|
||||
if let Err(e) = agent_clone
|
||||
.run_pr_review(&repo_id, mr_iid, &base_sha, &head_sha)
|
||||
.await
|
||||
{
|
||||
tracing::error!("MR review failed for !{mr_iid}: {e}");
|
||||
}
|
||||
});
|
||||
} else {
|
||||
tracing::debug!("GitLab MR webhook: no tracked repo for {repo_url}");
|
||||
}
|
||||
let repo_id = repo_id.to_string();
|
||||
let head_sha = head_sha.to_string();
|
||||
let base_sha = base_sha.to_string();
|
||||
let agent_clone = (*agent).clone();
|
||||
tokio::spawn(async move {
|
||||
tracing::info!("GitLab MR webhook: reviewing MR !{mr_iid} on {repo_id}");
|
||||
if let Err(e) = agent_clone
|
||||
.run_pr_review(&repo_id, mr_iid, &base_sha, &head_sha)
|
||||
.await
|
||||
{
|
||||
tracing::error!("MR review failed for !{mr_iid}: {e}");
|
||||
}
|
||||
});
|
||||
|
||||
StatusCode::OK
|
||||
}
|
||||
|
||||
@@ -9,9 +9,19 @@ use crate::webhooks::{gitea, github, gitlab};
|
||||
|
||||
pub async fn start_webhook_server(agent: &ComplianceAgent) -> Result<(), AgentError> {
|
||||
let app = Router::new()
|
||||
.route("/webhook/github", post(github::handle_github_webhook))
|
||||
.route("/webhook/gitlab", post(gitlab::handle_gitlab_webhook))
|
||||
.route("/webhook/gitea", post(gitea::handle_gitea_webhook))
|
||||
// Per-repo webhook URLs: /webhook/{platform}/{repo_id}
|
||||
.route(
|
||||
"/webhook/github/{repo_id}",
|
||||
post(github::handle_github_webhook),
|
||||
)
|
||||
.route(
|
||||
"/webhook/gitlab/{repo_id}",
|
||||
post(gitlab::handle_gitlab_webhook),
|
||||
)
|
||||
.route(
|
||||
"/webhook/gitea/{repo_id}",
|
||||
post(gitea::handle_gitea_webhook),
|
||||
)
|
||||
.layer(Extension(Arc::new(agent.clone())));
|
||||
|
||||
let addr = "0.0.0.0:3002";
|
||||
|
||||
Reference in New Issue
Block a user