feat: per-repo issue tracker, Gitea support, PR review pipeline (#10)

compliance-agent/src/webhooks/gitlab.rs

@@ -1,9 +1,8 @@
 use std::sync::Arc;
 
 use axum::body::Bytes;
-use axum::extract::Extension;
+use axum::extract::{Extension, Path};
 use axum::http::{HeaderMap, StatusCode};
-use secrecy::ExposeSecret;
 
 use compliance_core::models::ScanTrigger;
 
@@ -11,18 +10,37 @@ use crate::agent::ComplianceAgent;
 
 pub async fn handle_gitlab_webhook(
     Extension(agent): Extension<Arc<ComplianceAgent>>,
+    Path(repo_id): Path<String>,
     headers: HeaderMap,
     body: Bytes,
 ) -> StatusCode {
-    // Verify GitLab token
-    if let Some(secret) = &agent.config.gitlab_webhook_secret {
+    // Look up the repo to get its webhook secret
+    let oid = match mongodb::bson::oid::ObjectId::parse_str(&repo_id) {
+        Ok(oid) => oid,
+        Err(_) => return StatusCode::NOT_FOUND,
+    };
+    let repo = match agent
+        .db
+        .repositories()
+        .find_one(mongodb::bson::doc! { "_id": oid })
+        .await
+    {
+        Ok(Some(repo)) => repo,
+        _ => {
+            tracing::warn!("GitLab webhook: repo {repo_id} not found");
+            return StatusCode::NOT_FOUND;
+        }
+    };
+
+    // GitLab sends the secret token in X-Gitlab-Token header (plain text comparison)
+    if let Some(secret) = &repo.webhook_secret {
         let token = headers
             .get("x-gitlab-token")
             .and_then(|v| v.to_str().ok())
             .unwrap_or("");
 
-        if token != secret.expose_secret() {
-            tracing::warn!("GitLab webhook: invalid token");
+        if token != secret {
+            tracing::warn!("GitLab webhook: invalid token for repo {repo_id}");
             return StatusCode::UNAUTHORIZED;
         }
     }
@@ -38,8 +56,18 @@ pub async fn handle_gitlab_webhook(
     let event_type = payload["object_kind"].as_str().unwrap_or("");
 
     match event_type {
-        "push" => handle_push(agent, &payload).await,
-        "merge_request" => handle_merge_request(agent, &payload).await,
+        "push" => {
+            let agent_clone = (*agent).clone();
+            let repo_id = repo_id.clone();
+            tokio::spawn(async move {
+                tracing::info!("GitLab push webhook: triggering scan for {repo_id}");
+                if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
+                    tracing::error!("Webhook-triggered scan failed: {e}");
+                }
+            });
+            StatusCode::OK
+        }
+        "merge_request" => handle_merge_request(agent, &repo_id, &payload).await,
         _ => {
             tracing::debug!("GitLab webhook: ignoring event '{event_type}'");
             StatusCode::OK
@@ -47,40 +75,9 @@ pub async fn handle_gitlab_webhook(
     }
 }
 
-async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
-    let repo_url = payload["project"]["git_http_url"]
-        .as_str()
-        .or_else(|| payload["project"]["web_url"].as_str())
-        .unwrap_or("");
-
-    if repo_url.is_empty() {
-        return StatusCode::BAD_REQUEST;
-    }
-
-    let repo = agent
-        .db
-        .repositories()
-        .find_one(mongodb::bson::doc! { "git_url": repo_url })
-        .await
-        .ok()
-        .flatten();
-
-    if let Some(repo) = repo {
-        let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
-        let agent_clone = (*agent).clone();
-        tokio::spawn(async move {
-            tracing::info!("GitLab push webhook: triggering scan for {repo_id}");
-            if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
-                tracing::error!("Webhook-triggered scan failed: {e}");
-            }
-        });
-    }
-
-    StatusCode::OK
-}
-
 async fn handle_merge_request(
-    _agent: Arc<ComplianceAgent>,
+    agent: Arc<ComplianceAgent>,
+    repo_id: &str,
     payload: &serde_json::Value,
 ) -> StatusCode {
     let action = payload["object_attributes"]["action"]
@@ -91,7 +88,31 @@ async fn handle_merge_request(
     }
 
     let mr_iid = payload["object_attributes"]["iid"].as_u64().unwrap_or(0);
-    tracing::info!("GitLab MR webhook: MR !{mr_iid} {action}");
+    let head_sha = payload["object_attributes"]["last_commit"]["id"]
+        .as_str()
+        .unwrap_or("");
+    let base_sha = payload["object_attributes"]["diff_refs"]["base_sha"]
+        .as_str()
+        .unwrap_or("");
+
+    if mr_iid == 0 || head_sha.is_empty() || base_sha.is_empty() {
+        tracing::warn!("GitLab MR webhook: missing required fields");
+        return StatusCode::BAD_REQUEST;
+    }
+
+    let repo_id = repo_id.to_string();
+    let head_sha = head_sha.to_string();
+    let base_sha = base_sha.to_string();
+    let agent_clone = (*agent).clone();
+    tokio::spawn(async move {
+        tracing::info!("GitLab MR webhook: reviewing MR !{mr_iid} on {repo_id}");
+        if let Err(e) = agent_clone
+            .run_pr_review(&repo_id, mr_iid, &base_sha, &head_sha)
+            .await
+        {
+            tracing::error!("MR review failed for !{mr_iid}: {e}");
+        }
+    });
 
     StatusCode::OK
 }