compliance-scanner-agent/compliance-agent/src/webhooks/gitlab.rs

use std::sync::Arc;

use axum::body::Bytes;
use axum::extract::Extension;
use axum::http::{HeaderMap, StatusCode};
use secrecy::ExposeSecret;

use compliance_core::models::ScanTrigger;

use crate::agent::ComplianceAgent;

pub async fn handle_gitlab_webhook(
    Extension(agent): Extension<Arc<ComplianceAgent>>,
    headers: HeaderMap,
    body: Bytes,
) -> StatusCode {
    // Verify GitLab token
    if let Some(secret) = &agent.config.gitlab_webhook_secret {
        let token = headers
            .get("x-gitlab-token")
            .and_then(|v| v.to_str().ok())
            .unwrap_or("");

        if token != secret.expose_secret() {
            tracing::warn!("GitLab webhook: invalid token");
            return StatusCode::UNAUTHORIZED;
        }
    }

    let payload: serde_json::Value = match serde_json::from_slice(&body) {
        Ok(v) => v,
        Err(e) => {
            tracing::warn!("GitLab webhook: invalid JSON: {e}");
            return StatusCode::BAD_REQUEST;
        }
    };

    let event_type = payload["object_kind"].as_str().unwrap_or("");

    match event_type {
        "push" => handle_push(agent, &payload).await,
        "merge_request" => handle_merge_request(agent, &payload).await,
        _ => {
            tracing::debug!("GitLab webhook: ignoring event '{event_type}'");
            StatusCode::OK
        }
    }
}

async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
    let repo_url = payload["project"]["git_http_url"]
        .as_str()
        .or_else(|| payload["project"]["web_url"].as_str())
        .unwrap_or("");

    if repo_url.is_empty() {
        return StatusCode::BAD_REQUEST;
    }

    let repo = agent
        .db
        .repositories()
        .find_one(mongodb::bson::doc! { "git_url": repo_url })
        .await
        .ok()
        .flatten();

    if let Some(repo) = repo {
        let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
        let agent_clone = (*agent).clone();
        tokio::spawn(async move {
            tracing::info!("GitLab push webhook: triggering scan for {repo_id}");
            if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
                tracing::error!("Webhook-triggered scan failed: {e}");
            }
        });
    }

    StatusCode::OK
}

async fn handle_merge_request(
    _agent: Arc<ComplianceAgent>,
    payload: &serde_json::Value,
) -> StatusCode {
    let action = payload["object_attributes"]["action"]
        .as_str()
        .unwrap_or("");
    if action != "open" && action != "update" {
        return StatusCode::OK;
    }

    let mr_iid = payload["object_attributes"]["iid"].as_u64().unwrap_or(0);
    tracing::info!("GitLab MR webhook: MR !{mr_iid} {action}");

    StatusCode::OK
}