woodpecker/server/model/secret.go

183 lines
5.5 KiB
Go
Raw Normal View History

// Copyright 2021 Woodpecker Authors
2018-02-19 22:24:10 +00:00
// Copyright 2018 Drone.IO Inc.
2018-03-21 13:02:17 +00:00
//
2018-02-19 22:24:10 +00:00
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
2018-03-21 13:02:17 +00:00
//
2018-02-19 22:24:10 +00:00
// http://www.apache.org/licenses/LICENSE-2.0
2018-03-21 13:02:17 +00:00
//
2018-02-19 22:24:10 +00:00
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package model
2016-07-31 20:29:56 +00:00
import (
"errors"
"fmt"
"regexp"
"sort"
2016-07-31 20:29:56 +00:00
)
2016-04-21 08:18:20 +00:00
var (
ErrSecretNameInvalid = errors.New("Invalid Secret Name")
ErrSecretImageInvalid = errors.New("Invalid Secret Image")
ErrSecretValueInvalid = errors.New("Invalid Secret Value")
ErrSecretEventInvalid = errors.New("Invalid Secret Event")
)
// SecretService defines a service for managing secrets.
type SecretService interface {
SecretListPipeline(*Repo, *Pipeline, *ListOptions) ([]*Secret, error)
// Repository secrets
SecretFind(*Repo, string) (*Secret, error)
SecretList(*Repo, *ListOptions) ([]*Secret, error)
SecretCreate(*Repo, *Secret) error
SecretUpdate(*Repo, *Secret) error
SecretDelete(*Repo, string) error
// Organization secrets
OrgSecretFind(int64, string) (*Secret, error)
OrgSecretList(int64, *ListOptions) ([]*Secret, error)
OrgSecretCreate(int64, *Secret) error
OrgSecretUpdate(int64, *Secret) error
OrgSecretDelete(int64, string) error
// Global secrets
GlobalSecretFind(string) (*Secret, error)
GlobalSecretList(*ListOptions) ([]*Secret, error)
GlobalSecretCreate(*Secret) error
GlobalSecretUpdate(*Secret) error
GlobalSecretDelete(string) error
}
// SecretStore persists secret information to storage.
type SecretStore interface {
SecretFind(*Repo, string) (*Secret, error)
SecretList(*Repo, bool, *ListOptions) ([]*Secret, error)
SecretCreate(*Secret) error
SecretUpdate(*Secret) error
SecretDelete(*Secret) error
OrgSecretFind(int64, string) (*Secret, error)
OrgSecretList(int64, *ListOptions) ([]*Secret, error)
GlobalSecretFind(string) (*Secret, error)
GlobalSecretList(*ListOptions) ([]*Secret, error)
SecretListAll() ([]*Secret, error)
}
// Secret represents a secret variable, such as a password or token.
type Secret struct {
ID int64 `json:"id" xorm:"pk autoincr 'secret_id'"`
OrgID int64 `json:"org_id" xorm:"NOT NULL DEFAULT 0 UNIQUE(s) INDEX 'secret_org_id'"`
RepoID int64 `json:"repo_id" xorm:"NOT NULL DEFAULT 0 UNIQUE(s) INDEX 'secret_repo_id'"`
Name string `json:"name" xorm:"NOT NULL UNIQUE(s) INDEX 'secret_name'"`
Value string `json:"value,omitempty" xorm:"TEXT 'secret_value'"`
Images []string `json:"images" xorm:"json 'secret_images'"`
Events []WebhookEvent `json:"events" xorm:"json 'secret_events'"`
} // @name Secret
// TableName return database table name for xorm
func (Secret) TableName() string {
return "secrets"
}
// BeforeInsert will sort events before inserted into database
func (s *Secret) BeforeInsert() {
s.Events = sortEvents(s.Events)
}
// Global secret.
func (s Secret) IsGlobal() bool {
return s.RepoID == 0 && s.OrgID == 0
}
// Organization secret.
func (s Secret) IsOrganization() bool {
return s.RepoID == 0 && s.OrgID != 0
}
// Repository secret.
func (s Secret) IsRepository() bool {
return s.RepoID != 0 && s.OrgID == 0
}
// Match returns true if an image and event match the restricted list.
// Note that EventPullClosed are treated as EventPull.
func (s *Secret) Match(event WebhookEvent) bool {
// if there is no filter set secret matches all webhook events
2017-05-19 23:01:30 +00:00
if len(s.Events) == 0 {
return true
}
// tread all pull events the same way
if event == EventPullClosed {
event = EventPull
}
// one match is enough
for _, e := range s.Events {
if e == event {
return true
}
}
// a filter is set but the webhook did not match it
return false
}
var validDockerImageString = regexp.MustCompile(
2023-10-31 12:15:13 +00:00
`^(` +
`[\w\d\-_\.]+` + // hostname
`(:\d+)?` + // optional port
`/)?` + // optional hostname + port
`([\w\d\-_\.][\w\d\-_\.\/]*/)?` + // optional url prefix
`([\w\d\-_]+)` + // image name
`(:[\w\d\-_]+)?` + // optional image tag
`$`,
)
// Validate validates the required fields and formats.
func (s *Secret) Validate() error {
for _, event := range s.Events {
if err := ValidateWebhookEvent(event); err != nil {
return errors.Join(err, ErrSecretEventInvalid)
}
}
if len(s.Events) == 0 {
return fmt.Errorf("%w: no event specified", ErrSecretEventInvalid)
}
for _, image := range s.Images {
if len(image) == 0 {
return fmt.Errorf("%w: empty image in images", ErrSecretImageInvalid)
}
if !validDockerImageString.MatchString(image) {
return fmt.Errorf("%w: image '%s' do not match regexp '%s'", ErrSecretImageInvalid, image, validDockerImageString.String())
}
}
switch {
case len(s.Name) == 0:
return fmt.Errorf("%w: empty name", ErrSecretNameInvalid)
case len(s.Value) == 0:
return fmt.Errorf("%w: empty value", ErrSecretValueInvalid)
default:
return nil
}
}
// Copy makes a copy of the secret without the value.
func (s *Secret) Copy() *Secret {
return &Secret{
ID: s.ID,
OrgID: s.OrgID,
RepoID: s.RepoID,
Name: s.Name,
Images: s.Images,
Events: sortEvents(s.Events),
}
}
func sortEvents(wel WebhookEventList) WebhookEventList {
sort.Sort(wel)
return wel
}