2021-11-13 19:18:06 +00:00
|
|
|
// Copyright 2021 Woodpecker Authors
|
2018-02-19 22:24:10 +00:00
|
|
|
// Copyright 2018 Drone.IO Inc.
|
2018-03-21 13:02:17 +00:00
|
|
|
//
|
2018-02-19 22:24:10 +00:00
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
2018-03-21 13:02:17 +00:00
|
|
|
//
|
2018-02-19 22:24:10 +00:00
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
2018-03-21 13:02:17 +00:00
|
|
|
//
|
2018-02-19 22:24:10 +00:00
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
2016-03-31 19:01:32 +00:00
|
|
|
package model
|
|
|
|
|
2016-07-31 20:29:56 +00:00
|
|
|
import (
|
2017-04-11 17:06:45 +00:00
|
|
|
"errors"
|
2021-12-17 23:09:09 +00:00
|
|
|
"fmt"
|
2021-12-30 06:26:36 +00:00
|
|
|
"regexp"
|
2022-09-29 20:46:20 +00:00
|
|
|
"sort"
|
2016-07-31 20:29:56 +00:00
|
|
|
)
|
2016-04-21 08:18:20 +00:00
|
|
|
|
2017-04-11 17:06:45 +00:00
|
|
|
var (
|
2024-01-10 21:56:42 +00:00
|
|
|
ErrSecretNameInvalid = errors.New("invalid secret name")
|
|
|
|
ErrSecretImageInvalid = errors.New("invalid secret image")
|
|
|
|
ErrSecretValueInvalid = errors.New("invalid secret value")
|
|
|
|
ErrSecretEventInvalid = errors.New("invalid secret event")
|
2017-04-11 17:06:45 +00:00
|
|
|
)
|
2016-11-16 19:28:36 +00:00
|
|
|
|
2017-04-11 17:06:45 +00:00
|
|
|
// SecretService defines a service for managing secrets.
|
|
|
|
type SecretService interface {
|
2023-04-30 01:40:13 +00:00
|
|
|
SecretListPipeline(*Repo, *Pipeline, *ListOptions) ([]*Secret, error)
|
2022-08-14 11:48:53 +00:00
|
|
|
// Repository secrets
|
2017-04-11 17:06:45 +00:00
|
|
|
SecretFind(*Repo, string) (*Secret, error)
|
2023-04-30 01:40:13 +00:00
|
|
|
SecretList(*Repo, *ListOptions) ([]*Secret, error)
|
2017-04-11 17:06:45 +00:00
|
|
|
SecretCreate(*Repo, *Secret) error
|
|
|
|
SecretUpdate(*Repo, *Secret) error
|
|
|
|
SecretDelete(*Repo, string) error
|
2022-08-14 11:48:53 +00:00
|
|
|
// Organization secrets
|
2023-07-21 17:45:32 +00:00
|
|
|
OrgSecretFind(int64, string) (*Secret, error)
|
|
|
|
OrgSecretList(int64, *ListOptions) ([]*Secret, error)
|
|
|
|
OrgSecretCreate(int64, *Secret) error
|
|
|
|
OrgSecretUpdate(int64, *Secret) error
|
|
|
|
OrgSecretDelete(int64, string) error
|
2022-08-14 11:48:53 +00:00
|
|
|
// Global secrets
|
|
|
|
GlobalSecretFind(string) (*Secret, error)
|
2023-04-30 01:40:13 +00:00
|
|
|
GlobalSecretList(*ListOptions) ([]*Secret, error)
|
2022-08-14 11:48:53 +00:00
|
|
|
GlobalSecretCreate(*Secret) error
|
|
|
|
GlobalSecretUpdate(*Secret) error
|
|
|
|
GlobalSecretDelete(string) error
|
2016-03-31 19:01:32 +00:00
|
|
|
}
|
|
|
|
|
2017-04-11 17:06:45 +00:00
|
|
|
// SecretStore persists secret information to storage.
|
|
|
|
type SecretStore interface {
|
|
|
|
SecretFind(*Repo, string) (*Secret, error)
|
2023-04-30 01:40:13 +00:00
|
|
|
SecretList(*Repo, bool, *ListOptions) ([]*Secret, error)
|
2017-04-11 17:06:45 +00:00
|
|
|
SecretCreate(*Secret) error
|
|
|
|
SecretUpdate(*Secret) error
|
|
|
|
SecretDelete(*Secret) error
|
2023-07-21 17:45:32 +00:00
|
|
|
OrgSecretFind(int64, string) (*Secret, error)
|
|
|
|
OrgSecretList(int64, *ListOptions) ([]*Secret, error)
|
2022-08-14 11:48:53 +00:00
|
|
|
GlobalSecretFind(string) (*Secret, error)
|
2023-04-30 01:40:13 +00:00
|
|
|
GlobalSecretList(*ListOptions) ([]*Secret, error)
|
2023-01-12 19:59:07 +00:00
|
|
|
SecretListAll() ([]*Secret, error)
|
2016-04-21 07:25:30 +00:00
|
|
|
}
|
|
|
|
|
2017-04-11 17:06:45 +00:00
|
|
|
// Secret represents a secret variable, such as a password or token.
|
|
|
|
type Secret struct {
|
2023-10-24 18:38:47 +00:00
|
|
|
ID int64 `json:"id" xorm:"pk autoincr 'secret_id'"`
|
2023-12-16 09:29:13 +00:00
|
|
|
OrgID int64 `json:"org_id" xorm:"NOT NULL DEFAULT 0 UNIQUE(s) INDEX 'secret_org_id'"`
|
|
|
|
RepoID int64 `json:"repo_id" xorm:"NOT NULL DEFAULT 0 UNIQUE(s) INDEX 'secret_repo_id'"`
|
2023-10-24 18:38:47 +00:00
|
|
|
Name string `json:"name" xorm:"NOT NULL UNIQUE(s) INDEX 'secret_name'"`
|
|
|
|
Value string `json:"value,omitempty" xorm:"TEXT 'secret_value'"`
|
|
|
|
Images []string `json:"images" xorm:"json 'secret_images'"`
|
|
|
|
Events []WebhookEvent `json:"events" xorm:"json 'secret_events'"`
|
2023-06-03 19:38:36 +00:00
|
|
|
} // @name Secret
|
2021-11-13 19:18:06 +00:00
|
|
|
|
|
|
|
// TableName return database table name for xorm
|
|
|
|
func (Secret) TableName() string {
|
|
|
|
return "secrets"
|
2016-04-21 07:25:30 +00:00
|
|
|
}
|
|
|
|
|
2022-09-29 20:46:20 +00:00
|
|
|
// BeforeInsert will sort events before inserted into database
|
|
|
|
func (s *Secret) BeforeInsert() {
|
|
|
|
s.Events = sortEvents(s.Events)
|
|
|
|
}
|
|
|
|
|
2022-08-14 11:48:53 +00:00
|
|
|
// Global secret.
|
2023-12-16 09:29:13 +00:00
|
|
|
func (s Secret) IsGlobal() bool {
|
2023-07-21 17:45:32 +00:00
|
|
|
return s.RepoID == 0 && s.OrgID == 0
|
2022-08-14 11:48:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Organization secret.
|
2023-12-16 09:29:13 +00:00
|
|
|
func (s Secret) IsOrganization() bool {
|
2023-07-21 17:45:32 +00:00
|
|
|
return s.RepoID == 0 && s.OrgID != 0
|
2022-08-14 11:48:53 +00:00
|
|
|
}
|
|
|
|
|
2023-12-16 09:29:13 +00:00
|
|
|
// Repository secret.
|
|
|
|
func (s Secret) IsRepository() bool {
|
|
|
|
return s.RepoID != 0 && s.OrgID == 0
|
|
|
|
}
|
|
|
|
|
2017-04-11 17:06:45 +00:00
|
|
|
// Match returns true if an image and event match the restricted list.
|
2023-12-31 20:43:24 +00:00
|
|
|
// Note that EventPullClosed are treated as EventPull.
|
2021-12-11 01:37:40 +00:00
|
|
|
func (s *Secret) Match(event WebhookEvent) bool {
|
2023-12-31 20:43:24 +00:00
|
|
|
// if there is no filter set secret matches all webhook events
|
2017-05-19 23:01:30 +00:00
|
|
|
if len(s.Events) == 0 {
|
|
|
|
return true
|
|
|
|
}
|
2023-12-31 20:43:24 +00:00
|
|
|
// tread all pull events the same way
|
|
|
|
if event == EventPullClosed {
|
|
|
|
event = EventPull
|
|
|
|
}
|
|
|
|
// one match is enough
|
|
|
|
for _, e := range s.Events {
|
|
|
|
if e == event {
|
2016-04-21 07:25:30 +00:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
2023-12-31 20:43:24 +00:00
|
|
|
// a filter is set but the webhook did not match it
|
2016-04-21 07:25:30 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2021-12-30 06:26:36 +00:00
|
|
|
var validDockerImageString = regexp.MustCompile(
|
2023-10-31 12:15:13 +00:00
|
|
|
`^(` +
|
|
|
|
`[\w\d\-_\.]+` + // hostname
|
|
|
|
`(:\d+)?` + // optional port
|
|
|
|
`/)?` + // optional hostname + port
|
|
|
|
`([\w\d\-_\.][\w\d\-_\.\/]*/)?` + // optional url prefix
|
|
|
|
`([\w\d\-_]+)` + // image name
|
|
|
|
`(:[\w\d\-_]+)?` + // optional image tag
|
|
|
|
`$`,
|
2021-12-30 06:26:36 +00:00
|
|
|
)
|
|
|
|
|
2016-04-21 07:25:30 +00:00
|
|
|
// Validate validates the required fields and formats.
|
2016-03-31 19:01:32 +00:00
|
|
|
func (s *Secret) Validate() error {
|
2021-12-11 01:37:40 +00:00
|
|
|
for _, event := range s.Events {
|
2023-04-30 15:02:47 +00:00
|
|
|
if err := ValidateWebhookEvent(event); err != nil {
|
|
|
|
return errors.Join(err, ErrSecretEventInvalid)
|
2021-12-11 01:37:40 +00:00
|
|
|
}
|
|
|
|
}
|
2021-12-30 06:26:36 +00:00
|
|
|
if len(s.Events) == 0 {
|
2023-02-01 23:08:02 +00:00
|
|
|
return fmt.Errorf("%w: no event specified", ErrSecretEventInvalid)
|
2021-12-30 06:26:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
for _, image := range s.Images {
|
|
|
|
if len(image) == 0 {
|
2023-02-01 23:08:02 +00:00
|
|
|
return fmt.Errorf("%w: empty image in images", ErrSecretImageInvalid)
|
2021-12-30 06:26:36 +00:00
|
|
|
}
|
|
|
|
if !validDockerImageString.MatchString(image) {
|
2023-02-01 23:08:02 +00:00
|
|
|
return fmt.Errorf("%w: image '%s' do not match regexp '%s'", ErrSecretImageInvalid, image, validDockerImageString.String())
|
2021-12-30 06:26:36 +00:00
|
|
|
}
|
|
|
|
}
|
2021-12-11 01:37:40 +00:00
|
|
|
|
2017-04-11 17:06:45 +00:00
|
|
|
switch {
|
|
|
|
case len(s.Name) == 0:
|
2023-02-01 23:08:02 +00:00
|
|
|
return fmt.Errorf("%w: empty name", ErrSecretNameInvalid)
|
2017-04-11 17:06:45 +00:00
|
|
|
case len(s.Value) == 0:
|
2023-02-01 23:08:02 +00:00
|
|
|
return fmt.Errorf("%w: empty value", ErrSecretValueInvalid)
|
2017-04-11 17:06:45 +00:00
|
|
|
default:
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Copy makes a copy of the secret without the value.
|
|
|
|
func (s *Secret) Copy() *Secret {
|
|
|
|
return &Secret{
|
2023-10-24 18:38:47 +00:00
|
|
|
ID: s.ID,
|
|
|
|
OrgID: s.OrgID,
|
|
|
|
RepoID: s.RepoID,
|
|
|
|
Name: s.Name,
|
|
|
|
Images: s.Images,
|
|
|
|
Events: sortEvents(s.Events),
|
2017-04-11 17:06:45 +00:00
|
|
|
}
|
2016-03-31 19:01:32 +00:00
|
|
|
}
|
2022-09-29 20:46:20 +00:00
|
|
|
|
|
|
|
func sortEvents(wel WebhookEventList) WebhookEventList {
|
|
|
|
sort.Sort(wel)
|
|
|
|
return wel
|
|
|
|
}
|