Fix pr secret event names (#592)

* Fix pr secret event names
* Add validation for secret events
This commit is contained in:
Anbraten 2021-12-11 02:37:40 +01:00 committed by GitHub
parent f1e2f3dcad
commit cb97b39c82
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 129 additions and 57 deletions

View file

@ -500,12 +500,10 @@ func PostBuild(c *gin.Context) {
build.Error = ""
build.Deploy = c.DefaultQuery("deploy_to", build.Deploy)
event := c.DefaultQuery("event", build.Event)
if event == model.EventPush ||
event == model.EventPull ||
event == model.EventTag ||
event == model.EventDeploy {
build.Event = event
if event, ok := c.GetQuery("event"); ok {
if event := model.WebhookEvent(event); model.ValidateWebhookEvent(event) {
build.Event = event
}
}
err = _store.CreateBuild(build)

View file

@ -17,39 +17,39 @@ package model
// swagger:model build
type Build struct {
ID int64 `json:"id" xorm:"pk autoincr 'build_id'"`
RepoID int64 `json:"-" xorm:"UNIQUE(s) INDEX 'build_repo_id'"`
Number int64 `json:"number" xorm:"UNIQUE(s) 'build_number'"`
Author string `json:"author" xorm:"INDEX 'build_author'"`
ConfigID int64 `json:"-" xorm:"build_config_id"`
Parent int64 `json:"parent" xorm:"build_parent"`
Event string `json:"event" xorm:"build_event"`
Status StatusValue `json:"status" xorm:"INDEX 'build_status'"`
Error string `json:"error" xorm:"build_error"`
Enqueued int64 `json:"enqueued_at" xorm:"build_enqueued"`
Created int64 `json:"created_at" xorm:"build_created"`
Started int64 `json:"started_at" xorm:"build_started"`
Finished int64 `json:"finished_at" xorm:"build_finished"`
Deploy string `json:"deploy_to" xorm:"build_deploy"`
Commit string `json:"commit" xorm:"build_commit"`
Branch string `json:"branch" xorm:"build_branch"`
Ref string `json:"ref" xorm:"build_ref"`
Refspec string `json:"refspec" xorm:"build_refspec"`
Remote string `json:"remote" xorm:"build_remote"`
Title string `json:"title" xorm:"build_title"`
Message string `json:"message" xorm:"build_message"`
Timestamp int64 `json:"timestamp" xorm:"build_timestamp"`
Sender string `json:"sender" xorm:"build_sender"`
Avatar string `json:"author_avatar" xorm:"build_avatar"`
Email string `json:"author_email" xorm:"build_email"`
Link string `json:"link_url" xorm:"build_link"`
Signed bool `json:"signed" xorm:"build_signed"` // deprecate
Verified bool `json:"verified" xorm:"build_verified"` // deprecate
Reviewer string `json:"reviewed_by" xorm:"build_reviewer"`
Reviewed int64 `json:"reviewed_at" xorm:"build_reviewed"`
Procs []*Proc `json:"procs,omitempty" xorm:"-"`
Files []*File `json:"files,omitempty" xorm:"-"`
ChangedFiles []string `json:"changed_files,omitempty" xorm:"json 'changed_files'"`
ID int64 `json:"id" xorm:"pk autoincr 'build_id'"`
RepoID int64 `json:"-" xorm:"UNIQUE(s) INDEX 'build_repo_id'"`
Number int64 `json:"number" xorm:"UNIQUE(s) 'build_number'"`
Author string `json:"author" xorm:"INDEX 'build_author'"`
ConfigID int64 `json:"-" xorm:"build_config_id"`
Parent int64 `json:"parent" xorm:"build_parent"`
Event WebhookEvent `json:"event" xorm:"build_event"`
Status StatusValue `json:"status" xorm:"INDEX 'build_status'"`
Error string `json:"error" xorm:"build_error"`
Enqueued int64 `json:"enqueued_at" xorm:"build_enqueued"`
Created int64 `json:"created_at" xorm:"build_created"`
Started int64 `json:"started_at" xorm:"build_started"`
Finished int64 `json:"finished_at" xorm:"build_finished"`
Deploy string `json:"deploy_to" xorm:"build_deploy"`
Commit string `json:"commit" xorm:"build_commit"`
Branch string `json:"branch" xorm:"build_branch"`
Ref string `json:"ref" xorm:"build_ref"`
Refspec string `json:"refspec" xorm:"build_refspec"`
Remote string `json:"remote" xorm:"build_remote"`
Title string `json:"title" xorm:"build_title"`
Message string `json:"message" xorm:"build_message"`
Timestamp int64 `json:"timestamp" xorm:"build_timestamp"`
Sender string `json:"sender" xorm:"build_sender"`
Avatar string `json:"author_avatar" xorm:"build_avatar"`
Email string `json:"author_email" xorm:"build_email"`
Link string `json:"link_url" xorm:"build_link"`
Signed bool `json:"signed" xorm:"build_signed"` // deprecate
Verified bool `json:"verified" xorm:"build_verified"` // deprecate
Reviewer string `json:"reviewed_by" xorm:"build_reviewer"`
Reviewed int64 `json:"reviewed_at" xorm:"build_reviewed"`
Procs []*Proc `json:"procs,omitempty" xorm:"-"`
Files []*File `json:"files,omitempty" xorm:"-"`
ChangedFiles []string `json:"changed_files,omitempty" xorm:"json 'changed_files'"`
}
// TableName return database table name for xorm

View file

@ -14,13 +14,24 @@
package model
type WebhookEvent string
const (
EventPush = "push"
EventPull = "pull_request"
EventTag = "tag"
EventDeploy = "deployment"
EventPush WebhookEvent = "push"
EventPull WebhookEvent = "pull_request"
EventTag WebhookEvent = "tag"
EventDeploy WebhookEvent = "deployment"
)
func ValidateWebhookEvent(s WebhookEvent) bool {
switch s {
case EventPush, EventPull, EventTag, EventDeploy:
return true
default:
return false
}
}
// StatusValue represent pipeline states woodpecker know
type StatusValue string

View file

@ -23,6 +23,7 @@ import (
var (
errSecretNameInvalid = errors.New("Invalid Secret Name")
errSecretValueInvalid = errors.New("Invalid Secret Value")
errSecretEventInvalid = errors.New("Invalid Secret Event")
)
// SecretService defines a service for managing secrets.
@ -47,14 +48,14 @@ type SecretStore interface {
// Secret represents a secret variable, such as a password or token.
// swagger:model registry
type Secret struct {
ID int64 `json:"id" xorm:"pk autoincr 'secret_id'"`
RepoID int64 `json:"-" xorm:"UNIQUE(s) INDEX 'secret_repo_id'"`
Name string `json:"name" xorm:"UNIQUE(s) INDEX 'secret_name'"`
Value string `json:"value,omitempty" xorm:"TEXT 'secret_value'"`
Images []string `json:"image" xorm:"json 'secret_images'"`
Events []string `json:"event" xorm:"json 'secret_events'"`
SkipVerify bool `json:"-" xorm:"secret_skip_verify"`
Conceal bool `json:"-" xorm:"secret_conceal"`
ID int64 `json:"id" xorm:"pk autoincr 'secret_id'"`
RepoID int64 `json:"-" xorm:"UNIQUE(s) INDEX 'secret_repo_id'"`
Name string `json:"name" xorm:"UNIQUE(s) INDEX 'secret_name'"`
Value string `json:"value,omitempty" xorm:"TEXT 'secret_value'"`
Images []string `json:"image" xorm:"json 'secret_images'"`
Events []WebhookEvent `json:"event" xorm:"json 'secret_events'"`
SkipVerify bool `json:"-" xorm:"secret_skip_verify"`
Conceal bool `json:"-" xorm:"secret_conceal"`
}
// TableName return database table name for xorm
@ -63,12 +64,12 @@ func (Secret) TableName() string {
}
// Match returns true if an image and event match the restricted list.
func (s *Secret) Match(event string) bool {
func (s *Secret) Match(event WebhookEvent) bool {
if len(s.Events) == 0 {
return true
}
for _, pattern := range s.Events {
if match, _ := filepath.Match(pattern, event); match {
if match, _ := filepath.Match(string(pattern), string(event)); match {
return true
}
}
@ -77,6 +78,12 @@ func (s *Secret) Match(event string) bool {
// Validate validates the required fields and formats.
func (s *Secret) Validate() error {
for _, event := range s.Events {
if !ValidateWebhookEvent(event) {
return errSecretEventInvalid
}
}
switch {
case len(s.Name) == 0:
return errSecretNameInvalid

View file

@ -440,7 +440,7 @@ func repoStatus(c context.Context, client *github.Client, r *model.Repo, b *mode
ctx += "/pr"
default:
if len(b.Event) > 0 {
ctx += "/" + b.Event
ctx += "/" + string(b.Event)
}
}

View file

@ -305,7 +305,7 @@ func metadataFromStruct(repo *model.Repo, build, last *model.Build, proc *model.
Started: build.Started,
Finished: build.Finished,
Status: string(build.Status),
Event: build.Event,
Event: string(build.Event),
Link: build.Link,
Target: build.Deploy,
Commit: frontend.Commit{
@ -328,7 +328,7 @@ func metadataFromStruct(repo *model.Repo, build, last *model.Build, proc *model.
Started: last.Started,
Finished: last.Finished,
Status: string(last.Status),
Event: last.Event,
Event: string(last.Event),
Link: last.Link,
Target: last.Deploy,
Commit: frontend.Commit{

View file

@ -0,0 +1,55 @@
// Copyright 2021 Woodpecker Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package migration
import (
"xorm.io/xorm"
"github.com/woodpecker-ci/woodpecker/server/model"
)
var fixPRSecretEventName = task{
name: "fix-pr-secret-event-name",
fn: func(sess *xorm.Session) error {
const batchSize = 100
for start := 0; ; start += batchSize {
secrets := make([]*model.Secret, 0, batchSize)
if err := sess.Limit(batchSize, start).Table("secrets").Cols("secret_id", "secret_events").Where("secret_events LIKE '%pull-request%'").Find(&secrets); err != nil {
return err
}
if len(secrets) == 0 {
break
}
for _, secret := range secrets {
for i, event := range secret.Events {
if event == "pull-request" {
secret.Events[i] = "pull_request"
}
}
if _, err := sess.ID(secret.ID).Cols("secret_events").Update(secret); err != nil {
return err
}
}
}
if err := sess.Begin(); err != nil {
return err
}
return sess.Commit()
},
}

View file

@ -30,6 +30,7 @@ var migrationTasks = []task{
legacy2Xorm,
alterTableReposDropFallback,
alterTableReposDropAllowDeploysAllowTags,
fixPRSecretEventName,
}
type migrations struct {

View file

@ -1,6 +1,6 @@
export enum WebhookEvents {
Push = 'push',
Tag = 'tag',
PullRequest = 'pull-request',
PullRequest = 'pull_request',
Deploy = 'deploy',
}