author | Francois Kritzinger <francois@codesynthesis.com> | 2025-01-10 14:41:50 +0200 |
---|---|---|
committer | Francois Kritzinger <francois@codesynthesis.com> | 2025-01-15 14:21:05 +0200 |
commit | 4de6640c0d61a3c36a606eac01a8c2df8e212b03 (patch) | |
tree | f3f19cce83a8b94985fb0474217b36fb0b6e4b65 | |
parent | 2baa14d5e07095a5ce2d82f60806e34c20c4aa71 (diff) |
ci-github: Store webhook secret in a file
Keep secrets out of the configuration file for the sake of security.
-rw-r--r-- | etc/brep-module.conf | 8 | ||||
-rw-r--r-- | etc/private/install/brep-module.conf | 8 | ||||
-rw-r--r-- | mod/mod-ci-github.cxx | 42 | ||||
-rw-r--r-- | mod/mod-ci-github.hxx | 2 | ||||
-rw-r--r-- | mod/module.cli | 10 |
5 files changed, 53 insertions, 17 deletions
diff --git a/etc/brep-module.conf b/etc/brep-module.conf index fd6ba67..cdf028a 100644 --- a/etc/brep-module.conf +++ b/etc/brep-module.conf @@ -454,13 +454,15 @@ menu About=?about # The GitHub App's configured webhook secret. If not set, then the GitHub CI -# service is disabled. Note: make sure to choose a strong (random) secret. +# service is disabled. Note that the path must be absolute. Note: make sure to +# choose a strong (random) secret. # -# ci-github-app-webhook-secret +# ci-github-app-webhook-secret <path> # The private key used during GitHub API authentication for the specified -# GitHub App ID. Both vales are found in the GitHub App's settings. +# GitHub App ID. Both vales are found in the GitHub App's settings. Note that +# the paths must be absolute. # # ci-github-app-id-private-key <id>=<path> diff --git a/etc/private/install/brep-module.conf b/etc/private/install/brep-module.conf index 07db881..2545a87 100644 --- a/etc/private/install/brep-module.conf +++ b/etc/private/install/brep-module.conf @@ -462,13 +462,15 @@ submit-handler-timeout 120 # The GitHub App's configured webhook secret. If not set, then the GitHub CI -# service is disabled. Note: make sure to choose a strong (random) secret. +# service is disabled. Note that the path must be absolute. Note: make sure to +# choose a strong (random) secret. # -# ci-github-app-webhook-secret +# ci-github-app-webhook-secret <path> # The private key used during GitHub API authentication for the specified -# GitHub App ID. Both vales are found in the GitHub App's settings. +# GitHub App ID. Both vales are found in the GitHub App's settings. Note that +# the paths must be absolute. # # ci-github-app-id-private-key <id>=<path> diff --git a/mod/mod-ci-github.cxx b/mod/mod-ci-github.cxx index 44de247..139be68 100644 --- a/mod/mod-ci-github.cxx +++ b/mod/mod-ci-github.cxx 
@@ -77,12 +77,42 @@ namespace brep // Prepare for the CI requests handling, if configured. // - if (options_->build_config_specified () && - options_->ci_github_app_webhook_secret_specified ()) + if (options_->ci_github_app_webhook_secret_specified ()) { + if (!options_->build_config_specified ()) + fail << "package building functionality must be enabled"; + if (!options_->ci_github_app_id_private_key_specified ()) fail << "no app id/private key mappings configured"; + for (const auto& pr: options_->ci_github_app_id_private_key ()) + { + if (pr.second.relative ()) + fail << "ci-github-app-id-private-key path must be absolute"; + } + + // Read the webhook secret from the configured path. + // + { + const path& p (options_->ci_github_app_webhook_secret ()); + + if (p.relative ()) + fail << "ci-github-app-webhook-secret path must be absolute"; + + try + { + ifdstream is (p); + getline (is, webhook_secret_, '\0'); + + if (webhook_secret_.empty ()) + fail << "empty webhook secret in " << p; + } + catch (const io_error& e) + { + fail << "unable to read webhook secret from " << p << ": " << e; + } + } + ci_start::init (make_shared<options::ci_start> (*options_)); database_module::init (*options_, options_->build_db_retry ()); @@ -207,10 +237,10 @@ namespace brep // try { - string h ( - compute_hmac (*options_, - body.data (), body.size (), - options_->ci_github_app_webhook_secret ().c_str ())); + string h (compute_hmac (*options_, + body.data (), + body.size (), + webhook_secret_.c_str ())); if (!icasecmp (h, hmac)) { diff --git a/mod/mod-ci-github.hxx b/mod/mod-ci-github.hxx index 4fcfa7e..1e5f24f 100644 --- a/mod/mod-ci-github.hxx +++ b/mod/mod-ci-github.hxx @@ -145,6 +145,8 @@ namespace brep shared_ptr<options::ci_github> options_; tenant_service_map& tenant_service_map_; + + string webhook_secret_; }; } diff --git a/mod/module.cli b/mod/module.cli index 1273bf4..ba2b986 100644 --- a/mod/module.cli +++ b/mod/module.cli 
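Review bot: The read `getline (is, webhook_secret_, '\0');` keeps any trailing newline the secret file ends with (a file written by an editor or with `echo` normally has one), so the HMAC is computed over a key that differs from the one configured on GitHub and every delivery is rejected with no hint why. Either strip trailing line ends right after the read, e.g. `while (!webhook_secret_.empty () && (webhook_secret_.back () == '\n' || webhook_secret_.back () == '\r')) webhook_secret_.pop_back ();` placed before the emptiness check, or state in the option description that the file must hold the secret verbatim with no trailing newline. Given that the purpose of the change is to keep the secret out of the configuration file, the init path should also refuse to start (or at least warn) when the secret file is readable by group or others; I see no permission check in the hunk, only the absolute-path check. The `webhook_secret_.empty ()` branch may be unreachable if ifdstream's exception mask turns a zero-character getline (failbit) into an io_error, in which case an empty file reports "unable to read" rather than "empty secret" — worth confirming. The enclosing function starts before this hunk.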
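Review bot: The new argument `webhook_secret_.c_str ()` is consistent with the NUL-delimited read in init, so no issue with the change itself; the point I would raise is the comparison this digest feeds, `if (!icasecmp (h, hmac))` on the context line below it. As far as I can tell icasecmp is an ordinary early-exit string compare, so its running time depends on how many leading hex characters of the attacker-supplied signature match the real one; a length check followed by a comparison that always examines every character is the standard defensive practice for webhook signature verification. Since the commit does not touch that line this can be a follow-up, but it is worth a `// TODO: constant-time compare` so it is not forgotten. The enclosing handler begins and ends outside this hunk.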
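Review bot: The new member `string webhook_secret_;` carries no comment, so a reader of the header cannot tell where it is populated or that it holds a credential rather than, say, a file name. Suggest `// Webhook secret loaded from the ci-github-app-webhook-secret file in init () and used to verify the HMAC of incoming webhook requests (held in memory for the module's lifetime).` above the declaration, matching the two-line comment style used elsewhere in this file. The class declaration begins before this hunk.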
@@ -850,12 +850,12 @@ namespace brep // GitHub CI-specific options. // - string ci-github-app-webhook-secret + path ci-github-app-webhook-secret { - "<secret>", + "<path>", "The GitHub App's configured webhook secret. If not set, then the - GitHub CI service is disabled. Note: make sure to choose a strong - (random) secret." + GitHub CI service is disabled. Note that the path must be absolute. + Note: make sure to choose a strong (random) secret." } std::map<string, dir_path> ci-github-app-id-private-key @@ -863,7 +863,7 @@ namespace brep "<id>=<path>", "The private key used during GitHub API authentication for the specified GitHub App ID. Both vales are found in the GitHub App's - settings." + settings. Note that the paths must be absolute." } uint16_t ci-github-jwt-validity-period = 600 |
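Review bot: The new description of `path ci-github-app-webhook-secret` says the path must be absolute but not what the file must contain, which is the thing an operator setting this option actually needs: whether the whole file is the secret, whether a trailing newline is significant, and who may read it. From the accompanying mod-ci-github.cxx change the content is taken verbatim up to the first NUL, so a sentence such as `"Note that the path must be absolute and the file must contain only the secret itself. The file should be readable by the server user only."` in the description (and in the matching etc/brep-module.conf comments) would close both gaps. Whatever the trailing-newline behavior ends up being, documenting it here keeps it from becoming a support question.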
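Review bot: The typo "Both vales" on the context line of this hunk is carried verbatim into the new lines of the corresponding comments in etc/brep-module.conf and etc/private/install/brep-module.conf (`+# GitHub App ID. Both vales are found in the GitHub App's settings. Note that`), so this commit is a good moment to change it to `Both values are found` in all three places. Separately, the context shows the option typed as `std::map<string, dir_path> ci-github-app-id-private-key` although its values are private-key file paths (the new init code only calls `relative ()` on them); if that is intentional it deserves a short comment, otherwise `path` looks like the right type, but that is outside this change.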