author | Francois Kritzinger <francois@codesynthesis.com> | 2025-01-10 14:41:50 +0200 |
---|---|---|
committer | Francois Kritzinger <francois@codesynthesis.com> | 2025-01-10 16:06:32 +0200 |
commit | 31a8c9b8009acdeecfb26202a597fb5091369c28 (patch) | |
tree | 13b391eb104f7bdf85b7ea16b120c64f21bb22c5 /mod | |
parent | a526c1bc524d2cdf4e44d18f25047280688a6fae (diff) |
ci-github: Store webhook secret in a fileci-github
Keep secrets out of the configuration file for the sake of security.
Diffstat (limited to 'mod')
-rw-r--r-- | mod/mod-ci-github.cxx | 39 | ||||
-rw-r--r-- | mod/mod-ci-github.hxx | 2 | ||||
-rw-r--r-- | mod/module.cli | 10 |
3 files changed, 42 insertions, 9 deletions
diff --git a/mod/mod-ci-github.cxx b/mod/mod-ci-github.cxx
index 44de247..e008314 100644
--- a/mod/mod-ci-github.cxx
+++ b/mod/mod-ci-github.cxx
@@ -77,15 +77,46 @@ namespace brep
 // Prepare for the CI requests handling, if configured.
 //
+ // @@ TMP Shouldn't we be checking options_->ci_data_specified () like
+ // mod-ci does?
+ //
 if (options_->build_config_specified () && options_->ci_github_app_webhook_secret_specified ())
 {
 if (!options_->ci_github_app_id_private_key_specified ())
 fail << "no app id/private key mappings configured";
+ for (const auto& pr: options_->ci_github_app_id_private_key ())
+ {
+ if (pr.second.relative ())
+ fail << "ci-github-app-id-private-key paths must be absolute";
+ }
+
 ci_start::init (make_shared<options::ci_start> (*options_));
 database_module::init (*options_, options_->build_db_retry ());
+
+ // Read the webhook secret from the configured path.
+ //
+ {
+ const path& p (options_->ci_github_app_webhook_secret ());
+
+ if (p.relative ())
+ fail << "ci-github-app-webhook-secret path must be absolute";
+
+ try
+ {
+ ifdstream is (p);
+ getline (is, webhook_secret_);
+
+ if (webhook_secret_.empty ())
+ fail << "empty webhook secret read from " << p;
+ }
+ catch (const io_error& e)
+ {
+ fail << "unable to read webhook secret file " << p << ": " << e;
+ }
+ }
 }
 }
@@ -207,10 +238,10 @@ namespace brep
 //
 try
 {
- string h (
- compute_hmac (*options_,
- body.data (), body.size (),
- options_->ci_github_app_webhook_secret ().c_str ()));
+ string h (compute_hmac (*options_,
+ body.data (),
+ body.size (),
+ webhook_secret_.c_str ()));
 if (!icasecmp (h, hmac))
 {
diff --git a/mod/mod-ci-github.hxx b/mod/mod-ci-github.hxx
index 4fcfa7e..1e5f24f 100644
--- a/mod/mod-ci-github.hxx
+++ b/mod/mod-ci-github.hxx
@@ -145,6 +145,8 @@ namespace brep
 shared_ptr<options::ci_github> options_;
 tenant_service_map& tenant_service_map_;
+
+ string webhook_secret_;
 };
 }
diff --git a/mod/module.cli b/mod/module.cli
index 1273bf4..ba2b986 100644
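Review bot: The secret read by `getline (is, webhook_secret_)` in the new block is used verbatim, so a file saved with CRLF line endings or with trailing spaces yields a secret carrying a `\r`/whitespace suffix, and every webhook is then rejected as a bad signature with no hint that the file is the cause. Trimming after the read, `webhook_secret_.erase (webhook_secret_.find_last_not_of (" \t\r") + 1);`, fixes that and lets an all-whitespace line fall through to the existing empty check (npos + 1 wraps to 0). Since the stated purpose of the commit is keeping the secret out of the config file, it would also be worth rejecting, or at least documenting in the `ci-github-app-webhook-secret` description in module.cli, a group- or world-readable secret file; libbutl's path_permissions() could serve for the check if it is available in this module. The enclosing function begins outside the hunk.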
--- a/mod/module.cli
+++ b/mod/module.cli
@@ -850,12 +850,12 @@ namespace brep
 // GitHub CI-specific options.
 //
- string ci-github-app-webhook-secret
+ path ci-github-app-webhook-secret
 {
- "<secret>",
+ "<path>",
 "The GitHub App's configured webhook secret. If not set, then the
- GitHub CI service is disabled. Note: make sure to choose a strong
- (random) secret."
+ GitHub CI service is disabled. Note that the path must be absolute.
+ Note: make sure to choose a strong (random) secret."
 }
 std::map<string, dir_path> ci-github-app-id-private-key
@@ -863,7 +863,7 @@ namespace brep
 "<id>=<path>",
 "The private key used during GitHub API authentication for the specified GitHub App ID. Both vales are found in the GitHub App's
- settings."
+ settings. Note that the paths must be absolute."
 }
 uint16_t ci-github-jwt-validity-period = 600 |
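Review bot: The updated `ci-github-app-webhook-secret` description says the path must be absolute but not what the file must contain, while the mod-ci-github.cxx change reads only the first line, drops its newline and rejects an empty line. Suggested addition after the absolute-path sentence: `The secret is read from the first line of the file. Make sure the file is readable only by the user the web server runs as.` The second sentence is advisory wording in the spirit of the existing strong-secret note; the module does not currently enforce it.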