-rw-r--r-- | etc/private/install/brep-module.conf | 8 | ||||
-rw-r--r-- | mod/mod-ci-github.cxx | 39 | ||||
-rw-r--r-- | mod/mod-ci-github.hxx | 2 | ||||
-rw-r--r-- | mod/module.cli | 10 |
4 files changed, 47 insertions, 12 deletions
diff --git a/etc/private/install/brep-module.conf b/etc/private/install/brep-module.conf
index 07db881..2545a87 100644
--- a/etc/private/install/brep-module.conf
+++ b/etc/private/install/brep-module.conf
@@ -462,13 +462,15 @@ submit-handler-timeout 120
 
 
 # The GitHub App's configured webhook secret. If not set, then the GitHub CI
-# service is disabled. Note: make sure to choose a strong (random) secret.
+# service is disabled. Note that the path must be absolute. Note: make sure to
+# choose a strong (random) secret.
 #
-# ci-github-app-webhook-secret
+# ci-github-app-webhook-secret <path>
 
 
 # The private key used during GitHub API authentication for the specified
-# GitHub App ID. Both vales are found in the GitHub App's settings.
+# GitHub App ID. Both vales are found in the GitHub App's settings. Note that
+# the paths must be absolute.
 #
 # ci-github-app-id-private-key <id>=<path>
 
diff --git a/mod/mod-ci-github.cxx b/mod/mod-ci-github.cxx
index 44de247..e008314 100644
--- a/mod/mod-ci-github.cxx
+++ b/mod/mod-ci-github.cxx
@@ -77,15 +77,46 @@ namespace brep
 
     // Prepare for the CI requests handling, if configured.
     //
+    // @@ TMP Shouldn't we be checking options_->ci_data_specified () like
+    // mod-ci does?
+    //
     if (options_->build_config_specified () &&
         options_->ci_github_app_webhook_secret_specified ())
     {
       if (!options_->ci_github_app_id_private_key_specified ())
         fail << "no app id/private key mappings configured";
 
+      for (const auto& pr: options_->ci_github_app_id_private_key ())
+      {
+        if (pr.second.relative ())
+          fail << "ci-github-app-id-private-key paths must be absolute";
+      }
+
       ci_start::init (make_shared<options::ci_start> (*options_));
       database_module::init (*options_, options_->build_db_retry ());
+
+      // Read the webhook secret from the configured path.
+      //
+      {
+        const path& p (options_->ci_github_app_webhook_secret ());
+
+        if (p.relative ())
+          fail << "ci-github-app-webhook-secret path must be absolute";
+
+        try
+        {
+          ifdstream is (p);
+          getline (is, webhook_secret_);
+
+          if (webhook_secret_.empty ())
+            fail << "empty webhook secret read from " << p;
+        }
+        catch (const io_error& e)
+        {
+          fail << "unable to read webhook secret file " << p << ": " << e;
+        }
+      }
     }
   }
 
@@ -207,10 +238,10 @@ namespace brep
     //
     try
     {
-      string h (
-        compute_hmac (*options_,
-                      body.data (), body.size (),
-                      options_->ci_github_app_webhook_secret ().c_str ()));
+      string h (compute_hmac (*options_,
+                              body.data (),
+                              body.size (),
+                              webhook_secret_.c_str ()));
 
       if (!icasecmp (h, hmac))
       {
diff --git a/mod/mod-ci-github.hxx b/mod/mod-ci-github.hxx
index 4fcfa7e..1e5f24f 100644
--- a/mod/mod-ci-github.hxx
+++ b/mod/mod-ci-github.hxx
@@ -145,6 +145,8 @@ namespace brep
 
     shared_ptr<options::ci_github> options_;
     tenant_service_map& tenant_service_map_;
+
+    string webhook_secret_;
   };
 }
 
diff --git a/mod/module.cli b/mod/module.cli
index 1273bf4..ba2b986 100644
--- a/mod/module.cli
+++ b/mod/module.cli
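Review bot: `getline (is, webhook_secret_)` keeps a trailing `\r` when the secret file has CRLF line endings, and the only symptom would be every webhook failing the HMAC check at request time instead of a configuration error at startup; strip it right after the read, `if (!webhook_secret_.empty () && webhook_secret_.back () == '\r') webhook_secret_.pop_back ();`, and extend the comment to say that only the first line of the file is used. The file's mode is not checked either: since the point of moving the secret out of brep-module.conf is presumably to keep it out of a more widely readable file, failing (or at least warning) when the secret file or a private key file is group/world readable would be worth adding if libbutl's filesystem API exposes permissions. The private key paths are only checked for being absolute, so a missing or unreadable key file would surface on the first GitHub API call rather than here. The enclosing function starts outside this hunk.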
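Review bot: The signature check on the last context line, `if (!icasecmp (h, hmac))`, is a short-circuiting comparison whose running time depends on the position of the first mismatching hex digit, which is the classic timing side channel on MAC verification; this hunk changes only where the secret comes from and leaves that comparison in place. A fixed-time, case-insensitive comparison of the two digests is a small local helper, sketched below using libbutl's `lcase (char)` if it is available (otherwise `tolower` on an `unsigned char`); returning early on a length mismatch is fine because the expected digest length is not secret. The enclosing request-handling function starts and ends outside this hunk, so where `hmac` is extracted from the request header is not visible here.
```cpp
      // … unchanged: string h (compute_hmac (...)); …

      // Compare the two hex digests in time that does not depend on where
      // they first differ (case-insensitively, as before).
      //
      auto ct_iequal = [] (const string& a, const string& b)
      {
        if (a.size () != b.size ())
          return false;

        unsigned char d (0);
        for (size_t i (0); i != a.size (); ++i)
          d |= static_cast<unsigned char> (lcase (a[i]) ^ lcase (b[i]));

        return d == 0;
      };

      if (!ct_iequal (h, hmac))
      {
        // … unchanged: signature mismatch handling …
```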
@@ -850,12 +850,12 @@ namespace brep
 
       // GitHub CI-specific options.
       //
-      string ci-github-app-webhook-secret
+      path ci-github-app-webhook-secret
       {
-        "<secret>",
+        "<path>",
         "The GitHub App's configured webhook secret. If not set, then the
-         GitHub CI service is disabled. Note: make sure to choose a strong
-         (random) secret."
+         GitHub CI service is disabled. Note that the path must be absolute.
+         Note: make sure to choose a strong (random) secret."
       }
 
       std::map<string, dir_path> ci-github-app-id-private-key
@@ -863,7 +863,7 @@ namespace brep
         "<id>=<path>",
         "The private key used during GitHub API authentication for the
          specified GitHub App ID. Both vales are found in the GitHub App's
-         settings."
+         settings. Note that the paths must be absolute."
       }
 
       uint16_t ci-github-jwt-validity-period = 600
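Review bot: The new description says the path must be absolute but not what the file must contain; since the module reads the secret with a single `getline` on that file, the option text should say so, e.g. `Note that the path must be absolute and that the file must contain the secret on its first line.`, otherwise a file that starts with a comment line silently uses the comment as the secret. In the second hunk, `ci-github-app-id-private-key` keeps `dir_path` as its value type even though the description calls the value a `<path>` to a private key and the webhook secret was changed to `path` in the same commit; if the value is a file, `path` is the matching type (I cannot see here how the value is consumed, so this may be deliberate). The options class these declarations belong to starts outside the hunk.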