From 31a8c9b8009acdeecfb26202a597fb5091369c28 Mon Sep 17 00:00:00 2001
From: Francois Kritzinger
Date: Fri, 10 Jan 2025 14:41:50 +0200
Subject: ci-github: Store webhook secret in a file

Keep secrets out of the configuration file for the sake of security.
---
 mod/mod-ci-github.cxx | 39 +++++++++++++++++++++++++++++++++++----
 mod/mod-ci-github.hxx | 2 ++
 mod/module.cli | 10 +++++-----
 3 files changed, 42 insertions(+), 9 deletions(-)
(limited to 'mod')

diff --git a/mod/mod-ci-github.cxx b/mod/mod-ci-github.cxx
index 44de247..e008314 100644
--- a/mod/mod-ci-github.cxx
+++ b/mod/mod-ci-github.cxx
@@ -77,15 +77,46 @@ namespace brep
 // Prepare for the CI requests handling, if configured.
 //
+ // @@ TMP Shouldn't we be checking options_->ci_data_specified () like
+ // mod-ci does?
+ //
 if (options_->build_config_specified () &&
 options_->ci_github_app_webhook_secret_specified ())
 {
 if (!options_->ci_github_app_id_private_key_specified ())
 fail << "no app id/private key mappings configured";
+ for (const auto& pr: options_->ci_github_app_id_private_key ())
+ {
+ if (pr.second.relative ())
+ fail << "ci-github-app-id-private-key paths must be absolute";
+ }
+
 ci_start::init (make_shared (*options_));
 database_module::init (*options_, options_->build_db_retry ());
+
+ // Read the webhook secret from the configured path.
+ //
+ {
+ const path& p (options_->ci_github_app_webhook_secret ());
+
+ if (p.relative ())
+ fail << "ci-github-app-webhook-secret path must be absolute";
+
+ try
+ {
+ ifdstream is (p);
+ getline (is, webhook_secret_);
+
+ if (webhook_secret_.empty ())
+ fail << "empty webhook secret read from " << p;
+ }
+ catch (const io_error& e)
+ {
+ fail << "unable to read webhook secret file " << p << ": " << e;
+ }
+ }
 }
 }
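Review bot: The value read by `getline (is, webhook_secret_)` is handed to compute_hmac verbatim, so a secret file written with CRLF line endings (or with a trailing space) silently keeps the `\r`/blank in the secret and every webhook then fails signature verification with nothing in the log to explain why; strip it after the read, e.g. `if (!webhook_secret_.empty () && webhook_secret_.back () == '\r') webhook_secret_.pop_back ();`, and keep the emptiness check after that so a file holding only a line ending is still rejected. Since the point of the change is to keep the secret out of the configuration, the module comment above the read block would also usefully state that only the first line of the file is used and that the file is expected to be readable by the service user alone. The enclosing init function starts outside the hunk.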
@@ -207,10 +238,10 @@ namespace brep
 //
 try
 {
- string h (
- compute_hmac (*options_,
- body.data (), body.size (),
- options_->ci_github_app_webhook_secret ().c_str ()));
+ string h (compute_hmac (*options_,
+ body.data (),
+ body.size (),
+ webhook_secret_.c_str ()));
 if (!icasecmp (h, hmac))
 {
diff --git a/mod/mod-ci-github.hxx b/mod/mod-ci-github.hxx
index 4fcfa7e..1e5f24f 100644
--- a/mod/mod-ci-github.hxx
+++ b/mod/mod-ci-github.hxx
@@ -145,6 +145,8 @@ namespace brep
 shared_ptr options_;
 tenant_service_map& tenant_service_map_;
+
+ string webhook_secret_;
 };
 }
diff --git a/mod/module.cli b/mod/module.cli
index 1273bf4..ba2b986 100644
--- a/mod/module.cli
+++ b/mod/module.cli
@@ -850,12 +850,12 @@ namespace brep
 // GitHub CI-specific options.
 //
- string ci-github-app-webhook-secret
+ path ci-github-app-webhook-secret
 {
- "",
+ "",
 "The GitHub App's configured webhook secret. If not set, then the
- GitHub CI service is disabled. Note: make sure to choose a strong
- (random) secret."
+ GitHub CI service is disabled. Note that the path must be absolute.
+ Note: make sure to choose a strong (random) secret."
 }
 std::map ci-github-app-id-private-key
@@ -863,7 +863,7 @@ namespace brep
 "=",
 "The private key used during GitHub API authentication for the
 specified GitHub App ID. Both vales are found in the GitHub App's
- settings."
+ settings. Note that the paths must be absolute."
 }
 uint16_t ci-github-jwt-validity-period = 600
-- cgit v1.1
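Review bot: The help text for `ci-github-app-webhook-secret` in the module.cli hunk still describes the option value as the secret itself ("The GitHub App's configured webhook secret"), but the type is now `path` and the module reads the secret from that file, so an operator following this text would paste the secret into the configuration the change is meant to avoid. Rewording the first sentence to something like `"Path to a file containing the GitHub App's configured webhook secret (only the first line is read)."` and adding that the file should be readable only by the user the service runs as would make the new contract explicit. The unchanged context line `Both vales are found` next to the second cli hunk carries a typo (`values`) that could be fixed while this text is being touched.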