Adding repo whitelist.

2024-09-29 16:27:04 -04:00
parent cd56bb2fe1
commit 613026b326
5 changed files with 50 additions and 7 deletions
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,4 +1,6 @@
 #![forbid(unsafe_code)]
+use std::collections::HashSet;
+use std::sync::Arc;
 use std::time::Duration;

 use axum::http::StatusCode;
@@ -35,7 +37,8 @@ pub async fn init_tracing() -> Result<(), Box<dyn std::error::Error>> {
    tracing_subscriber::registry()
        .with(
            tracing_subscriber::EnvFilter::try_from_default_env().unwrap_or_else(|_| {
-                "webhook_bridge=info,tower_http=debug,axum::rejection=trace".into()
+                "webhookbridge=info,webhook_bridge=info,local_trigger=info,tower_http=debug,axum::rejection=trace"
+                    .into()
            }),
        )
        .with(tracing_subscriber::fmt::layer())
@@ -52,6 +55,15 @@ pub async fn launch_server() -> Result<(), Box<dyn std::error::Error>> {
    let gitea_api_token = std::env::var("WEBHOOK_BRIDGE_OAUTH_TOKEN")?;
    let gitea = GiteaClient::new(gitea_api_root, gitea_api_token);

+    let allowed_repos = std::env::var("WEBHOOK_BRIDGE_REPO_WHITELIST")?;
+    let allowed_repos: HashSet<_> = allowed_repos
+        .split(",")
+        .filter(|s| !s.is_empty())
+        .map(str::to_owned)
+        .collect();
+    tracing::debug!("Using repo whitelist: {:?}", allowed_repos);
+
+    let allowed_repos = HashSet::new();
    let app = Router::new()
        .route("/hook", post(hook))
        .layer(middleware::from_fn(verify_signature))
@@ -64,6 +76,7 @@ pub async fn launch_server() -> Result<(), Box<dyn std::error::Error>> {
        .with_state(AppState {
            kubernetes_client,
            gitea,
+            allowed_repos: Arc::new(allowed_repos),
        });

    let listener = tokio::net::TcpListener::bind("0.0.0.0:9988").await?;
@@ -83,9 +96,19 @@ pub async fn local_trigger(payload: &str) -> Result<(), Box<dyn std::error::Erro
    let gitea_api_token = std::env::var("WEBHOOK_BRIDGE_OAUTH_TOKEN")?;
    let gitea = GiteaClient::new(gitea_api_root, gitea_api_token);

+    let allowed_repos = std::env::var("WEBHOOK_BRIDGE_REPO_WHITELIST")
+        .ok()
+        .unwrap_or_else(String::new);
+    let allowed_repos: HashSet<_> = allowed_repos
+        .split(",")
+        .filter(|s| !s.is_empty())
+        .map(str::to_owned)
+        .collect();
+    tracing::debug!("Using repo whitelist: {:?}", allowed_repos);
+
    let webhook_payload: HookPush = serde_json::from_str(payload)?;

-    handle_push(gitea, kubernetes_client, webhook_payload).await?;
+    handle_push(gitea, kubernetes_client, &allowed_repos, webhook_payload).await?;

    Ok(())
 }