// Copyright 2019 The Gitea Authors. All rights reserved. // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. package webhook import ( "context" "crypto/hmac" "crypto/sha1" "crypto/sha256" "crypto/tls" "encoding/hex" "fmt" "io" "net/http" "net/url" "strings" "sync" "time" webhook_model "code.gitea.io/gitea/models/webhook" "code.gitea.io/gitea/modules/graceful" "code.gitea.io/gitea/modules/hostmatcher" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/proxy" "code.gitea.io/gitea/modules/queue" "code.gitea.io/gitea/modules/setting" "github.com/gobwas/glob" ) // Deliver deliver hook task func Deliver(ctx context.Context, t *webhook_model.HookTask) error { w, err := webhook_model.GetWebhookByID(t.HookID) if err != nil { return err } defer func() { err := recover() if err == nil { return } // There was a panic whilst delivering a hook... log.Error("PANIC whilst trying to deliver webhook[%d] to %s Panic: %v\nStacktrace: %s", t.ID, w.URL, err, log.Stack(2)) }() t.IsDelivered = true var req *http.Request switch w.HTTPMethod { case "": log.Info("HTTP Method for webhook %d empty, setting to POST as default", t.ID) fallthrough case http.MethodPost: switch w.ContentType { case webhook_model.ContentTypeJSON: req, err = http.NewRequest("POST", w.URL, strings.NewReader(t.PayloadContent)) if err != nil { return err } req.Header.Set("Content-Type", "application/json") case webhook_model.ContentTypeForm: forms := url.Values{ "payload": []string{t.PayloadContent}, } req, err = http.NewRequest("POST", w.URL, strings.NewReader(forms.Encode())) if err != nil { return err } req.Header.Set("Content-Type", "application/x-www-form-urlencoded") } case http.MethodGet: u, err := url.Parse(w.URL) if err != nil { return err } vals := u.Query() vals["payload"] = []string{t.PayloadContent} u.RawQuery = vals.Encode() req, err = http.NewRequest("GET", u.String(), nil) if err != nil { return err } case http.MethodPut: switch w.Type { case webhook_model.MATRIX: req, err = getMatrixHookRequest(w, t) if err != nil { return err } default: return fmt.Errorf("invalid http method for webhook: [%d] %v", t.ID, w.HTTPMethod) } default: return fmt.Errorf("invalid http method for webhook: [%d] %v", t.ID, w.HTTPMethod) } var signatureSHA1 string var signatureSHA256 string if len(w.Secret) > 0 { sig1 := hmac.New(sha1.New, []byte(w.Secret)) sig256 := hmac.New(sha256.New, []byte(w.Secret)) _, err = io.MultiWriter(sig1, sig256).Write([]byte(t.PayloadContent)) if err != nil { log.Error("prepareWebhooks.sigWrite: %v", err) } signatureSHA1 = hex.EncodeToString(sig1.Sum(nil)) signatureSHA256 = hex.EncodeToString(sig256.Sum(nil)) } event := t.EventType.Event() eventType := string(t.EventType) req.Header.Add("X-Gitea-Delivery", t.UUID) req.Header.Add("X-Gitea-Event", event) req.Header.Add("X-Gitea-Event-Type", eventType) req.Header.Add("X-Gitea-Signature", signatureSHA256) req.Header.Add("X-Gogs-Delivery", t.UUID) req.Header.Add("X-Gogs-Event", event) req.Header.Add("X-Gogs-Event-Type", eventType) req.Header.Add("X-Gogs-Signature", signatureSHA256) req.Header.Add("X-Hub-Signature", "sha1="+signatureSHA1) req.Header.Add("X-Hub-Signature-256", "sha256="+signatureSHA256) req.Header["X-GitHub-Delivery"] = []string{t.UUID} req.Header["X-GitHub-Event"] = []string{event} req.Header["X-GitHub-Event-Type"] = []string{eventType} // Record delivery information. t.RequestInfo = &webhook_model.HookRequest{ URL: req.URL.String(), HTTPMethod: req.Method, Headers: map[string]string{}, } for k, vals := range req.Header { t.RequestInfo.Headers[k] = strings.Join(vals, ",") } t.ResponseInfo = &webhook_model.HookResponse{ Headers: map[string]string{}, } defer func() { t.Delivered = time.Now().UnixNano() if t.IsSucceed { log.Trace("Hook delivered: %s", t.UUID) } else if !w.IsActive { log.Trace("Hook delivery skipped as webhook is inactive: %s", t.UUID) } else { log.Trace("Hook delivery failed: %s", t.UUID) } if err := webhook_model.UpdateHookTask(t); err != nil { log.Error("UpdateHookTask [%d]: %v", t.ID, err) } // Update webhook last delivery status. if t.IsSucceed { w.LastStatus = webhook_model.HookStatusSucceed } else { w.LastStatus = webhook_model.HookStatusFail } if err = webhook_model.UpdateWebhookLastStatus(w); err != nil { log.Error("UpdateWebhookLastStatus: %v", err) return } }() if setting.DisableWebhooks { return fmt.Errorf("webhook task skipped (webhooks disabled): [%d]", t.ID) } if !w.IsActive { return nil } resp, err := webhookHTTPClient.Do(req.WithContext(ctx)) if err != nil { t.ResponseInfo.Body = fmt.Sprintf("Delivery: %v", err) return err } defer resp.Body.Close() // Status code is 20x can be seen as succeed. t.IsSucceed = resp.StatusCode/100 == 2 t.ResponseInfo.Status = resp.StatusCode for k, vals := range resp.Header { t.ResponseInfo.Headers[k] = strings.Join(vals, ",") } p, err := io.ReadAll(resp.Body) if err != nil { t.ResponseInfo.Body = fmt.Sprintf("read body: %s", err) return err } t.ResponseInfo.Body = string(p) return nil } var ( webhookHTTPClient *http.Client once sync.Once hostMatchers []glob.Glob ) func webhookProxy() func(req *http.Request) (*url.URL, error) { if setting.Webhook.ProxyURL == "" { return proxy.Proxy() } once.Do(func() { for _, h := range setting.Webhook.ProxyHosts { if g, err := glob.Compile(h); err == nil { hostMatchers = append(hostMatchers, g) } else { log.Error("glob.Compile %s failed: %v", h, err) } } }) return func(req *http.Request) (*url.URL, error) { for _, v := range hostMatchers { if v.Match(req.URL.Host) { return http.ProxyURL(setting.Webhook.ProxyURLFixed)(req) } } return http.ProxyFromEnvironment(req) } } // Init starts the hooks delivery thread func Init() error { timeout := time.Duration(setting.Webhook.DeliverTimeout) * time.Second allowedHostListValue := setting.Webhook.AllowedHostList if allowedHostListValue == "" { allowedHostListValue = hostmatcher.MatchBuiltinExternal } allowedHostMatcher := hostmatcher.ParseHostMatchList("webhook.ALLOWED_HOST_LIST", allowedHostListValue) webhookHTTPClient = &http.Client{ Timeout: timeout, Transport: &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify}, Proxy: webhookProxy(), DialContext: hostmatcher.NewDialContext("webhook", allowedHostMatcher, nil), }, } hookQueue = queue.CreateUniqueQueue("webhook_sender", handle, int64(0)) if hookQueue == nil { return fmt.Errorf("Unable to create webhook_sender Queue") } go graceful.GetManager().RunWithShutdownFns(hookQueue.Run) tasks, err := webhook_model.FindUndeliveredHookTasks(graceful.GetManager().HammerContext()) if err != nil { log.Error("FindUndeliveredHookTasks failed: %v", err) return err } for _, task := range tasks { if err := enqueueHookTask(task); err != nil { log.Error("enqueueHookTask failed: %v", err) } } return nil }