diff --git a/app/controllers/api/v1/webhooks_controller.rb b/app/controllers/api/v1/webhooks_controller.rb new file mode 100644 index 00000000..36e6a6d1 --- /dev/null +++ b/app/controllers/api/v1/webhooks_controller.rb @@ -0,0 +1,77 @@ +# frozen_string_literal: true + +module Api + module V1 + # Recibe webhooks y lanza un PullJob + class WebhooksController < BaseController + # responde con forbidden si falla la validación del token + rescue_from ActiveRecord::RecordNotFound, with: :platforms_answer + + # Trae los cambios a partir de un post de Webhooks: + # (Gitlab, Github, Gitea, etc) + # + # @return [nil] + def pull + message = I18n.with_locale(site.default_locale) do + I18n.t('webhooks.pull.message') + end + + GitPullJob.perform_later(site, usuarie, message) + head :ok + end + + private + + # encuentra el sitio a partir de la url + def site + @site ||= Site.find_by_name!(params[:site_id]) + end + + # valida el token que envía la plataforma del webhook + # + # @return [String] + def token + @token ||= + begin + # Gitlab + if request.headers['X-Gitlab-Token'].present? + request.headers['X-Gitlab-Token'] + # Github + elsif request.headers['X-Hub-Signature-256'].present? + token_from_signature(request.headers['X-Hub-Signature-256'], 'sha256=') + # Gitea + elsif request.headers['X-Gitea-Signature'].present? + token_from_signature(request.headers['X-Gitea-Signature']) + else + raise ActiveRecord::RecordNotFound, 'proveedor no soportado' + end + end + end + + # valida token a partir de firma de webhook + # + # @return [String, Boolean] + def token_from_signature(signature, prepend = '') + payload = request.body.read + site.roles.where(temporal: false, rol: 'usuarie').pluck(:token).find do |token| + new_signature = prepend + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), token, payload) + ActiveSupport::SecurityUtils.secure_compare(new_signature, signature.to_s) + end.tap do |t| + raise ActiveRecord::RecordNotFound, 'token no encontrado' if t.nil? + end + end + + # encuentra le usuarie + def usuarie + @usuarie ||= site.roles.find_by!(temporal: false, rol: 'usuarie', token: token).usuarie + end + + # respuesta de error a plataformas + def platforms_answer(exception) + ExceptionNotifier.notify_exception(exception, data: { headers: request.headers.to_h } + + head :forbidden + end + end + end +end diff --git a/app/jobs/git_pull_job.rb b/app/jobs/git_pull_job.rb new file mode 100644 index 00000000..dc4a285c --- /dev/null +++ b/app/jobs/git_pull_job.rb @@ -0,0 +1,13 @@ +# frozen_string_literal: true + +# Permite traer los cambios desde webhooks + +class GitPullJob < ApplicationJob + # @param :site [Site] + # @param :usuarie [Usuarie] + # @param :message [String] + # @return [nil] + def perform(site, usuarie, message) + site.repository.merge(usuarie, message) if site.repository.fetch&.positive? + end +end \ No newline at end of file diff --git a/app/models/rol.rb b/app/models/rol.rb index fcd07037..37332400 100644 --- a/app/models/rol.rb +++ b/app/models/rol.rb @@ -14,6 +14,8 @@ class Rol < ApplicationRecord validates_inclusion_of :rol, in: ROLES + before_save :add_token_if_missing! + def invitade? rol == INVITADE end @@ -25,4 +27,11 @@ class Rol < ApplicationRecord def self.role?(rol) ROLES.include? rol end + + private + + # Asegurarse que tenga un token + def add_token_if_missing! + self.token ||= SecureRandom.hex(64) + end end diff --git a/app/models/site/repository.rb b/app/models/site/repository.rb index 2eafb92e..acbf6553 100644 --- a/app/models/site/repository.rb +++ b/app/models/site/repository.rb @@ -54,7 +54,7 @@ class Site # Incorpora los cambios en el repositorio actual # # @return [Rugged::Commit] - def merge(usuarie) + def merge(usuarie, message = I18n.t('sites.fetch.merge.message')) merge = rugged.merge_commits(head_commit, remote_head_commit) # No hacemos nada si hay conflictos, pero notificarnos @@ -69,12 +69,16 @@ class Site .create(rugged, update_ref: 'HEAD', parents: [head_commit, remote_head_commit], tree: merge.write_tree(rugged), - message: I18n.t('sites.fetch.merge.message'), + message: message, author: author(usuarie), committer: committer) # Forzamos el checkout para mover el HEAD al último commit y # escribir los cambios rugged.checkout 'HEAD', strategy: :force + + git_sh("git", "lfs", "fetch", "origin", default_branch) + # reemplaza los pointers por los archivos correspondientes + git_sh("git", "lfs", "checkout") commit end diff --git a/config/environments/production.rb b/config/environments/production.rb index 4cc1cb39..5e089ff9 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -142,7 +142,7 @@ Rails.application.configure do } config.action_mailer.default_options = { from: ENV.fetch('DEFAULT_FROM', "noreply@sutty.nl") } - config.middleware.use ExceptionNotification::Rack, gitlab: {}, ignore_exceptions: (['DeployJob::DeployAlreadyRunningException'] + ExceptionNotifier.ignored_exceptions) + config.middleware.use ExceptionNotification::Rack, gitlab: {}, ignore_exceptions: ['DeployJob::DeployAlreadyRunningException'] Rails.application.routes.default_url_options[:host] = "panel.#{ENV.fetch('SUTTY', 'sutty.nl')}" Rails.application.routes.default_url_options[:protocol] = 'https' diff --git a/config/locales/en.yml b/config/locales/en.yml index 7f611980..212736c7 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -485,6 +485,9 @@ en: success: 'Site upgrade has been completed. Your next build will run this upgrade :)' error: "There was an error when trying to upgrade your site. This could be due to conflicts that couldn't be solved automatically. A report of the issue has already been sent to our admins. Sorry for the inconvenience! :(" message: 'Skeleton upgrade' + webhooks: + pull: + message: 'Webhooks pull' footer: powered_by: 'is developed by' i18n: diff --git a/config/locales/es.yml b/config/locales/es.yml index 9ebb2520..144b1983 100644 --- a/config/locales/es.yml +++ b/config/locales/es.yml @@ -493,6 +493,9 @@ es: success: 'Ya se incorporaron los cambios en el sitio, se aplicarán en la próxima compilación que hagas :)' error: 'Hubo un error al incorporar los cambios en el sitio. Esto puede deberse a conflictos entre cambios que no se pueden resolver automáticamente. Hemos enviado un reporte del problema a les administradores de Sutty para que estén al tanto de la situación. ¡Lo sentimos! :(' message: 'Actualización del esqueleto' + webhooks: + pull: + message: 'Traer los cambios a partir de un evento remoto' footer: powered_by: 'es desarrollada por' i18n: diff --git a/config/routes.rb b/config/routes.rb index 3828915c..f2487066 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -17,6 +17,8 @@ Rails.application.routes.draw do get :'contact/cookie', to: 'invitades#contact_cookie' post :'contact/:form', to: 'contact#receive', as: :contact + + post :'webhooks/pull', to: 'webhooks#pull' end end end diff --git a/db/migrate/20230731195050_add_token_to_roles.rb b/db/migrate/20230731195050_add_token_to_roles.rb new file mode 100644 index 00000000..c38b0526 --- /dev/null +++ b/db/migrate/20230731195050_add_token_to_roles.rb @@ -0,0 +1,12 @@ +class AddTokenToRoles < ActiveRecord::Migration[6.1] + def up + add_column :roles, :token, :string + Rol.find_each do |m| + m.update_column( :token, SecureRandom.hex(64) ) + end + end + + def down + remove_column :roles, :token + end +end