From 06ebb63d9389c260e547c73487eb89c108dacb0b Mon Sep 17 00:00:00 2001 From: jazzari Date: Mon, 31 Jul 2023 14:18:07 -0300 Subject: [PATCH 01/13] =?UTF-8?q?fix:=20movido=20git=20lfs=20a=20m=C3=A9to?= =?UTF-8?q?do=20merge=20en=20repository.rb=20#13903?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/jobs/git_pull_job.rb | 4 ++-- app/models/site/repository.rb | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/app/jobs/git_pull_job.rb b/app/jobs/git_pull_job.rb index a0c15950..dc4a285c 100644 --- a/app/jobs/git_pull_job.rb +++ b/app/jobs/git_pull_job.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true -# Permite traer los cambios cada vez que se -# hace un push al repositorio +# Permite traer los cambios desde webhooks + class GitPullJob < ApplicationJob # @param :site [Site] # @param :usuarie [Usuarie] diff --git a/app/models/site/repository.rb b/app/models/site/repository.rb index c0607d84..9c4d873f 100644 --- a/app/models/site/repository.rb +++ b/app/models/site/repository.rb @@ -45,9 +45,7 @@ class Site # @return [Integer] def fetch if origin.check_connection(:fetch, credentials: credentials) - rugged.fetch(origin, credentials: credentials)[:received_objects].tap do |objects| - git_sh("git", "lfs", "fetch", "origin", default_branch) if objects&.positive? - end + rugged.fetch(origin, credentials: credentials)[:received_objects] else 0 end @@ -77,6 +75,8 @@ class Site # Forzamos el checkout para mover el HEAD al último commit y # escribir los cambios rugged.checkout 'HEAD', strategy: :force + + git_sh("git", "lfs", "fetch", "origin", default_branch) # reemplaza los pointers por los archivos correspondientes git_sh("git", "lfs", "checkout") commit From 579e1776842774733c036b6b621ccf087b2b06cc Mon Sep 17 00:00:00 2001 
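Review bot: The `git lfs fetch` moved into merge now runs on every merge and nothing checks its outcome before `git lfs checkout` replaces the pointers, whereas the removed code in fetch only ran it when `received_objects` was positive. If `git_sh` does not raise on a non-zero exit status (not visible here), a failed LFS fetch is followed by a checkout that can fail part-way or leave pointer files in place. Either guard the checkout on the fetch result, or add `# git_sh exit status is not checked here — confirm it raises on failure` next to the new line so the assumption is explicit. merge's body starts and ends outside the hunk.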
From: jazzari Date: Mon, 31 Jul 2023 17:32:14 -0300 Subject: [PATCH 02/13] feat: agregada columna token a model rol #13903 --- app/models/rol.rb | 10 ++++++++++ db/migrate/20230731195050_add_token_to_roles.rb | 5 +++++ db/migrate/20230731202003_change_token_name.rb | 5 +++++ 3 files changed, 20 insertions(+) create mode 100644 db/migrate/20230731195050_add_token_to_roles.rb create mode 100644 db/migrate/20230731202003_change_token_name.rb diff --git a/app/models/rol.rb b/app/models/rol.rb index fcd07037..f17bf418 100644 --- a/app/models/rol.rb +++ b/app/models/rol.rb @@ -14,6 +14,9 @@ class Rol < ApplicationRecord validates_inclusion_of :rol, in: ROLES + encrypts :token + before_save :add_token_if_missing! + def invitade? rol == INVITADE end @@ -25,4 +28,11 @@ class Rol < ApplicationRecord def self.role?(rol) ROLES.include? rol end + + private + + # Asegurarse que tenga un token + def add_token_if_missing! + self.token ||= SecureRandom.hex(64) + end end diff --git a/db/migrate/20230731195050_add_token_to_roles.rb b/db/migrate/20230731195050_add_token_to_roles.rb new file mode 100644 index 00000000..635e065c --- /dev/null +++ b/db/migrate/20230731195050_add_token_to_roles.rb @@ -0,0 +1,5 @@ +class AddTokenToRoles < ActiveRecord::Migration[6.1] + def change + add_column :roles, :token, :text + end +end diff --git a/db/migrate/20230731202003_change_token_name.rb b/db/migrate/20230731202003_change_token_name.rb new file mode 100644 index 00000000..50fc0c40 --- /dev/null +++ b/db/migrate/20230731202003_change_token_name.rb @@ -0,0 +1,5 @@ +class ChangeTokenName < ActiveRecord::Migration[6.1] + def change + rename_column :roles, :token, :token_cyphertext + end +end From c19c834f10962e3c58d2b08418ee7790430318c9 Mon Sep 17 00:00:00 2001 
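Review bot: `add_token_if_missing!` carries a `!` although no non-bang counterpart exists; the Ruby style guide reserves the bang for the dangerous variant of a safe method, so `add_token_if_missing` (or `ensure_token`) reads the same without the false signal. Since this value is the secret that remote platforms present to the webhook endpoint, the comment above it should say so, e.g. `# Shared secret the webhook platform presents; generated once and must stay out of serializations and logs`. Records written through `insert_all`/`update_column` bypass `before_save`, which is why the migration backfill in the later patches is still required.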
From: jazzari Date: Mon, 31 Jul 2023 18:46:07 -0300 Subject: [PATCH 03/13] =?UTF-8?q?fix:=20cambio=20nombre=20comuna=20token?= =?UTF-8?q?=5Fcyphertext=20en=20modelo=20rol=20y=20asignaci=C3=B3n=20retro?= =?UTF-8?q?activa=20#13903?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- db/migrate/20230731202003_change_token_name.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/db/migrate/20230731202003_change_token_name.rb b/db/migrate/20230731202003_change_token_name.rb index 50fc0c40..c3fce3c0 100644 --- a/db/migrate/20230731202003_change_token_name.rb +++ b/db/migrate/20230731202003_change_token_name.rb @@ -1,5 +1,6 @@ class ChangeTokenName < ActiveRecord::Migration[6.1] def change rename_column :roles, :token, :token_cyphertext + Rol.find_each { |m| m.update_column( :token_cyphertext, SecureRandom.hex(64) ) } end end From 705d15c0c1959d3e50b2f8646830a15372c4797e Mon Sep 17 00:00:00 2001 From: jazzari Date: Thu, 10 Aug 2023 16:05:14 -0300 Subject: [PATCH 04/13] fix: change token attribute from encrypted to normal in Rol model #13903 --- app/controllers/api/v1/webhooks_controller.rb | 22 ++++++++++++++----- app/models/rol.rb | 1 - 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/app/controllers/api/v1/webhooks_controller.rb b/app/controllers/api/v1/webhooks_controller.rb index a538d99f..1933f24e 100644 --- a/app/controllers/api/v1/webhooks_controller.rb +++ b/app/controllers/api/v1/webhooks_controller.rb 
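Review bot: The backfill calls the application model `Rol` from a migration, which ties the migration to whatever `Rol` looks like when it is run later (callbacks, validations, the `encrypts :token` declaration from the previous commit) and breaks outright if the class is renamed; the same pattern is used in patches 05 and 08 in `db/migrate/20230731195050_add_token_to_roles.rb`. A minimal local model, `class MigrationRol < ActiveRecord::Base; self.table_name = 'roles'; end`, or a per-row `update_all` keeps the migration self-contained. Writing the secret with `update_column` is also worth a comment, since it deliberately skips the model's callbacks and validations.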
@@ -2,19 +2,31 @@ module Api module V1 - # Recibe webhooks y lanza jobs + # Recibe webhooks y lanza un PullJob class WebhooksController < BaseController + rescue_from ActiveRecord::RecordNotFound, with: :platforms_answer + + def site + @site ||= Site.find_by_name!(params[:site_id]) + end + + # valida la plataforma del webhook + def usuarie + # Gitlab + token = request.headers["X-Gitlab-Token"] + @usuarie = site.roles.find_by!(temporal: false, rol: 'usuarie', token: token).usuarie + end + # Trae los cambios a partir de un post de Webhooks: # (Gitlab, Github, Guitea, etc) def pull - site = Site.find_by_name!(params[:site_id]) - usuarie = GitAuthor.new email: "webhook@#{Site.domain}", name: 'Webhook' message = I18n.with_locale(site.default_locale) do I18n.t('webhooks.pull.message') end - GitPullJob.perform_later(site, usuarie, message) - + end + + def platforms_answer head :ok end end diff --git a/app/models/rol.rb b/app/models/rol.rb index f17bf418..37332400 100644 --- a/app/models/rol.rb +++ b/app/models/rol.rb @@ -14,7 +14,6 @@ class Rol < ApplicationRecord validates_inclusion_of :rol, in: ROLES - encrypts :token before_save :add_token_if_missing! def invitade? From 63fd91ee48f3a9cab4417f6e9bd21be6604440f0 Mon Sep 17 00:00:00 2001 From: jazzari Date: Thu, 10 Aug 2023 16:13:13 -0300 Subject: [PATCH 05/13] feat: add token to existing records #13903 --- db/migrate/20230731195050_add_token_to_roles.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/db/migrate/20230731195050_add_token_to_roles.rb b/db/migrate/20230731195050_add_token_to_roles.rb index 635e065c..620c9fef 100644 --- a/db/migrate/20230731195050_add_token_to_roles.rb +++ b/db/migrate/20230731195050_add_token_to_roles.rb @@ -1,5 +1,6 @@ class AddTokenToRoles < ActiveRecord::Migration[6.1] def change add_column :roles, :token, :text + Rol.find_each { |m| m.update_column( :token, SecureRandom.hex(64) ) } end end From 23732bbfe0ed8c4920bd7188b700f63ed5612b51 Mon Sep 17 00:00:00 2001 
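Review bot: `usuarie` passes the `X-Gitlab-Token` header straight into `find_by!(temporal: false, rol: 'usuarie', token: token)`, so a request without the header queries `token: nil` (`token IS NULL`) and matches any role whose token has not been backfilled yet; a guard such as `raise ActiveRecord::RecordNotFound if token.blank?` before the lookup closes that. The hunk also drops `GitPullJob.perform_later(site, usuarie, message)` without re-adding it, so a valid webhook builds `message`, returns 200 and never enqueues the pull. `site` and `usuarie` are added as public controller methods, which makes them action candidates; they belong under `private`.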
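Review bot: Removing `encrypts :token` from `Rol` stores the webhook secret in plaintext in order to make the `find_by(token:)` lookup work; the `encrypts` API the previous commit used accepts `encrypts :token, deterministic: true`, which keeps ciphertext at rest while still allowing equality lookups. Deterministic encryption of a high-entropy random value gives up very little, so it is the cheaper trade-off compared with plaintext. If the plaintext column stays, it should be documented as a secret so the roles table is treated accordingly in dumps and fixtures.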
From: jazzari Date: Mon, 14 Aug 2023 12:50:18 -0300 Subject: [PATCH 06/13] feat: add method to validate token from diff platforms in webhooks controller #13903 --- app/controllers/api/v1/webhooks_controller.rb | 29 +++++++++++++++++-- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/app/controllers/api/v1/webhooks_controller.rb b/app/controllers/api/v1/webhooks_controller.rb index 1933f24e..091d467e 100644 --- a/app/controllers/api/v1/webhooks_controller.rb +++ b/app/controllers/api/v1/webhooks_controller.rb @@ -10,10 +10,32 @@ module Api @site ||= Site.find_by_name!(params[:site_id]) end - # valida la plataforma del webhook + # valida el token que envía la plataforma del webhook + def token + @token ||= + begin + # Gitlab + if request.headers['X-Gitlab-Token'] + request.headers["X-Gitlab-Token"] + # Github + elsif request.headers['X-HUB-SIGNATURE-256'] + signature(request.env['HTTP_X_HUB_SIGNATURE_256']) + # Guitea + else + signature(request.env['HTTP_X_GITEA_SIGNATURE']) + end + end + end + + def token_from_signature(signature) + payload = request.body.read + site.roles.where(temporal: false, rol: 'usuarie').pluck(:token).find do |token| + new_signature = hash_mac(OpenSSL::Digest.new('sha256'), token, payload) + @token ||= Rack::Utils.secure_compare(new_signature, signature) + end + end + def usuarie - # Gitlab - token = request.headers["X-Gitlab-Token"] @usuarie = site.roles.find_by!(temporal: false, rol: 'usuarie', token: token).usuarie end @@ -23,6 +45,7 @@ module Api message = I18n.with_locale(site.default_locale) do I18n.t('webhooks.pull.message') end + GitPullJob.perform_later(site, usuarie, message) end From f2236bb305573e7a471e1b3a94ab50d486bc0d63 Mon Sep 17 00:00:00 2001 From: jazzari Date: Mon, 14 Aug 2023 16:49:24 -0300 Subject: [PATCH 07/13] feat: move methods to private #13903 --- app/controllers/api/v1/webhooks_controller.rb | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) 
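Review bot: The `token` method calls `signature(...)` for the GitHub and Gitea branches but the method defined below is `token_from_signature`, and `token_from_signature` calls `hash_mac`, which is not defined anywhere in the hunk (the standard-library form is `OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), token, payload)`), so both signature paths raise NoMethodError. Inside the `find` block, `@token ||= Rack::Utils.secure_compare(new_signature, signature)` memoizes a boolean into the same ivar the outer `@token ||=` is assigning, so a match leaves `@token` as `true` rather than the token string; drop the inner `@token ||=` and let the block return the comparison result. The raw payload is read with `request.body.read`, which depends on stream position after Rails has parsed the body; `request.raw_post` returns the cached raw body regardless.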
diff --git a/app/controllers/api/v1/webhooks_controller.rb b/app/controllers/api/v1/webhooks_controller.rb index 091d467e..b356d20a 100644 --- a/app/controllers/api/v1/webhooks_controller.rb +++ b/app/controllers/api/v1/webhooks_controller.rb @@ -6,6 +6,19 @@ module Api class WebhooksController < BaseController rescue_from ActiveRecord::RecordNotFound, with: :platforms_answer + # Trae los cambios a partir de un post de Webhooks: + # (Gitlab, Github, Guitea, etc) + def pull + message = I18n.with_locale(site.default_locale) do + I18n.t('webhooks.pull.message') + end + + GitPullJob.perform_later(site, usuarie, message) + platforms_answer + end + + private + def site @site ||= Site.find_by_name!(params[:site_id]) end @@ -37,17 +50,7 @@ module Api def usuarie @usuarie = site.roles.find_by!(temporal: false, rol: 'usuarie', token: token).usuarie - end - - # Trae los cambios a partir de un post de Webhooks: - # (Gitlab, Github, Guitea, etc) - def pull - message = I18n.with_locale(site.default_locale) do - I18n.t('webhooks.pull.message') - end - - GitPullJob.perform_later(site, usuarie, message) - end + end def platforms_answer head :ok From a098e1baa7d2e7e96b18bc16be7a21cc413c8f38 Mon Sep 17 00:00:00 2001 From: jazzari Date: Tue, 15 Aug 2023 16:14:34 -0300 Subject: [PATCH 08/13] fix: change migration methods to add token to roles #13903 --- db/migrate/20230731195050_add_token_to_roles.rb | 12 +++++++++--- db/migrate/20230731202003_change_token_name.rb | 6 ------ 2 files changed, 9 insertions(+), 9 deletions(-) delete mode 100644 db/migrate/20230731202003_change_token_name.rb diff --git a/db/migrate/20230731195050_add_token_to_roles.rb b/db/migrate/20230731195050_add_token_to_roles.rb index 620c9fef..c38b0526 100644 --- a/db/migrate/20230731195050_add_token_to_roles.rb +++ b/db/migrate/20230731195050_add_token_to_roles.rb 
@@ -1,6 +1,12 @@ class AddTokenToRoles < ActiveRecord::Migration[6.1] - def change - add_column :roles, :token, :text - Rol.find_each { |m| m.update_column( :token, SecureRandom.hex(64) ) } + def up + add_column :roles, :token, :string + Rol.find_each do |m| + m.update_column( :token, SecureRandom.hex(64) ) + end + end + + def down + remove_column :roles, :token end end diff --git a/db/migrate/20230731202003_change_token_name.rb b/db/migrate/20230731202003_change_token_name.rb deleted file mode 100644 index c3fce3c0..00000000 --- a/db/migrate/20230731202003_change_token_name.rb +++ /dev/null @@ -1,6 +0,0 @@ -class ChangeTokenName < ActiveRecord::Migration[6.1] - def change - rename_column :roles, :token, :token_cyphertext - Rol.find_each { |m| m.update_column( :token_cyphertext, SecureRandom.hex(64) ) } - end -end From c5406acb26221e591804d481ac6547072dd38952 Mon Sep 17 00:00:00 2001 From: jazzari Date: Tue, 15 Aug 2023 16:59:16 -0300 Subject: [PATCH 09/13] fix: add documentation and fix typos #13903 --- app/controllers/api/v1/webhooks_controller.rb | 101 ++++++++++-------- config/locales/es.yml | 2 +- 2 files changed, 56 insertions(+), 47 deletions(-) diff --git a/app/controllers/api/v1/webhooks_controller.rb b/app/controllers/api/v1/webhooks_controller.rb index b356d20a..20cc0ddc 100644 --- a/app/controllers/api/v1/webhooks_controller.rb +++ b/app/controllers/api/v1/webhooks_controller.rb 
@@ -1,60 +1,69 @@ # frozen_string_literal: true module Api - module V1 - # Recibe webhooks y lanza un PullJob - class WebhooksController < BaseController - rescue_from ActiveRecord::RecordNotFound, with: :platforms_answer + module V1 + # Recibe webhooks y lanza un PullJob + class WebhooksController < BaseController + # responde con forbidden si falla la validación del token + rescue_from ActiveRecord::RecordNotFound, with: :platforms_answer - # Trae los cambios a partir de un post de Webhooks: - # (Gitlab, Github, Guitea, etc) - def pull - message = I18n.with_locale(site.default_locale) do - I18n.t('webhooks.pull.message') - end - - GitPullJob.perform_later(site, usuarie, message) - platforms_answer + # Trae los cambios a partir de un post de Webhooks: + # (Gitlab, Github, Gitea, etc) + def pull + message = I18n.with_locale(site.default_locale) do + I18n.t('webhooks.pull.message') end - private + GitPullJob.perform_later(site, usuarie, message) + head :ok + end - def site - @site ||= Site.find_by_name!(params[:site_id]) - end + private - # valida el token que envía la plataforma del webhook - def token - @token ||= - begin - # Gitlab - if request.headers['X-Gitlab-Token'] - request.headers["X-Gitlab-Token"] - # Github - elsif request.headers['X-HUB-SIGNATURE-256'] - signature(request.env['HTTP_X_HUB_SIGNATURE_256']) - # Guitea - else - signature(request.env['HTTP_X_GITEA_SIGNATURE']) - end - end - end + # encuentra el sitio a partir de la url + def site + @site ||= Site.find_by_name!(params[:site_id]) + end - def token_from_signature(signature) - payload = request.body.read - site.roles.where(temporal: false, rol: 'usuarie').pluck(:token).find do |token| - new_signature = hash_mac(OpenSSL::Digest.new('sha256'), token, payload) - @token ||= Rack::Utils.secure_compare(new_signature, signature) - end - end + # valida el token que envía la plataforma del webhook + # + # @return [String] + def token + @token ||= + begin + # Gitlab + if request.headers['X-Gitlab-Token'] 
+ request.headers['X-Gitlab-Token'] + # Github + elsif request.headers['X-HUB-SIGNATURE-256'] + request.env['HTTP_X_HUB_SIGNATURE_256'] + # Gitea + else + request.env['HTTP_X_GITEA_SIGNATURE'] + end + end + end - def usuarie - @usuarie = site.roles.find_by!(temporal: false, rol: 'usuarie', token: token).usuarie - end - - def platforms_answer - head :ok + # valida token a partir de firma de webhook + # + # @return [String] + def token_from_signature(signature) + payload = request.body.read + site.roles.where(temporal: false, rol: 'usuarie').pluck(:token).find do |token| + new_signature = 'sha256=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), token, payload) + ActiveSupport::SecurityUtils.secure_compare(new_signature, signature) end end + + # encuentra le usuarie + def usuarie + @usuarie ||= site.roles.find_by!(temporal: false, rol: 'usuarie', token: token).usuarie + end + + # respuesta de error a plataformas + def platforms_answer + head :forbidden + end end + end end \ No newline at end of file diff --git a/config/locales/es.yml b/config/locales/es.yml index b03a222f..7a83483f 100644 --- a/config/locales/es.yml +++ b/config/locales/es.yml @@ -476,7 +476,7 @@ es: message: 'Actualización del esqueleto' webhooks_controller: pull: - message: 'Pull de webhooks' + message: 'Traer los cambios a partir de un evento remoto' footer: powered_by: 'es desarrollada por' i18n: From aeb2105dc7273cf603ab8e86f7bc90780f96093f Mon Sep 17 00:00:00 2001 From: jazzari Date: Tue, 15 Aug 2023 19:25:06 -0300 Subject: [PATCH 10/13] fix: add rescue in token_from_signature method #13903 --- app/controllers/api/v1/webhooks_controller.rb | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/app/controllers/api/v1/webhooks_controller.rb b/app/controllers/api/v1/webhooks_controller.rb index 20cc0ddc..0ecca9d7 100644 --- a/app/controllers/api/v1/webhooks_controller.rb +++ b/app/controllers/api/v1/webhooks_controller.rb 
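Review bot: `token_from_signature` prepends `'sha256='` to the computed HMAC for both platforms, but as far as Gitea's webhook documentation describes it, `X-Gitea-Signature` carries the bare hex HMAC-SHA256 and only GitHub's `X-Hub-Signature-256` uses the `sha256=` prefix, so the Gitea comparison would never succeed; the prefix should depend on which header was matched (or be normalized away before `secure_compare`), and a test delivery from Gitea would settle it. That line is carried unchanged through patches 10–13. In this commit `token` also returns the raw header value for GitHub and Gitea and `token_from_signature` is never called, so `usuarie`'s `find_by!(token: token)` compares a signature against stored tokens. `request.body.read` depends on stream position after Rails has parsed the body; `request.raw_post` returns the cached raw body regardless.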
@@ -9,6 +9,8 @@ module Api # Trae los cambios a partir de un post de Webhooks: # (Gitlab, Github, Gitea, etc) + # + # @return [nil] def pull message = I18n.with_locale(site.default_locale) do I18n.t('webhooks.pull.message') @@ -36,22 +38,27 @@ module Api request.headers['X-Gitlab-Token'] # Github elsif request.headers['X-HUB-SIGNATURE-256'] - request.env['HTTP_X_HUB_SIGNATURE_256'] + token_from_signature(request.env['HTTP_X_HUB_SIGNATURE_256']) # Gitea else - request.env['HTTP_X_GITEA_SIGNATURE'] + token_from_signatureq(request.env['HTTP_X_GITEA_SIGNATURE']) end end end # valida token a partir de firma de webhook # - # @return [String] + # @return [String, Boolean] def token_from_signature(signature) payload = request.body.read site.roles.where(temporal: false, rol: 'usuarie').pluck(:token).find do |token| new_signature = 'sha256=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), token, payload) ActiveSupport::SecurityUtils.secure_compare(new_signature, signature) + end.tap do |t| + raise ArgumentError, 'token no encontrado' if t.nil? + rescue ArgumentError => e + ExceptionNotifier.notify_exception(e, data: { params: params.to_h }) + raise ActiveRecord::RecordNotFound end end From 5ac628b38a0032a26e0f9d29f1c4e1266069360b Mon Sep 17 00:00:00 2001 From: jazzari Date: Wed, 16 Aug 2023 12:58:14 -0300 Subject: [PATCH 11/13] fix: fix typo and change response to platforms #13903 --- app/controllers/api/v1/webhooks_controller.rb | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/app/controllers/api/v1/webhooks_controller.rb b/app/controllers/api/v1/webhooks_controller.rb index 0ecca9d7..40f2f06d 100644 --- a/app/controllers/api/v1/webhooks_controller.rb +++ b/app/controllers/api/v1/webhooks_controller.rb 
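Review bot: `ExceptionNotifier.notify_exception(e, data: { params: params.to_h })` calls `to_h` on unpermitted `ActionController::Parameters`, which raises `ActionController::UnfilteredParameters` unless `permit_all_parameters` is enabled, so the error path itself fails and the platform receives a 500 instead of the intended 403; `request.filtered_parameters` (or `params.to_unsafe_h`) is what an error report wants here. The same expression is kept in `platforms_answer` in patches 11 and 12. The Gitea branch calls `token_from_signatureq`, a typo for `token_from_signature`.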
@@ -40,8 +40,10 @@ module Api elsif request.headers['X-HUB-SIGNATURE-256'] token_from_signature(request.env['HTTP_X_HUB_SIGNATURE_256']) # Gitea + elsif + token_from_signature(request.env['HTTP_X_GITEA_SIGNATURE']) else - token_from_signatureq(request.env['HTTP_X_GITEA_SIGNATURE']) + raise ActiveRecord::RecordNotFound end end end @@ -55,10 +57,7 @@ module Api new_signature = 'sha256=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), token, payload) ActiveSupport::SecurityUtils.secure_compare(new_signature, signature) end.tap do |t| - raise ArgumentError, 'token no encontrado' if t.nil? - rescue ArgumentError => e - ExceptionNotifier.notify_exception(e, data: { params: params.to_h }) - raise ActiveRecord::RecordNotFound + raise ActiveRecord::RecordNotFound if t.nil? end end @@ -70,6 +69,9 @@ module Api # respuesta de error a plataformas def platforms_answer head :forbidden + raise ArgumentError, 'token no encontrado' + rescue ArgumentError => e + ExceptionNotifier.notify_exception(e, data: { params: params.to_h }) end end end From 35dca9d7565f40f2a037b095ea8005cd2a953232 Mon Sep 17 00:00:00 2001 From: jazzari Date: Wed, 16 Aug 2023 13:39:29 -0300 Subject: [PATCH 12/13] fix: fix exception in platforms_answer method #13903 --- app/controllers/api/v1/webhooks_controller.rb | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/app/controllers/api/v1/webhooks_controller.rb b/app/controllers/api/v1/webhooks_controller.rb index 40f2f06d..13a227ce 100644 --- a/app/controllers/api/v1/webhooks_controller.rb +++ b/app/controllers/api/v1/webhooks_controller.rb @@ -57,7 +57,7 @@ module Api new_signature = 'sha256=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), token, payload) ActiveSupport::SecurityUtils.secure_compare(new_signature, signature) end.tap do |t| - raise ActiveRecord::RecordNotFound if t.nil? + raise ActiveRecord::RecordNotFound, 'token no encontrado' if t.nil? end end 
@@ -67,12 +67,9 @@ module Api end # respuesta de error a plataformas - def platforms_answer + def platforms_answer(exception) head :forbidden - raise ArgumentError, 'token no encontrado' - rescue ArgumentError => e - ExceptionNotifier.notify_exception(e, data: { params: params.to_h }) - end + ExceptionNotifier.notify_exception(exception, data: { params: params.to_h }) end end end \ No newline at end of file From cefd053d1d7f70233f07cd047fd1dc5d321dd8b5 Mon Sep 17 00:00:00 2001 From: jazzari Date: Wed, 16 Aug 2023 14:57:01 -0300 Subject: [PATCH 13/13] fix: add condition in elsif in token method #13903 --- app/controllers/api/v1/webhooks_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/api/v1/webhooks_controller.rb b/app/controllers/api/v1/webhooks_controller.rb index 13a227ce..3af9abee 100644 --- a/app/controllers/api/v1/webhooks_controller.rb +++ b/app/controllers/api/v1/webhooks_controller.rb @@ -40,7 +40,7 @@ module Api elsif request.headers['X-HUB-SIGNATURE-256'] token_from_signature(request.env['HTTP_X_HUB_SIGNATURE_256']) # Gitea - elsif + elsif request.headers['HTTP_X_GITEA_SIGNATURE'] token_from_signature(request.env['HTTP_X_GITEA_SIGNATURE']) else raise ActiveRecord::RecordNotFound
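Review bot: `platforms_answer` now sends an exception notification for every request that fails token validation, including any unauthenticated POST to the endpoint, so an unsolicited sender can generate an unbounded stream of notifications. Authentication failures are better logged with the site name and remote address and rate-limited, with `ExceptionNotifier` reserved for unexpected errors, e.g. `Rails.logger.warn "webhook rejected for #{params[:site_id]}: #{exception.message}"`. Calling `head :forbidden` before the notify call is fine since the handler's return value is not used.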
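Review bot: The new condition uses the CGI form `request.headers['HTTP_X_GITEA_SIGNATURE']` while the sibling branches use the HTTP form (`X-Gitlab-Token`, `X-HUB-SIGNATURE-256`); `request.headers` accepts both, but `elsif request.headers['X-Gitea-Signature']` keeps the three checks uniform and matches the `# Gitea` comment above it. The `request.env['HTTP_X_GITEA_SIGNATURE']` argument on the following line could use the same accessor for consistency.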