webhook: sourcehut_builds: ask for access_token instead of authorization_header
This commit is contained in:
parent
3155e21cbb
commit
36f05e6f4e
6 changed files with 37 additions and 24 deletions
|
@ -361,6 +361,15 @@ func (w Webhook) HeaderAuthorization() (string, error) {
|
||||||
return secret.DecryptSecret(setting.SecretKey, w.HeaderAuthorizationEncrypted)
|
return secret.DecryptSecret(setting.SecretKey, w.HeaderAuthorizationEncrypted)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// HeaderAuthorizationTrimPrefix returns the decrypted Authorization with a specified prefix trimmed.
|
||||||
|
func (w Webhook) HeaderAuthorizationTrimPrefix(prefix string) (string, error) {
|
||||||
|
s, err := w.HeaderAuthorization()
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return strings.TrimPrefix(s, prefix), nil
|
||||||
|
}
|
||||||
|
|
||||||
// SetHeaderAuthorization encrypts and sets the Authorization header.
|
// SetHeaderAuthorization encrypts and sets the Authorization header.
|
||||||
func (w *Webhook) SetHeaderAuthorization(cleartext string) error {
|
func (w *Webhook) SetHeaderAuthorization(cleartext string) error {
|
||||||
if cleartext == "" {
|
if cleartext == "" {
|
||||||
|
|
|
@ -561,6 +561,7 @@ TeamName = Team name
|
||||||
AuthName = Authorization name
|
AuthName = Authorization name
|
||||||
AdminEmail = Admin email
|
AdminEmail = Admin email
|
||||||
To = Branch name
|
To = Branch name
|
||||||
|
AccessToken = Access token
|
||||||
|
|
||||||
NewBranchName = New branch name
|
NewBranchName = New branch name
|
||||||
CommitSummary = Commit summary
|
CommitSummary = Commit summary
|
||||||
|
@ -2401,6 +2402,7 @@ settings.sourcehut_builds.manifest_path = Build manifest path
|
||||||
settings.sourcehut_builds.visibility = Job visibility
|
settings.sourcehut_builds.visibility = Job visibility
|
||||||
settings.sourcehut_builds.secrets = Secrets
|
settings.sourcehut_builds.secrets = Secrets
|
||||||
settings.sourcehut_builds.secrets_helper = Give the job access to the build secrets (requires the SECRETS:RO grant)
|
settings.sourcehut_builds.secrets_helper = Give the job access to the build secrets (requires the SECRETS:RO grant)
|
||||||
|
settings.sourcehut_builds.access_token_helper = Access token that has JOBS:RW grant. Generate a <a target="_blank" rel="noopener noreferrer" href="%s">builds.sr.ht token</a> or a <a target="_blank" rel="noopener noreferrer" href="%s">builds.sr.ht token with secrets access</a> on meta.sr.ht.
|
||||||
settings.deploy_keys = Deploy keys
|
settings.deploy_keys = Deploy keys
|
||||||
settings.add_deploy_key = Add deploy key
|
settings.add_deploy_key = Add deploy key
|
||||||
settings.deploy_key_desc = Deploy keys have read-only pull access to the repository.
|
settings.deploy_key_desc = Deploy keys have read-only pull access to the repository.
|
||||||
|
|
|
@ -49,6 +49,7 @@ type buildsForm struct {
|
||||||
ManifestPath string `binding:"Required"`
|
ManifestPath string `binding:"Required"`
|
||||||
Visibility string `binding:"Required;In(PUBLIC,UNLISTED,PRIVATE)"`
|
Visibility string `binding:"Required;In(PUBLIC,UNLISTED,PRIVATE)"`
|
||||||
Secrets bool
|
Secrets bool
|
||||||
|
AccessToken string `binding:"Required"`
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ binding.Validator = &buildsForm{}
|
var _ binding.Validator = &buildsForm{}
|
||||||
|
@ -63,13 +64,7 @@ func (f *buildsForm) Validate(req *http.Request, errs binding.Errors) binding.Er
|
||||||
Message: ctx.Locale.TrString("repo.settings.add_webhook.invalid_path"),
|
Message: ctx.Locale.TrString("repo.settings.add_webhook.invalid_path"),
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
if !strings.HasPrefix(f.AuthorizationHeader, "Bearer ") {
|
f.AuthorizationHeader = "Bearer " + strings.TrimSpace(f.AccessToken)
|
||||||
errs = append(errs, binding.Error{
|
|
||||||
FieldNames: []string{"AuthorizationHeader"},
|
|
||||||
Classification: "",
|
|
||||||
Message: ctx.Locale.TrString("form.required_prefix", "Bearer "),
|
|
||||||
})
|
|
||||||
}
|
|
||||||
return errs
|
return errs
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -29,5 +29,11 @@
|
||||||
<span class="help">{{ctx.Locale.Tr "repo.settings.sourcehut_builds.secrets_helper"}}</span>
|
<span class="help">{{ctx.Locale.Tr "repo.settings.sourcehut_builds.secrets_helper"}}</span>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
<!-- Access Token -->
|
||||||
|
<div class="field required {{if .Err_AccessToken}}error{{end}}">
|
||||||
|
<label for="access_token">{{ctx.Locale.Tr "form.AccessToken"}}</label>
|
||||||
|
<input id="access_token" name="access_token" type="password" value="{{.Webhook.HeaderAuthorizationTrimPrefix "Bearer "}}" required>
|
||||||
|
<span class="help">{{ctx.Locale.Tr "repo.settings.sourcehut_builds.access_token_helper" "https://meta.sr.ht/oauth2/personal-token?grants=builds.sr.ht/JOBS:RW" "https://meta.sr.ht/oauth2/personal-token?grants=builds.sr.ht/JOBS:RW+builds.sr.ht/SECRETS:RO"}}</span>
|
||||||
|
</div>
|
||||||
{{template "webhook/shared-settings" .}}
|
{{template "webhook/shared-settings" .}}
|
||||||
</form>
|
</form>
|
||||||
|
|
|
@ -258,14 +258,17 @@
|
||||||
<span class="help">{{ctx.Locale.Tr "repo.settings.branch_filter_desc"}}</span>
|
<span class="help">{{ctx.Locale.Tr "repo.settings.branch_filter_desc"}}</span>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<!-- Authorization Header -->
|
{{$skipAuthorizationHeader := (eq .HookType "sourcehut_builds")}}
|
||||||
<div class="field{{if eq .HookType "matrix"}} required{{end}} {{if .Err_AuthorizationHeader}}error{{end}}">
|
{{if not $skipAuthorizationHeader}}
|
||||||
|
<!-- Authorization Header -->
|
||||||
|
<div class="field{{if eq .HookType "matrix"}} required{{end}} {{if .Err_AuthorizationHeader}}error{{end}}">
|
||||||
<label for="authorization_header">{{ctx.Locale.Tr "repo.settings.authorization_header"}}</label>
|
<label for="authorization_header">{{ctx.Locale.Tr "repo.settings.authorization_header"}}</label>
|
||||||
<input id="authorization_header" name="authorization_header" type="text" value="{{.Webhook.HeaderAuthorization}}"{{if eq .HookType "matrix"}} placeholder="Bearer $access_token" required{{end}}>
|
<input id="authorization_header" name="authorization_header" type="text" value="{{.Webhook.HeaderAuthorization}}"{{if eq .HookType "matrix"}} placeholder="Bearer $access_token" required{{end}}>
|
||||||
{{if ne .HookType "matrix"}}{{/* Matrix doesn't make the authorization optional but it is implied by the help string, should be changed.*/}}
|
{{if ne .HookType "matrix"}}{{/* Matrix doesn't make the authorization optional but it is implied by the help string, should be changed.*/}}
|
||||||
<span class="help">{{ctx.Locale.Tr "repo.settings.authorization_header_desc" ("<code>Bearer token123456</code>, <code>Basic YWxhZGRpbjpvcGVuc2VzYW1l</code>" | SafeHTML)}}</span>
|
<span class="help">{{ctx.Locale.Tr "repo.settings.authorization_header_desc" ("<code>Bearer token123456</code>, <code>Basic YWxhZGRpbjpvcGVuc2VzYW1l</code>" | SafeHTML)}}</span>
|
||||||
{{end}}
|
{{end}}
|
||||||
</div>
|
</div>
|
||||||
|
{{end}}
|
||||||
|
|
||||||
<div class="divider"></div>
|
<div class="divider"></div>
|
||||||
|
|
||||||
|
|
|
@ -270,11 +270,9 @@ func TestWebhookForms(t *testing.T) {
|
||||||
"payload_url": "https://sourcehut_builds.example.com",
|
"payload_url": "https://sourcehut_builds.example.com",
|
||||||
"manifest_path": ".build.yml",
|
"manifest_path": ".build.yml",
|
||||||
"visibility": "PRIVATE",
|
"visibility": "PRIVATE",
|
||||||
"authorization_header": "Bearer 123456",
|
"access_token": "123456",
|
||||||
}, map[string]string{
|
}, map[string]string{
|
||||||
"authorization_header": "",
|
"access_token": "",
|
||||||
}, map[string]string{
|
|
||||||
"authorization_header": "token ",
|
|
||||||
}, map[string]string{
|
}, map[string]string{
|
||||||
"manifest_path": "",
|
"manifest_path": "",
|
||||||
}, map[string]string{
|
}, map[string]string{
|
||||||
|
@ -289,9 +287,9 @@ func TestWebhookForms(t *testing.T) {
|
||||||
"manifest_path": ".build.yml",
|
"manifest_path": ".build.yml",
|
||||||
"visibility": "PRIVATE",
|
"visibility": "PRIVATE",
|
||||||
"secrets": "on",
|
"secrets": "on",
|
||||||
|
"access_token": "123456",
|
||||||
|
|
||||||
"branch_filter": "srht/*",
|
"branch_filter": "srht/*",
|
||||||
"authorization_header": "Bearer 123456",
|
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue