Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: SCM-Manager Webhook Endpoint #1

Closed
wants to merge 4 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added docs/assets/scm-webhook-config.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
5 changes: 5 additions & 0 deletions docs/operator-manual/webhook.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,11 @@ To prevent DDoS attacks with unauthenticated webhook events (the `/api/webhook`
Azure DevOps optionally supports securing the webhook using basic authentication. To use it, specify the username and password in the webhook configuration and configure the same username/password in `argocd-secret` Kubernetes secret in
`webhook.azuredevops.username` and `webhook.azuredevops.password` keys.

## SCM
![Add Webhook](../assets/scm-webhook-config.png "Add Webhook")
SCM-Manager supports securing the webhook with basic authentication. To use it, install the ArgoCD Plugin from the plugin center and configure your webhook at Administration > Webhooks.
For the URL add the instance of your ArgoCD endpoint.

## 2. Configure Argo CD With The WebHook Secret (Optional)

Configuring a webhook shared secret is optional, since Argo CD will still refresh applications
Expand Down
1 change: 1 addition & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,7 @@ require (
github.com/r3labs/diff v1.1.0
github.com/redis/go-redis/v9 v9.7.0
github.com/robfig/cron/v3 v3.0.1
github.com/scm-manager/goscm v0.0.4
github.com/sirupsen/logrus v1.9.3
github.com/skratchdot/open-golang v0.0.0-20160302144031-75fb7ed4208c
github.com/soheilhy/cmux v0.1.5
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -866,6 +866,8 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
github.com/scm-manager/goscm v0.0.4 h1:zGf2rUz8rUWBGs4MiEJfYBGb/uL7t2sP2ZC95zHTupw=
github.com/scm-manager/goscm v0.0.4/go.mod h1:1pYGtYGb1pHUh5eQQ3bwUIdMh9ahcFrZh2ti4wV7rCc=
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
Expand Down
2 changes: 2 additions & 0 deletions util/settings/settings.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,8 @@ type ArgoCDSettings struct {
WebhookGitLabSecret string `json:"webhookGitLabSecret,omitempty"`
// WebhookBitbucketUUID holds the UUID for authenticating Bitbucket webhook events
WebhookBitbucketUUID string `json:"webhookBitbucketUUID,omitempty"`
// ScmWebhookSecret holds the secret for authenticating SCMM webhook events
WebhookScmSecret string `json:"webhookScmSecret,omitempty"`
// WebhookBitbucketServerSecret holds the shared secret for authenticating BitbucketServer webhook events
WebhookBitbucketServerSecret string `json:"webhookBitbucketServerSecret,omitempty"`
// WebhookGogsSecret holds the shared secret for authenticating Gogs webhook events
Expand Down
7 changes: 7 additions & 0 deletions util/webhook/testdata/scm-webhook-data.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"HTMLURL": "github.com/scm-manager/argocd-test",
"Branch": {
"Name": "testrepo",
"DefaultBranch": true
}
}
17 changes: 17 additions & 0 deletions util/webhook/webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ import (
"github.com/argoproj/argo-cd/v2/util/db"
"github.com/argoproj/argo-cd/v2/util/glob"
"github.com/argoproj/argo-cd/v2/util/settings"
"github.com/scm-manager/goscm"
)

type settingsSource interface {
Expand Down Expand Up @@ -63,6 +64,7 @@ type ArgoCDWebhookHandler struct {
gogs *gogs.Webhook
settingsSrc settingsSource
queue chan interface{}
scmm *goscm.ArgoCDWebhook
maxWebhookPayloadSizeB int64
}

Expand Down Expand Up @@ -91,6 +93,10 @@ func NewHandler(namespace string, applicationNamespaces []string, webhookParalle
if err != nil {
log.Warnf("Unable to init the Azure DevOps webhook")
}
scmmWebhook, err := goscm.New(goscm.Options.Secret(set.WebhookScmSecret))
if err != nil {
log.Warnf("Unable to init the SCM Webhook")
}

acdWebhook := ArgoCDWebhookHandler{
ns: namespace,
Expand All @@ -107,6 +113,7 @@ func NewHandler(namespace string, applicationNamespaces []string, webhookParalle
serverCache: serverCache,
db: argoDB,
queue: make(chan interface{}, payloadQueueSize),
scmm: scmmWebhook,
maxWebhookPayloadSizeB: maxWebhookPayloadSizeB,
}

Expand Down Expand Up @@ -240,6 +247,11 @@ func affectedRevisionInfo(payloadIf interface{}) (webURLs []string, revision str
changedFiles = append(changedFiles, commit.Modified...)
changedFiles = append(changedFiles, commit.Removed...)
}

case goscm.PushEventPayload:
webURLs = append(webURLs, payload.HTMLURL)
touchedHead = payload.Branch.DefaultBranch
revision = payload.Branch.Name
}
return webURLs, revision, change, touchedHead, changedFiles
}
Expand Down Expand Up @@ -445,6 +457,11 @@ func (a *ArgoCDWebhookHandler) Handler(w http.ResponseWriter, r *http.Request) {
if errors.Is(err, bitbucketserver.ErrHMACVerificationFailed) {
log.WithField(common.SecurityField, common.SecurityHigh).Infof("BitBucket webhook HMAC verification failed")
}
case r.Header.Get("X-SCM-PushEvent") != "":
payload, err = a.scmm.Parse(r, goscm.PushEvent)
if errors.Is(err, goscm.ErrSecretVerification) {
log.WithField(common.SecurityField, common.SecurityHigh).Infof("SCM Manager webhook verification failed")
}
default:
log.Debug("Ignoring unknown webhook event")
http.Error(w, "Unknown webhook event", http.StatusBadRequest)
Expand Down
16 changes: 16 additions & 0 deletions util/webhook/webhook_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,22 @@
hook.Reset()
}

func TestScmWebhook(t *testing.T) {
hook := test.NewGlobal()
h := NewMockHandler(nil, []string{})
req := httptest.NewRequest(http.MethodPost, "/api/webhook", nil)
req.Header.Set("X-SCM-PushEvent", "Push")
eventJSON, err := os.ReadFile("testdata/scm-webhook-data.json")
assert.NoError(t, err)

Check failure on line 129 in util/webhook/webhook_test.go

View workflow job for this annotation

GitHub Actions / Lint Go code

require-error: for error assertions use require (testifylint)
req.Body = io.NopCloser(bytes.NewReader(eventJSON))
w := httptest.NewRecorder()
h.Handler(w, req)
assert.Equal(t, w.Code, http.StatusOK)

Check failure on line 133 in util/webhook/webhook_test.go

View workflow job for this annotation

GitHub Actions / Lint Go code

expected-actual: need to reverse actual and expected values (testifylint)
expectedLogResult := "Received push event repo: github.com/scm-manager/argocd-test, revision: testrepo, touchedHead: true"
assert.Equal(t, expectedLogResult, hook.LastEntry().Message)
hook.Reset()
}

// TestGitHubCommitEvent_MultiSource_Refresh makes sure that a webhook will refresh a multi-source app when at least
// one source matches.
func TestGitHubCommitEvent_MultiSource_Refresh(t *testing.T) {
Expand Down
Loading