Hide sensitive information in webhook urls

[eclipse-csi-bot]

In GitLab by @netomi on Jul 25, 2023, 09:14

Currently, the webhook url is used as key for associating a webhook defined in the configuration to available live webhooks.
In some cases, the webhook url might contains tokens, e.g. as query parameter, that we do not want to expose to the public as these tokens might be misused. We need to find a way to store the query parameters in a separate field that can be resolved using a credential provider to avoid exposing this information. Example: adoptium/.eclipsefdn#13

[eclipse-csi-bot]

In GitLab by @netomi on Dec 11, 2023, 09:48

One idea would be to add a url_part field that would be appended to the url if not empty.
This field would contain the sensitive parts of the url and could be resolved e.g. with pass.

I tested this out locally, and it would work, however it is in the responsibility of the user to setup this correctly after an import as the import will have the full url including any sensitive parts:

This is how it would look like:

  orgs.newRepoWebhook('https://hooks.slack.com/services/') {
     url_part: "pass:bots/ecd.theia/slack/webhook-token-fragment",
     ...

@fgurr