diff --git a/examples/webhook.pp b/examples/webhook.pp deleted file mode 100644 index f1425159..00000000 --- a/examples/webhook.pp +++ /dev/null @@ -1 +0,0 @@ -include r10k::webhook diff --git a/examples/webhook/config.pp b/examples/webhook/config.pp deleted file mode 100644 index 75567b44..00000000 --- a/examples/webhook/config.pp +++ /dev/null @@ -1,18 +0,0 @@ -include r10k::webhook - -file { '/usr/local/bin/prefix_command.rb': - ensure => file, - mode => '0755', - owner => 'root', - group => '0', - source => 'puppet:///modules/r10k/prefix_command.rb', -} - -class { 'r10k::webhook::config': - prefix => true, - prefix_command => '/usr/local/bin/prefix_command.rb', - enable_ssl => false, - protected => false, - notify => Service['webhook'], - require => File['/usr/local/bin/prefix_command.rb'], -} diff --git a/spec/acceptance/basic_webhook_spec.rb b/spec/acceptance/basic_webhook_spec.rb deleted file mode 100644 index 3211d106..00000000 --- a/spec/acceptance/basic_webhook_spec.rb +++ /dev/null @@ -1,74 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper_acceptance' - -describe 'System Ruby with No SSL, Not protected, No mcollective', unless: default[:platform] =~ %r{archlinux} do - context 'with basics parameters' do - hosts_as('agent').each do |agent| - it 'applies with no errors and idempotently' do - pp = %( - class { 'r10k': - remote => 'git@github.com:someuser/puppet.git', - } - class {'r10k::webhook::config': - enable_ssl => false, - protected => false, - use_mcollective => false, - notify => Service['webhook.service'], - } - - class {'r10k::webhook': - require => Class['r10k::webhook::config'], - } - ) - - apply_manifest_on(agent, pp, catch_failures: true) - apply_manifest_on(agent, pp, catch_changes: true) - end - - describe service('webhook') do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - # rubocop:disable RSpec/RepeatedExampleGroupBody - describe command('/usr/bin/curl -d \'{ "repository": { "name": "puppetlabs-stdlib" } }\' -H "Accept: application/json" "http://localhost:8088/module" -k -q') do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - - describe command('/usr/bin/curl -X POST -d \'{ "repository": { "full_name": "puppetlabs/puppetlabs-stdlib", "name": "PuppetLabs : StdLib" } }\' "http://localhost:8088/module" -k -q') do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - - describe command('/usr/bin/curl -d \'{ "ref": "refs/heads/production" }\' -H "Accept: application/json" "http://localhost:8088/payload" -k -q') do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - - describe command('/usr/bin/curl -X POST -d \'%7b%22ref%22%3a%22maste%r22%7d\' "http://localhost:8088/payload" -q') do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - - describe command('/usr/bin/curl -X POST -d \'{ "push": { "changes": [ { "new": { "name": "production" } } ] } }\' "http://localhost:8088/payload" -q') do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - # Following test is let here commented to rememeber it. - # * it does not work as is. - # * it is interesting to add this tests when possible. - # - # it 'successfully locks when hammered with multiple requests' do - # 4.times do - # Thread.new do - # result = on(agent, '/usr/bin/curl -d \'{ "ref": "refs/heads/production" }\' -H "Accept: application/json" "http://localhost:8088/payload" -k -q') - # result.exit_code.should == 0 - # end - # end - # end - end - # rubocop:enable RSpec/RepeatedExampleGroupBody - end -end diff --git a/spec/acceptance/gitlab_token_webhook_spec.rb b/spec/acceptance/gitlab_token_webhook_spec.rb deleted file mode 100644 index 41f1c157..00000000 --- a/spec/acceptance/gitlab_token_webhook_spec.rb +++ /dev/null @@ -1,55 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper_acceptance' -require 'openssl' - -describe 'GitLab Secret Token Enabled, System Ruby with No SSL, Not protected, No mcollective', unless: default[:platform] =~ %r{archlinux} do - context 'default parameters' do - pp = %( - class { 'r10k': - remote => 'git@gitlab.com:someuser/puppet.git', - } - class {'r10k::webhook::config': - enable_ssl => false, - protected => false, - use_mcollective => false, - gitlab_token => 'secret', - } - - class {'r10k::webhook': - require => Class['r10k::webhook::config'], - } - ) - - it 'applies with no errors' do - apply_manifest(pp, catch_failures: true) - end - - it 'is idempotent' do - apply_manifest(pp, catch_changes: true) - end - - describe service('webhook') do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - context 'supports Gitlab style payloads via module end point with token in header' do - token = 'secret' - - describe command("/usr/bin/curl -d '{ \"repository\": { \"name\": \"puppetlabs-stdlib\" } }' -H \"Accept: application/json\" \"http://localhost:8088/module\" -H \"X-Gitlab-Token: #{token}\" -k -q") do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - end - - context 'supports Gitlab style payloads via payload end point with token in header' do - token = 'secret' - - describe command("/usr/bin/curl -d '{ \"ref\": \"refs/heads/production\" }' -H \"Accept: application/json\" -H \"X-Gitlab-Token: #{token}\" \"http://localhost:8088/payload\" -k -q") do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - end - end -end diff --git a/spec/acceptance/prefix_webhook_spec.rb b/spec/acceptance/prefix_webhook_spec.rb deleted file mode 100644 index bbbce7b9..00000000 --- a/spec/acceptance/prefix_webhook_spec.rb +++ /dev/null @@ -1,87 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper_acceptance' - -describe 'Prefix Enabled,System Ruby with No SSL, Not protected, No mcollective', unless: default[:platform] =~ %r{archlinux} do - context 'default parameters' do - pp = %( - file {'/usr/local/bin/prefix_command.rb': - ensure => file, - mode => '0755', - owner => 'root', - group => '0', - source => 'puppet:///modules/r10k/prefix_command.rb', - } - class { 'r10k': - sources => { - 'webteam' => { - 'remote' => 'https://github.com/webteam/somerepo.git', - 'basedir' => '${::settings::confdir}/environments', - 'prefix' => true, - }, - 'secteam' => { - 'remote' => 'https://github.com/secteam/someotherrepo.git', - 'basedir' => '${::settings::confdir}/environments', - 'prefix' => true, - }, - 'noprefix' => { - 'remote' => 'https://github.com/noprefix/repo.git', - 'basedir' => '${::settings::confdir}/environments' - }, - 'customprefix' => { - 'remote' => 'https://github.com/customprefix/repo.git', - 'basedir' => '${::settings::confdir}/environments', - 'prefix' => 'custom' - } - }, - } - class {'r10k::webhook::config': - enable_ssl => false, - protected => false, - use_mcollective => false, - prefix => true, - prefix_command => '/usr/local/bin/prefix_command.rb', - require => File['/usr/local/bin/prefix_command.rb'], - notify => Service['webhook.service'], - } - class {'r10k::webhook': - require => Class['r10k::webhook::config'], - } - ) - - it 'applies with no errors' do - apply_manifest(pp, catch_failures: true) - end - - it 'is idempotent' do - apply_manifest(pp, catch_changes: true) - end - - describe service('webhook') do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - # rubocop:disable RSpec/RepeatedExampleGroupBody - describe command('/usr/bin/curl -d \'{ "ref": "refs/heads/production", "repository": { "name": "puppet-control" , "url": "https://github.com/webteam/somerepo.git"} }\' -H "Accept: application/json" "http://localhost:8088/payload" -k -q') do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - - describe command('/usr/bin/curl -d \'{ "ref": "refs/heads/production", "repository": { "name": "puppet-control" , "url": "https://github.com/secteam/someotherrepo.git"} }\' -H "Accept: application/json" "http://localhost:8088/payload" -k -q') do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - - describe command('/usr/bin/curl -d \'{ "ref": "refs/heads/production", "repository": { "name": "puppet-control" , "url": "https://github.com/customprefix/repo.git"} }\' -H "Accept: application/json" "http://localhost:8088/payload" -k -q') do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - - describe command('/usr/bin/curl -d \'{ "ref": "refs/heads/production", "repository": { "name": "puppet-control" , "url": "https://github.com/noprefix/repo.git"} }\' -H "Accept: application/json" "http://localhost:8088/payload" -k -q') do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - # rubocop:enable RSpec/RepeatedExampleGroupBody - end -end diff --git a/spec/acceptance/signature_webhook_bitbucket_spec.rb b/spec/acceptance/signature_webhook_bitbucket_spec.rb deleted file mode 100644 index 285762b1..00000000 --- a/spec/acceptance/signature_webhook_bitbucket_spec.rb +++ /dev/null @@ -1,57 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper_acceptance' -require 'openssl' - -describe 'BitBucket Secret Enabled, System Ruby with No SSL, Not protected, No mcollective', unless: default[:platform] =~ %r{archlinux} do - context 'default parameters' do - pp = %( - class { 'r10k': - remote => 'git@yourbitbucketserver.com:someuser/puppet.git', - } - class {'r10k::webhook::config': - enable_ssl => false, - protected => false, - use_mcollective => false, - bitbucket_secret => 'secret', - } - - class {'r10k::webhook': - require => Class['r10k::webhook::config'], - } - ) - - it 'applies with no errors' do - apply_manifest(pp, catch_failures: true) - end - - it 'is idempotent' do - apply_manifest(pp, catch_changes: true) - end - - describe service('webhook') do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - context 'supports style BitBucket payloads via module end point with signature in header' do - hmac_digest = OpenSSL::Digest.new('sha256') - signature = "sha1=#{OpenSSL::HMAC.hexdigest(hmac_digest, 'secret', '{ "repository": { "name": "puppetlabs-stdlib" } }')}" - - describe command("/usr/bin/curl -d '{ \"repository\": { \"name\": \"puppetlabs-stdlib\" } }' -H \"Accept: application/json\" \"http://localhost:8088/module\" -H \"X-Hub-Signature: #{signature}\" -k -q") do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - end - - context 'supports style BitBucket payloads via payload end point with signature in header' do - hmac_digest = OpenSSL::Digest.new('sha256') - signature = "sha1=#{OpenSSL::HMAC.hexdigest(hmac_digest, 'secret', '{ "ref": "refs/heads/production" }')}" - - describe command("/usr/bin/curl -d '{ \"ref\": \"refs/heads/production\" }' -H \"Accept: application/json\" -H \"X-Hub-Signature: #{signature}\" \"http://localhost:8088/payload\" -k -q") do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - end - end -end diff --git a/spec/acceptance/signature_webhook_github_spec.rb b/spec/acceptance/signature_webhook_github_spec.rb deleted file mode 100644 index 848dd3d0..00000000 --- a/spec/acceptance/signature_webhook_github_spec.rb +++ /dev/null @@ -1,57 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper_acceptance' -require 'openssl' - -describe 'GitHub Secret Enabled, System Ruby with No SSL, Not protected, No mcollective', unless: default[:platform] =~ %r{archlinux} do - context 'default parameters' do - pp = %( - class { 'r10k': - remote => 'git@github.com:someuser/puppet.git', - } - class {'r10k::webhook::config': - enable_ssl => false, - protected => false, - use_mcollective => false, - github_secret => 'secret', - } - - class {'r10k::webhook': - require => Class['r10k::webhook::config'], - } - ) - - it 'applies with no errors' do - apply_manifest(pp, catch_failures: true) - end - - it 'is idempotent' do - apply_manifest(pp, catch_changes: true) - end - - describe service('webhook') do - it { is_expected.to be_enabled } - it { is_expected.to be_running } - end - - context 'supports style Github payloads via module end point with signature in header' do - hmac_digest = OpenSSL::Digest.new('sha1') - signature = "sha1=#{OpenSSL::HMAC.hexdigest(hmac_digest, 'secret', '{ "repository": { "name": "puppetlabs-stdlib" } }')}" - - describe command("/usr/bin/curl -d '{ \"repository\": { \"name\": \"puppetlabs-stdlib\" } }' -H \"Accept: application/json\" \"http://localhost:8088/module\" -H \"X-Hub-Signature: #{signature}\" -k -q") do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - end - - context 'supports style Github payloads via payload end point with signature in header' do - hmac_digest = OpenSSL::Digest.new('sha1') - signature = "sha1=#{OpenSSL::HMAC.hexdigest(hmac_digest, 'secret', '{ "ref": "refs/heads/production" }')}" - - describe command("/usr/bin/curl -d '{ \"ref\": \"refs/heads/production\" }' -H \"Accept: application/json\" -H \"X-Hub-Signature: #{signature}\" \"http://localhost:8088/payload\" -k -q") do - its(:stdout) { is_expected.not_to match %r{.*You shall not pass.*} } - its(:exit_status) { is_expected.to eq 0 } - end - end - end -end diff --git a/spec/classes/webhook/config_spec.rb b/spec/classes/webhook/config_spec.rb deleted file mode 100644 index eda10352..00000000 --- a/spec/classes/webhook/config_spec.rb +++ /dev/null @@ -1,586 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' -describe 'r10k::webhook::config', type: :class do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - let :pre_condition do - 'include r10k::webhook' - end - - context 'Puppet Enterprise 2016.4.2 with defaults' do - let :facts do - facts.merge( - pe_server_version: '2016.4.2' - ) - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -access_logfile: "/var/log/webhook/access.log" -allow_uppercase: true -bind_address: "*" -certname: "peadmin" -certpath: "/var/lib/peadmin/.mcollective.d" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: false -enable_ssl: true -generate_types: false -ignore_environments: [] -pass: "peadmin" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -private_key_path: "/var/lib/peadmin/.mcollective.d/peadmin-private.pem" -protected: true -public_key_path: "/var/lib/peadmin/.mcollective.d/peadmin-cert.pem" -r10k_deploy_arguments: "-pv" -server_software: "WebHook" -use_mco_ruby: false -use_mcollective: true -user: "peadmin" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - - context 'Puppet Enterprise 2016.4.2 with events defined' do - let :params do - { - repository_events: %w[merge release] - } - end - let :facts do - facts.merge( - pe_server_version: '2016.4.2' - ) - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -access_logfile: "/var/log/webhook/access.log" -allow_uppercase: true -bind_address: "*" -certname: "peadmin" -certpath: "/var/lib/peadmin/.mcollective.d" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: false -enable_ssl: true -generate_types: false -ignore_environments: [] -pass: "peadmin" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -private_key_path: "/var/lib/peadmin/.mcollective.d/peadmin-private.pem" -protected: true -public_key_path: "/var/lib/peadmin/.mcollective.d/peadmin-cert.pem" -r10k_deploy_arguments: "-pv" -repository_events: ["merge", "release"] -server_software: "WebHook" -use_mco_ruby: false -use_mcollective: true -user: "peadmin" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - - context 'Puppet Enterprise 2016.4.2 removing Webhook Config' do - let :params do - { - ensure: false - } - end - let :facts do - facts.merge( - pe_server_version: '2016.4.2' - ) - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - ensure: 'absent', - path: '/etc/webhook.yaml' - ) - end - end - - context 'FOSS with defaults' do - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -access_logfile: "/var/log/webhook/access.log" -allow_uppercase: true -bind_address: "*" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: false -enable_ssl: true -generate_types: false -ignore_environments: [] -pass: "puppet" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -protected: true -r10k_deploy_arguments: "-pv" -server_software: "WebHook" -use_mco_ruby: false -use_mcollective: true -user: "puppet" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - - context 'FOSS with mutex lock enabled' do - let :params do - { - enable_mutex_lock: true - } - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -access_logfile: "/var/log/webhook/access.log" -allow_uppercase: true -bind_address: "*" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: true -enable_ssl: true -generate_types: false -ignore_environments: [] -pass: "puppet" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -protected: true -r10k_deploy_arguments: "-pv" -server_software: "WebHook" -use_mco_ruby: false -use_mcollective: true -user: "puppet" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - - context 'FOSS with github secret enabled' do - let :params do - { - github_secret: 'secret' - } - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -access_logfile: "/var/log/webhook/access.log" -allow_uppercase: true -bind_address: "*" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: false -enable_ssl: true -generate_types: false -github_secret: "secret" -ignore_environments: [] -pass: "puppet" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -protected: true -r10k_deploy_arguments: "-pv" -server_software: "WebHook" -use_mco_ruby: false -use_mcollective: true -user: "puppet" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - - context 'FOSS with gitlab token enabled' do - let :params do - { - gitlab_token: 'secret' - } - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -access_logfile: "/var/log/webhook/access.log" -allow_uppercase: true -bind_address: "*" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: false -enable_ssl: true -generate_types: false -gitlab_token: "secret" -ignore_environments: [] -pass: "puppet" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -protected: true -r10k_deploy_arguments: "-pv" -server_software: "WebHook" -use_mco_ruby: false -use_mcollective: true -user: "puppet" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - - context 'FOSS with access_logfile = stderr' do - let :params do - { - access_logfile: 'stderr', - } - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -allow_uppercase: true -bind_address: "*" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: false -enable_ssl: true -generate_types: false -ignore_environments: [] -pass: "puppet" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -protected: true -r10k_deploy_arguments: "-pv" -server_software: "WebHook" -use_mco_ruby: false -use_mcollective: true -user: "puppet" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - - context 'FOSS with BitBucket server secret enabled' do - let :params do - { - bitbucket_secret: 'secret' - } - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -access_logfile: "/var/log/webhook/access.log" -allow_uppercase: true -bind_address: "*" -bitbucket_secret: "secret" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: false -enable_ssl: true -generate_types: false -ignore_environments: [] -pass: "puppet" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -protected: true -r10k_deploy_arguments: "-pv" -server_software: "WebHook" -use_mco_ruby: false -use_mcollective: true -user: "puppet" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - - context 'FOSS with slack webhook enabled' do - let :params do - { - slack_webhook: 'slack_webhook' - } - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -access_logfile: "/var/log/webhook/access.log" -allow_uppercase: true -bind_address: "*" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: false -enable_ssl: true -generate_types: false -ignore_environments: [] -pass: "puppet" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -protected: true -r10k_deploy_arguments: "-pv" -server_software: "WebHook" -slack_webhook: "slack_webhook" -use_mco_ruby: false -use_mcollective: true -user: "puppet" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - - context 'FOSS with Rocket.Chat webhook enabled' do - let :params do - { - rocketchat_webhook: 'rocketchat_webhook' - } - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -access_logfile: "/var/log/webhook/access.log" -allow_uppercase: true -bind_address: "*" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: false -enable_ssl: true -generate_types: false -ignore_environments: [] -pass: "puppet" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -protected: true -r10k_deploy_arguments: "-pv" -rocketchat_webhook: "rocketchat_webhook" -server_software: "WebHook" -use_mco_ruby: false -use_mcollective: true -user: "puppet" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - - context 'Puppet Enterprise 2015.3.1 removing Webhook Config' do - let :params do - { - ensure: false - } - end - let :facts do - facts.merge( - is_pe: 'true', - pe_server_version: '2015.3.1' - ) - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - ensure: 'absent', - path: '/etc/webhook.yaml' - ) - end - end - - context 'FOSS with custom permissions for webhook.yaml' do - let :params do - { - configfile_owner: 'r10k', - configfile_group: 'r10k', - configfile_mode: '0600' - } - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'r10k', - group: 'r10k', - mode: '0600', - notify: 'Service[webhook.service]' - ) - end - end - - context 'FOSS with extra mco argument' do - let :params do - { - mco_arguments: '--no-progress' - } - end - - it do - expect(subject).to contain_file('webhook.yaml').with( - path: '/etc/webhook.yaml', - ensure: 'file', - owner: 'root', - group: 'root', - mode: '0644', - notify: 'Service[webhook.service]' - ) - end - - content = '--- -access_logfile: "/var/log/webhook/access.log" -allow_uppercase: true -bind_address: "*" -client_cfg: "/var/lib/peadmin/.mcollective" -client_timeout: "120" -command_prefix: "umask 0022;" -default_branch: "production" -discovery_timeout: "10" -enable_mutex_lock: false -enable_ssl: true -generate_types: false -ignore_environments: [] -mco_arguments: "--no-progress" -pass: "puppet" -port: "8088" -prefix: false -prefix_command: "/bin/echo example" -protected: true -r10k_deploy_arguments: "-pv" -server_software: "WebHook" -use_mco_ruby: false -use_mcollective: true -user: "puppet" -' - it { is_expected.to contain_file('webhook.yaml').with_content(content) } - end - end - end -end diff --git a/spec/classes/webhook/package_spec.rb b/spec/classes/webhook/package_spec.rb deleted file mode 100644 index c1a751e8..00000000 --- a/spec/classes/webhook/package_spec.rb +++ /dev/null @@ -1,94 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' -describe 'r10k::webhook::package', type: :class do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :ruby_version do - if facts[:aio_agent_version] - # If the facts come from some kind of AIO puppet, match the version - # of Ruby corresponding to the version of puppet we simulate. - if puppetversion[0] == '6' - '2.5.0' - else - '2.7.0' - end - else - # Otherwise, assume a recent Ruby - '3.0.0' - end - end - let :facts do - facts.merge( - is_pe: is_pe, - puppetversion: puppetversion, - ruby: { - version: ruby_version - } - ) - end - - let :pre_condition do - "service { 'webhook.service': ensure => 'running'}" - end - - context 'package provider' do - let(:is_pe) { false } - let(:puppetversion) { '7.10.0' } - - provider = case facts[:os]['name'] - when 'Archlinux' - 'pacman' - when 'Gentoo' - 'portage' - else - 'puppet_gem' - end - it { is_expected.to contain_package('sinatra').with(provider: provider) } - end - - context 'Puppet Enterprise 2019.8.7' do - let :params do - { - is_pe_server: true - } - end - let :facts do - facts.merge( - pe_server_version: '2019.8.7' - ) - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.not_to contain_package('webrick') } - it { is_expected.not_to contain_package('json') } - end - - context 'Puppet FOSS 6' do - let(:puppetversion) { '6.24.0' } - let(:is_pe) { false } - - it { is_expected.to compile.with_all_deps } - - case facts[:os]['name'] - when 'Archlinux', 'Gentoo' - it { is_expected.to contain_package('sinatra').with(ensure: 'installed') } - else - it { is_expected.to contain_package('sinatra').with(ensure: '~> 2.0') } - end - it { is_expected.to contain_package('webrick').with(ensure: 'installed') } - it { is_expected.to contain_package('json').with(ensure: 'installed') } - end - - context 'Puppet FOSS 7' do - let(:puppetversion) { '7.10.0' } - let(:is_pe) { false } - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_package('sinatra').with(ensure: 'installed') } - it { is_expected.to contain_package('webrick').with(ensure: 'installed') } - it { is_expected.to contain_package('json').with(ensure: 'installed') } - end - end - end -end diff --git a/spec/classes/webhook_spec.rb b/spec/classes/webhook_spec.rb deleted file mode 100644 index 93551947..00000000 --- a/spec/classes/webhook_spec.rb +++ /dev/null @@ -1,28 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' -describe 'r10k::webhook', type: :class do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - context 'With FOSS and the mcollective webhook' do - let :params do - { - use_mcollective: true - } - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('r10k::webhook::package') } - it { is_expected.not_to contain_file('peadmin-cert.pem').with(path: '/var/lib/peadmin/.mcollective.d/peadmin-cert.pem') } - it { is_expected.to contain_package('sinatra') } - it { is_expected.to contain_package('json') } - it { is_expected.to contain_package('webrick') } - it { is_expected.to contain_systemd__unit_file('webhook.service') } - end - end - end -end diff --git a/templates/webhook.bin.erb b/templates/webhook.bin.erb deleted file mode 100755 index c458362e..00000000 --- a/templates/webhook.bin.erb +++ /dev/null @@ -1,578 +0,0 @@ -<% if @ruby_bin -%> -#!<%= @ruby_bin %> -<% else -%> -<% if @is_pe == true or @is_pe == 'true' -%> -#!/opt/puppet/bin/ruby -<% elsif Puppet::Util::Package.versioncmp(Puppet.version, '4.2.0') >= 0 -%> -#!/opt/puppetlabs/puppet/bin/ruby -<% else -%> -#!/usr/bin/ruby -<% end -%> -<% end -%> -# This mini-webserver is meant to be run as the peadmin user -# so that it can call mcollective from a puppetmaster -# Authors: -# Ben Ford -# Adam Crews -# Zack Smith -# Jeff Malnick - -require 'rubygems' -require 'sinatra/base' -require 'webrick' -require 'webrick/https' -require 'openssl' -require 'resolv' -require 'json' -require 'yaml' -require 'cgi' -require 'open3' -require 'shellwords' - -WEBHOOK_CONFIG = '/etc/webhook.yaml' -PIDFILE = '/var/run/webhook/webhook.pid' -LOCKFILE = '/var/run/webhook/webhook.lock' -APP_ROOT = '/var/run/webhook' - -if (File.exists?(WEBHOOK_CONFIG)) - $config = YAML.load_file(WEBHOOK_CONFIG) -else - raise "Configuration file: #{WEBHOOK_CONFIG} does not exist" -end - -<% if @user == 'peadmin' -%> -ENV['HOME'] = '/var/lib/<%= @user %>' -<% end -%> -ENV['PATH'] = '/sbin:/usr/sbin:/bin:/usr/bin:/opt/puppetlabs/puppet/bin:<%= if @is_pe == true or @is_pe == 'true' then '/opt/puppet/bin' else '/usr/local/bin' end %>' - -$logger = WEBrick::Log::new($config['access_logfile'], WEBrick::Log::DEBUG) - -opts = { - :Host => $config['bind_address'], - :Port => $config['port'], - :Logger => $logger, - :ServerType => <%= @server_type %>, - :ServerSoftware => $config['server_software'], - :SSLEnable => $config['enable_ssl'], - :StartCallback => Proc.new { File.open(PIDFILE, 'w') {|f| f.write Process.pid } }, -} -if $config['enable_ssl'] then - CERT_PATTERN = /-----BEGIN.+?CERTIFICATE-----.+?-----END.+?CERTIFICATE-----/m - certs = File.open("#{$config['public_key_path']}").read.scan(CERT_PATTERN) - opts[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_NONE - opts[:SSLCertificate] = OpenSSL::X509::Certificate.new(certs.shift) - opts[:SSLPrivateKey] = OpenSSL::PKey::RSA.new(File.open("#{$config['private_key_path']}").read) - opts[:SSLCertName] = [ [ "CN",WEBrick::Utils::getservername ] ] - if ! certs.empty? then - opts[:SSLExtraChainCert] = certs.map { |x| OpenSSL::X509::Certificate.new(x) } - end -end - -if $config['use_mcollective'] then - require 'mcollective' - include MCollective::RPC -end - -if $config['slack_webhook'] then - require 'slack-notifier' -end - -if $config['rocketchat_webhook'] then - require 'rocket-chat-notifier' -end - -$command_prefix = $config['command_prefix'] || '' - -class Server < Sinatra::Base - - set :static, false - if $config['enable_mutex_lock'] then - set :lock, true - end - - get '/' do - raise Sinatra::NotFound - end - - get '/heartbeat' do - return 200, {:status => :success, :message => 'running' }.to_json - end - - # Simulate a github post: - # curl -d '{ "repository": { "name": "puppetlabs-stdlib" } }' -H "Accept: application/json" 'https://puppet:487156B2-7E67-4E1C-B447-001603C6B8B2@localhost:8088/module' -k -q - # - # Simulate a BitBucket post: - # curl -X POST -d '{ "repository": { "full_name": "puppetlabs/puppetlabs-stdlib", "name": "PuppetLabs : StdLib" } }' 'https://puppet:puppet@localhost:8088/module' -k -q - # This example shows that, unlike github, BitBucket allows special characters - # in repository names but translates it to generate a full_name which - # is used in the repository URL and is most useful for this webhook handler. - post '/module' do - protected! if $config['protected'] - request.body.rewind # in case someone already read it - - # Short circuit if we're ignoring this event - return 200 if ignore_event? - - decoded = request.body.read - verify_signature(decoded, 'sha1', $config['github_secret']) if $config['github_secret'] - verify_signature(decoded, 'sha256', $config['bitbucket_secret']) if $config['bitbucket_secret'] - verify_token($config['gitlab_token']) if $config['gitlab_token'] - data = JSON.parse(decoded, :quirks_mode => true) - - if data['repository'].has_key?('full_name') - # handle BitBucket webhook... - module_name = ( data['repository']['full_name'] ).sub(/^.*\/(.*-)?/, '') - else - module_name = ( data['repository']['name'] ).sub(/^.*-/, '') - end - - module_name = sanitize_input(module_name) - $logger.info("Deploying module #{module_name} in the background.") - Process.detach(fork { deploy_module(module_name) }) - - return 202, {:status => :accepted, :message => 'accepted' }.to_json - end - - # Simulate a github post: - # curl -d '{ "ref": "refs/heads/production" }' -H "Accept: application/json" 'https://puppet:puppet@localhost:8088/payload' -k -q - # - # If using stash look at the stash_mco.rb script included here. - # It will filter the stash post and make it look like a github post. - # - # Simulate a Gitorious post: - # curl -X POST -d '%7b%22ref%22%3a%22master%22%7d' 'http://puppet:puppet@localhost:8088/payload' -q - # Yes, Gitorious does not support https... - # - # Simulate a BitBucket post: - # curl -X POST -d '{ "push": { "changes": [ { "new": { "name": "production" } } ] } }' 'https://puppet:puppet@localhost:8088/payload' -k -q - - post '/payload' do - protected! if $config['protected'] - request.body.rewind # in case someone already read it - - # Short circuit if we're ignoring this event - return 200 if ignore_event? - - # Check if content type is x-www-form-urlencoded - if request.content_type.to_s.downcase.eql?('application/x-www-form-urlencoded') - decoded = CGI::unescape(request.body.read).gsub(/^payload\=/,'') - else - decoded = request.body.read - end - verify_signature(decoded, 'sha1', $config['github_secret']) if $config['github_secret'] - verify_signature(decoded, 'sha256', $config['bitbucket_secret']) if $config['bitbucket_secret'] - verify_token($config['gitlab_token']) if $config['gitlab_token'] - data = JSON.parse(decoded, :quirks_mode => true) - - # Iterate the data structure to determine what's should be deployed - branch = ( - data['ref'] || # github & gitlab - data['refChanges'][0]['refId'] rescue nil || # stash - data['push']['changes'][0]['new']['name'] rescue nil || # bitbucket - data['changes'][0]['ref']['displayId'] rescue nil || # bitbucket server repository event - data['pullRequest']['fromRef']['displayId'] rescue nil || # bitbucket server pull request event - data['resource']['refUpdates'][0]['name'] rescue nil || # TFS/VisualStudio-Git - data['repository']['default_branch'] # github tagged release; no ref. - ).sub('refs/heads/', '') rescue nil - - # If prefix is enabled in our config file, determine what the prefix should be - prefix = case $config['prefix'] - when :repo - repo_name(data) - when :user - repo_user(data) - when :command, TrueClass - run_prefix_command(data.to_json) - when String - $config['prefix'] - end - - # When a branch is being deleted, a deploy against it will result in a failure, as it no longer exists. - # Instead, deploy the default branch, which will purge deleted branches per the user's configuration - branch_deleted = ( - data['deleted'] rescue false || # Github - data['push']['changes'][0]['closed'] rescue false || # Bitbucket - data['refChanges'][0]['type'] rescue false || # Stash/Bitbucket Server - data['after'] rescue false # Gitlab - ) - - if [true, 'DELETED', '0000000000000000000000000000000000000000'].include?(branch_deleted) - deleted = true - else - deleted = false - end - - if deleted - branch = $config['default_branch'] - else - branch = sanitize_input(branch) - end - - # r10k doesn't yet know how to deploy all branches from a single source. - # The best we can do is just deploy all environments by passing nil to - # deploy() if we don't know the correct branch. - if prefix.nil? or prefix.empty? or branch.nil? or branch.empty? - env = normalize(branch) - else - env = normalize("#{prefix}_#{branch}") - end - - if ignore_env?(env) - $logger.info("Skipping deployment of environment #{env} according to ignore_environments configuration parameter") - return 200 - else - $logger.info("Deploying environment #{env} in the background") - Process.detach(fork { deploy(env, deleted) }) - - return 202, {:status => :accepted, :message => 'accepted' }.to_json - end - end - - not_found do - halt 404, "You shall not pass! (page not found)\n" - end - - helpers do - - # Ignore environments that we don't care about e.g. feature or bugfix branches - def ignore_env?(env) - list = $config['ignore_environments'] - return false if list.nil? or list.empty? - - list.each do |l| - # Even unquoted array elements wrapped by slashes becomes strings after YAML parsing - # So we need to convert it into Regexp manually - if l =~ /^\/.+\/$/ - return true if env =~ Regexp.new(l[1..-2]) - else - return true if env == l - end - end - - return false - end - - # Check to see if this is an event we care about. Default to responding to all events - def ignore_event? - # Explicitly ignore GitHub ping events - return true if request.env['HTTP_X_GITHUB_EVENT'] == 'ping' - - list = $config['repository_events'] - event = request.env['HTTP_X_GITHUB_EVENT'] - - # negate this, because we should respond if any of these conditions are true - ! (list.nil? or list == event or list.include?(event)) - end - - def run_command(command) - message = '' - File.open(LOCKFILE, 'w+') do |file| - # r10k has a small race condition which can cause failed deploys if two happen - # more or less simultaneously. To mitigate, we just lock on a file and wait for - # the other one to complete. - file.flock(File::LOCK_EX) - - message = "triggered: #{command}" - stdout, stderr, exit_status = Open3.capture3(command) - raise "#{stdout}\n#{stderr}" if exit_status != 0 - end - message - end - - def generate_types(environment) - begin -<% if @user != 'root' -%> -<%# explicitly set working directories for non-root accounts -%> -<% @generate_suffix=' --confdir ' + scope.lookupvar('settings::confdir') + - ' --codedir ' + scope.lookupvar('settings::codedir') + - ' --vardir ' + scope.lookupvar('settings::vardir') --%> -<% else -%> -<% @generate_suffix='' -%> -<% end -%> - command = "#{$command_prefix} /opt/puppetlabs/bin/puppet generate types --environment #{environment.gsub(/\W/, '_')}<%= @generate_suffix %>" - - message = run_command(command) - $logger.info("message: #{message} environment: #{environment}") - status_message = {:status => :success, :message => message.to_s, :environment => environment, :status_code => 200} - notify_slack(status_message) if slack? - rescue => e - $logger.error("message: #{e.message} trace: #{e.backtrace}") - status_message = {:status => :fail, :message => e.message, :trace => e.backtrace, :environment => environment, :status_code => 500} - notify_slack(status_message) if slack? - end - end - - def notify_slack(status_message) - if $config['slack_channel'] - slack_channel = $config['slack_channel'] - else - slack_channel = '#default' - end - - if $config['slack_username'] - slack_user = $config['slack_username'] - else - slack_user = 'r10k' - end - - if $config['slack_icon'] - slack_icon = ":#{$config['slack_icon']}:" - else - slack_icon = ':ocean:' - end - - if $config['slack_proxy_url'] - uri = URI($config['slack_proxy_url']) - http_options = { - proxy_address: uri.hostname, - proxy_port: uri.port, - proxy_from_env: false - } - else - http_options = {} - end - - notifier = Slack::Notifier.new $config['slack_webhook'] do - defaults channel: slack_channel, - username: slack_user, - icon_emoji: slack_icon, - http_options: http_options - end - - if status_message[:environment] # generate_types - target = status_message[:environment] - msg = "Generation of Puppet resource types for #{target}" - elsif status_message[:branch] # deploy - target = status_message[:branch] - msg = "Deployment of Puppet environment #{target}" - elsif status_message[:module] # deploy_module - target = status_message[:module] - msg = "Deployment of Puppet module #{target}" - end - - message = { - author: 'r10k for Puppet', - title: msg - } - - case status_message[:status_code] - when 200 - message.merge!( - color: "good", - text: "Successfully deployed #{target}", - fallback: "Successfully deployed #{target}" - ) - when 500 - message.merge!( - color: "bad", - text: "Failed to deploy #{target}", - fallback: "Failed to deploy #{target}" - ) - end - - notifier.post text: 'r10k deployment', attachments: [message] - end - - def notify_rocketchat(status_message) - if $config['rocketchat_channel'] - rocketchat_channel = $config['rocketchat_channel'] - else - rocketchat_channel = '#r10k' - end - - if $config['rocketchat_username'] - rocketchat_user = $config['rocketchat_username'] - else - rocketchat_user = 'r10k' - end - - notifier = RocketChat::Notifier.new $config['rocketchat_webhook'] - notifier.username = rocketchat_user - notifier.channel = rocketchat_channel - - if status_message[:environment] # generate_types - target = status_message[:environment] - msg = "Generation of Puppet resource types for #{target}" - elsif status_message[:branch] # deploy - target = status_message[:branch] - msg = "Deployment of Puppet environment #{target}" - elsif status_message[:module] # deploy_module - target = status_message[:module] - msg = "Deployment of Puppet module #{target}" - end - - message = "r10k deployment" - attachments = { - author: 'r10k for Puppet', - title: msg, - } - - case status_message[:status_code] - when 200 - attachments.merge!( - color: "good", - text: "Successfully deployed #{target}", - fallback: "Successfully deployed #{target}", - ) - when 500 - attachments.merge!( - color: "bad", - text: "Failed to deploy #{target}", - fallback: "Failed to deploy #{target}", - ) - end - - notifier.ping message, attachments: [attachments] - - end - - def deploy_module(module_name) - begin - if $config['use_mcollective'] - command = "#{$command_prefix} mco r10k deploy_module #{module_name} #{$config['mco_arguments']}" - else - # If you don't use mcollective then this hook needs to be running as r10k's user i.e. root - command = "#{$command_prefix} r10k deploy module #{module_name}" - end - message = run_command(command) - $logger.info("message: #{message} module_name: #{module_name}") - status_message = {:status => :success, :message => message.to_s, :module_name => module_name, :status_code => 200} - notify_slack(status_message) if slack? - notify_rocketchat(status_message) if rocketchat? - status_message.to_json - rescue => e - $logger.error("message: #{e.message} trace: #{e.backtrace}") - status 500 - status_message = {:status => :fail, :message => e.message, :trace => e.backtrace, :module_name => module_name, :status_code => 500} - notify_slack(status_message) if slack? - notify_rocketchat(status_message) if rocketchat? - status_message.to_json - end - end - - def deploy(branch, deleted) - begin - if $config['use_mco_ruby'] - result = mco(branch).first - if result.results[:statuscode] == 0 - message = result.results[:statusmsg] - else - raise result.results[:statusmsg] - end - else - if $config['use_mcollective'] - command = "#{$command_prefix} mco r10k deploy #{branch} #{$config['mco_arguments']}" - else - # If you don't use mcollective then this hook needs to be running as r10k's user i.e. root - command = "#{$command_prefix} r10k deploy environment #{branch} #{$config['r10k_deploy_arguments']}" - end - message = run_command(command) - end - status_message = {:status => :success, :message => message.to_s, :branch => branch, :status_code => 200} - $logger.info("message: #{message} branch: #{branch}") - notify_slack(status_message) if slack? - notify_rocketchat(status_message) if rocketchat? - unless deleted - generate_types(branch) if types? - end - status_message.to_json - rescue => e - status_message = {:status => :fail, :message => e.message, :trace => e.backtrace, :branch => branch, :status_code => 500} - $logger.error("message: #{e.message} trace: #{e.backtrace}") - status 500 - notify_slack(status_message) if slack? - notify_rocketchat(status_message) if rocketchat? - status_message.to_json - end - end #end deploy() - - def mco(branch) - options = MCollective::Util.default_options - options[:config] = $config['client_cfg'] - client = rpcclient('r10k', :exit_on_failure => false,:options => options) - client.discovery_timeout = $config['discovery_timeout'] - client.timeout = $config['client_timeout'] - result = client.send('deploy',{:environment => branch}) - end # end mco() - - def protected! - unless authorized? - response['WWW-Authenticate'] = %(Basic realm="Restricted Area") - $logger.error("Authentication failure from IP #{request.ip}") - throw(:halt, [401, "Not authorized\n"]) - else - $logger.info("Authenticated as user #{$config['user']} from IP #{request.ip}") - end - end #end protected! - - def authorized? - @auth ||= Rack::Auth::Basic::Request.new(request.env) - @auth.provided? && @auth.basic? && @auth.credentials && - @auth.credentials == [$config['user'],$config['pass']] - end #end authorized? - - def slack? - !!$config['slack_webhook'] - end - - def rocketchat? - !!$config['rocketchat_webhook'] - end - - def types? - !!$config['generate_types'] - end - - def verify_signature(payload_body, algorithm, secret) - signature = algorithm + '=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(algorithm), secret, payload_body) - throw(:halt, [500, "Signatures didn't match!\n"]) unless Rack::Utils.secure_compare(signature, request.env['HTTP_X_HUB_SIGNATURE']) - end - - def verify_token(token) - throw(:halt, [500, "Incorrect Gitlab token!\n"]) unless request.env['HTTP_X_GITLAB_TOKEN'] == token - end - - def repo_name(data) - # Tested with GitHub only - data['repository']['name'] rescue nil - end - - def repo_user(data) - # Tested with GitHub only - data['repository']['owner']['login'] rescue nil - end - - def normalize(str) - # one could argue that r10k should do this along with the other normalization it does... - $config['allow_uppercase'] ? str : str.downcase - end - - def run_prefix_command(payload) - IO.popen($config['prefix_command'], mode='r+') do |io| - io.write payload.to_s - io.close_write - begin - result = io.readlines.first.chomp - rescue - result = '' - end - end - end #end run_prefix_command - - - # :deploy and :deploy_module methods are vulnerable to shell - # injection. e.g. a branch named ";yes". Or a malicious POST request with - # "; rm -rf *;" as the payload. - def sanitize_input(input_string) - sanitized = Shellwords.shellescape(input_string) - $logger.info("module or branch name #{sanitized} had to be escaped!") unless input_string == sanitized - sanitized - end - - end #end helpers -end - -Rack::Handler::WEBrick.run(Server, opts) do |server| - [:INT, :TERM].each { |sig| trap(sig) { server.stop } } -end diff --git a/templates/webhook.service.epp b/templates/webhook.service.epp deleted file mode 100644 index 37359554..00000000 --- a/templates/webhook.service.epp +++ /dev/null @@ -1,18 +0,0 @@ -<%- | String[1] $user | -%> -# THIS FILE IS MANAGED BY PUPPET -[Unit] -Description=R10K Webhook Service -After=syslog.target network.target - -[Service] -Type=simple -EnvironmentFile=-/etc/sysconfig/webhook -RuntimeDirectory=webhook -User=<%= $user %> -TimeoutStartSec=90 -TimeoutStopSec=30 -RestartSec=10000 -ExecStart=/usr/local/bin/webhook - -[Install] -WantedBy=multi-user.target diff --git a/templates/webhook.yaml.erb b/templates/webhook.yaml.erb deleted file mode 100644 index fa116b7a..00000000 --- a/templates/webhook.yaml.erb +++ /dev/null @@ -1,20 +0,0 @@ ---- -<% @webhook_hash.sort.each do |key,value| -%> -<%- if key == 'access_logfile' and value == 'stderr' -%> -<%# Don't output access_logfile if its value is stderr -%> -<% elsif value != :undef and ! value.nil? -%> -<% - value = case value - when TrueClass, FalseClass - value - when Array - value.sort.inspect.to_s - when /^:/ - value.to_sym - else - "\"#{value}\"" - end --%> -<%=key-%>: <%= value %> -<% end -%> -<% end -%>