File: web_hook.rb

package info (click to toggle)
gitlab 17.6.5-19
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 629,368 kB
  • sloc: ruby: 1,915,304; javascript: 557,307; sql: 60,639; xml: 6,509; sh: 4,567; makefile: 1,239; python: 406
file content (199 lines) | stat: -rw-r--r-- 6,251 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
 
# frozen_string_literal: true

class WebHook < ApplicationRecord
  include Sortable
  include WebHooks::AutoDisabling

  InterpolationError = Class.new(StandardError)

  SECRET_MASK = '************'

  attr_encrypted :token,
    mode: :per_attribute_iv,
    algorithm: 'aes-256-gcm',
    key: Settings.attr_encrypted_db_key_base_32

  attr_encrypted :url,
    mode: :per_attribute_iv,
    algorithm: 'aes-256-gcm',
    key: Settings.attr_encrypted_db_key_base_32

  attr_encrypted :url_variables,
    mode: :per_attribute_iv,
    key: Settings.attr_encrypted_db_key_base_32,
    algorithm: 'aes-256-gcm',
    marshal: true,
    marshaler: ::Gitlab::Json,
    encode: false,
    encode_iv: false

  attr_encrypted :custom_headers,
    mode: :per_attribute_iv,
    key: Settings.attr_encrypted_db_key_base_32,
    algorithm: 'aes-256-gcm',
    marshal: true,
    marshaler: ::Gitlab::Json,
    encode: false,
    encode_iv: false

  has_many :web_hook_logs

  validates :url, presence: true
  validates :url, public_url: true, unless: ->(hook) { hook.is_a?(SystemHook) || hook.url_variables? }

  validates :token, format: { without: /\n/ }
  after_initialize :initialize_url_variables
  after_initialize :initialize_custom_headers

  before_validation :reset_token
  before_validation :reset_url_variables, unless: ->(hook) { hook.is_a?(ServiceHook) }, on: :update
  before_validation :reset_custom_headers, unless: ->(hook) { hook.is_a?(ServiceHook) }, on: :update
  before_validation :set_branch_filter_nil, if: :branch_filter_strategy_all_branches?
  validates :push_events_branch_filter, untrusted_regexp: true, if: :branch_filter_strategy_regex?
  validates :push_events_branch_filter, "web_hooks/wildcard_branch_filter": true, if: :branch_filter_strategy_wildcard?

  validates :url_variables, json_schema: { filename: 'web_hooks_url_variables' }
  validate :no_missing_url_variables
  validates :interpolated_url, public_url: true, if: ->(hook) { hook.url_variables? && hook.errors.empty? }
  validates :custom_headers, json_schema: { filename: 'web_hooks_custom_headers' }
  validates :custom_webhook_template, length: { maximum: 4096 }

  enum branch_filter_strategy: {
    wildcard: 0,
    regex: 1,
    all_branches: 2
  }, _prefix: true

  # rubocop: disable CodeReuse/ServiceClass
  def execute(data, hook_name, idempotency_key: nil, force: false)
    # hook.executable? is checked in WebHookService#execute
    WebHookService.new(self, data, hook_name, idempotency_key: idempotency_key, force: force).execute
  end
  # rubocop: enable CodeReuse/ServiceClass

  # rubocop: disable CodeReuse/ServiceClass
  def async_execute(data, hook_name, idempotency_key: nil)
    WebHookService.new(self, data, hook_name, idempotency_key: idempotency_key).async_execute if executable?
  end
  # rubocop: enable CodeReuse/ServiceClass

  # Allow urls pointing localhost and the local network
  def allow_local_requests?
    Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
  end

  def help_path
    'user/project/integrations/webhooks'
  end

  # @return [Boolean] Whether or not the WebHook is currently throttled.
  def rate_limited?
    rate_limiter.rate_limited?
  end

  # @return [Integer] The rate limit for the WebHook. `0` for no limit.
  def rate_limit
    rate_limiter.limit
  end

  # Returns the associated Project or Group for the WebHook if one exists.
  # Overridden by inheriting classes.
  def parent; end

  # Custom attributes to be included in the worker context.
  def application_context
    { related_class: type }
  end

  # Exclude binary columns by default - they have no sensible JSON encoding
  def serializable_hash(options = nil)
    options = options.try(:dup) || {}
    options[:except] = Array(options[:except]).dup
    options[:except].concat [:encrypted_url_variables, :encrypted_url_variables_iv]

    super(options)
  end

  # See app/validators/json_schemas/web_hooks_url_variables.json
  VARIABLE_REFERENCE_RE = /\{([A-Za-z]+[0-9]*(?:[._-][A-Za-z0-9]+)*)\}/

  def interpolated_url(url = self.url, url_variables = self.url_variables)
    return url unless url.include?('{')

    vars = url_variables
    url.gsub(VARIABLE_REFERENCE_RE) do
      vars.fetch(_1.delete_prefix('{').delete_suffix('}'))
    end
  rescue KeyError => e
    raise InterpolationError, "Invalid URL template. Missing key #{e.key}"
  end

  def masked_token
    token.present? ? SECRET_MASK : nil
  end

  private

  def reset_token
    self.token = nil if url_changed? && !encrypted_token_changed?
  end

  def reset_url_variables
    return if url_variables_were.blank? || !interpolated_url_changed?

    self.url_variables = {} if url_variables_were.keys.intersection(url_variables.keys).any?
    self.url_variables = {} if url_changed? && url_variables_were.to_a.intersection(url_variables.to_a).any?
  end

  def reset_custom_headers
    return if url.nil? # checking interpolated_url with a nil url causes errors
    return unless interpolated_url_changed?

    self.custom_headers = {}
  rescue InterpolationError
    # ignore -- record is invalid and won't be saved. no need to reset custom_headers
  end

  def interpolated_url_changed?
    interpolated_url_was = interpolated_url(decrypt_url_was, url_variables_were)

    interpolated_url_was != interpolated_url
  end

  def decrypt_url_was
    self.class.decrypt_url(encrypted_url_was, iv: Base64.decode64(encrypted_url_iv_was))
  end

  def url_variables_were
    self.class.decrypt_url_variables(encrypted_url_variables_was, iv: encrypted_url_variables_iv_was)
  end

  def initialize_url_variables
    self.url_variables = {} if encrypted_url_variables.nil?
  end

  def initialize_custom_headers
    self.custom_headers = {} if encrypted_custom_headers.nil?
  end

  def rate_limiter
    @rate_limiter ||= Gitlab::WebHooks::RateLimiter.new(self)
  end

  def no_missing_url_variables
    return if url.nil?

    variable_names = url_variables.keys
    used_variables = url.scan(VARIABLE_REFERENCE_RE).map(&:first)

    missing = used_variables - variable_names

    return if missing.empty?

    errors.add(:url, "Invalid URL template. Missing keys: #{missing}")
  end

  def set_branch_filter_nil
    self.push_events_branch_filter = nil
  end
end