diff --git a/applicationset/webhook/webhook.go b/applicationset/webhook/webhook.go
index 4fb4d6668bc2f..7704edce69544 100644
--- a/applicationset/webhook/webhook.go
+++ b/applicationset/webhook/webhook.go
@@ -2,7 +2,6 @@ package webhook
 import (
 "context"
- "errors"
 "fmt"
 "html"
 "net/http"
@@ -29,18 +28,15 @@ import (
 const payloadQueueSize = 50000
-var errBasicAuthVerificationFailed = errors.New("basic auth verification failed")
-
 type WebhookHandler struct {
- sync.WaitGroup // for testing
- namespace string
- github *github.Webhook
- gitlab *gitlab.Webhook
- azuredevops *azuredevops.Webhook
- azuredevopsAuthHandler func(r *http.Request) error
- client client.Client
- generators map[string]generators.Generator
- queue chan interface{}
+ sync.WaitGroup // for testing
+ namespace string
+ github *github.Webhook
+ gitlab *gitlab.Webhook
+ azuredevops *azuredevops.Webhook
+ client client.Client
+ generators map[string]generators.Generator
+ queue chan interface{}
 }
 type gitGeneratorInfo struct {
@@ -85,29 +81,19 @@ func NewWebhookHandler(namespace string, webhookParallelism int, argocdSettingsM
 if err != nil {
 return nil, fmt.Errorf("Unable to init GitLab webhook: %w", err)
 }
- azuredevopsHandler, err := azuredevops.New()
+ azuredevopsHandler, err := azuredevops.New(azuredevops.Options.BasicAuth(argocdSettings.WebhookAzureDevOpsUsername, argocdSettings.WebhookAzureDevOpsPassword))
 if err != nil {
 return nil, fmt.Errorf("Unable to init Azure DevOps webhook: %w", err)
 }
- azuredevopsAuthHandler := func(r *http.Request) error {
- if argocdSettings.WebhookAzureDevOpsUsername != "" && argocdSettings.WebhookAzureDevOpsPassword != "" {
- username, password, ok := r.BasicAuth()
- if !ok || username != argocdSettings.WebhookAzureDevOpsUsername || password != argocdSettings.WebhookAzureDevOpsPassword {
- return errBasicAuthVerificationFailed
- }
- }
- return nil
- }
 webhookHandler := &WebhookHandler{
- namespace: namespace,
- github: githubHandler,
- gitlab: gitlabHandler,
- azuredevops: azuredevopsHandler,
- azuredevopsAuthHandler: azuredevopsAuthHandler,
- client: client,
- generators: generators,
- queue: make(chan interface{}, payloadQueueSize),
+ namespace: namespace,
+ github: githubHandler,
+ gitlab: gitlabHandler,
+ azuredevops: azuredevopsHandler,
+ client: client,
+ generators: generators,
+ queue: make(chan interface{}, payloadQueueSize),
 }
 webhookHandler.startWorkerPool(webhookParallelism)
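Review bot: `azuredevops.New(azuredevops.Options.BasicAuth(...))` in NewWebhookHandler now receives the configured username and password even when one or both are empty, whereas the removed closure enforced basic auth only when both were non-empty. How empty or half-set credentials are treated is now decided inside go-playground/webhooks v6.4.0, which this diff does not show, so the both-empty, one-empty and both-set cases should be pinned with a test to confirm that a half-configured installation fails closed and that unauthenticated acceptance happens only when no credentials are configured at all. The removed check compared the credentials with `!=`, which is not constant-time; it is worth confirming that the library's comparison is (for example via `subtle.ConstantTimeCompare`). The same substitution is made in NewHandler in util/webhook/webhook.go and the same checks apply there. NewWebhookHandler starts and ends outside this hunk.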
@@ -179,13 +165,7 @@ func (h *WebhookHandler) Handler(w http.ResponseWriter, r *http.Request) {
 case r.Header.Get("X-Gitlab-Event") != "":
 payload, err = h.gitlab.Parse(r, gitlab.PushEvents, gitlab.TagEvents, gitlab.MergeRequestEvents)
 case r.Header.Get("X-Vss-Activityid") != "":
- if err = h.azuredevopsAuthHandler(r); err != nil {
- if errors.Is(err, errBasicAuthVerificationFailed) {
- log.WithField(common.SecurityField, common.SecurityHigh).Infof("Azure DevOps webhook basic auth verification failed")
- }
- } else {
- payload, err = h.azuredevops.Parse(r, azuredevops.GitPushEventType, azuredevops.GitPullRequestCreatedEventType, azuredevops.GitPullRequestUpdatedEventType, azuredevops.GitPullRequestMergedEventType)
- }
+ payload, err = h.azuredevops.Parse(r, azuredevops.GitPushEventType, azuredevops.GitPullRequestCreatedEventType, azuredevops.GitPullRequestUpdatedEventType, azuredevops.GitPullRequestMergedEventType)
 default:
 log.Debug("Ignoring unknown webhook event")
 http.Error(w, "Unknown webhook event", http.StatusBadRequest)
diff --git a/go.mod b/go.mod
index e0529daa9137b..53e26cef8542f 100644
--- a/go.mod
+++ b/go.mod
@@ -33,7 +33,7 @@ require (
 github.com/go-logr/logr v1.4.2
 github.com/go-openapi/loads v0.22.0
 github.com/go-openapi/runtime v0.28.0
- github.com/go-playground/webhooks/v6 v6.3.0
+ github.com/go-playground/webhooks/v6 v6.4.0
 github.com/go-redis/cache/v9 v9.0.0
 github.com/gobwas/glob v0.2.3
 github.com/gogits/go-gogs-client v0.0.0-20200905025246-8bb8a50cb355
diff --git a/go.sum b/go.sum
index d2795086e51ee..0b04debbca6d4 100644
--- a/go.sum
+++ b/go.sum
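Review bot: The Azure DevOps branch of the ApplicationSet `Handler` no longer writes the `common.SecurityHigh` log entry when basic auth verification fails, so rejected requests to this webhook drop out of the security-level log that detection relies on. The removed lines logged it, while the new line only assigns `payload, err` from `h.azuredevops.Parse(...)`, and the `"errors"` import is removed from this file in the same commit. The `Handler` in util/webhook/webhook.go keeps the entry by testing the returned error, and the same can be done here by keeping the import and adding `if errors.Is(err, azuredevops.ErrBasicAuthVerificationFailed) { log.WithField(common.SecurityField, common.SecurityHigh).Infof("Azure DevOps webhook basic auth verification failed") }` after the `Parse` call. How `err` is handled after the switch lies outside the hunk, so it should be checked whether the failure is logged there and at what level.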
@@ -999,8 +999,8 @@ github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD87
 github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
 github.com/go-playground/validator/v10 v10.2.0 h1:KgJ0snyC2R9VXYN2rneOtQcw5aHQB1Vv0sFl1UcHBOY=
 github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
-github.com/go-playground/webhooks/v6 v6.3.0 h1:zBLUxK1Scxwi97TmZt5j/B/rLlard2zY7P77FHg58FE=
-github.com/go-playground/webhooks/v6 v6.3.0/go.mod h1:GCocmfMtpJdkEOM1uG9p2nXzg1kY5X/LtvQgtPHUaaA=
+github.com/go-playground/webhooks/v6 v6.4.0 h1:KLa6y7bD19N48rxJDHM0DpE3T4grV7GxMy1b/aHMWPY=
+github.com/go-playground/webhooks/v6 v6.4.0/go.mod h1:5lBxopx+cAJiBI4+kyRbuHrEi+hYRDdRHuRR4Ya5Ums=
 github.com/go-redis/cache/v9 v9.0.0 h1:0thdtFo0xJi0/WXbRVu8B066z8OvVymXTJGaXrVWnN0=
 github.com/go-redis/cache/v9 v9.0.0/go.mod h1:cMwi1N8ASBOufbIvk7cdXe2PbPjK/WMRL95FFHWsSgI=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
diff --git a/util/webhook/webhook.go b/util/webhook/webhook.go
index 31d39621325d4..0aeca6a1cb023 100644
--- a/util/webhook/webhook.go
+++ b/util/webhook/webhook.go
@@ -45,8 +45,7 @@ const usernameRegex = `[a-zA-Z0-9_\.][a-zA-Z0-9_\.-]{0,30}[a-zA-Z0-9_\.\$-]?`
 const payloadQueueSize = 50000
 var (
- _ settingsSource = &settings.SettingsManager{}
- errBasicAuthVerificationFailed = errors.New("basic auth verification failed")
+ _ settingsSource = &settings.SettingsManager{}
 )
 type ArgoCDWebhookHandler struct {
@@ -62,7 +61,6 @@ type ArgoCDWebhookHandler struct {
 bitbucket *bitbucket.Webhook
 bitbucketserver *bitbucketserver.Webhook
 azuredevops *azuredevops.Webhook
- azuredevopsAuthHandler func(r *http.Request) error
 gogs *gogs.Webhook
 settingsSrc settingsSource
 queue chan interface{}
@@ -90,19 +88,10 @@ func NewHandler(namespace string, applicationNamespaces []string, webhookParalle
 if err != nil {
 log.Warnf("Unable to init the Gogs webhook")
 }
- azuredevopsWebhook, err := azuredevops.New()
+ azuredevopsWebhook, err := azuredevops.New(azuredevops.Options.BasicAuth(set.WebhookAzureDevOpsUsername, set.WebhookAzureDevOpsPassword))
 if err != nil {
 log.Warnf("Unable to init the Azure DevOps webhook")
 }
- azuredevopsAuthHandler := func(r *http.Request) error {
- if set.WebhookAzureDevOpsUsername != "" && set.WebhookAzureDevOpsPassword != "" {
- username, password, ok := r.BasicAuth()
- if !ok || username != set.WebhookAzureDevOpsUsername || password != set.WebhookAzureDevOpsPassword {
- return errBasicAuthVerificationFailed
- }
- }
- return nil
- }
 acdWebhook := ArgoCDWebhookHandler{
 ns: namespace,
@@ -113,7 +102,6 @@ func NewHandler(namespace string, applicationNamespaces []string, webhookParalle
 bitbucket: bitbucketWebhook,
 bitbucketserver: bitbucketserverWebhook,
 azuredevops: azuredevopsWebhook,
- azuredevopsAuthHandler: azuredevopsAuthHandler,
 gogs: gogsWebhook,
 settingsSrc: settingsSrc,
 repoCache: repoCache,
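Review bot: In NewHandler a failure of `azuredevops.New(...)` is reported only by `log.Warnf("Unable to init the Azure DevOps webhook")`, without the error value, and `azuredevopsWebhook` is still stored in the handler. Before this change the constructor took no options; it is now also where the basic-auth credentials are applied, so a failure here leaves the handler running with whatever `New` returned (presumably nil or unconfigured, which this diff does not show) and no recorded reason. Logging the cause, `log.Warnf("Unable to init the Azure DevOps webhook: %v", err)`, and deciding explicitly that Azure DevOps events are rejected when initialisation failed would make this path fail closed. NewWebhookHandler in applicationset/webhook/webhook.go already returns the error instead of continuing. NewHandler's body continues outside the hunk.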
@@ -423,12 +411,10 @@ func (a *ArgoCDWebhookHandler) Handler(w http.ResponseWriter, r *http.Request) { switch { case r.Header.Get("X-Vss-Activityid") != "": - if err = a.azuredevopsAuthHandler(r); err != nil { - if errors.Is(err, errBasicAuthVerificationFailed) { - log.WithField(common.SecurityField, common.SecurityHigh).Infof("Azure DevOps webhook basic auth verification failed") - } - } else { - payload, err = a.azuredevops.Parse(r, azuredevops.GitPushEventType) + payload, err = a.azuredevops.Parse(r, azuredevops.GitPushEventType) + if errors.Is(err, azuredevops.ErrBasicAuthVerificationFailed) { + log.WithField(common.SecurityField, common.SecurityHigh).Infof("Azure DevOps webhook basic auth verification failed") + } // Gogs needs to be checked before GitHub since it carries both Gogs and (incompatible) GitHub headers case r.Header.Get("X-Gogs-Event") != "":