mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2025-01-05 10:20:36 +02:00
ef1d286596
closes https://github.com/woodpecker-ci/woodpecker/issues/3071 1. If a secret can be used on PRs, it can also be used on PR close. 2. If no events are set, disallow access to secret. This was different before, secrets without any event set were allowed for all events. 3. Compare strings instead of patterns. --------- Co-authored-by: 6543 <6543@obermui.de>
183 lines
5.5 KiB
Go
183 lines
5.5 KiB
Go
// Copyright 2021 Woodpecker Authors
|
|
// Copyright 2018 Drone.IO Inc.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package model
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"regexp"
|
|
"sort"
|
|
)
|
|
|
|
var (
|
|
ErrSecretNameInvalid = errors.New("Invalid Secret Name")
|
|
ErrSecretImageInvalid = errors.New("Invalid Secret Image")
|
|
ErrSecretValueInvalid = errors.New("Invalid Secret Value")
|
|
ErrSecretEventInvalid = errors.New("Invalid Secret Event")
|
|
)
|
|
|
|
// SecretService defines a service for managing secrets.
|
|
type SecretService interface {
|
|
SecretListPipeline(*Repo, *Pipeline, *ListOptions) ([]*Secret, error)
|
|
// Repository secrets
|
|
SecretFind(*Repo, string) (*Secret, error)
|
|
SecretList(*Repo, *ListOptions) ([]*Secret, error)
|
|
SecretCreate(*Repo, *Secret) error
|
|
SecretUpdate(*Repo, *Secret) error
|
|
SecretDelete(*Repo, string) error
|
|
// Organization secrets
|
|
OrgSecretFind(int64, string) (*Secret, error)
|
|
OrgSecretList(int64, *ListOptions) ([]*Secret, error)
|
|
OrgSecretCreate(int64, *Secret) error
|
|
OrgSecretUpdate(int64, *Secret) error
|
|
OrgSecretDelete(int64, string) error
|
|
// Global secrets
|
|
GlobalSecretFind(string) (*Secret, error)
|
|
GlobalSecretList(*ListOptions) ([]*Secret, error)
|
|
GlobalSecretCreate(*Secret) error
|
|
GlobalSecretUpdate(*Secret) error
|
|
GlobalSecretDelete(string) error
|
|
}
|
|
|
|
// SecretStore persists secret information to storage.
|
|
type SecretStore interface {
|
|
SecretFind(*Repo, string) (*Secret, error)
|
|
SecretList(*Repo, bool, *ListOptions) ([]*Secret, error)
|
|
SecretCreate(*Secret) error
|
|
SecretUpdate(*Secret) error
|
|
SecretDelete(*Secret) error
|
|
OrgSecretFind(int64, string) (*Secret, error)
|
|
OrgSecretList(int64, *ListOptions) ([]*Secret, error)
|
|
GlobalSecretFind(string) (*Secret, error)
|
|
GlobalSecretList(*ListOptions) ([]*Secret, error)
|
|
SecretListAll() ([]*Secret, error)
|
|
}
|
|
|
|
// Secret represents a secret variable, such as a password or token.
|
|
type Secret struct {
|
|
ID int64 `json:"id" xorm:"pk autoincr 'secret_id'"`
|
|
OrgID int64 `json:"org_id" xorm:"NOT NULL DEFAULT 0 UNIQUE(s) INDEX 'secret_org_id'"`
|
|
RepoID int64 `json:"repo_id" xorm:"NOT NULL DEFAULT 0 UNIQUE(s) INDEX 'secret_repo_id'"`
|
|
Name string `json:"name" xorm:"NOT NULL UNIQUE(s) INDEX 'secret_name'"`
|
|
Value string `json:"value,omitempty" xorm:"TEXT 'secret_value'"`
|
|
Images []string `json:"images" xorm:"json 'secret_images'"`
|
|
Events []WebhookEvent `json:"events" xorm:"json 'secret_events'"`
|
|
} // @name Secret
|
|
|
|
// TableName return database table name for xorm
|
|
func (Secret) TableName() string {
|
|
return "secrets"
|
|
}
|
|
|
|
// BeforeInsert will sort events before inserted into database
|
|
func (s *Secret) BeforeInsert() {
|
|
s.Events = sortEvents(s.Events)
|
|
}
|
|
|
|
// Global secret.
|
|
func (s Secret) IsGlobal() bool {
|
|
return s.RepoID == 0 && s.OrgID == 0
|
|
}
|
|
|
|
// Organization secret.
|
|
func (s Secret) IsOrganization() bool {
|
|
return s.RepoID == 0 && s.OrgID != 0
|
|
}
|
|
|
|
// Repository secret.
|
|
func (s Secret) IsRepository() bool {
|
|
return s.RepoID != 0 && s.OrgID == 0
|
|
}
|
|
|
|
// Match returns true if an image and event match the restricted list.
|
|
// Note that EventPullClosed are treated as EventPull.
|
|
func (s *Secret) Match(event WebhookEvent) bool {
|
|
// if there is no filter set secret matches all webhook events
|
|
if len(s.Events) == 0 {
|
|
return true
|
|
}
|
|
// tread all pull events the same way
|
|
if event == EventPullClosed {
|
|
event = EventPull
|
|
}
|
|
// one match is enough
|
|
for _, e := range s.Events {
|
|
if e == event {
|
|
return true
|
|
}
|
|
}
|
|
// a filter is set but the webhook did not match it
|
|
return false
|
|
}
|
|
|
|
var validDockerImageString = regexp.MustCompile(
|
|
`^(` +
|
|
`[\w\d\-_\.]+` + // hostname
|
|
`(:\d+)?` + // optional port
|
|
`/)?` + // optional hostname + port
|
|
`([\w\d\-_\.][\w\d\-_\.\/]*/)?` + // optional url prefix
|
|
`([\w\d\-_]+)` + // image name
|
|
`(:[\w\d\-_]+)?` + // optional image tag
|
|
`$`,
|
|
)
|
|
|
|
// Validate validates the required fields and formats.
|
|
func (s *Secret) Validate() error {
|
|
for _, event := range s.Events {
|
|
if err := ValidateWebhookEvent(event); err != nil {
|
|
return errors.Join(err, ErrSecretEventInvalid)
|
|
}
|
|
}
|
|
if len(s.Events) == 0 {
|
|
return fmt.Errorf("%w: no event specified", ErrSecretEventInvalid)
|
|
}
|
|
|
|
for _, image := range s.Images {
|
|
if len(image) == 0 {
|
|
return fmt.Errorf("%w: empty image in images", ErrSecretImageInvalid)
|
|
}
|
|
if !validDockerImageString.MatchString(image) {
|
|
return fmt.Errorf("%w: image '%s' do not match regexp '%s'", ErrSecretImageInvalid, image, validDockerImageString.String())
|
|
}
|
|
}
|
|
|
|
switch {
|
|
case len(s.Name) == 0:
|
|
return fmt.Errorf("%w: empty name", ErrSecretNameInvalid)
|
|
case len(s.Value) == 0:
|
|
return fmt.Errorf("%w: empty value", ErrSecretValueInvalid)
|
|
default:
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// Copy makes a copy of the secret without the value.
|
|
func (s *Secret) Copy() *Secret {
|
|
return &Secret{
|
|
ID: s.ID,
|
|
OrgID: s.OrgID,
|
|
RepoID: s.RepoID,
|
|
Name: s.Name,
|
|
Images: s.Images,
|
|
Events: sortEvents(s.Events),
|
|
}
|
|
}
|
|
|
|
func sortEvents(wel WebhookEventList) WebhookEventList {
|
|
sort.Sort(wel)
|
|
return wel
|
|
}
|