webhooks: add test with TODOs for github/gitea authentitcation

Mic92 · Mic92 · commit bf060e45eb46 · 2025-08-03T07:31:13.000+02:00
diff --git a/t/Hydra/Controller/API/webhooks.t b/t/Hydra/Controller/API/webhooks.t
@@ -0,0 +1,257 @@
+use strict;
+use warnings;
+use Setup;
+use Test2::V0;
+use Test2::Tools::Subtest qw(subtest_streamed);
+use Catalyst::Test ();
+use HTTP::Request;
+use HTTP::Request::Common;
+use JSON::MaybeXS qw(decode_json encode_json);
+use Digest::SHA qw(hmac_sha256_hex);
+
+my $ctx = test_context();
+Catalyst::Test->import('Hydra');
+
+# Create webhook configuration
+my $github_secret = "github-test-secret-12345";
+my $gitea_secret = "gitea-test-secret-abcdef";
+
+# Write test configuration
+my $config = {
+    webhooks => {
+        github => {
+            secret_files => [ $ctx->tmpdir . "/github-secret" ]
+        },
+        gitea => {
+            secret_files => [ $ctx->tmpdir . "/gitea-secret" ]
+        }
+    }
+};
+
+# Write secret files
+write_file($ctx->tmpdir . "/github-secret", $github_secret);
+write_file($ctx->tmpdir . "/gitea-secret", $gitea_secret);
+chmod 0600, $ctx->tmpdir . "/github-secret";
+chmod 0600, $ctx->tmpdir . "/gitea-secret";
+
+# Create a project and jobset for testing
+my $user = $ctx->db()->resultset('Users')->create({
+    username => "webhook-test",
+    emailaddress => 'webhook-test@example.org',
+    password => ''
+});
+
+my $project = $ctx->db()->resultset('Projects')->create({
+    name => "webhook-test",
+    displayname => "webhook-test",
+    owner => $user->username
+});
+
+my $jobset = $project->jobsets->create({
+    name => "test-jobset",
+    nixexprinput => "src",
+    nixexprpath => "default.nix",
+    emailoverride => ""
+});
+
+my $jobsetinput = $jobset->jobsetinputs->create({name => "src", type => "git"});
+$jobsetinput->jobsetinputalts->create({altnr => 0, value => "https://github.com/owner/repo.git"});
+
+# Create another jobset for Gitea
+my $jobset_gitea = $project->jobsets->create({
+    name => "test-jobset-gitea",
+    nixexprinput => "src",
+    nixexprpath => "default.nix",
+    emailoverride => ""
+});
+
+my $jobsetinput_gitea = $jobset_gitea->jobsetinputs->create({name => "src", type => "git"});
+$jobsetinput_gitea->jobsetinputalts->create({altnr => 0, value => "https://gitea.example.com/owner/repo.git"});
+
+subtest "GitHub webhook authentication" => sub {
+    my $payload = encode_json({
+        repository => {
+            owner => { name => "owner" },
+            name => "repo"
+        }
+    });
+
+    subtest "without authentication (current behavior - should succeed but shouldn't)" => sub {
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "Content" => $payload;
+
+        my $response = request($req);
+        is($response->code, 200, "Unauthenticated request currently succeeds (VULNERABILITY)");
+
+        my $data = decode_json($response->content);
+        is($data->{jobsetsTriggered}, ["webhook-test:test-jobset"], "Jobset was triggered without authentication");
+    };
+
+    subtest "with valid signature (will fail until implemented)" => sub {
+        my $signature = "sha256=" . hmac_sha256_hex($payload, $github_secret);
+
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "X-Hub-Signature-256" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        todo "Not implemented yet" => sub {
+            is($response->code, 200, "Valid signature should be accepted");
+        };
+    };
+
+    subtest "with invalid signature (will fail until implemented)" => sub {
+        my $signature = "sha256=" . hmac_sha256_hex($payload, "wrong-secret");
+
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "X-Hub-Signature-256" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        todo "Not implemented yet" => sub {
+            is($response->code, 401, "Invalid signature should be rejected");
+        };
+    };
+
+    subtest "without signature when configured (will fail until implemented)" => sub {
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "Content" => $payload;
+
+        my $response = request($req);
+        todo "Not implemented yet - currently allows unauthenticated requests" => sub {
+            is($response->code, 401, "Missing signature should be rejected when authentication is configured");
+        };
+    };
+};
+
+subtest "Gitea webhook authentication" => sub {
+    my $payload = encode_json({
+        repository => {
+            owner => { username => "owner" },
+            name => "repo",
+            clone_url => "https://gitea.example.com/owner/repo.git"
+        }
+    });
+
+    subtest "without authentication (current behavior - should succeed but shouldn't)" => sub {
+        my $req = POST '/api/push-gitea',
+            "Content-Type" => "application/json",
+            "Content" => $payload;
+
+        my $response = request($req);
+        is($response->code, 200, "Unauthenticated request currently succeeds (VULNERABILITY)");
+
+        my $data = decode_json($response->content);
+        is($data->{jobsetsTriggered}, ["webhook-test:test-jobset-gitea"], "Jobset was triggered without authentication");
+    };
+
+    subtest "with valid signature (will fail until implemented)" => sub {
+        # Note: Gitea doesn't use sha256= prefix
+        my $signature = hmac_sha256_hex($payload, $gitea_secret);
+
+        my $req = POST '/api/push-gitea',
+            "Content-Type" => "application/json",
+            "X-Gitea-Signature" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        todo "Not implemented yet" => sub {
+            is($response->code, 200, "Valid signature should be accepted");
+        };
+    };
+
+    subtest "with invalid signature (will fail until implemented)" => sub {
+        my $signature = hmac_sha256_hex($payload, "wrong-secret");
+
+        my $req = POST '/api/push-gitea',
+            "Content-Type" => "application/json",
+            "X-Gitea-Signature" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        todo "Not implemented yet" => sub {
+            is($response->code, 401, "Invalid signature should be rejected");
+        };
+    };
+};
+
+subtest "Multiple secrets support" => sub {
+    # Test configuration with multiple secrets
+    my $alt_github_secret = "github-alternative-secret";
+    write_file($ctx->tmpdir . "/github-secret-alt", $alt_github_secret);
+    chmod 0600, $ctx->tmpdir . "/github-secret-alt";
+
+    # This would require updating config to include both secret files
+    # secret_files = [
+    #   /path/to/github-secret
+    #   /path/to/github-secret-alt
+    # ]
+
+    my $payload = encode_json({
+        repository => {
+            owner => { name => "owner" },
+            name => "repo"
+        }
+    });
+
+    subtest "with first valid secret (will fail until implemented)" => sub {
+        my $signature = "sha256=" . hmac_sha256_hex($payload, $github_secret);
+
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "X-Hub-Signature-256" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        todo "Not implemented yet" => sub {
+            is($response->code, 200, "First valid secret should be accepted");
+        };
+    };
+
+    subtest "with second valid secret (will fail until implemented)" => sub {
+        my $signature = "sha256=" . hmac_sha256_hex($payload, $alt_github_secret);
+
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "X-Hub-Signature-256" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        todo "Not implemented yet" => sub {
+            is($response->code, 200, "Second valid secret should be accepted");
+        };
+    };
+
+    subtest "with invalid secret when multiple configured (will fail until implemented)" => sub {
+        my $signature = "sha256=" . hmac_sha256_hex($payload, "neither-secret");
+
+        my $req = POST '/api/push-github',
+            "Content-Type" => "application/json",
+            "X-Hub-Signature-256" => $signature,
+            "Content" => $payload;
+
+        my $response = request($req);
+        todo "Not implemented yet" => sub {
+            is($response->code, 401, "Invalid secret should be rejected even with multiple configured");
+        };
+    };
+};
+
+subtest "Security considerations" => sub {
+    subtest "file permission warnings" => sub {
+        my $insecure_secret_path = $ctx->tmpdir . "/insecure-secret";
+        write_file($insecure_secret_path, "insecure-secret");
+        chmod 0644, $insecure_secret_path;  # Too permissive
+
+        todo "Not implemented yet" => sub {
+            # This would need to check logs for warnings about insecure permissions
+            ok(0, "Should warn about insecure file permissions");
+        };
+    };
+};
+
+done_testing;
