cfg: allow repo-specific configuration of gh_token and gh_hook_token

Define custom getters for retrieving GH secret values. As the
getter for each token type defaults to looking for a global value
if a repo-specific vaue isn't found, existing deployments don't
need to change.

Author: yasunariw

lib/action.ml

@@ -211,16 +211,17 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
     | _ -> Lwt.return @@ Ok ()
 
   let process_github_notification (ctx : Context.t) headers body =
-    let validate_signature secrets =
-      let signing_key = secrets.gh_hook_token in
+    let validate_signature secrets payload =
+      let repo = Github.repo_of_notification payload in
+      let signing_key = Context.gh_hook_token_of_secrets secrets repo.url in
       Github.validate_signature ?signing_key ~headers body
     in
     try%lwt
       let secrets = Context.get_secrets_exn ctx in
       match Github.parse_exn headers body with
       | exception exn -> Exn_lwt.fail ~exn "failed to parse payload"
       | payload ->
-      match validate_signature secrets with
+      match validate_signature secrets payload with
       | Error e -> action_error e
       | Ok () ->
         ( match%lwt refresh_repo_config ctx payload with

lib/api_remote.ml

@@ -23,7 +23,8 @@ module Github : Api.Github = struct
   let get_config ~(ctx : Context.t) ~repo =
     let secrets = Context.get_secrets_exn ctx in
     let url = contents_url ~repo ~path:ctx.config_filename in
-    let headers = build_headers ?token:secrets.gh_token () in
+    let token = Context.gh_token_of_secrets secrets repo.url in
+    let headers = build_headers ?token () in
     match%lwt http_request ~headers `GET url with
     | Error e -> Lwt.return @@ fmt_error "error while querying remote: %s\nfailed to get config from file %s" e url
     | Ok res ->
@@ -44,23 +45,23 @@ module Github : Api.Github = struct
         @@ fmt_error "unexpected encoding '%s' in Github response\nfailed to get config from file %s" encoding url
       )
 
-  let get_resource (ctx : Context.t) url =
-    let secrets = Context.get_secrets_exn ctx in
-    let headers = build_headers ?token:secrets.gh_token () in
+  let get_resource secrets repo_url url =
+    let token = Context.gh_token_of_secrets secrets repo_url in
+    let headers = build_headers ?token () in
     match%lwt http_request ~headers `GET url with
     | Ok res -> Lwt.return @@ Ok res
     | Error e -> Lwt.return @@ fmt_error "error while querying remote: %s\nfailed to get resource from %s" e url
 
-  let get_api_commit ~(ctx : Context.t) ~repo ~sha =
-    let%lwt res = commits_url ~repo ~sha |> get_resource ctx in
+  let get_api_commit ~(ctx : Context.t) ~(repo : Github_t.repository) ~sha =
+    let%lwt res = commits_url ~repo ~sha |> get_resource (Context.get_secrets_exn ctx) repo.url in
     Lwt.return @@ Result.map res ~f:Github_j.api_commit_of_string
 
-  let get_pull_request ~(ctx : Context.t) ~repo ~number =
-    let%lwt res = pulls_url ~repo ~number |> get_resource ctx in
+  let get_pull_request ~(ctx : Context.t) ~(repo : Github_t.repository) ~number =
+    let%lwt res = pulls_url ~repo ~number |> get_resource (Context.get_secrets_exn ctx) repo.url in
     Lwt.return @@ Result.map res ~f:Github_j.pull_request_of_string
 
-  let get_issue ~(ctx : Context.t) ~repo ~number =
-    let%lwt res = issues_url ~repo ~number |> get_resource ctx in
+  let get_issue ~(ctx : Context.t) ~(repo : Github_t.repository) ~number =
+    let%lwt res = issues_url ~repo ~number |> get_resource (Context.get_secrets_exn ctx) repo.url in
     Lwt.return @@ Result.map res ~f:Github_j.issue_of_string
 end
 

lib/config.atd

@@ -1,6 +1,7 @@
 type status_rule <ocaml from="Rule"> = abstract
 type prefix_rule <ocaml from="Rule"> = abstract
 type label_rule <ocaml from="Rule"> = abstract
+type 'v map_as_object <ocaml from="Common"> = abstract
 
 (* This type of rule is used for CI build notifications. *)
 type status_rules = {
@@ -37,9 +38,18 @@ type webhook = {
   channel : string; (* name of the Slack channel to post the message *)
 }
 
+type gh_repo_secrets = {
+  (* GitHub personal access token, if repo access requires it *)
+  ?gh_token : string nullable;
+  (* GitHub webhook token to secure the webhook *)
+  ?gh_hook_token : string nullable;
+}
+
 (* This is the structure of the secrets file which stores sensitive information, and
    shouldn't be checked into version control.  *)
 type secrets = {
+  (* repo-specific secrets; overrides global values if defined for a given repo *)
+  ~repo_secrets <ocaml default="Common.StringMap.empty"> : gh_repo_secrets map_as_object;
   (* GitHub personal access token, if repo access requires it *)
   ?gh_token : string nullable;
   (* GitHub webhook token to secure the webhook *)

lib/context.ml

@@ -43,6 +43,16 @@ let find_repo_config_exn ctx repo_url =
 
 let set_repo_config ctx repo_url config = Stringtbl.set ctx.config ~key:repo_url ~data:config
 
+let gh_token_of_secrets (secrets : Config_t.secrets) repo_url =
+  match Map.find secrets.repo_secrets repo_url with
+  | None -> secrets.gh_token
+  | Some repo_secrets -> repo_secrets.gh_token
+
+let gh_hook_token_of_secrets (secrets : Config_t.secrets) repo_url =
+  match Map.find secrets.repo_secrets repo_url with
+  | None -> secrets.gh_hook_token
+  | Some repo_secrets -> repo_secrets.gh_hook_token
+
 let hook_of_channel ctx channel_name =
   let secrets = get_secrets_exn ctx in
   match List.find secrets.slack_hooks ~f:(fun webhook -> String.equal webhook.channel channel_name) with
@@ -93,8 +103,9 @@ let refresh_state ctx =
 let print_config ctx repo_url =
   let cfg = find_repo_config_exn ctx repo_url in
   let secrets = get_secrets_exn ctx in
+  let token = gh_hook_token_of_secrets secrets repo_url in
   log#info "using prefix routing:";
   Rule.Prefix.print_prefix_routing cfg.prefix_rules.rules;
   log#info "using label routing:";
   Rule.Label.print_label_routing cfg.label_rules.rules;
-  log#info "signature checking %s" (if Option.is_some secrets.gh_hook_token then "enabled" else "disabled")
+  log#info "signature checking %s" (if Option.is_some token then "enabled" else "disabled")