Properly set webhook secret

Signed-off-by: Gabriel Adrian Samfira <[email protected]>

Author: gabriel-samfira

apiserver/controllers/controllers.go

@@ -103,7 +103,6 @@ func (a *APIController) handleWorkflowJobEvent(ctx context.Context, w http.Respo
 		handleError(ctx, w, gErrors.NewBadRequestError("invalid post body: %s", err))
 		return
 	}
-	slog.Debug("received workflow job event", "body", string(body))
 
 	signature := r.Header.Get("X-Hub-Signature-256")
 	hookType := r.Header.Get("X-Github-Hook-Installation-Target-Type")
@@ -162,9 +161,6 @@ func (a *APIController) WebhookHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	headers := r.Header.Clone()
-	for k, v := range headers {
-		slog.Debug("header", "key", k, "value", v)
-	}
 
 	event := runnerParams.Event(headers.Get("X-Github-Event"))
 	switch event {

params/github.go

@@ -171,7 +171,9 @@ type WorkflowJob struct {
 		DefaultBranch string `json:"default_branch"`
 	} `json:"repository"`
 	Organization struct {
-		Login            string `json:"login"`
+		Login string `json:"login"`
+		// Name is a gitea specific field
+		Name             string `json:"name"`
 		ID               int64  `json:"id"`
 		NodeID           string `json:"node_id"`
 		URL              string `json:"url"`
@@ -218,6 +220,13 @@ type WorkflowJob struct {
 	} `json:"sender"`
 }
 
+func (w WorkflowJob) GetOrgName(forgeType EndpointType) string {
+	if forgeType == GiteaEndpointType {
+		return w.Organization.Name
+	}
+	return w.Organization.Login
+}
+
 type RunnerSetting struct {
 	Ephemeral     bool `json:"ephemeral,omitempty"`
 	IsElastic     bool `json:"isElastic,omitempty"`

runner/pool/pool.go

@@ -152,6 +152,7 @@ func (r *basePoolManager) getProviderBaseParams(pool params.Pool) common.Provide
 
 func (r *basePoolManager) HandleWorkflowJob(job params.WorkflowJob) error {
 	if err := r.ValidateOwner(job); err != nil {
+		slog.ErrorContext(r.ctx, "failed to validate owner", "error", err)
 		return errors.Wrap(err, "validating owner")
 	}
 
@@ -164,6 +165,7 @@ func (r *basePoolManager) HandleWorkflowJob(job params.WorkflowJob) error {
 
 	jobParams, err := r.paramsWorkflowJobToParamsJob(job)
 	if err != nil {
+		slog.ErrorContext(r.ctx, "failed to convert job to params", "error", err)
 		return errors.Wrap(err, "converting job to params")
 	}
 
@@ -1962,7 +1964,7 @@ func (r *basePoolManager) ValidateOwner(job params.WorkflowJob) error {
 			return runnerErrors.NewBadRequestError("job not meant for this pool manager")
 		}
 	case params.ForgeEntityTypeOrganization:
-		if !strings.EqualFold(job.Organization.Login, r.entity.Owner) {
+		if !strings.EqualFold(job.GetOrgName(r.entity.Credentials.ForgeType), r.entity.Owner) {
 			return runnerErrors.NewBadRequestError("job not meant for this pool manager")
 		}
 	case params.ForgeEntityTypeEnterprise:

runner/runner.go

@@ -668,8 +668,8 @@ func (r *Runner) DispatchWorkflowJob(hookTargetType, signature string, forgeType
 	case OrganizationHook:
 		slog.DebugContext(
 			r.ctx, "got hook for organization",
-			"organization", util.SanitizeLogEntry(job.Organization.Login))
-		poolManager, err = r.findOrgPoolManager(job.Organization.Login, endpoint.Name)
+			"organization", util.SanitizeLogEntry(job.GetOrgName(forgeType)))
+		poolManager, err = r.findOrgPoolManager(job.GetOrgName(forgeType), endpoint.Name)
 	case EnterpriseHook:
 		slog.DebugContext(
 			r.ctx, "got hook for enterprise",
@@ -679,7 +679,9 @@ func (r *Runner) DispatchWorkflowJob(hookTargetType, signature string, forgeType
 		return runnerErrors.NewBadRequestError("cannot handle hook target type %s", hookTargetType)
 	}
 
+	slog.DebugContext(r.ctx, "found pool manager", "pool_manager", poolManager.ID())
 	if err != nil {
+		slog.ErrorContext(r.ctx, "failed to find pool manager", "error", err, "hook_target_type", hookTargetType)
 		// We don't have a repository or organization configured that
 		// can handle this workflow job.
 		return errors.Wrap(err, "fetching poolManager")
@@ -689,10 +691,12 @@ func (r *Runner) DispatchWorkflowJob(hookTargetType, signature string, forgeType
 	// we make sure that the source of this workflow job is valid.
 	secret := poolManager.WebhookSecret()
 	if err := r.validateHookBody(signature, secret, jobData); err != nil {
+		slog.ErrorContext(r.ctx, "failed to validate webhook data", "error", err)
 		return errors.Wrap(err, "validating webhook data")
 	}
 
 	if err := poolManager.HandleWorkflowJob(job); err != nil {
+		slog.ErrorContext(r.ctx, "failed to handle workflow job", "error", err)
 		return errors.Wrap(err, "handling workflow job")
 	}
 

util/github/gitea.go

@@ -32,6 +32,7 @@ func (g *githubClient) createGiteaRepoHook(ctx context.Context, owner, name stri
 			"content_type": hook.GetConfig().GetContentType(),
 			"url":          hook.GetConfig().GetURL(),
 			"http_method":  "post",
+			"secret":       hook.GetConfig().GetSecret(),
 		},
 	}
 
@@ -59,6 +60,7 @@ func (g *githubClient) createGiteaOrgHook(ctx context.Context, owner string, hoo
 			"content_type": hook.GetConfig().GetContentType(),
 			"url":          hook.GetConfig().GetURL(),
 			"http_method":  "post",
+			"secret":       hook.GetConfig().GetSecret(),
 		},
 	}