Merge branch 'main' into feb_03_gql_error

Author: JerrySentry

webhook_handlers/views/__init__.py

@@ -0,0 +1,22 @@
+from shared.metrics import Counter
+
+WEBHOOKS_RECEIVED = Counter(
+    "api_webhooks_received",
+    "Incoming webhooks, broken down by service, event type, and action",
+    [
+        "service",
+        "event",
+        "action",
+    ],
+)
+
+WEBHOOKS_ERRORED = Counter(
+    "api_webhooks_errored",
+    "Webhooks that cannot be processed, broken down by service and error reason",
+    [
+        "service",
+        "event",
+        "action",
+        "error_reason",
+    ],
+)

webhook_handlers/views/bitbucket.py

@@ -14,23 +14,47 @@
     WebhookHandlerErrorMessages,
 )
 
+from . import WEBHOOKS_ERRORED, WEBHOOKS_RECEIVED
+
 log = logging.getLogger(__name__)
 
 
 class BitbucketWebhookHandler(APIView):
     permission_classes = [AllowAny]
+    service_name = "bitbucket"
+
+    def _inc_recv(self):
+        event, _, action = self.event.partition(":")
+        WEBHOOKS_RECEIVED.labels(
+            service=self.service_name, event=event, action=action
+        ).inc()
+
+    def _inc_err(self, reason: str):
+        event, _, action = self.event.partition(":")
+        WEBHOOKS_ERRORED.labels(
+            service=self.service_name,
+            event=event,
+            action=action,
+            error_reason=reason,
+        ).inc()
 
     def post(self, request, *args, **kwargs):
         self.event = self.request.META.get(BitbucketHTTPHeaders.EVENT)
         event_hook_id = self.request.META.get(BitbucketHTTPHeaders.UUID)
 
-        repo = get_object_or_404(
-            Repository,
-            author__service="bitbucket",
-            service_id=self.request.data["repository"]["uuid"][1:-1],
-            hookid=event_hook_id,
-        )
+        try:
+            repo = get_object_or_404(
+                Repository,
+                author__service="bitbucket",
+                service_id=self.request.data["repository"]["uuid"][1:-1],
+                hookid=event_hook_id,
+            )
+        except Exception as e:
+            self._inc_err("repo_not_found")
+            raise e
+
         if not repo.active:
+            self._inc_err("repo_not_active")
             return Response(data=WebhookHandlerErrorMessages.SKIP_NOT_ACTIVE)
 
         log.info(
@@ -39,20 +63,25 @@ def post(self, request, *args, **kwargs):
         )
 
         if self.event == BitbucketWebhookEvents.PULL_REQUEST_CREATED:
+            self._inc_recv()
             return self._handle_pull_request_created_event(repo)
         elif self.event in (
             BitbucketWebhookEvents.PULL_REQUEST_FULFILLED,
             BitbucketWebhookEvents.PULL_REQUEST_REJECTED,
         ):
+            self._inc_recv()
             return self._handle_pull_request_state_change(repo)
         elif self.event == BitbucketWebhookEvents.REPO_PUSH:
+            self._inc_recv()
             return self._handle_repo_push_event(repo)
         elif self.event in (
             BitbucketWebhookEvents.REPO_COMMIT_STATUS_CREATED,
             BitbucketWebhookEvents.REPO_COMMIT_STATUS_UPDATED,
         ):
+            self._inc_recv()
             return self._handle_repo_commit_status_change(repo)
 
+        self._inc_err("unhandled_event")
         return Response()
 
     def _handle_pull_request_created_event(self, repo):

webhook_handlers/views/bitbucket_server.py

@@ -13,29 +13,52 @@
     WebhookHandlerErrorMessages,
 )
 
+from . import WEBHOOKS_ERRORED, WEBHOOKS_RECEIVED
+
 log = logging.getLogger(__name__)
 
 
 class BitbucketServerWebhookHandler(APIView):
     # https://confluence.atlassian.com/bitbucketserver/event-payload-938025882.html
     permission_classes = [AllowAny]
+    service_name = "bitbucket_server"
+
+    def _inc_recv(self):
+        event, _, action = self.event.partition(":")
+        WEBHOOKS_RECEIVED.labels(
+            service=self.service_name, event=event, action=action
+        ).inc()
+
+    def _inc_err(self, reason: str):
+        event, _, action = self.event.partition(":")
+        WEBHOOKS_ERRORED.labels(
+            service=self.service_name,
+            event=event,
+            action=action,
+            error_reason=reason,
+        ).inc()
 
     def _get_repo(self, event, body):
         if event.startswith("repo:"):
             repo_id = body["repository"]["id"]
         elif event.startswith("pr:"):
             repo_id = body["pullRequest"]["toRef"]["repository"]["id"]
 
-        return get_object_or_404(
-            Repository, author__service="bitbucket_server", service_id=repo_id
-        )
+        try:
+            return get_object_or_404(
+                Repository, author__service="bitbucket_server", service_id=repo_id
+            )
+        except Exception as e:
+            self._inc_err("repo_not_found")
+            raise e
 
     def post(self, request, *args, **kwargs):
         self.event = self.request.META.get(BitbucketServerHTTPHeaders.EVENT)
         event_hook_id = self.request.META.get(BitbucketServerHTTPHeaders.UUID)
 
         repo = self._get_repo(self.event, self.request.data)
         if not repo.active:
+            self._inc_err("repo_not_active")
             return Response(data=WebhookHandlerErrorMessages.SKIP_NOT_ACTIVE)
 
         log.info(
@@ -44,15 +67,19 @@ def post(self, request, *args, **kwargs):
         )
 
         if self.event == BitbucketServerWebhookEvents.PULL_REQUEST_CREATED:
+            self._inc_recv()
             return self._handle_pull_request_created_event(repo)
         elif self.event in (
             BitbucketServerWebhookEvents.PULL_REQUEST_MERGED,
             BitbucketServerWebhookEvents.PULL_REQUEST_REJECTED,
         ):
+            self._inc_recv()
             return self._handle_pull_request_state_change(repo)
         elif self.event == BitbucketServerWebhookEvents.REPO_REFS_CHANGED:
+            self._inc_recv()
             return self._handle_repo_refs_change(repo)
 
+        self._inc_err("unhandled_event")
         return Response()
 
     def _handle_pull_request_created_event(self, repo):

webhook_handlers/views/github.py

@@ -30,6 +30,8 @@
     WebhookHandlerErrorMessages,
 )
 
+from . import WEBHOOKS_ERRORED, WEBHOOKS_RECEIVED
+
 log = logging.getLogger(__name__)
 
 
@@ -49,6 +51,21 @@ class GithubWebhookHandler(APIView):
 
     service_name = "github"
 
+    def _inc_recv(self):
+        action = self.request.data.get("action", "")
+        WEBHOOKS_RECEIVED.labels(
+            service=self.service_name, event=self.event, action=action
+        ).inc()
+
+    def _inc_err(self, reason: str):
+        action = self.request.data.get("action", "")
+        WEBHOOKS_ERRORED.labels(
+            service=self.service_name,
+            event=self.event,
+            action=action,
+            error_reason=reason,
+        ).inc()
+
     def validate_signature(self, request):
         key = get_config(
             self.service_name,
@@ -79,9 +96,11 @@ def validate_signature(self, request):
             or len(computed_sig) != len(expected_sig)
             or not constant_time_compare(computed_sig, expected_sig)
         ):
+            self._inc_err("validation_failed")
             raise PermissionDenied()
 
     def unhandled_webhook_event(self, request, *args, **kwargs):
+        self._inc_err("unhandled_event")
         return Response(data=WebhookHandlerErrorMessages.UNSUPPORTED_EVENT)
 
     def _get_repo(self, request):
@@ -117,6 +136,7 @@ def _get_repo(self, request):
                     "Received event for non-existent repository",
                     extra=dict(repo_service_id=repo_service_id, repo_slug=repo_slug),
                 )
+                self._inc_err("repo_not_found")
                 raise NotFound("Repository does not exist")
         else:
             try:
@@ -142,6 +162,7 @@ def _get_repo(self, request):
                     "Received event for non-existent repository",
                     extra=dict(repo_service_id=repo_service_id, repo_slug=repo_slug),
                 )
+                self._inc_err("repo_not_found")
                 raise NotFound("Repository does not exist")
 
     def ping(self, request, *args, **kwargs):
@@ -708,8 +729,12 @@ def post(self, request, *args, **kwargs):
 
         self.validate_signature(request)
 
-        handler = getattr(self, self.event, self.unhandled_webhook_event)
-        return handler(request, *args, **kwargs)
+        if handler := getattr(self, self.event, None):
+            self._inc_recv()
+            return handler(request, *args, **kwargs)
+        else:
+            self._inc_err("unhandled_event")
+            return self.unhandled_webhook_event(request, *args, **kwargs)
 
 
 class GithubEnterpriseWebhookHandler(GithubWebhookHandler):

webhook_handlers/views/gitlab.py

@@ -19,13 +19,38 @@
     WebhookHandlerErrorMessages,
 )
 
+from . import WEBHOOKS_ERRORED, WEBHOOKS_RECEIVED
+
 log = logging.getLogger(__name__)
 
 
 class GitLabWebhookHandler(APIView):
     permission_classes = [AllowAny]
     service_name = "gitlab"
 
+    def _inc_recv(self):
+        event_name = self.request.data.get("event_name")
+        if not event_name:
+            event_name = self.request.data.get("object_kind")
+        action = self.request.data.get("object_attributes", {}).get("action", "")
+
+        WEBHOOKS_RECEIVED.labels(
+            service=self.service_name, event=event_name, action=action
+        ).inc()
+
+    def _inc_err(self, reason: str):
+        event_name = self.request.data.get("event_name")
+        if not event_name:
+            event_name = self.request.data.get("object_kind")
+        action = self.request.data.get("object_attributes", {}).get("action", "")
+
+        WEBHOOKS_ERRORED.labels(
+            service=self.service_name,
+            event=event_name,
+            action=action,
+            error_reason=reason,
+        ).inc()
+
     def post(self, request, *args, **kwargs):
         """
         Helpful docs for working with GitLab webhooks
@@ -50,14 +75,20 @@ def post(self, request, *args, **kwargs):
         # special case - only event that doesn't have a repo yet
         if event_name == "project_create":
             if event == GitLabWebhookEvents.SYSTEM and is_enterprise:
+                self._inc_recv()
                 return self._handle_system_project_create_hook_event()
             else:
+                self._inc_err("permission_denied")
                 raise PermissionDenied()
 
-        # all other events should correspond to a repo in the db
-        repo = get_object_or_404(
-            Repository, author__service=self.service_name, service_id=project_id
-        )
+        try:
+            # all other events should correspond to a repo in the db
+            repo = get_object_or_404(
+                Repository, author__service=self.service_name, service_id=project_id
+            )
+        except Exception as e:
+            self._inc_err("repo_not_found")
+            raise e
 
         webhook_validation = bool(
             get_config(
@@ -68,17 +99,23 @@ def post(self, request, *args, **kwargs):
             self._validate_secret(request, repo.webhook_secret)
 
         if event == GitLabWebhookEvents.PUSH:
+            self._inc_recv()
             return self._handle_push_event(repo)
         elif event == GitLabWebhookEvents.JOB:
+            self._inc_recv()
             return self._handle_job_event(repo)
         elif event == GitLabWebhookEvents.MERGE_REQUEST:
+            self._inc_recv()
             return self._handle_merge_request_event(repo)
         elif event == GitLabWebhookEvents.SYSTEM:
             # SYSTEM events have always been gated behind is_enterprise, requires an enterprise_license
             if not is_enterprise:
+                self._inc_err("permission_denied")
                 raise PermissionDenied()
+            self._inc_recv()
             return self._handle_system_hook_event(repo, event_name)
 
+        self._inc_err("unhandled_event")
         return Response()
 
     def _handle_push_event(self, repo):
@@ -251,6 +288,7 @@ def _validate_secret(self, request: HttpRequest, webhook_secret: str):
         if token and webhook_secret:
             if constant_time_compare(webhook_secret, token):
                 return
+        self._inc_err("validation_failed")
         raise PermissionDenied()