repo allow list (#1636)

motatoes · web-flow · commit 1f3ea07c67ac · 2024-07-25T12:46:12.000+01:00
* repo allow list for gitlab
diff --git a/backend/utils/allowlist.go b/backend/utils/allowlist.go
@@ -0,0 +1,52 @@
+package utils
+
+import (
+	"github.com/samber/lo"
+	"log"
+	"net/url"
+	"os"
+	"strings"
+)
+
+func contains(slice []string, item string) bool {
+	for _, s := range slice {
+		if s == item {
+			return true
+		}
+	}
+	return false
+}
+
+func ExtractCleanRepoName(gitlabURL string) (string, error) {
+	// Parse the URL
+	parsedURL, err := url.Parse(gitlabURL)
+	if err != nil {
+		return "", err
+	}
+
+	// The repository name is typically the last part of the path
+	// We use path.Base to handle cases where there might be a trailing slash
+	repoName := parsedURL.Hostname() + parsedURL.Path
+
+	// If the URL ends with .git, remove it
+	repoName = strings.TrimSuffix(repoName, ".git")
+
+	return repoName, nil
+}
+
+func IsInRepoAllowList(repoUrl string) bool {
+	allowList := os.Getenv("DIGGER_REPO_ALLOW_LIST")
+	allowedReposUrls := strings.Split(allowList, ",")
+	// gitlab.com/diggerhq/test
+	// https://gitlab.com/diggerhq/test
+
+	repoName, err := ExtractCleanRepoName(repoUrl)
+	if err != nil {
+		log.Printf("warning could not parse url: %v", repoUrl)
+	}
+
+	exists := lo.Contains(allowedReposUrls, repoName)
+
+	return exists
+
+}
diff --git a/backend/utils/allowlist_test.go b/backend/utils/allowlist_test.go
@@ -0,0 +1,33 @@
+package utils
+
+import (
+	"github.com/stretchr/testify/assert"
+	"os"
+	"testing"
+)
+
+func TestExtractRepoName(t *testing.T) {
+	url := "http://gitlab.com/mike/dispora.git"
+	repoName, _ := ExtractCleanRepoName(url)
+	assert.Equal(t, "gitlab.com/mike/dispora", repoName)
+
+	url = "http://git.mydomain.com/mike/dispora.git"
+	repoName, _ = ExtractCleanRepoName(url)
+	assert.Equal(t, "git.mydomain.com/mike/dispora", repoName)
+}
+
+func TestRepoAllowList(t *testing.T) {
+	os.Setenv("DIGGER_REPO_ALLOW_LIST", "gitlab.com/diggerdev/digger-demo,gitlab.com/diggerdev/alsoallowed")
+	url := "http://gitlab.com/mike/dispora.git"
+	allowed := IsInRepoAllowList(url)
+	assert.False(t, allowed)
+
+	url = "http://gitlab.com/diggerdev/digger-demo2.git"
+	allowed = IsInRepoAllowList(url)
+	assert.False(t, allowed)
+
+	url = "http://gitlab.com/diggerdev/digger-demo.git"
+	allowed = IsInRepoAllowList(url)
+	assert.True(t, allowed)
+
+}
diff --git a/ee/backend/controllers/gitlab.go b/ee/backend/controllers/gitlab.go
@@ -67,6 +67,12 @@ func (d DiggerEEController) GitlabWebHookHandler(c *gin.Context) {
 
 	log.Printf("gitlab event type: %v\n", reflect.TypeOf(event))
 
+	repoUrl := GetGitlabRepoUrl(event)
+	if !utils.IsInRepoAllowList(repoUrl) {
+		log.Printf("repo: '%v' is not in allow list, ignoring ...", repoUrl)
+		return
+	}
+
 	switch event := event.(type) {
 	case *gitlab.MergeCommentEvent:
 		log.Printf("IssueCommentEvent, action: %v \n", event.ObjectAttributes.Description)
@@ -100,6 +106,21 @@ func (d DiggerEEController) GitlabWebHookHandler(c *gin.Context) {
 	c.JSON(200, "ok")
 }
 
+func GetGitlabRepoUrl(event interface{}) string {
+	var repoUrl = ""
+	switch event := event.(type) {
+	case *gitlab.MergeCommentEvent:
+		repoUrl = event.Project.GitHTTPURL
+	case *gitlab.MergeEvent:
+		repoUrl = event.Project.GitHTTPURL
+	case *gitlab.PushEvent:
+		repoUrl = event.Project.GitHTTPURL
+	default:
+		log.Printf("Unhandled event, event type %v", reflect.TypeOf(event))
+	}
+	return repoUrl
+}
+
 func handlePullRequestEvent(gitlabProvider utils.GitlabProvider, payload *gitlab.MergeEvent, ciBackendProvider ci_backends.CiBackendProvider, organisationId uint) error {
 	projectId := payload.Project.ID
 	repoFullName := payload.Project.PathWithNamespace
