Allow setting a gitlab user and webhook secrets

Author: oliverguenther

modules/gitlab_integration/app/components/gitlab_integration/admin/page_header_component.html.erb

@@ -0,0 +1,35 @@
+<%#-- copyright
+OpenProject is an open source project management software.
+Copyright (C) the OpenProject GmbH
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License version 3.
+
+OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+Copyright (C) 2006-2013 Jean-Philippe Lang
+Copyright (C) 2010-2013 the ChiliProject Team
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+See COPYRIGHT and LICENSE files for more details.
+
+++#%>
+
+<%=
+  render(Primer::OpenProject::PageHeader.new) do |header|
+    header.with_title { t(:label_gitlab_integration) }
+    header.with_breadcrumbs(breadcrumb_items)
+  end
+%>

modules/gitlab_integration/app/components/gitlab_integration/admin/page_header_component.rb

@@ -0,0 +1,40 @@
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module GitlabIntegration
+  module Admin
+    class PageHeaderComponent < ApplicationComponent
+      def breadcrumb_items
+        [
+          { href: admin_index_path, text: t("label_administration") },
+          t(:label_gitlab_integration)
+        ]
+      end
+    end
+  end
+end

modules/gitlab_integration/app/controllers/gitlab_integration/admin/settings_controller.rb

@@ -0,0 +1,63 @@
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module GitlabIntegration
+  module Admin
+    class SettingsController < ApplicationController
+      layout "admin"
+
+      menu_item :admin_gitlab_integration
+
+      before_action :require_admin
+
+      def show
+        settings = plugin_settings
+        user_id = settings[:gitlab_user_id].presence
+        @gitlab_comment_user = user_id ? User.find_by(id: user_id) : nil
+        @webhook_secret = settings[:webhook_secret]
+      end
+
+      def update
+        merged = plugin_settings.merge(permitted_params)
+        Setting.plugin_openproject_gitlab_integration = merged
+        flash[:notice] = I18n.t(:notice_successful_update)
+        redirect_to gitlab_integration_admin_settings_path
+      end
+
+      private
+
+      def permitted_params
+        params.permit(:gitlab_user_id, :webhook_secret).to_h
+      end
+
+      def plugin_settings
+        Hash(Setting.plugin_openproject_gitlab_integration).with_indifferent_access
+      end
+    end
+  end
+end

modules/gitlab_integration/app/forms/gitlab_integration/admin/settings_form.rb

@@ -0,0 +1,67 @@
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module GitlabIntegration
+  module Admin
+    class SettingsForm < ApplicationForm
+      form do |f|
+        f.autocompleter(
+          name: :gitlab_user_id,
+          label: I18n.t(:label_gitlab_actor),
+          caption: I18n.t(:text_gitlab_actor_info),
+          autocomplete_options: {
+            component: "opce-user-autocompleter",
+            allowEmpty: true,
+            defaultData: false,
+            model: @comment_user_model
+          }
+        )
+
+        f.text_field(
+          name: :webhook_secret,
+          label: I18n.t(:label_gitlab_webhook_secret),
+          caption: I18n.t(:text_gitlab_webhook_secret_info),
+          value: @webhook_secret,
+          input_width: :xxlarge
+        )
+
+        f.submit(
+          name: :submit,
+          label: I18n.t(:button_save),
+          scheme: :primary
+        )
+      end
+
+      def initialize(comment_user: nil, webhook_secret: nil)
+        super()
+        @comment_user_model = comment_user.present? ? { id: comment_user.id, name: comment_user.name } : nil
+        @webhook_secret = webhook_secret
+      end
+    end
+  end
+end

modules/gitlab_integration/app/views/gitlab_integration/admin/settings/show.html.erb

@@ -0,0 +1,42 @@
+<%#-- copyright
+OpenProject is an open source project management software.
+Copyright (C) the OpenProject GmbH
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License version 3.
+
+OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+Copyright (C) 2006-2013 Jean-Philippe Lang
+Copyright (C) 2010-2013 the ChiliProject Team
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+See COPYRIGHT and LICENSE files for more details.
+
+++#%>
+<% html_title t(:label_administration), t(:label_gitlab_integration), t(:label_setting_plural) %>
+
+<%= render(GitlabIntegration::Admin::PageHeaderComponent.new) %>
+
+<%= settings_primer_form_with(url: gitlab_integration_admin_settings_path, method: :patch) do |f| %>
+  <% if @webhook_secret.blank? %>
+    <%= render(Primer::Alpha::Banner.new(scheme: :warning, icon: :alert, mb: 4)) do %>
+      <%= t(:text_gitlab_webhook_secret_missing_warning) %>
+    <% end %>
+  <% end %>
+  <%= render GitlabIntegration::Admin::SettingsForm.new(f,
+                                                        comment_user: @gitlab_comment_user,
+                                                        webhook_secret: @webhook_secret) %>
+<% end %>

modules/gitlab_integration/config/locales/en.yml

@@ -56,6 +56,22 @@ en:
             labels:
               invalid_schema: "must be an array of hashes with keys: color, title"
 
+  label_gitlab_integration: "GitLab Integration"
+  label_gitlab_actor: "GitLab actor"
+  label_gitlab_webhook_secret: "Webhook secret"
+  text_gitlab_actor_info: >
+    The OpenProject user whose API key must be used to authenticate incoming webhook requests.
+    When set, requests authenticated with any other user's credentials are rejected.
+    This user also posts automated comments on work packages. Defaults to the system user when not set.
+  text_gitlab_webhook_secret_info: >
+    A secret token shared with GitLab when configuring the webhook.
+    When set, OpenProject verifies the X-Gitlab-Token header on every incoming request,
+    rejecting payloads that do not match. Leave blank to skip verification (not recommended).
+  text_gitlab_webhook_secret_missing_warning: >
+    No webhook secret is configured. Any request to the GitLab webhook endpoint will be accepted
+    without verification, which may allow unauthorized actors to forge events. It is strongly
+    recommended to set a secret.
+
   project_module_gitlab: "GitLab"
   permission_show_gitlab_content: "Show GitLab content"
 

modules/gitlab_integration/config/routes.rb

@@ -0,0 +1,35 @@
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+Rails.application.routes.draw do
+  namespace "gitlab_integration" do
+    namespace "admin" do
+      resource :settings, only: %i[show update]
+    end
+  end
+end

modules/gitlab_integration/lib/open_project/gitlab_integration/engine.rb

@@ -40,9 +40,27 @@ class Engine < ::Rails::Engine
 
     include OpenProject::Plugins::ActsAsOpEngine
 
+    def self.settings
+      {
+        default: {
+          "gitlab_user_id" => nil,
+          "webhook_secret" => nil
+        }
+      }
+    end
+
     register "openproject-gitlab_integration",
              author_url: "https://github.com/btey/openproject",
-             bundled: true do
+             bundled: true,
+             settings: do
+      ::Redmine::MenuManager.map(:admin_menu) do |menu|
+        menu.push :admin_gitlab_integration,
+                  { controller: "/gitlab_integration/admin/settings", action: "show" },
+                  if: ->(_) { User.current.admin? },
+                  caption: :label_gitlab_integration,
+                  icon: :"op-logo-gitlab"
+      end
+
       project_module(:gitlab, dependencies: :work_package_tracking) do
         permission(:show_gitlab_content,
                    {},

modules/gitlab_integration/lib/open_project/gitlab_integration/hook_handler.rb

@@ -50,7 +50,9 @@ def process(_hook, request, params, user)
       Rails.logger.debug { "Received gitlab webhook #{event_type}" }
 
       return 404 unless KNOWN_EVENTS.include?(event_type)
+      return 403 unless valid_token?(request)
       return 403 if user.blank?
+      return 403 if configured_user_id.present? && user.id != configured_user_id
 
       payload = params[:payload]
                 .permit!
@@ -63,5 +65,25 @@ def process(_hook, request, params, user)
 
       200
     end
+
+    private
+
+    def valid_token?(request)
+      secret = plugin_settings[:webhook_secret].presence
+      return true if secret.blank?
+
+      token_header = request.env["HTTP_X_GITLAB_TOKEN"]
+      return false if token_header.blank?
+
+      ActiveSupport::SecurityUtils.secure_compare(secret, token_header)
+    end
+
+    def configured_user_id
+      plugin_settings[:gitlab_user_id].presence&.to_i
+    end
+
+    def plugin_settings
+      Hash(Setting.plugin_openproject_gitlab_integration).with_indifferent_access
+    end
   end
 end