Merge pull request '[v7.0/forgejo] [FEAT] sourcehut webhooks' (go-gitea#3065) from bp-v7.0/forgejo-ed9dd0e-04a398a into v7.0/forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3065
Reviewed-by: Earl Warren <[email protected]>

Author: Earl Warren

modules/structs/repo.go

@@ -115,6 +115,16 @@ type Repository struct {
 	RepoTransfer  *RepoTransfer `json:"repo_transfer"`
 }
 
+// GetName implements the gitrepo.Repository interface
+func (r Repository) GetName() string {
+	return r.Name
+}
+
+// GetOwnerName implements the gitrepo.Repository interface
+func (r Repository) GetOwnerName() string {
+	return r.Owner.UserName
+}
+
 // CreateRepoOption options when creating repository
 // swagger:model
 type CreateRepoOption struct {

modules/webhook/type.go

@@ -73,18 +73,19 @@ type HookType = string
 
 // Types of webhooks
 const (
-	FORGEJO    HookType = "forgejo"
-	GITEA      HookType = "gitea"
-	GOGS       HookType = "gogs"
-	SLACK      HookType = "slack"
-	DISCORD    HookType = "discord"
-	DINGTALK   HookType = "dingtalk"
-	TELEGRAM   HookType = "telegram"
-	MSTEAMS    HookType = "msteams"
-	FEISHU     HookType = "feishu"
-	MATRIX     HookType = "matrix"
-	WECHATWORK HookType = "wechatwork"
-	PACKAGIST  HookType = "packagist"
+	FORGEJO          HookType = "forgejo"
+	GITEA            HookType = "gitea"
+	GOGS             HookType = "gogs"
+	SLACK            HookType = "slack"
+	DISCORD          HookType = "discord"
+	DINGTALK         HookType = "dingtalk"
+	TELEGRAM         HookType = "telegram"
+	MSTEAMS          HookType = "msteams"
+	FEISHU           HookType = "feishu"
+	MATRIX           HookType = "matrix"
+	WECHATWORK       HookType = "wechatwork"
+	PACKAGIST        HookType = "packagist"
+	SOURCEHUT_BUILDS HookType = "sourcehut_builds" //nolint:revive
 )
 
 // HookStatus is the status of a web hook

options/locale/locale_en-US.ini

@@ -640,6 +640,8 @@ target_branch_not_exist = Target branch does not exist.
 
 admin_cannot_delete_self = You cannot delete yourself when you are an admin. Please remove your admin privileges first.
 
+required_prefix = Input must start with "%s"
+
 [user]
 change_avatar = Change your avatar…
 joined_on = Joined on %s
@@ -2269,6 +2271,7 @@ settings.delete_team_tip = This team has access to all repositories and can't be
 settings.remove_team_success = The team's access to the repository has been removed.
 settings.add_webhook = Add webhook
 settings.add_webhook.invalid_channel_name = Webhook channel name cannot be empty and cannot contain only a # character.
+settings.add_webhook.invalid_path = Path must not contain a part that is "." or ".." or the empty string. It cannot start or end with a slash.
 settings.hooks_desc = Webhooks automatically make HTTP POST requests to a server when certain Forgejo events trigger. Read more in the <a target="_blank" rel="noopener noreferrer" href="%s">webhooks guide</a>.
 settings.webhook_deletion = Remove webhook
 settings.webhook_deletion_desc = Removing a webhook deletes its settings and delivery history. Continue?
@@ -2384,6 +2387,12 @@ settings.web_hook_name_packagist = Packagist
 settings.packagist_username = Packagist username
 settings.packagist_api_token = API token
 settings.packagist_package_url = Packagist package URL
+settings.web_hook_name_sourcehut_builds = SourceHut Builds
+settings.sourcehut_builds.manifest_path = Build manifest path
+settings.sourcehut_builds.graphql_url = GraphQL URL (e.g. https://builds.sr.ht/query)
+settings.sourcehut_builds.visibility = Job visibility
+settings.sourcehut_builds.secrets = Secrets
+settings.sourcehut_builds.secrets_helper = Give the job access to the build secrets (requires the SECRETS:RO grant)
 settings.deploy_keys = Deploy keys
 settings.add_deploy_key = Add deploy key
 settings.deploy_key_desc = Deploy keys have read-only pull access to the repository.

public/assets/img/sourcehut.svg

@@ -148,7 +148,7 @@ func WebhookNew(ctx *context.Context) {
 }
 
 // ParseHookEvent convert web form content to webhook.HookEvent
-func ParseHookEvent(form forms.WebhookForm) *webhook_module.HookEvent {
+func ParseHookEvent(form forms.WebhookCoreForm) *webhook_module.HookEvent {
 	return &webhook_module.HookEvent{
 		PushOnly:       form.PushOnly(),
 		SendEverything: form.SendEverything(),
@@ -188,7 +188,7 @@ func WebhookCreate(ctx *context.Context) {
 		return
 	}
 
-	fields := handler.FormFields(func(form any) {
+	fields := handler.UnmarshalForm(func(form any) {
 		errs := binding.Bind(ctx.Req, form)
 		middleware.Validate(errs, ctx.Data, form, ctx.Locale) // error checked below in ctx.HasError
 	})
@@ -215,10 +215,10 @@ func WebhookCreate(ctx *context.Context) {
 		w.URL = fields.URL
 		w.ContentType = fields.ContentType
 		w.Secret = fields.Secret
-		w.HookEvent = ParseHookEvent(fields.WebhookForm)
-		w.IsActive = fields.WebhookForm.Active
+		w.HookEvent = ParseHookEvent(fields.WebhookCoreForm)
+		w.IsActive = fields.Active
 		w.HTTPMethod = fields.HTTPMethod
-		err := w.SetHeaderAuthorization(fields.WebhookForm.AuthorizationHeader)
+		err := w.SetHeaderAuthorization(fields.AuthorizationHeader)
 		if err != nil {
 			ctx.ServerError("SetHeaderAuthorization", err)
 			return
@@ -245,14 +245,14 @@ func WebhookCreate(ctx *context.Context) {
 		HTTPMethod:      fields.HTTPMethod,
 		ContentType:     fields.ContentType,
 		Secret:          fields.Secret,
-		HookEvent:       ParseHookEvent(fields.WebhookForm),
-		IsActive:        fields.WebhookForm.Active,
+		HookEvent:       ParseHookEvent(fields.WebhookCoreForm),
+		IsActive:        fields.Active,
 		Type:            hookType,
 		Meta:            string(meta),
 		OwnerID:         orCtx.OwnerID,
 		IsSystemWebhook: orCtx.IsSystemWebhook,
 	}
-	err = w.SetHeaderAuthorization(fields.WebhookForm.AuthorizationHeader)
+	err = w.SetHeaderAuthorization(fields.AuthorizationHeader)
 	if err != nil {
 		ctx.ServerError("SetHeaderAuthorization", err)
 		return
@@ -286,7 +286,7 @@ func WebhookUpdate(ctx *context.Context) {
 		return
 	}
 
-	fields := handler.FormFields(func(form any) {
+	fields := handler.UnmarshalForm(func(form any) {
 		errs := binding.Bind(ctx.Req, form)
 		middleware.Validate(errs, ctx.Data, form, ctx.Locale) // error checked below in ctx.HasError
 	})
@@ -295,11 +295,11 @@ func WebhookUpdate(ctx *context.Context) {
 	w.URL = fields.URL
 	w.ContentType = fields.ContentType
 	w.Secret = fields.Secret
-	w.HookEvent = ParseHookEvent(fields.WebhookForm)
-	w.IsActive = fields.WebhookForm.Active
+	w.HookEvent = ParseHookEvent(fields.WebhookCoreForm)
+	w.IsActive = fields.Active
 	w.HTTPMethod = fields.HTTPMethod
 
-	err := w.SetHeaderAuthorization(fields.WebhookForm.AuthorizationHeader)
+	err := w.SetHeaderAuthorization(fields.AuthorizationHeader)
 	if err != nil {
 		ctx.ServerError("SetHeaderAuthorization", err)
 		return

routers/web/repo/setting/webhook.go

@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/models"
 	issues_model "code.gitea.io/gitea/models/issues"
 	project_model "code.gitea.io/gitea/models/project"
+	webhook_model "code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/web/middleware"
@@ -235,8 +236,8 @@ func (f *ProtectBranchForm) Validate(req *http.Request, errs binding.Errors) bin
 //   \__/\  /  \___  >___  /___|  /\____/ \____/|__|_ \
 //        \/       \/    \/     \/                   \/
 
-// WebhookForm form for changing web hook
-type WebhookForm struct {
+// WebhookCoreForm form for changing web hook (common to all webhook types)
+type WebhookCoreForm struct {
 	Events                   string
 	Create                   bool
 	Delete                   bool
@@ -265,20 +266,30 @@ type WebhookForm struct {
 }
 
 // PushOnly if the hook will be triggered when push
-func (f WebhookForm) PushOnly() bool {
+func (f WebhookCoreForm) PushOnly() bool {
 	return f.Events == "push_only"
 }
 
 // SendEverything if the hook will be triggered any event
-func (f WebhookForm) SendEverything() bool {
+func (f WebhookCoreForm) SendEverything() bool {
 	return f.Events == "send_everything"
 }
 
 // ChooseEvents if the hook will be triggered choose events
-func (f WebhookForm) ChooseEvents() bool {
+func (f WebhookCoreForm) ChooseEvents() bool {
 	return f.Events == "choose_events"
 }
 
+// WebhookForm form for changing web hook (specific handling depending on the webhook type)
+type WebhookForm struct {
+	WebhookCoreForm
+	URL         string
+	ContentType webhook_model.HookContentType
+	Secret      string
+	HTTPMethod  string
+	Metadata    any
+}
+
 // .___
 // |   | ______ ________ __   ____
 // |   |/  ___//  ___/  |  \_/ __ \

services/forms/repo_form.go

@@ -5,13 +5,8 @@ package webhook
 
 import (
 	"context"
-	"crypto/hmac"
-	"crypto/sha1"
-	"crypto/sha256"
-	"encoding/hex"
 	"fmt"
 	"html/template"
-	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -21,6 +16,7 @@ import (
 	"code.gitea.io/gitea/modules/svg"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 	"code.gitea.io/gitea/services/forms"
+	"code.gitea.io/gitea/services/webhook/shared"
 )
 
 var _ Handler = defaultHandler{}
@@ -39,16 +35,16 @@ func (dh defaultHandler) Type() webhook_module.HookType {
 func (dh defaultHandler) Icon(size int) template.HTML {
 	if dh.forgejo {
 		// forgejo.svg is not in web_src/svg/, so svg.RenderHTML does not work
-		return imgIcon("forgejo.svg", size)
+		return shared.ImgIcon("forgejo.svg", size)
 	}
 	return svg.RenderHTML("gitea-gitea", size, "img")
 }
 
 func (defaultHandler) Metadata(*webhook_model.Webhook) any { return nil }
 
-func (defaultHandler) FormFields(bind func(any)) FormFields {
+func (defaultHandler) UnmarshalForm(bind func(any)) forms.WebhookForm {
 	var form struct {
-		forms.WebhookForm
+		forms.WebhookCoreForm
 		PayloadURL  string `binding:"Required;ValidUrl"`
 		HTTPMethod  string `binding:"Required;In(POST,GET)"`
 		ContentType int    `binding:"Required"`
@@ -60,13 +56,13 @@ func (defaultHandler) FormFields(bind func(any)) FormFields {
 	if webhook_model.HookContentType(form.ContentType) == webhook_model.ContentTypeForm {
 		contentType = webhook_model.ContentTypeForm
 	}
-	return FormFields{
-		WebhookForm: form.WebhookForm,
-		URL:         form.PayloadURL,
-		ContentType: contentType,
-		Secret:      form.Secret,
-		HTTPMethod:  form.HTTPMethod,
-		Metadata:    nil,
+	return forms.WebhookForm{
+		WebhookCoreForm: form.WebhookCoreForm,
+		URL:             form.PayloadURL,
+		ContentType:     contentType,
+		Secret:          form.Secret,
+		HTTPMethod:      form.HTTPMethod,
+		Metadata:        nil,
 	}
 }
 
@@ -130,42 +126,5 @@ func (defaultHandler) NewRequest(ctx context.Context, w *webhook_model.Webhook,
 	}
 
 	body = []byte(t.PayloadContent)
-	return req, body, addDefaultHeaders(req, []byte(w.Secret), t, body)
-}
-
-func addDefaultHeaders(req *http.Request, secret []byte, t *webhook_model.HookTask, payloadContent []byte) error {
-	var signatureSHA1 string
-	var signatureSHA256 string
-	if len(secret) > 0 {
-		sig1 := hmac.New(sha1.New, secret)
-		sig256 := hmac.New(sha256.New, secret)
-		_, err := io.MultiWriter(sig1, sig256).Write(payloadContent)
-		if err != nil {
-			// this error should never happen, since the hashes are writing to []byte and always return a nil error.
-			return fmt.Errorf("prepareWebhooks.sigWrite: %w", err)
-		}
-		signatureSHA1 = hex.EncodeToString(sig1.Sum(nil))
-		signatureSHA256 = hex.EncodeToString(sig256.Sum(nil))
-	}
-
-	event := t.EventType.Event()
-	eventType := string(t.EventType)
-	req.Header.Add("X-Forgejo-Delivery", t.UUID)
-	req.Header.Add("X-Forgejo-Event", event)
-	req.Header.Add("X-Forgejo-Event-Type", eventType)
-	req.Header.Add("X-Forgejo-Signature", signatureSHA256)
-	req.Header.Add("X-Gitea-Delivery", t.UUID)
-	req.Header.Add("X-Gitea-Event", event)
-	req.Header.Add("X-Gitea-Event-Type", eventType)
-	req.Header.Add("X-Gitea-Signature", signatureSHA256)
-	req.Header.Add("X-Gogs-Delivery", t.UUID)
-	req.Header.Add("X-Gogs-Event", event)
-	req.Header.Add("X-Gogs-Event-Type", eventType)
-	req.Header.Add("X-Gogs-Signature", signatureSHA256)
-	req.Header.Add("X-Hub-Signature", "sha1="+signatureSHA1)
-	req.Header.Add("X-Hub-Signature-256", "sha256="+signatureSHA256)
-	req.Header["X-GitHub-Delivery"] = []string{t.UUID}
-	req.Header["X-GitHub-Event"] = []string{event}
-	req.Header["X-GitHub-Event-Type"] = []string{eventType}
-	return nil
+	return req, body, shared.AddDefaultHeaders(req, []byte(w.Secret), t, body)
 }

services/webhook/default.go

@@ -17,28 +17,29 @@ import (
 	"code.gitea.io/gitea/modules/util"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
 	"code.gitea.io/gitea/services/forms"
+	"code.gitea.io/gitea/services/webhook/shared"
 )
 
 type dingtalkHandler struct{}
 
 func (dingtalkHandler) Type() webhook_module.HookType       { return webhook_module.DINGTALK }
 func (dingtalkHandler) Metadata(*webhook_model.Webhook) any { return nil }
-func (dingtalkHandler) Icon(size int) template.HTML         { return imgIcon("dingtalk.ico", size) }
+func (dingtalkHandler) Icon(size int) template.HTML         { return shared.ImgIcon("dingtalk.ico", size) }
 
-func (dingtalkHandler) FormFields(bind func(any)) FormFields {
+func (dingtalkHandler) UnmarshalForm(bind func(any)) forms.WebhookForm {
 	var form struct {
-		forms.WebhookForm
+		forms.WebhookCoreForm
 		PayloadURL string `binding:"Required;ValidUrl"`
 	}
 	bind(&form)
 
-	return FormFields{
-		WebhookForm: form.WebhookForm,
-		URL:         form.PayloadURL,
-		ContentType: webhook_model.ContentTypeJSON,
-		Secret:      "",
-		HTTPMethod:  http.MethodPost,
-		Metadata:    nil,
+	return forms.WebhookForm{
+		WebhookCoreForm: form.WebhookCoreForm,
+		URL:             form.PayloadURL,
+		ContentType:     webhook_model.ContentTypeJSON,
+		Secret:          "",
+		HTTPMethod:      http.MethodPost,
+		Metadata:        nil,
 	}
 }
 
@@ -225,8 +226,8 @@ func createDingtalkPayload(title, text, singleTitle, singleURL string) DingtalkP
 
 type dingtalkConvertor struct{}
 
-var _ payloadConvertor[DingtalkPayload] = dingtalkConvertor{}
+var _ shared.PayloadConvertor[DingtalkPayload] = dingtalkConvertor{}
 
 func (dingtalkHandler) NewRequest(ctx context.Context, w *webhook_model.Webhook, t *webhook_model.HookTask) (*http.Request, []byte, error) {
-	return newJSONRequest(dingtalkConvertor{}, w, t, true)
+	return shared.NewJSONRequest(dingtalkConvertor{}, w, t, true)
 }