feat: Added support for white listing of repositories (#915)
* add white listing of repositories

Signed-off-by: ravenolf <[email protected]>

* fix variable naming

Signed-off-by: ravenolf <[email protected]>

* add unit test

* update docs

* add successful unit test

Co-authored-by: ravenolf <[email protected]>
2 people authored and npalm committed Jul 7, 2021
1 parent a6b9a29 commit b5096bb
Showing 8 changed files with 51 additions and 0 deletions.
3 changes: 3 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ This [Terraform](https://www.terraform.io/) module creates the required infrastr
- [Debugging](#debugging)
- [Requirements](#requirements)
- [Providers](#providers)
- [Modules](#modules)
- [Resources](#resources)
- [Inputs](#inputs)
- [Outputs](#outputs)
- [Contribution](#contribution)
Expand Down Expand Up @@ -366,6 +368,7 @@ No requirements.
| manage\_kms\_key | Let the module manage the KMS key. | `bool` | `true` | no |
| market\_options | Market options for the action runner instances. Setting the value to `null` let the scaler create on-demand instances instead of spot instances. | `string` | `"spot"` | no |
| minimum\_running\_time\_in\_minutes | The time an ec2 action runner should be running at minimum before terminated if non busy. | `number` | `5` | no |
| repository\_white\_list | (optional) List of github repository full names (owner/repo_name) that will be allowed to call the runners. Leave empty for no filtering | `list(string)` | `[]` | no |
| role\_path | The path that will be added to role path for created roles, if not set the environment name will be used. | `string` | `null` | no |
| role\_permissions\_boundary | Permissions boundary that will be added to the created roles. | `string` | `null` | no |
| runner\_additional\_security\_group\_ids | (optional) List of additional security groups IDs to apply to the runner | `list(string)` | `[]` | no |
Expand Down
1 change: 1 addition & 0 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ module "webhook" {

role_path = var.role_path
role_permissions_boundary = var.role_permissions_boundary
repository_white_list = var.repository_white_list
}

module "runners" {
Expand Down
1 change: 1 addition & 0 deletions modules/webhook/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ No requirements.
| lambda\_timeout | Time out of the lambda in seconds. | `number` | `10` | no |
| lambda\_zip | File location of the lambda zip file. | `string` | `null` | no |
| logging\_retention\_in\_days | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `7` | no |
| repository\_white\_list | List of github repository full names (owner/repo_name) that will be allowed to call the runners. Leave empty for no filtering | `list(string)` | `[]` | no |
| role\_path | The path that will be added to the role, if not set the environment name will be used. | `string` | `null` | no |
| role\_permissions\_boundary | Permissions boundary that will be added to the created role for the lambda. | `string` | `null` | no |
| sqs\_build\_queue | SQS queue to publish accepted build events. | <pre>object({<br> id = string<br> arn = string<br> })</pre> | n/a | yes |
Expand Down
22 changes: 22 additions & 0 deletions modules/webhook/lambdas/webhook/src/webhook/handler.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ describe('handler', () => {
let originalError: Console['error'];

beforeEach(() => {
process.env.REPOSITORY_WHITE_LIST = '[]';
process.env.GITHUB_APP_WEBHOOK_SECRET = 'TEST_SECRET';
originalError = console.error;
console.error = jest.fn();
Expand Down Expand Up @@ -71,4 +72,25 @@ describe('handler', () => {
expect(resp).toBe(200);
expect(sendActionRequest).not.toBeCalled();
});

it('does not handle check_run events from unlisted repositories', async () => {
process.env.REPOSITORY_WHITE_LIST = '["NotCodertocat/Hello-World"]';
const resp = await handle(
{ 'X-Hub-Signature': 'sha1=4a82d2f60346e16dab3546eb3b56d8dde4d5b659', 'X-GitHub-Event': 'check_run' },
JSON.stringify(check_run_event),
);
expect(resp).toBe(500);
expect(sendActionRequest).not.toBeCalled();
});

it('handles check_run events from whitelisted repositories', async () => {
process.env.REPOSITORY_WHITE_LIST = '["Codertocat/Hello-World"]';
const resp = await handle(
{ 'X-Hub-Signature': 'sha1=4a82d2f60346e16dab3546eb3b56d8dde4d5b659', 'X-GitHub-Event': 'check_run' },
JSON.stringify(check_run_event),
);
expect(resp).toBe(200);
expect(sendActionRequest).toBeCalled();
});

});
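Review bot: The two new tests pin only an exact-case match, so neither the intended treatment of `codertocat/hello-world` against an allow-list entry of `Codertocat/Hello-World` nor a malformed `REPOSITORY_WHITE_LIST` value is covered, and those are the configuration mistakes an operator is most likely to make. Adding a case with `process.env.REPOSITORY_WHITE_LIST = '["codertocat/hello-world"]';` asserting whichever response is intended, and one with `process.env.REPOSITORY_WHITE_LIST = 'not json';` asserting that the handler rejects rather than throws, would document the contract whichever way the handler resolves it. The rejection test asserts `500`; if the handler is changed to answer policy refusals with `403`, this expectation moves with it. The `describe` block starts above the hunk, so whether `sendActionRequest` is cleared between tests, which `not.toBeCalled()` in the unlisted-repository test relies on, is not visible here.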
12 changes: 12 additions & 0 deletions modules/webhook/lambdas/webhook/src/webhook/handler.ts
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,18 @@ export const handle = async (headers: IncomingHttpHeaders, payload: any): Promis

if (githubEvent === 'check_run') {
const body = JSON.parse(payload) as CheckRunEvent;

const repositoryWhiteListEnv = process.env.REPOSITORY_WHITE_LIST as string || "[]";
const repositoryWhiteList = JSON.parse(repositoryWhiteListEnv) as Array<string>;

if (repositoryWhiteList.length > 0) {
const repositoryFullName = body.repository.full_name;
if (!repositoryWhiteList.includes(repositoryFullName)) {
console.error(`Received event from unauthorized repository ${repositoryFullName}`);
return 500;
}
}

let installationId = body.installation?.id;
if (installationId == null) {
installationId = 0;
Expand Down
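Review bot: The allow-list check at the top of the `check_run` branch answers a policy rejection with `return 500;`, and it re-parses `REPOSITORY_WHITE_LIST` on every delivery without confirming the result is an array of strings, so a malformed value, or a signed payload without `repository`, throws from `body.repository.full_name` instead of being rejected cleanly. A 5xx also appears in GitHub's delivery log as a failure on our side rather than a deliberate refusal; `403` states the decision, though if 500 is this file's convention for other rejections (not visible in the hunk) it should at least be commented. `includes` compares case-sensitively while GitHub repository names are not, so an allow-list entry whose casing differs from what GitHub sends fails closed and locks the repository out silently; lower-casing both sides avoids that. The check only protects the queue if the signature verification that presumably precedes this branch runs first — `handle` begins outside the hunk, so that ordering should be confirmed. The rewrite below validates the list, guards the missing field, normalises case and returns 403 (the two new tests would change their expected status accordingly).
```typescript
// … unchanged: signature verification and event dispatch above …
if (githubEvent === 'check_run') {
  const body = JSON.parse(payload) as CheckRunEvent;

  // Allow-list is JSON-encoded by Terraform; an empty list disables filtering.
  const repositoryWhiteList = readRepositoryWhiteList();
  if (repositoryWhiteList.length > 0) {
    // GitHub repository names are case-insensitive; compare normalised.
    const repositoryFullName = body.repository?.full_name?.toLowerCase();
    if (repositoryFullName === undefined || !repositoryWhiteList.includes(repositoryFullName)) {
      console.error(`Received event from unauthorized repository ${repositoryFullName}`);
      return 403;
    }
  }
  // … unchanged: installation id lookup and sendActionRequest …

/** Parses REPOSITORY_WHITE_LIST, rejecting anything but a JSON array of strings. */
function readRepositoryWhiteList(): string[] {
  const parsed: unknown = JSON.parse(process.env.REPOSITORY_WHITE_LIST ?? '[]');
  if (!Array.isArray(parsed) || !parsed.every((r) => typeof r === 'string')) {
    throw new Error('REPOSITORY_WHITE_LIST must be a JSON array of "owner/repo" strings');
  }
  return parsed.map((r) => r.toLowerCase());
}
```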
5 changes: 5 additions & 0 deletions modules/webhook/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -79,3 +79,8 @@ variable "webhook_lambda_s3_object_version" {
default = null
}

variable "repository_white_list" {
description = "List of repositories allowed to use the github app"
type = list(string)
default = []
}
1 change: 1 addition & 0 deletions modules/webhook/webhook.tf
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ resource "aws_lambda_function" "webhook" {
KMS_KEY_ID = var.encryption.kms_key_id
GITHUB_APP_WEBHOOK_SECRET = local.github_app_webhook_secret
SQS_URL_WEBHOOK = var.sqs_build_queue.id
REPOSITORY_WHITE_LIST = jsonencode(var.repository_white_list)
}
}

Expand Down
6 changes: 6 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -360,3 +360,9 @@ variable "instance_types" {
type = set(string)
default = null
}

variable "repository_white_list" {
description = "List of repositories allowed to use the github app"
type = list(string)
default = []
}
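Review bot: The new `repository_white_list` variable accepts any string, so a typo such as `repo_name` without the owner or a trailing slash silently produces an allow-list that matches nothing, and every delivery is then refused with no hint at plan time. A `validation` block requiring the `owner/repo_name` form turns that into a plan-time error; it needs Terraform 0.13 for `validation` and 0.14 for `alltrue`, which the README's "No requirements" does not pin, so adjust if the module supports older versions. The description here, `List of repositories allowed to use the github app`, also differs from the hand-edited README row, and terraform-docs will overwrite the README with this text on its next run — use the fuller README wording as the description both here and in `modules/webhook/variables.tf`.
```hcl
variable "repository_white_list" {
  description = "(optional) List of github repository full names (owner/repo_name) that will be allowed to call the runners. Leave empty for no filtering."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for r in var.repository_white_list : can(regex("^[^/]+/[^/]+$", r))])
    error_message = "Every entry of repository_white_list must be a full repository name in the form owner/repo_name."
  }
}
```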
