stacklok / minder / 10899488435

53%

Build Type

push

github

Committed by web-flow

Commit Message

Add webhook secret bootstrap and verification for Gitlab (#4492)

Gitlab allows for setting up a shared secret for webhook authentication [1].
This shared secret is passed on via the `X-Gitlab-Token` header, and
it's the receiver's responsibility to verify it.

In our implementation, we take the secret from Gitlab's provider
configuration (it'll be a secret in k8s), append the unique identifier
we create for the webhook, and then apply sha 512. This ensures that we
have a section that's secret, while not passing in the actual secret to
Gitlab. It also ensures that if a secret token get compromised on the
gitlab side, it'll only be applicable to a single entity.

In your local configuration, this would look similar to this:

```
provider:
  gitlab:
      client_id: "XXXX"
      client_secret: "XXXX"
      redirect_uri: "http://localhost:8080/api/v1/auth/callback/gitlab"
      webhook_secret: <A SECRET GOES HERE>
      scopes:
        - api
        - read_api
        - read_repository
        - write_repository
        - read_registry
        - write_registry
        - openid
        - profile
        - email
```

[1] https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#create-a-webhook

Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>

Run Details

17 of 96 new or added lines in 6 files covered. (17.71%)

2 existing lines in 2 files now uncovered.

13741 of 26053 relevant lines covered (52.74%)

43.26 hits per line