diff --git a/models/webhook/webhook.go b/models/webhook/webhook.go index 4ab806573..f3370f3db 100644 --- a/models/webhook/webhook.go +++ b/models/webhook/webhook.go @@ -361,6 +361,15 @@ func (w Webhook) HeaderAuthorization() (string, error) { return secret.DecryptSecret(setting.SecretKey, w.HeaderAuthorizationEncrypted) } +// HeaderAuthorizationTrimPrefix returns the decrypted Authorization with a specified prefix trimmed. +func (w Webhook) HeaderAuthorizationTrimPrefix(prefix string) (string, error) { + s, err := w.HeaderAuthorization() + if err != nil { + return "", err + } + return strings.TrimPrefix(s, prefix), nil +} + // SetHeaderAuthorization encrypts and sets the Authorization header. func (w *Webhook) SetHeaderAuthorization(cleartext string) error { if cleartext == "" { diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini index 37fef6d22..79eb86a17 100644 --- a/options/locale/locale_en-US.ini +++ b/options/locale/locale_en-US.ini @@ -561,6 +561,7 @@ TeamName = Team name AuthName = Authorization name AdminEmail = Admin email To = Branch name +AccessToken = Access token NewBranchName = New branch name CommitSummary = Commit summary @@ -2378,6 +2379,7 @@ settings.slack_token = Token settings.slack_domain = Domain settings.slack_channel = Channel settings.add_web_hook_desc = Integrate %s into your repository. +settings.graphql_url = GraphQL URL settings.web_hook_name_gitea = Gitea settings.web_hook_name_forgejo = Forgejo settings.web_hook_name_gogs = Gogs @@ -2397,10 +2399,10 @@ settings.packagist_api_token = API token settings.packagist_package_url = Packagist package URL settings.web_hook_name_sourcehut_builds = SourceHut Builds settings.sourcehut_builds.manifest_path = Build manifest path -settings.sourcehut_builds.graphql_url = GraphQL URL (e.g. https://builds.sr.ht/query) settings.sourcehut_builds.visibility = Job visibility settings.sourcehut_builds.secrets = Secrets settings.sourcehut_builds.secrets_helper = Give the job access to the build secrets (requires the SECRETS:RO grant) +settings.sourcehut_builds.access_token_helper = Access token that has JOBS:RW grant. Generate a builds.sr.ht token or a builds.sr.ht token with secrets access on meta.sr.ht. settings.deploy_keys = Deploy keys settings.add_deploy_key = Add deploy key settings.deploy_key_desc = Deploy keys have read-only pull access to the repository. @@ -2507,6 +2509,8 @@ settings.thread_id = Thread ID settings.matrix.homeserver_url = Homeserver URL settings.matrix.room_id = Room ID settings.matrix.message_type = Message type +settings.matrix.access_token_helper = It is recommended to setup a dedicated Matrix account for this. The access token can be retrieved from the Element web client (in a private/incognito tab) > User menu (top left) > All settings > Help & About > Advanced > Access Token (right below the Homeserver URL). Close the private/incognito tab (logging out would invalidate the token). +settings.matrix.room_id_helper = The Room ID can be retrieved from the Element web client > Room Settings > Advanced > Internal room ID. Example: %s. settings.archive.button = Archive repo settings.archive.header = Archive this repo settings.archive.text = Archiving the repo will make it entirely read-only. It will be hidden from the dashboard. Nobody (not even you!) will be able to make new commits, or open any issues or pull requests. diff --git a/services/webhook/deliver.go b/services/webhook/deliver.go index d488b1725..8db1c7257 100644 --- a/services/webhook/deliver.go +++ b/services/webhook/deliver.go @@ -78,7 +78,13 @@ func Deliver(ctx context.Context, t *webhook_model.HookTask) error { } if authorization != "" { req.Header.Set("Authorization", authorization) - t.RequestInfo.Headers["Authorization"] = "******" + redacted := "******" + if strings.HasPrefix(authorization, "Bearer ") { + redacted = "Bearer " + redacted + } else if strings.HasPrefix(authorization, "Basic ") { + redacted = "Basic " + redacted + } + t.RequestInfo.Headers["Authorization"] = redacted } t.ResponseInfo = &webhook_model.HookResponse{ diff --git a/services/webhook/deliver_test.go b/services/webhook/deliver_test.go index c68933266..0311d810e 100644 --- a/services/webhook/deliver_test.go +++ b/services/webhook/deliver_test.go @@ -132,7 +132,7 @@ func TestWebhookDeliverAuthorizationHeader(t *testing.T) { } assert.True(t, hookTask.IsSucceed) - assert.Equal(t, "******", hookTask.RequestInfo.Headers["Authorization"]) + assert.Equal(t, "Bearer ******", hookTask.RequestInfo.Headers["Authorization"]) } func TestWebhookDeliverHookTask(t *testing.T) { @@ -152,7 +152,6 @@ func TestWebhookDeliverHookTask(t *testing.T) { case "/webhook/6db5dc1e282529a8c162c7fe93dd2667494eeb51": // Version 2 - assert.Equal(t, "push", r.Header.Get("X-GitHub-Event")) assert.Equal(t, "application/json", r.Header.Get("Content-Type")) body, err := io.ReadAll(r.Body) assert.NoError(t, err) diff --git a/services/webhook/matrix.go b/services/webhook/matrix.go index 697e33e94..24d6cc6d9 100644 --- a/services/webhook/matrix.go +++ b/services/webhook/matrix.go @@ -42,16 +42,15 @@ func (matrixHandler) UnmarshalForm(bind func(any)) forms.WebhookForm { HomeserverURL string `binding:"Required;ValidUrl"` RoomID string `binding:"Required"` MessageType int - - // enforce requirement of authorization_header - // (value will still be set in the embedded WebhookCoreForm) - AuthorizationHeader string `binding:"Required"` + AccessToken string `binding:"Required"` } bind(&form) + form.AuthorizationHeader = "Bearer " + strings.TrimSpace(form.AccessToken) + // https://spec.matrix.org/v1.10/client-server-api/#sending-events-to-a-room return forms.WebhookForm{ WebhookCoreForm: form.WebhookCoreForm, - URL: fmt.Sprintf("%s/_matrix/client/r0/rooms/%s/send/m.room.message", form.HomeserverURL, url.PathEscape(form.RoomID)), + URL: fmt.Sprintf("%s/_matrix/client/v3/rooms/%s/send/m.room.message", form.HomeserverURL, url.PathEscape(form.RoomID)), ContentType: webhook_model.ContentTypeJSON, Secret: "", HTTPMethod: http.MethodPut, @@ -91,7 +90,7 @@ func (matrixHandler) NewRequest(ctx context.Context, w *webhook_model.Webhook, t } req.Header.Set("Content-Type", "application/json") - return req, body, shared.AddDefaultHeaders(req, []byte(w.Secret), t, body) // likely useless, but has always been sent historially + return req, body, nil } const matrixPayloadSizeLimit = 1024 * 64 diff --git a/services/webhook/matrix_test.go b/services/webhook/matrix_test.go index 0269cccce..7031a45be 100644 --- a/services/webhook/matrix_test.go +++ b/services/webhook/matrix_test.go @@ -201,7 +201,7 @@ func TestMatrixJSONPayload(t *testing.T) { RepoID: 3, IsActive: true, Type: webhook_module.MATRIX, - URL: "https://matrix.example.com/_matrix/client/r0/rooms/ROOM_ID/send/m.room.message", + URL: "https://matrix.example.com/_matrix/client/v3/rooms/ROOM_ID/send/m.room.message", Meta: `{"message_type":0}`, // text } task := &webhook_model.HookTask{ @@ -217,8 +217,7 @@ func TestMatrixJSONPayload(t *testing.T) { require.NoError(t, err) assert.Equal(t, "PUT", req.Method) - assert.Equal(t, "/_matrix/client/r0/rooms/ROOM_ID/send/m.room.message/6db5dc1e282529a8c162c7fe93dd2667494eeb51", req.URL.Path) - assert.Equal(t, "sha256=", req.Header.Get("X-Hub-Signature-256")) + assert.Equal(t, "/_matrix/client/v3/rooms/ROOM_ID/send/m.room.message/6db5dc1e282529a8c162c7fe93dd2667494eeb51", req.URL.Path) assert.Equal(t, "application/json", req.Header.Get("Content-Type")) var body MatrixPayload err = json.NewDecoder(req.Body).Decode(&body) diff --git a/services/webhook/sourcehut/builds.go b/services/webhook/sourcehut/builds.go index 1561b9e6e..e7501110a 100644 --- a/services/webhook/sourcehut/builds.go +++ b/services/webhook/sourcehut/builds.go @@ -49,6 +49,7 @@ type buildsForm struct { ManifestPath string `binding:"Required"` Visibility string `binding:"Required;In(PUBLIC,UNLISTED,PRIVATE)"` Secrets bool + AccessToken string `binding:"Required"` } var _ binding.Validator = &buildsForm{} @@ -63,13 +64,7 @@ func (f *buildsForm) Validate(req *http.Request, errs binding.Errors) binding.Er Message: ctx.Locale.TrString("repo.settings.add_webhook.invalid_path"), }) } - if !strings.HasPrefix(f.AuthorizationHeader, "Bearer ") { - errs = append(errs, binding.Error{ - FieldNames: []string{"AuthorizationHeader"}, - Classification: "", - Message: ctx.Locale.TrString("form.required_prefix", "Bearer "), - }) - } + f.AuthorizationHeader = "Bearer " + strings.TrimSpace(f.AccessToken) return errs } diff --git a/templates/webhook/new/dingtalk.tmpl b/templates/webhook/new/dingtalk.tmpl index 398cb45f8..e805eadc0 100644 --- a/templates/webhook/new/dingtalk.tmpl +++ b/templates/webhook/new/dingtalk.tmpl @@ -5,5 +5,5 @@ - {{template "repo/settings/webhook/settings" .}} + {{template "webhook/shared-settings" .}} diff --git a/templates/webhook/new/discord.tmpl b/templates/webhook/new/discord.tmpl index c6a7ea7d1..48ac84fc6 100644 --- a/templates/webhook/new/discord.tmpl +++ b/templates/webhook/new/discord.tmpl @@ -13,5 +13,5 @@ - {{template "repo/settings/webhook/settings" .}} + {{template "webhook/shared-settings" .}} diff --git a/templates/webhook/new/feishu.tmpl b/templates/webhook/new/feishu.tmpl index ead11770d..10c2827d6 100644 --- a/templates/webhook/new/feishu.tmpl +++ b/templates/webhook/new/feishu.tmpl @@ -6,5 +6,5 @@ - {{template "repo/settings/webhook/settings" .}} + {{template "webhook/shared-settings" .}} diff --git a/templates/webhook/new/forgejo.tmpl b/templates/webhook/new/forgejo.tmpl index 6bc4eb489..cdb333469 100644 --- a/templates/webhook/new/forgejo.tmpl +++ b/templates/webhook/new/forgejo.tmpl @@ -34,5 +34,5 @@ - {{template "repo/settings/webhook/settings" .}} + {{template "webhook/shared-settings" .}} diff --git a/templates/webhook/new/gitea.tmpl b/templates/webhook/new/gitea.tmpl index a8e66202d..3926370be 100644 --- a/templates/webhook/new/gitea.tmpl +++ b/templates/webhook/new/gitea.tmpl @@ -34,5 +34,5 @@ - {{template "repo/settings/webhook/settings" .}} + {{template "webhook/shared-settings" .}} diff --git a/templates/webhook/new/gogs.tmpl b/templates/webhook/new/gogs.tmpl index 876c0e2be..5b6cd7235 100644 --- a/templates/webhook/new/gogs.tmpl +++ b/templates/webhook/new/gogs.tmpl @@ -22,5 +22,5 @@ - {{template "repo/settings/webhook/settings" .}} + {{template "webhook/shared-settings" .}} diff --git a/templates/webhook/new/matrix.tmpl b/templates/webhook/new/matrix.tmpl index afa28941b..920180d4c 100644 --- a/templates/webhook/new/matrix.tmpl +++ b/templates/webhook/new/matrix.tmpl @@ -5,9 +5,16 @@ + +
!opaque_id:example.org
"|SafeHTML)}}
Bearer token123456
, Basic YWxhZGRpbjpvcGVuc2VzYW1l
" | SafeHTML)}}
- {{end}}
-