Enable TriggerBindings to validate requests

This PR resolves the issue tektoncd#45. It assumes that a task has been defined which can validate requests. That task will receive header and payload as params. Before the creation of resources, task will be called alongwith serviceaccount which has github-secret used to create webhook. Assumption: 1. Task is defined in such a way that it can use headers and payload received as params. 2. Apart from serviceaccount, payload and headers, task doesn't need anything else. 3. Task gives us non zero exit if validation failed. A sample task and main.go is provided. Updated tektoncd/pipeline to v0.6.0 pipeline Factored out execute trigger & run it as goroutine
khrm · Sep 10, 2019 · a129be3 · a129be3
1 parent 31a03e8
commit a129be3
Show file tree

Hide file tree

Showing 296 changed files with 158,635 additions and 356 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -15,8 +15,7 @@ required = [
 
 [[constraint]]
   name = "github.com/tektoncd/pipeline"
-  # HEAD as of 2019-08-05
-  revision = "33ea1a03b3d4fb6b0c8ae22abda5f335dc0b7997"
+  version = "v0.6.0"
 
 [[override]]
   name = "k8s.io/klog"
@@ -50,6 +49,11 @@ required = [
   name = "k8s.io/apiextensions-apiserver"
   version = "kubernetes-1.12.9"
 
+[[override]]
+  name = "k8s.io/kubernetes"
+  # version = "1.13.3"
+  revision = "721bfa751924da8d1680787490c54b9179b1fed0"
+
 [[constraint]]
   name = "knative.dev/caching"
   # HEAD as of 2019-07-23

diff --git a/cmd/eventlistenersink/main.go b/cmd/eventlistenersink/main.go
@@ -42,6 +42,7 @@ func main() {
 		DiscoveryClient:        sinkClients.DiscoveryClient,
 		RESTClient:             sinkClients.RESTClient,
 		TriggersClient:         sinkClients.TriggersClient,
+		PipelineClient:         sinkClients.PipelineClient,
 		EventListenerName:      sinkArgs.ElName,
 		EventListenerNamespace: sinkArgs.ElNamespace,
 	}

diff --git a/docs/validate-github-webhook.yaml b/docs/validate-github-webhook.yaml
@@ -0,0 +1,47 @@
+apiVersion: tekton.dev/v1alpha1
+kind: Task
+metadata:
+  name: validate-webhook
+spec:
+  inputs:
+    params:
+      - name: Payload
+        description: Payload of Event Received
+      - name: X-Hub-Signature
+        description: Hash of the Request Received
+      - name: Github-Secret
+        description: Secret name used to configure webhook
+      - name: Github-Secret-Key
+        description: Secret key used to configured webhook
+  steps:
+    - name: validate
+      image: python:alpine
+      command: ["/bin/sh"]
+      args:
+      - -ce
+      - |
+        set -e
+        cat <<EOF | python
+        import hashlib, os, hmac
+        secret = bytes(os.environ.get('GithubSecret'), 'utf-8')
+        payload = bytes("$(inputs.params.Payload)",'utf-8')
+        signature = "$(inputs.params.X-Hub-Signature)"
+        expected = hmac.new(secret, payload, hashlib.sha1).hexdigest()
+        if expected is not None:
+          if not isinstance(expected, str):
+            expected = str(expected)
+          sig_parts = signature.split("=", 1)
+          if not isinstance(sig_parts[1], str):
+            sig_parts1 = str(sig_parts[1])
+          else:
+            sig_parts1 = sig_parts[1]
+          if len(sig_parts) > 1 and sig_parts[0] == "sha1" and hmac.compare_digest(sig_parts1, expected):
+            exit(0)
+        exit(1)
+        EOF
+      env:
+        - name: GithubSecret
+          valueFrom:
+            secretKeyRef:
+              name: $(inputs.params.Github-Secret)
+              key: $(inputs.params.Github-Secret-Key)
diff --git a/docs/validate-webook.md b/docs/validate-webook.md
@@ -0,0 +1,3 @@
+# Validate Webhook Tekton Task
+The validate webhook task configures provides a task to validate an incoming event to the addressable endpoint.
+Task receives request headers and payload as Params. Sample Task provided for github.
diff --git a/pkg/apis/triggers/v1alpha1/event_listener_types.go b/pkg/apis/triggers/v1alpha1/event_listener_types.go
@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	pipelinev1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"knative.dev/pkg/apis"
@@ -36,10 +37,18 @@ type EventListenerSpec struct {
 //
 // +k8s:deepcopy-gen=true
 type Trigger struct {
+	TriggerValidate *TriggerValidate   `json:"validate,omitempty"`
 	TriggerBinding  TriggerBindingRef  `json:"binding"`
 	TriggerTemplate TriggerTemplateRef `json:"template"`
 }
 
+// TriggerValidate represents the image to run taskrun for validating that trigger comes from the source which is desired
+type TriggerValidate struct {
+	TaskRef            pipelinev1.TaskRef `json:"taskRef"`
+	ServiceAccountName string             `json:"serviceAccountName"`
+	Params             []pipelinev1.Param `json:"params,omitempty"`
+}
+
 // TriggerBindingRef refers to a particular TriggerBinding resource.
 type TriggerBindingRef struct {
 	Name       string `json:"name"`