Add event type filtering to the gitlab interceptor.

docs/eventlisteners.md

@@ -159,12 +159,17 @@ spec:
 
 ### GitLab Interceptors
 
-GitLab interceptors contain logic to validate that a webhook actually came from Gitlab,
-using the logic outlined in GitLab [documentation](https://docs.gitlab.com/ee/user/project/integrations/webhooks.html/).
+GitLab interceptors contain logic to validate and filter requests that come from Gitlab.
+Supported features include validating that a webhook actually came from Gitlab, using the logic outlined
+in GitLab [documentation](https://docs.gitlab.com/ee/user/project/integrations/webhooks.html/),
+and to filter incoming events based on the event types.
+Event types can be found in Gitlab [documentation](https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#events).
 
-To use this interceptor, create a secret string using the method of your choice, and configure the Gitlab
-webhook to use that secret value.
-Create a Kubernetes secret containing this value, and pass that as a reference to the `gitlab` interceptor:
+To use this interceptor as a validator, create a secret string using the method of your choice, and configure
+the Gitlab webhook to use that secret value.
+Create a Kubernetes secret containing this value, and pass that as a reference to the `gitlab` interceptor.
+
+To use this interceptor as a filter, add the event types you would like to accept to the `eventTypes` field.
 
 <!-- FILE: examples/eventlisteners/gitlab-eventlistener-interceptor.yaml -->
 ```YAML
@@ -182,6 +187,8 @@ spec:
             secretName: foo
             secretKey: bar
             namespace: baz
+          eventTypes:
+          - Push Hook
       bindings:
       - name: pipeline-binding
       template:

examples/eventlisteners/gitlab-eventlistener-interceptor.yaml

@@ -12,6 +12,8 @@ spec:
             secretName: foo
             secretKey: bar
             namespace: baz
+          eventTypes:
+          - Push Hook
       bindings:
       - name: pipeline-binding
       template:

pkg/apis/triggers/v1alpha1/event_listener_types.go

@@ -97,7 +97,8 @@ type GithubInterceptor struct {
 
 // GitlabInterceptor provides a webhook to intercept and pre-process events
 type GitlabInterceptor struct {
-	SecretRef *SecretRef `json:"secretRef,omitempty"`
+	SecretRef  *SecretRef `json:"secretRef,omitempty"`
+	EventTypes []string   `json:"eventTypes,omitempty"`
 }
 
 // SecretRef contains the information required to reference a single secret string

pkg/interceptors/gitlab/gitlab.go

@@ -19,6 +19,7 @@ package gitlab
 import (
 	"crypto/subtle"
 	"errors"
+	"fmt"
 	"net/http"
 
 	"github.com/tektoncd/triggers/pkg/interceptors"
@@ -46,23 +47,35 @@ func NewInterceptor(gl *triggersv1.GitlabInterceptor, k kubernetes.Interface, ns
 }
 
 func (w *Interceptor) ExecuteTrigger(payload []byte, request *http.Request, _ *triggersv1.EventListenerTrigger, _ string) ([]byte, error) {
-	// No secret set, just continue
-	if w.Gitlab.SecretRef == nil {
-		return payload, nil
-	}
-	header := request.Header.Get("X-Gitlab-Token")
-	if header == "" {
-		return nil, errors.New("no X-Gitlab-Token header set")
-	}
+	// Validate the secret first, if set.
+	if w.Gitlab.SecretRef != nil {
+		header := request.Header.Get("X-Gitlab-Token")
+		if header == "" {
+			return nil, errors.New("no X-Gitlab-Token header set")
+		}
 
-	secretToken, err := interceptors.GetSecretToken(w.KubeClientSet, w.Gitlab.SecretRef, w.EventListenerNamespace)
-	if err != nil {
-		return nil, err
-	}
+		secretToken, err := interceptors.GetSecretToken(w.KubeClientSet, w.Gitlab.SecretRef, w.EventListenerNamespace)
+		if err != nil {
+			return nil, err
+		}
 
-	// Make sure to use a constant time comparison here.
-	if subtle.ConstantTimeCompare([]byte(header), secretToken) == 0 {
-		return nil, errors.New("Invalid X-Gitlab-Token")
+		// Make sure to use a constant time comparison here.
+		if subtle.ConstantTimeCompare([]byte(header), secretToken) == 0 {
+			return nil, errors.New("Invalid X-Gitlab-Token")
+		}
+	}
+	if w.Gitlab.EventTypes != nil {
+		actualEvent := request.Header.Get("X-Gitlab-Event")
+		isAllowed := false
+		for _, allowedEvent := range w.Gitlab.EventTypes {
+			if actualEvent == allowedEvent {
+				isAllowed = true
+				break
+			}
+		}
+		if !isAllowed {
+			return nil, fmt.Errorf("event type %s is not allowed", actualEvent)
+		}
 	}
 
 	return payload, nil

pkg/interceptors/gitlab/gitlab_test.go

@@ -34,9 +34,10 @@ import (
 
 func TestInterceptor_ExecuteTrigger(t *testing.T) {
 	type args struct {
-		payload []byte
-		secret  *corev1.Secret
-		token   string
+		payload   []byte
+		secret    *corev1.Secret
+		token     string
+		eventType string
 	}
 	tests := []struct {
 		name    string
@@ -100,6 +101,101 @@ func TestInterceptor_ExecuteTrigger(t *testing.T) {
 			wantErr: false,
 			want:    []byte("somepayload"),
 		},
+		{
+			name: "valid event",
+			Gitlab: &triggersv1.GitlabInterceptor{
+				EventTypes: []string{"foo", "bar"},
+			},
+			args: args{
+				eventType: "foo",
+				payload:   []byte("somepayload"),
+			},
+			wantErr: false,
+			want:    []byte("somepayload"),
+		},
+		{
+			name: "invalid event",
+			Gitlab: &triggersv1.GitlabInterceptor{
+				EventTypes: []string{"foo", "bar"},
+			},
+			args: args{
+				eventType: "baz",
+				payload:   []byte("somepayload"),
+			},
+			wantErr: true,
+		},
+		{
+			name: "valid event, invalid secret",
+			Gitlab: &triggersv1.GitlabInterceptor{
+				EventTypes: []string{"foo", "bar"},
+				SecretRef: &triggersv1.SecretRef{
+					SecretName: "mysecret",
+					SecretKey:  "token",
+				},
+			},
+			args: args{
+				eventType: "bar",
+				payload:   []byte("somepayload"),
+				token:     "foo",
+				secret: &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "mysecret",
+					},
+					Data: map[string][]byte{
+						"token": []byte("secrettoken"),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "invalid event, valid secret",
+			Gitlab: &triggersv1.GitlabInterceptor{
+				EventTypes: []string{"foo", "bar"},
+				SecretRef: &triggersv1.SecretRef{
+					SecretName: "mysecret",
+					SecretKey:  "token",
+				},
+			},
+			args: args{
+				eventType: "baz",
+				payload:   []byte("somepayload"),
+				token:     "secrettoken",
+				secret: &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "mysecret",
+					},
+					Data: map[string][]byte{
+						"token": []byte("secrettoken"),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "valid event, valid secret",
+			Gitlab: &triggersv1.GitlabInterceptor{
+				EventTypes: []string{"foo", "bar"},
+				SecretRef: &triggersv1.SecretRef{
+					SecretName: "mysecret",
+					SecretKey:  "token",
+				},
+			},
+			args: args{
+				eventType: "bar",
+				payload:   []byte("somepayload"),
+				token:     "secrettoken",
+				secret: &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "mysecret",
+					},
+					Data: map[string][]byte{
+						"token": []byte("secrettoken"),
+					},
+				},
+			},
+			want: []byte("somepayload"),
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -115,6 +211,9 @@ func TestInterceptor_ExecuteTrigger(t *testing.T) {
 			if tt.args.token != "" {
 				request.Header.Add("X-Gitlab-Token", tt.args.token)
 			}
+			if tt.args.eventType != "" {
+				request.Header.Add("X-Gitlab-Event", tt.args.eventType)
+			}
 			if tt.args.secret != nil {
 				ns := tt.Gitlab.SecretRef.Namespace
 				if ns == "" {

third_party/VENDOR-LICENSE

@@ -7517,4 +7517,3 @@ Import: github.com/tektoncd/triggers/vendor/knative.dev/pkg
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-