feat: add support for gitlab webhook secrets

Author: jippi

cmd/cmd_server.go

@@ -47,13 +47,24 @@ func errHandler(w http.ResponseWriter, code int, err error) {
 func Server(cCtx *cli.Context) error { //nolint:unparam
 	mux := http.NewServeMux()
 
+	ourSecret := cCtx.String(FlagWebhookSecret)
+
 	// Initialize GitLab client
 	client, err := gitlab.NewClient(cCtx.String(FlagAPIToken), cCtx.String(FlagSCMBaseURL))
 	if err != nil {
 		return err
 	}
 
 	mux.HandleFunc("POST /gitlab", func(writer http.ResponseWriter, reader *http.Request) {
+		if len(ourSecret) > 0 {
+			theirSecret := reader.Header.Get("X-Gitlab-Token")
+			if ourSecret != theirSecret {
+				errHandler(writer, http.StatusForbidden, errors.New("Missing or invalid X-Gitlab-Token header"))
+
+				return
+			}
+		}
+
 		// Validate headers
 		if reader.Header.Get("Content-Type") != "application/json" {
 			errHandler(writer, http.StatusInternalServerError, errors.New("not json"))

cmd/conventions.go

@@ -6,4 +6,5 @@ const (
 	FlagSCMProject     = "project"
 	FlagSCMBaseURL     = "base-url"
 	FlagMergeRequestID = "id"
+	FlagWebhookSecret  = "webhook-secret"
 )

main.go

@@ -86,6 +86,15 @@ func main() {
 				Name:   "server",
 				Usage:  "Start HTTP server for webhook event driven usage",
 				Action: cmd.Server,
+				Flags: []cli.Flag{
+					&cli.StringFlag{
+						Name:  cmd.FlagWebhookSecret,
+						Usage: "Used to validate received payloads. Sent with the request in the X-Gitlab-Token HTTP header",
+						EnvVars: []string{
+							"SCM_ENGINE_WEBHOOK_SECRET",
+						},
+					},
+				},
 			},
 		},
 	}