131868bdca
Major security, observability, and configuration improvements:
## Security Hardening
- Implemented configurable CORS (no more wildcards)
- Added comprehensive auth middleware for admin endpoints
- Enhanced webhook HMAC validation
- Added input validation and rate limiting
- Security headers and CSP policies
## Configuration Management
- Made N8N webhook URL configurable (WHOOSH_N8N_BASE_URL)
- Replaced all hardcoded endpoints with environment variables
- Added feature flags for LLM vs heuristic composition
- Gitea fetch hardening with EAGER_FILTER and FULL_RESCAN options
## API Completeness
- Implemented GetCouncilComposition function
- Added GET /api/v1/councils/{id} endpoint
- Council artifacts API (POST/GET /api/v1/councils/{id}/artifacts)
- /admin/health/details endpoint with component status
- Database lookup for repository URLs (no hardcoded fallbacks)
## Observability & Performance
- Added OpenTelemetry distributed tracing with goal/pulse correlation
- Performance optimization database indexes
- Comprehensive health monitoring
- Enhanced logging and error handling
## Infrastructure
- Production-ready P2P discovery (replaces mock implementation)
- Removed unused Redis configuration
- Enhanced Docker Swarm integration
- Added migration files for performance indexes
## Code Quality
- Comprehensive input validation
- Graceful error handling and failsafe fallbacks
- Backwards compatibility maintained
- Following security best practices
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
273 lines
7.5 KiB
Go
273 lines
7.5 KiB
Go
package gitea
|
|
|
|
import (
|
|
"context"
|
|
"crypto/hmac"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/rs/zerolog/log"
|
|
"go.opentelemetry.io/otel/attribute"
|
|
|
|
"github.com/chorus-services/whoosh/internal/tracing"
|
|
)
|
|
|
|
type WebhookHandler struct {
|
|
secret string
|
|
}
|
|
|
|
func NewWebhookHandler(secret string) *WebhookHandler {
|
|
return &WebhookHandler{
|
|
secret: secret,
|
|
}
|
|
}
|
|
|
|
func (h *WebhookHandler) ValidateSignature(payload []byte, signature string) bool {
|
|
if signature == "" {
|
|
log.Warn().Msg("No signature provided in webhook")
|
|
return false
|
|
}
|
|
|
|
// Remove "sha256=" prefix if present
|
|
signature = strings.TrimPrefix(signature, "sha256=")
|
|
|
|
// Calculate expected signature
|
|
mac := hmac.New(sha256.New, []byte(h.secret))
|
|
mac.Write(payload)
|
|
expectedSignature := hex.EncodeToString(mac.Sum(nil))
|
|
|
|
// Compare signatures
|
|
return hmac.Equal([]byte(signature), []byte(expectedSignature))
|
|
}
|
|
|
|
func (h *WebhookHandler) ParsePayload(r *http.Request) (*WebhookPayload, error) {
|
|
return h.ParsePayloadWithContext(r.Context(), r)
|
|
}
|
|
|
|
func (h *WebhookHandler) ParsePayloadWithContext(ctx context.Context, r *http.Request) (*WebhookPayload, error) {
|
|
ctx, span := tracing.StartWebhookSpan(ctx, "parse_payload", "gitea")
|
|
defer span.End()
|
|
|
|
// Add tracing attributes
|
|
span.SetAttributes(
|
|
attribute.String("webhook.source", "gitea"),
|
|
attribute.String("webhook.content_type", r.Header.Get("Content-Type")),
|
|
attribute.String("webhook.user_agent", r.Header.Get("User-Agent")),
|
|
attribute.String("webhook.remote_addr", r.RemoteAddr),
|
|
)
|
|
|
|
// Limit request body size to prevent DoS attacks (max 10MB for webhooks)
|
|
r.Body = http.MaxBytesReader(nil, r.Body, 10*1024*1024)
|
|
|
|
// Read request body
|
|
body, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
tracing.SetSpanError(span, err)
|
|
span.SetAttributes(attribute.String("webhook.parse.status", "failed"))
|
|
return nil, fmt.Errorf("failed to read request body: %w", err)
|
|
}
|
|
|
|
span.SetAttributes(attribute.Int("webhook.payload.size_bytes", len(body)))
|
|
|
|
// Validate signature if secret is configured
|
|
if h.secret != "" {
|
|
signature := r.Header.Get("X-Gitea-Signature")
|
|
span.SetAttributes(attribute.Bool("webhook.signature_required", true))
|
|
if signature == "" {
|
|
err := fmt.Errorf("webhook signature required but missing")
|
|
tracing.SetSpanError(span, err)
|
|
span.SetAttributes(attribute.String("webhook.parse.status", "signature_missing"))
|
|
return nil, err
|
|
}
|
|
if !h.ValidateSignature(body, signature) {
|
|
log.Warn().
|
|
Str("remote_addr", r.RemoteAddr).
|
|
Str("user_agent", r.Header.Get("User-Agent")).
|
|
Msg("Invalid webhook signature attempt")
|
|
err := fmt.Errorf("invalid webhook signature")
|
|
tracing.SetSpanError(span, err)
|
|
span.SetAttributes(attribute.String("webhook.parse.status", "invalid_signature"))
|
|
return nil, err
|
|
}
|
|
span.SetAttributes(attribute.Bool("webhook.signature_valid", true))
|
|
} else {
|
|
span.SetAttributes(attribute.Bool("webhook.signature_required", false))
|
|
}
|
|
|
|
// Validate Content-Type header
|
|
contentType := r.Header.Get("Content-Type")
|
|
if !strings.Contains(contentType, "application/json") {
|
|
err := fmt.Errorf("invalid content type: expected application/json")
|
|
tracing.SetSpanError(span, err)
|
|
span.SetAttributes(attribute.String("webhook.parse.status", "invalid_content_type"))
|
|
return nil, err
|
|
}
|
|
|
|
// Parse JSON payload with size validation
|
|
if len(body) == 0 {
|
|
err := fmt.Errorf("empty webhook payload")
|
|
tracing.SetSpanError(span, err)
|
|
span.SetAttributes(attribute.String("webhook.parse.status", "empty_payload"))
|
|
return nil, err
|
|
}
|
|
|
|
var payload WebhookPayload
|
|
if err := json.Unmarshal(body, &payload); err != nil {
|
|
tracing.SetSpanError(span, err)
|
|
span.SetAttributes(attribute.String("webhook.parse.status", "json_parse_failed"))
|
|
return nil, fmt.Errorf("failed to parse webhook payload: %w", err)
|
|
}
|
|
|
|
// Add payload information to span
|
|
span.SetAttributes(
|
|
attribute.String("webhook.event_type", payload.Action),
|
|
attribute.String("webhook.parse.status", "success"),
|
|
)
|
|
|
|
// Add repository and issue information if available
|
|
if payload.Repository.FullName != "" {
|
|
span.SetAttributes(
|
|
attribute.String("webhook.repository.full_name", payload.Repository.FullName),
|
|
attribute.Int64("webhook.repository.id", payload.Repository.ID),
|
|
)
|
|
}
|
|
|
|
if payload.Issue != nil {
|
|
span.SetAttributes(
|
|
attribute.Int64("webhook.issue.id", payload.Issue.ID),
|
|
attribute.String("webhook.issue.title", payload.Issue.Title),
|
|
attribute.String("webhook.issue.state", payload.Issue.State),
|
|
)
|
|
}
|
|
|
|
return &payload, nil
|
|
}
|
|
|
|
func (h *WebhookHandler) IsTaskIssue(issue *Issue) bool {
|
|
if issue == nil {
|
|
return false
|
|
}
|
|
|
|
// Check for bzzz-task label
|
|
for _, label := range issue.Labels {
|
|
if label.Name == "bzzz-task" {
|
|
return true
|
|
}
|
|
}
|
|
|
|
// Also check title/body for task indicators (MVP fallback)
|
|
title := strings.ToLower(issue.Title)
|
|
body := strings.ToLower(issue.Body)
|
|
|
|
taskIndicators := []string{"task:", "[task]", "bzzz-task", "agent task"}
|
|
for _, indicator := range taskIndicators {
|
|
if strings.Contains(title, indicator) || strings.Contains(body, indicator) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func (h *WebhookHandler) ExtractTaskInfo(issue *Issue) map[string]interface{} {
|
|
if issue == nil {
|
|
return nil
|
|
}
|
|
|
|
taskInfo := map[string]interface{}{
|
|
"id": issue.ID,
|
|
"number": issue.Number,
|
|
"title": issue.Title,
|
|
"body": issue.Body,
|
|
"state": issue.State,
|
|
"url": issue.HTMLURL,
|
|
"repository": issue.Repository.FullName,
|
|
"created_at": issue.CreatedAt,
|
|
"updated_at": issue.UpdatedAt,
|
|
"labels": make([]string, len(issue.Labels)),
|
|
}
|
|
|
|
// Extract label names
|
|
for i, label := range issue.Labels {
|
|
taskInfo["labels"].([]string)[i] = label.Name
|
|
}
|
|
|
|
// Extract task priority from labels
|
|
priority := "normal"
|
|
for _, label := range issue.Labels {
|
|
switch strings.ToLower(label.Name) {
|
|
case "priority:high", "high-priority", "urgent":
|
|
priority = "high"
|
|
case "priority:low", "low-priority":
|
|
priority = "low"
|
|
case "priority:critical", "critical":
|
|
priority = "critical"
|
|
}
|
|
}
|
|
taskInfo["priority"] = priority
|
|
|
|
// Extract task type from labels
|
|
taskType := "general"
|
|
for _, label := range issue.Labels {
|
|
switch strings.ToLower(label.Name) {
|
|
case "type:bug", "bug":
|
|
taskType = "bug"
|
|
case "type:feature", "feature", "enhancement":
|
|
taskType = "feature"
|
|
case "type:docs", "documentation":
|
|
taskType = "documentation"
|
|
case "type:refactor", "refactoring":
|
|
taskType = "refactor"
|
|
case "type:test", "testing":
|
|
taskType = "test"
|
|
}
|
|
}
|
|
taskInfo["task_type"] = taskType
|
|
|
|
return taskInfo
|
|
}
|
|
|
|
type WebhookEvent struct {
|
|
Type string `json:"type"`
|
|
Action string `json:"action"`
|
|
Repository string `json:"repository"`
|
|
Issue *Issue `json:"issue,omitempty"`
|
|
TaskInfo map[string]interface{} `json:"task_info,omitempty"`
|
|
Timestamp int64 `json:"timestamp"`
|
|
}
|
|
|
|
func (h *WebhookHandler) ProcessWebhook(payload *WebhookPayload) *WebhookEvent {
|
|
event := &WebhookEvent{
|
|
Type: "gitea_webhook",
|
|
Action: payload.Action,
|
|
Repository: payload.Repository.FullName,
|
|
Timestamp: time.Now().Unix(),
|
|
}
|
|
|
|
|
|
if payload.Issue != nil {
|
|
event.Issue = payload.Issue
|
|
|
|
// Check if this is a task issue
|
|
if h.IsTaskIssue(payload.Issue) {
|
|
event.TaskInfo = h.ExtractTaskInfo(payload.Issue)
|
|
|
|
log.Info().
|
|
Str("action", payload.Action).
|
|
Str("repository", payload.Repository.FullName).
|
|
Int64("issue_number", payload.Issue.Number).
|
|
Str("title", payload.Issue.Title).
|
|
Msg("Processing task issue webhook")
|
|
}
|
|
}
|
|
|
|
return event
|
|
}
|
|
|