Verified Commit 70007a70 authored by Sebastian Schüpbach's avatar Sebastian Schüpbach

check for secure token when communicating with gitlab

parent fc2331d7
Pipeline #34242 passed with stages
in 1 minute and 55 seconds
......@@ -3,7 +3,7 @@ from flask import request as flaskRequest
import json
import subprocess
from re import match
from os import environ, listdir, path
from os import environ, listdir, path, getenv
from shutil import rmtree
from tempfile import mkdtemp
from autodeploy_service_app.app import app
......@@ -46,6 +46,14 @@ class AutoDeploy(Resource):
output = []
try:
headers = flaskRequest.headers
secure_token = getenv('SECURE_TOKEN')
if secure_token and not headers['X-Gitlab-Token']:
app.logger.info('Request does not have an X-Gitlab-Token in headers')
return '{}', 403
if secure_token and headers['X-Gitlab-Token'].rstrip() is not secure_token.rstrip():
app.logger.warning('Request does not have a valid X-Gitlab-Token in headers')
return '{}', 403
body = json.loads(flaskRequest.data.decode('utf-8'))
tag = ''
branch = ''
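Review bot: The token comparison on the line `if secure_token and headers['X-Gitlab-Token'].rstrip() is not secure_token.rstrip():` tests object identity rather than string equality, so two equal token strings obtained from the environment and from the request compare as different and every webhook carrying the correct token is answered with 403 (and an identity match would not prove equality either). Replace it with a constant-time equality check, `if secure_token and not hmac.compare_digest(headers['X-Gitlab-Token'].rstrip(), secure_token.rstrip()):`, and add `import hmac` to the import block changed in the first hunk. The presence check just above it indexes `headers['X-Gitlab-Token']` directly, which raises KeyError when the header is missing instead of reaching the intended 403 branch; `headers.get('X-Gitlab-Token')` in both lines gives the intended behaviour (the enclosing `try` starts in the hunk but its handler lies outside it, so what that KeyError turns into cannot be seen here). Note also that when SECURE_TOKEN is unset the whole check is skipped, so the endpoint is fail-open by configuration; a startup warning, or treating a missing token as a refusal, would make that explicit.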
......@@ -24,6 +24,12 @@ spec:
- name: "{{ .Values.k8sGroupId }}-{{ .Values.k8sName }}-{{ .Values.k8sEnvironment }}-container"
image: "{{ .Values.registry }}/{{ .Values.image }}:{{ .Values.tag }}"
imagePullPolicy: Always
env:
- name: SECURE_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.secureTokenSecretName }}
key: SECURE_TOKEN
envFrom:
- configMapRef:
name: "{{ .Values.k8sGroupId }}-{{ .Values.k8sName }}-{{ .Values.k8sEnvironment }}-config-map"
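Review bot: The secret reference `name: {{ .Values.secureTokenSecretName }}` is the only templated value in this block left unquoted, while the image, container name and configMapRef lines wrap their expressions in double quotes; an override value starting with a character YAML interprets (`*`, `&`, `#`) would then render invalid, so for consistency write `name: "{{ .Values.secureTokenSecretName }}"`. The containing container spec begins before the hunk and continues past it.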
......@@ -15,4 +15,6 @@ k8sLimitsMemory: placeholder
k8sHost: placeholder
k8sPort: 5000
secureTokenSecretName: "gitlab-webhook-secure-token"
chartRegistryDomain: "cr.gitlab.switch.ch"