Remove signature check
All checks were successful
ci/woodpecker/tag/woodpecker Pipeline was successful
All checks were successful
ci/woodpecker/tag/woodpecker Pipeline was successful
This commit is contained in:
parent
ac43fa1572
commit
81019dc330
@ -22,8 +22,6 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o /woodpecker-config-service
|
||||
# the application is going to listen on by default.
|
||||
# https://docs.docker.com/engine/reference/builder/#expose
|
||||
EXPOSE 8000
|
||||
VOLUME [ "/data/woodpecker.pub" ]
|
||||
ENV CONFIG_SERVICE_PUBLIC_KEY_FILE=/data/woodpecker.pub
|
||||
|
||||
# Run
|
||||
CMD ["/woodpecker-config-service"]
|
52
main.go
52
main.go
@ -1,18 +1,12 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/ed25519"
|
||||
"crypto/x509"
|
||||
_ "embed"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/go-ap/httpsig"
|
||||
"github.com/woodpecker-ci/woodpecker/server/model"
|
||||
"gopkg.in/yaml.v3"
|
||||
)
|
||||
@ -35,56 +29,12 @@ type pipeline struct {
|
||||
func main() {
|
||||
log.Println("Woodpecker central config server")
|
||||
|
||||
pubKeyPath := os.Getenv("CONFIG_SERVICE_PUBLIC_KEY_FILE") // Key in format of the one fetched from http(s)://your-woodpecker-server/api/signature/public-key
|
||||
|
||||
if pubKeyPath == "" {
|
||||
log.Fatal("Please make sure CONFIG_SERVICE_PUBLIC_KEY_FILE is set properly")
|
||||
}
|
||||
|
||||
pubKeyRaw, err := ioutil.ReadFile(pubKeyPath)
|
||||
if err != nil {
|
||||
log.Fatal("Failed to read public key file")
|
||||
}
|
||||
|
||||
pemblock, _ := pem.Decode(pubKeyRaw)
|
||||
|
||||
b, err := x509.ParsePKIXPublicKey(pemblock.Bytes)
|
||||
if err != nil {
|
||||
log.Fatal("Failed to parse public key file ", err)
|
||||
}
|
||||
pubKey, ok := b.(ed25519.PublicKey)
|
||||
if !ok {
|
||||
log.Fatal("Failed to parse public key file")
|
||||
}
|
||||
|
||||
http.HandleFunc("/ciconfig", func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.Method != http.MethodPost {
|
||||
w.WriteHeader(http.StatusMethodNotAllowed)
|
||||
return
|
||||
}
|
||||
|
||||
// check signature
|
||||
pubKeyID := "woodpecker-ci-plugins"
|
||||
|
||||
keystore := httpsig.NewMemoryKeyStore()
|
||||
keystore.SetKey(pubKeyID, pubKey)
|
||||
|
||||
verifier := httpsig.NewVerifier(keystore)
|
||||
verifier.SetRequiredHeaders([]string{"(request-target)", "date"})
|
||||
|
||||
keyID, err := verifier.Verify(r)
|
||||
if err != nil {
|
||||
log.Printf("config: invalid or missing signature in http.Request")
|
||||
http.Error(w, "Invalid or Missing Signature", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
if keyID != pubKeyID {
|
||||
log.Printf("config: invalid signature in http.Request")
|
||||
http.Error(w, "Invalid Signature", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
var req incoming
|
||||
body, err := ioutil.ReadAll(r.Body)
|
||||
if err != nil {
|
||||
@ -141,7 +91,7 @@ func main() {
|
||||
}
|
||||
})
|
||||
|
||||
err = http.ListenAndServe(":8000", nil)
|
||||
err := http.ListenAndServe(":8000", nil)
|
||||
if err != nil {
|
||||
log.Fatalf("Error on listen: %v", err)
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user