Remove signature check
parent
ac43fa1572
commit
81019dc330
@ -22,8 +22,6 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o /woodpecker-config-service
|
|||||||
# the application is going to listen on by default.
|
# the application is going to listen on by default.
|
||||||
# https://docs.docker.com/engine/reference/builder/#expose
|
# https://docs.docker.com/engine/reference/builder/#expose
|
||||||
EXPOSE 8000
|
EXPOSE 8000
|
||||||
VOLUME [ "/data/woodpecker.pub" ]
|
|
||||||
ENV CONFIG_SERVICE_PUBLIC_KEY_FILE=/data/woodpecker.pub
|
|
||||||
|
|
||||||
# Run
|
# Run
|
||||||
CMD ["/woodpecker-config-service"]
|
CMD ["/woodpecker-config-service"]
|
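--- a/main.go
+++ b/main.go
@@ -1,18 +1,12 @@
 package main
 
 import (
-"crypto/ed25519"
-"crypto/x509"
-_ "embed"
 "encoding/json"
-"encoding/pem"
 "io/ioutil"
 "log"
 "net/http"
-"os"
 "strings"
 
-"github.com/go-ap/httpsig"
 "github.com/woodpecker-ci/woodpecker/server/model"
 "gopkg.in/yaml.v3"
 )
@@ -35,56 +29,12 @@ type pipeline struct {
 func main() {
 log.Println("Woodpecker central config server")
 
-pubKeyPath := os.Getenv("CONFIG_SERVICE_PUBLIC_KEY_FILE") // Key in format of the one fetched from http(s)://your-woodpecker-server/api/signature/public-key
-
-if pubKeyPath == "" {
-log.Fatal("Please make sure CONFIG_SERVICE_PUBLIC_KEY_FILE is set properly")
-}
-
-pubKeyRaw, err := ioutil.ReadFile(pubKeyPath)
-if err != nil {
-log.Fatal("Failed to read public key file")
-}
-
-pemblock, _ := pem.Decode(pubKeyRaw)
-
-b, err := x509.ParsePKIXPublicKey(pemblock.Bytes)
-if err != nil {
-log.Fatal("Failed to parse public key file ", err)
-}
-pubKey, ok := b.(ed25519.PublicKey)
-if !ok {
-log.Fatal("Failed to parse public key file")
-}
-
 http.HandleFunc("/ciconfig", func(w http.ResponseWriter, r *http.Request) {
 if r.Method != http.MethodPost {
 w.WriteHeader(http.StatusMethodNotAllowed)
 return
 }
 
-// check signature
-pubKeyID := "woodpecker-ci-plugins"
-
-keystore := httpsig.NewMemoryKeyStore()
-keystore.SetKey(pubKeyID, pubKey)
-
-verifier := httpsig.NewVerifier(keystore)
-verifier.SetRequiredHeaders([]string{"(request-target)", "date"})
-
-keyID, err := verifier.Verify(r)
-if err != nil {
-log.Printf("config: invalid or missing signature in http.Request")
-http.Error(w, "Invalid or Missing Signature", http.StatusBadRequest)
-return
-}
-
-if keyID != pubKeyID {
-log.Printf("config: invalid signature in http.Request")
-http.Error(w, "Invalid Signature", http.StatusBadRequest)
-return
-}
-
 var req incoming
 body, err := ioutil.ReadAll(r.Body)
 if err != nil {
@@ -141,7 +91,7 @@ func main() {
 }
 })
 
-err = http.ListenAndServe(":8000", nil)
+err := http.ListenAndServe(":8000", nil)
 if err != nil {
 log.Fatalf("Error on listen: %v", err)
 }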
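Review bot: With the httpsig verification removed, the `/ciconfig` handler in main.go accepts any POST that reaches `:8000`, and nothing in the visible hunks replaces that check. If the service is now meant to rely on network isolation, state that above `http.HandleFunc`, e.g. `// No request authentication: must only be reachable from the Woodpecker server.`; otherwise keep the verifier behind a configuration switch rather than deleting it. Because the body is now read before any caller is authenticated, bound it ahead of `ioutil.ReadAll`, e.g. `r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)` with `maxBodyBytes` a limit you choose. The handler body continues outside the hunks shown, so a later check cannot be ruled out from this page.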