-
Notifications
You must be signed in to change notification settings - Fork 43
/
bitbucket_hook.go
199 lines (163 loc) · 4.52 KB
/
bitbucket_hook.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
package git
import (
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"net"
"net/http"
"strings"
"sync"
"time"
)
// BitbucketHook is webhook for BitBucket.org.
type BitbucketHook struct{}
type bbPush struct {
Push struct {
Changes []struct {
New struct {
Name string `json:"name,omitempty"`
} `json:"new,omitempty"`
} `json:"changes,omitempty"`
} `json:"push,omitempty"`
}
// DoesHandle satisfies hookHandler.
func (b BitbucketHook) DoesHandle(h http.Header) bool {
event := h.Get("X-Event-Key")
// for Gitlab you can only use X-Gitlab-Event header to test if you could handle the request
if event != "" {
return true
}
return false
}
// Handle satisfies hookHandler.
func (b BitbucketHook) Handle(w http.ResponseWriter, r *http.Request, repo *Repo) (int, error) {
if !b.verifyBitbucketIP(r.RemoteAddr) {
return http.StatusForbidden, errors.New("the request doesn't come from a valid IP")
}
if r.Method != "POST" {
return http.StatusMethodNotAllowed, errors.New("the request had an invalid method")
}
body, err := ioutil.ReadAll(r.Body)
if err != nil {
return http.StatusRequestTimeout, errors.New("could not read body from request")
}
event := r.Header.Get("X-Event-Key")
if event == "" {
return http.StatusBadRequest, errors.New("the 'X-Event-Key' header is required but was missing")
}
switch event {
case "repo:push":
err = b.handlePush(body, repo)
if !hookIgnored(err) && err != nil {
return http.StatusBadRequest, err
}
default:
// return 400 if we do not handle the event type.
return http.StatusBadRequest, nil
}
return http.StatusOK, err
}
func (b BitbucketHook) handlePush(body []byte, repo *Repo) error {
var push bbPush
err := json.Unmarshal(body, &push)
if err != nil {
return err
}
if len(push.Push.Changes) == 0 {
return errors.New("the push was incomplete, missing change list")
}
change := push.Push.Changes[0]
if len(change.New.Name) == 0 {
return errors.New("the push didn't contain a valid branch name")
}
branch := change.New.Name
if branch != repo.Branch {
return hookIgnoredError{hookType: hookName(b), err: fmt.Errorf("found different branch %v", branch)}
}
Logger().Print("Received pull notification for the tracking branch, updating...\n")
repo.Pull()
return nil
}
func hostOnly(remoteAddr string) string {
host, _, _ := net.SplitHostPort(remoteAddr)
if host == "" {
return remoteAddr
}
return host
}
func (b BitbucketHook) verifyBitbucketIP(remoteAddr string) bool {
ipAddress := net.ParseIP(hostOnly(remoteAddr))
updateBitBucketIPs()
atlassianIPsMu.Lock()
ipItems := atlassianIPs.Items
atlassianIPsMu.Unlock()
// if there was a problem getting list of IPs, might as well
// allow it since it could still need authentication anyway
if len(ipItems) == 0 {
return true
}
for _, item := range ipItems {
// it may be regular ip address
if !strings.Contains(item.CIDR, "/") {
ip := net.ParseIP(item.CIDR)
if ip.Equal(ipAddress) {
return true
}
continue
}
_, cidrnet, err := net.ParseCIDR(item.CIDR)
if err != nil {
Logger().Printf("Error parsing CIDR block [%s]. Skipping...\n", item.CIDR)
continue
}
if cidrnet.Contains(ipAddress) {
return true
}
}
return false
}
func updateBitBucketIPs() {
atlassianIPsMu.Lock()
defer atlassianIPsMu.Unlock()
// if list of IP ranges is outdated, get latest
if atlassianIPs.lastUpdated.IsZero() ||
time.Since(atlassianIPs.lastUpdated) > 24*time.Hour {
resp, err := http.Get("https://ip-ranges.atlassian.com/")
if err != nil {
// allow, since we can't know for sure either way, I guess
Logger().Printf("[ERROR] Requesting recent IPs for bitbucket: %v", err)
return
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
Logger().Printf("[ERROR] Getting recent IPs for bitbucket: HTTP %d", resp.StatusCode)
return
}
var newIPs atlassianIPResponse
err = json.NewDecoder(resp.Body).Decode(&newIPs)
if err != nil {
Logger().Printf("[ERROR] Decoding recent IPs for bitbucket: %v", err)
return
}
// replace the IP list
newIPs.lastUpdated = time.Now()
atlassianIPs = newIPs
}
}
type atlassianIPResponse struct {
CreationDate string `json:"creationDate"`
SyncToken int `json:"syncToken"`
Items []atlassianIPRange `json:"items"`
lastUpdated time.Time // added by us
}
type atlassianIPRange struct {
Network string `json:"network"`
MaskLen int `json:"mask_len"`
CIDR string `json:"cidr"`
Mask string `json:"mask"`
}
var (
atlassianIPs atlassianIPResponse
atlassianIPsMu sync.Mutex
)