From be7465feb9fda42e9b25531aa74c7c502cb635ee Mon Sep 17 00:00:00 2001 From: Martin Fechner Date: Wed, 8 Jun 2022 16:24:33 +0200 Subject: [PATCH 1/7] Bugfix github webhook --- src/modules/api.xql | 6 +++--- src/modules/github.xql | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/modules/api.xql b/src/modules/api.xql index 89ffab1..b98c850 100644 --- a/src/modules/api.xql +++ b/src/modules/api.xql @@ -362,12 +362,12 @@ declare function api:hook($request as map(*)) { return if (exists($config)) then ( - let $apikey := doc(config:apikeys())//apikeys/collection[name = $collection]/key/text() + let $apikey := doc(config:apikeys())//apikeys/collection[name = $git-collection]/key/text() return if ($apikey) then ( let $apikey-header := if ($config?vcs = "github" ) then - if (github:check-signature($git-collection, request:get-header("X-Hub-Signature"), request:get-data())) then + if (github:check-signature($git-collection, request:get-header("X-Hub-Signature-256"), util:binary-to-string(request:get-data()))) then $apikey else () else @@ -377,7 +377,7 @@ declare function api:hook($request as map(*)) { let $collection-path := config:prefix() || "/" || $git-collection let $lockfile := $collection-path || "/" || config:lock() let $collection-destination-sha := $collection-path || "/gitsha.xml" - let $login := xmldb:login($collection-path, $config:hookuser, $config:hookpasswd) + let $login := xmldb:login($collection-path, $config?hookuser, $config?hookpasswd) return if (not(exists(doc($lockfile)))) then ( diff --git a/src/modules/github.xql b/src/modules/github.xql index 64216c0..97d93d1 100644 --- a/src/modules/github.xql +++ b/src/modules/github.xql 
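Review bot: In the new check-signature call, `request:get-header("X-Hub-Signature-256")` is an empty sequence when the header is absent, while `github:check-signature` declares `$signature as xs:string`, so an unsigned request ends in a type error instead of a clean rejection; bind the header first and test it: `let $sig := request:get-header("X-Hub-Signature-256") return if (exists($sig) and github:check-signature($git-collection, $sig, util:binary-to-string(request:get-data()))) then`. Whether an enclosing try/catch turns that error into a sensible response is outside the hunk, as is the rest of api:hook. The `util:binary-to-string(request:get-data())` wrapper assumes the body arrives as binary data (presumably the case for the application/json payloads the README describes); a request with another content type may yield a node or string here instead, so a short comment stating that assumption would help the next reader.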
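Review bot: `$login` is bound to the result of `xmldb:login($collection-path, $config?hookuser, $config?hookpasswd)` but nothing in the hunk tests it, so if the remainder of api:hook (which continues outside the hunk) does not either, a wrong hookpasswd or a missing user leaves the request running as the caller and the update either fails later or runs with unintended permissions. A guard directly after the binding makes the failure explicit: `return if (not($login)) then error(xs:QName("api:login-failed"), "hook user login failed") else if (not(exists(doc($lockfile)))) then (`. If such a check already exists further down, disregard this.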
@@ -4,7 +4,7 @@ module namespace github="http://exist-db.org/apps/tuttle/github"; import module namespace http="http://expath.org/ns/http-client"; import module namespace compression="http://exist-db.org/xquery/compression"; -(:import module namespace crypto="http://expath.org/ns/crypto";:) +import module namespace crypto="http://expath.org/ns/crypto"; import module namespace app="http://exist-db.org/apps/tuttle/app" at "app.xql"; import module namespace config="http://exist-db.org/apps/tuttle/config" at "config.xql"; @@ -218,8 +218,8 @@ declare function github:get-url($config as map(*)) { :) declare function github:check-signature($collection as xs:string, $signature as xs:string, $payload as xs:string) as xs:boolean { let $private-key := xs:string(doc(config:apikeys())//apikeys/collection[name = $collection]/key/text()) -(: let $expected-signature := crypto:hmac($payload, $private-key, "HmacSha256", "base64"):) - let $expected-signature := "" + let $expected-signature := "sha256="||crypto:hmac($payload, $private-key, "HmacSha256", "hex") +(: let $expected-signature := "":) return if ($signature = $expected-signature) then From 8ad4542665091137e598d43ebd48dceca98e74be Mon Sep 17 00:00:00 2001 From: Martin Fechner Date: Thu, 9 Jun 2022 12:03:31 +0200 Subject: [PATCH 2/7] Fix security issues for webhook --- src/modules/app.xql | 4 +++- src/post-install.xql | 18 ++++++++++++++++++ src/repo.xml | 1 + 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 src/post-install.xql diff --git a/src/modules/app.xql b/src/modules/app.xql index 00a96ad..554b1f3 100644 --- a/src/modules/app.xql +++ b/src/modules/app.xql 
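Review bot: `$signature = $expected-signature` compares the two HMAC strings with ordinary string equality that stops at the first differing character, so the check is not constant-time; the usual defensive form compares keyed hashes of both values instead, e.g. `crypto:hmac($signature, $private-key, "HmacSha256", "hex") = crypto:hmac($expected-signature, $private-key, "HmacSha256", "hex")`. GitHub sends the hex digest in lower case; if the crypto module's "hex" encoding is upper case the comparison always fails, so it is worth confirming or normalising with `lower-case()` on both sides. The commented-out `(: let $expected-signature := "":)` is the old bypass and should be deleted rather than kept beside the live check.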
@@ -93,7 +93,9 @@ declare function app:write-apikey($collection as xs:string, $apikey as xs:string return update insert $add into doc(config:apikeys())//apikeys else let $add := {$collection}{$apikey} - return xmldb:store($collection-prefix, $apikey-resource, $add) + let $store := xmldb:store($collection-prefix, $apikey-resource, $add) + let $chmod := sm:chmod(config:apikeys(), "rw-r-----") + return $store } catch * { map { diff --git a/src/post-install.xql b/src/post-install.xql new file mode 100644 index 0000000..48534b4 --- /dev/null +++ b/src/post-install.xql @@ -0,0 +1,18 @@ +xquery version "3.1"; + +import module namespace api="http://exist-db.org/apps/tuttle/api" at "/db/apps/tuttle/modules/api.xql"; + +declare namespace sm="http://exist-db.org/xquery/securitymanager"; +declare namespace appconf="http://www.bbaw.de/telota/software/ediarum/web/appconf"; + +(: The following external variables are set by the repo:deploy function :) + +(: file path pointing to the exist installation directory :) +declare variable $home external; +(: path to the directory containing the unpacked .xar package :) +declare variable $dir external; +(: the target collection into which the app is deployed :) +declare variable $target external; + +sm:chmod(xs:anyURI($target||"/modules/api.xql"), "rwxr-sr-x"), +sm:chmod(xs:anyURI($target||"/data/tuttle.xml"), "rw-r-----") diff --git a/src/repo.xml b/src/repo.xml index 3f1af07..4c5f9d0 100644 --- a/src/repo.xml +++ b/src/repo.xml @@ -9,4 +9,5 @@ true application tuttle + post-install.xql From eee79045a099e1e7fbc00fd647317dfb05379657 Mon Sep 17 00:00:00 2001 From: Martin Fechner Date: Tue, 14 Jun 2022 17:29:52 +0200 Subject: [PATCH 3/7] Bugfix api:api-keygen --- src/modules/api.xql | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/modules/api.xql b/src/modules/api.xql index b98c850..c722215 100644 --- a/src/modules/api.xql +++ b/src/modules/api.xql 
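Review bot: `sm:chmod(config:apikeys(), "rw-r-----")` tightens the mode but not the owner or group of the key file, and both are inherited from whoever called the keygen endpoint; since the hook apparently relies on group read (api.xql is made setgid in post-install.xql of this same patch), a key file created by a dba caller may end up in a group the hook does not have, so consider an explicit `sm:chgrp` next to the chmod and a comment naming the expected group. The chmod also runs only in the branch that creates the file; an apikeys document left by an earlier version keeps its old mode unless the `update insert` branch, which starts outside the hunk, handles it. The chmod targets `config:apikeys()` while the store goes to `$collection-prefix || "/" || $apikey-resource`; presumably the same resource, which a comment could confirm.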
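Review bot: The `import module namespace api=... at "/db/apps/tuttle/modules/api.xql"` at the top of the new post-install.xql is never used and hard-codes an install path although `$target` is available and used two lines below; installing into any other collection would fail on the import before the chmods run, so drop it together with the unused `appconf` namespace declaration. The `rwxr-sr-x` mode on api.xql makes every endpoint in the module, not just the hook, execute with the module's group, so the reason should be recorded next to that line, e.g. `(: setgid: the unauthenticated hook must read the group-only key and config files :)`, along with the group the module is expected to belong to after deployment. Whether `$target||"/data/tuttle.xml"` is the same resource `config:apikeys()` points to is not visible here; if the API keys live elsewhere, that file keeps its default mode on upgrade.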
@@ -335,14 +335,16 @@ declare function api:incremental($request as map(*)) { : APIKey generation for webhooks :) declare function api:api-keygen($request as map(*)) { - let $git-collection := config:default-collection() + let $git-collection := + if (not(exists($request?parameters?collection))) + then config:default-collection() + else xmldb:decode-uri($request?parameters?collection) let $config := config:collections($git-collection) - let $collection := config:default-collection() return if (exists($config)) then ( let $apikey := app:random-key(42) - let $write-apikey := app:write-apikey($collection, $apikey) + let $write-apikey := app:write-apikey($git-collection, $apikey) return map { "APIKey" : $apikey From d4e8855caec8e9b935b3fdd82c6b1b2b7a1f41cf Mon Sep 17 00:00:00 2001 From: Lars Windauer Date: Thu, 4 Aug 2022 14:28:59 +0200 Subject: [PATCH 4/7] fixed path to expath-pkg.xml --- build.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.xml b/build.xml index f140130..37f7463 100644 --- a/build.xml +++ b/build.xml @@ -1,7 +1,7 @@ Tuttle Git integration for eXist-db - + From 523619e92bc2371c16168f3c2ead8f5863cb6425 Mon Sep 17 00:00:00 2001 From: dominik kuehne Date: Wed, 28 Sep 2022 15:08:17 +0200 Subject: [PATCH 5/7] add dependency --- src/expath-pkg.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/expath-pkg.xml b/src/expath-pkg.xml index 3acb8c5..7c1b76f 100644 --- a/src/expath-pkg.xml +++ b/src/expath-pkg.xml @@ -2,10 +2,10 @@ + abbrev="tuttle" version="1.1.2" spec="1.0"> Tuttle - Git for eXist-db - + From 40e1e213235626f082d7c662c7be753a0a89686c Mon Sep 17 00:00:00 2001 From: dominik kuehne Date: Wed, 28 Sep 2022 15:29:26 +0200 Subject: [PATCH 6/7] Add some hook documentation --- README.md | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index bb631f1..3a246ed 100644 --- a/README.md +++ b/README.md 
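Review bot: The header comment `: APIKey generation for webhooks :)` does not mention the new optional `collection` request parameter; extend it to say that the parameter selects the target collection, defaults to `config:default-collection()`, and that an unknown name is rejected by the `exists($config)` test below. The double negative `if (not(exists($request?parameters?collection))) then config:default-collection() else xmldb:decode-uri(...)` reads more naturally the other way round: `if (exists($request?parameters?collection)) then xmldb:decode-uri($request?parameters?collection) else config:default-collection()`. Calling the endpoint twice for one collection now reaches `app:write-apikey` with the same name both times; if its existing-document branch (`update insert $add into doc(config:apikeys())//apikeys`, visible in the app.xql hunk of patch 2) appends rather than replaces, the hook's lookup `collection[name = $git-collection]/key/text()` returns two keys and the `xs:string()` cast of that sequence in github:check-signature raises a type error, which is worth a test.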
@@ -20,11 +20,6 @@ Synchronizes your data collection with GitHub and GitLab. - the data xar containing the target collection must be installed prior to using Tuttle - Authtoken for git repository to use -## Current restrictions - -In version 1.1.1 not implemented: -- webhooks are not fully implemented. - ## Building and Installation Tuttle uses Gulp as its build tool which itself builds on NPM. @@ -94,8 +89,21 @@ Gitserver type: 'github' or 'gitlab' #### ref Define the working branch of the git repository -#### hookuser & hookpasswd (future use not implemented yet) -tba +#### hookuser & hookpasswd + +##### Create API-Keys for Github / Gitlab + +At this stage of development, the API keys must be generated via the API endpoint '/git/apikey' or for a specific collection '/git/{collection}/apikey'. + +In the configuration "tuttle.xml" the "hookuser" is used to define the dbuser which executes the update. + +Example configuration for GitHub: + * 'Payload URL': https://existdb:8443/exist/apps/tuttle/git/hook + * 'Content type': application/json + +Example configuration for GitLab: + * 'URL' : https://46.23.86.66:8443/exist/apps/tuttle/git/hook + ## Dashboard From 7cc4bebf443c47f9d335c48a4bed8997c93afa24 Mon Sep 17 00:00:00 2001 From: dominik kuehne Date: Wed, 28 Sep 2022 15:29:38 +0200 Subject: [PATCH 7/7] Version: 1.1.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 9ce7e60..2045d9d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "tuttle", - "version": "1.1.1", + "version": "1.1.2", "description": "tuttle - a Git-integration for eXist-db", "scripts": { "test": "gulp install && mocha --exit",