www/githook.php

<?php
/* So, this webhook current accepts hooks for www, ansible, and soon
 * gopher.  It's pretty extensible, and is currently written for gitea,
 * but things like gitlab, github, etc should be feasible, if not
 * downright easy.
 * 
 * While this 'should' work fine with numberic keys, and has been
 * tested, php's loose casting makes it a crap shoot.  We should
 * probably not start tokens with a 0, or a number for that matter?
 * All project hooks need to use the same key.
 * 
 * Also, tildegit's IP address is hard-wired here, so we only accept
 * hooks from tildegit.  This will need that change, if it moves.
*/

/* security */
$access_token     = (string)'asdfghjkl';
$ansible_lastrun  = '/dev/shm/ansible-hook-last-run';
$ansible_dropfile = '/dev/shm/run-ansible';
$www_lastrun      = '/dev/shm/www-hook-last-run';
$www_dropfile     = '/dev/shm/run-www';
$gopher_lastrun   = '/dev/shm/gopher-hook-last-run';
$gopher_dropfile  = '/dev/shm/run-gopher';
//$remoteip         = '195.201.242.48';
$remoteip         = $_SERVER["REMOTE_ADDR"];
$allowedip        = '195.201.242.48';
$ratelimit        = 300;

/* get json data */
$json = file_get_contents('php://input');
$data = json_decode($json, true);

/* check our token */
$client_token = $data["secret"];
if ((string)$client_token !== (string)$access_token)
{
	http_response_code(403); 
	echo "HTTP 403 - Forbidden, P1.\n";
	exit(0);
}

/* check our source ip for the hook */
if ($remoteip != $allowedip)
{
	http_response_code(403);
	echo "HTTP 403 - Forbidden, P2.\n";
	exit(0);
}

// Hook for ansible here
if ($data["repository"]["full_name"] == 'thunix/ansible') {
	syslog(LOG_INFO, 'Ansible Webhook recieved.');
	// We limit runs to once per 5 minutes, so they don't try
	// overlapping.  Systemd shouldn't allow it, but we'll check
	// anyways
	if ( time () - filemtime ( $ansible_lastrun ) > $ratelimit ) {
		touch ( $ansible_dropfile );
		touch ( $ansible_lastrun );
		echo "HTTP 200 - Ansible webhook recieved.\n";
		}
	else {
		http_response_code(429);
		echo "HTTP 429 - Rate Limited.\n";
		exit(0);
		}
}

// Hook for www repo here.  Same rules apply, as above, for www.  We
// could probably make it able to run more frequently.  Backend job is
// just a git pull, and is quick.
elseif ($data["repository"]["full_name"] == 'thunix/www') {
	syslog(LOG_INFO, 'WWW Webhook recieved.');
	if ( time () - filemtime ( $www_lastrun ) > $ratelimit ) {
		touch ( $www_dropfile );
		touch ( $www_lastrun );
		http_response_code(200);
		echo "HTTP 200 - WWW webhook recieved.\n";
		} 
	else {
		http_response_code(429);
		echo "HTTP 429 - Rate Limited.\n";
		exit(0);
		}
}

// Hook for gopher.  Not implemented on the backend yet.
elseif ($data["repository"]["full_name"] == 'thunix/gopher') {
	syslog(LOG_INFO, 'Gopher Webhook recieved.');
	if ( time () - filemtime ( $gopher_lastrun ) > $ratelimit ) {
		touch ( $gopher_dropfile );
		touch ( $gopher_lastrun );
		http_response_code(200);
		echo "HTTP 200 - Gopher webhook recieved.\n";
		} 
	else {
		http_response_code(429);
		echo "HTTP 429 - Rate Limited.\n";
		exit(0);
		}
}

// Easter egg for anyone probing the hook.  Enjoy.  We're a coffee maker
// and not a teapot :)
else {
	http_response_code(418);
	echo "HTTP 418 - I'm a teapot.\n";
	exit(0);
	}
?>
Adding githook 2019-03-17 01:31:59 +00:00			`<?php`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`/* So, this webhook current accepts hooks for www, ansible, and soon`
			`* gopher. It's pretty extensible, and is currently written for gitea,`
			`* but things like gitlab, github, etc should be feasible, if not`
			`* downright easy.`
			`*`
			`* While this 'should' work fine with numberic keys, and has been`
			`* tested, php's loose casting makes it a crap shoot. We should`
			`* probably not start tokens with a 0, or a number for that matter?`
			`* All project hooks need to use the same key.`
			`*`
			`* Also, tildegit's IP address is hard-wired here, so we only accept`
			`* hooks from tildegit. This will need that change, if it moves.`
			`*/`
Adding githook 2019-03-17 01:31:59 +00:00
Fixed githook for reals 2019-03-21 14:49:58 +00:00			`/* security */`
Better key, and safer 2019-03-22 16:56:32 +00:00			`$access_token = (string)'asdfghjkl';`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`$ansible_lastrun = '/dev/shm/ansible-hook-last-run';`
			`$ansible_dropfile = '/dev/shm/run-ansible';`
			`$www_lastrun = '/dev/shm/www-hook-last-run';`
			`$www_dropfile = '/dev/shm/run-www';`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`$gopher_lastrun = '/dev/shm/gopher-hook-last-run';`
			`$gopher_dropfile = '/dev/shm/run-gopher';`
			`//$remoteip = '195.201.242.48';`
			`$remoteip = $_SERVER["REMOTE_ADDR"];`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`$allowedip = '195.201.242.48';`
			`$ratelimit = 300;`
Adding githook 2019-03-17 01:31:59 +00:00
			`/* get json data */`
			`$json = file_get_contents('php://input');`
			`$data = json_decode($json, true);`

Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`/* check our token */`
Adding githook 2019-03-17 01:31:59 +00:00			`$client_token = $data["secret"];`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`if ((string)$client_token !== (string)$access_token)`
Adding githook 2019-03-17 01:31:59 +00:00			`{`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`http_response_code(403);`
			`echo "HTTP 403 - Forbidden, P1.\n";`
			`exit(0);`
Adding githook 2019-03-17 01:31:59 +00:00			`}`

Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`/* check our source ip for the hook */`
			`if ($remoteip != $allowedip)`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`{`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`http_response_code(403);`
			`echo "HTTP 403 - Forbidden, P2.\n";`
			`exit(0);`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`}`
Adding githook 2019-03-17 01:31:59 +00:00
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`// Hook for ansible here`
Fixed githook for reals 2019-03-21 14:49:58 +00:00			`if ($data["repository"]["full_name"] == 'thunix/ansible') {`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`syslog(LOG_INFO, 'Ansible Webhook recieved.');`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`// We limit runs to once per 5 minutes, so they don't try`
			`// overlapping. Systemd shouldn't allow it, but we'll check`
			`// anyways`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`if ( time () - filemtime ( $ansible_lastrun ) > $ratelimit ) {`
			`touch ( $ansible_dropfile );`
			`touch ( $ansible_lastrun );`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`echo "HTTP 200 - Ansible webhook recieved.\n";`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`}`
			`else {`
			`http_response_code(429);`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`echo "HTTP 429 - Rate Limited.\n";`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`exit(0);`
			`}`
			`}`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00
			`// Hook for www repo here. Same rules apply, as above, for www. We`
			`// could probably make it able to run more frequently. Backend job is`
			`// just a git pull, and is quick.`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`elseif ($data["repository"]["full_name"] == 'thunix/www') {`
			`syslog(LOG_INFO, 'WWW Webhook recieved.');`
Hopefully, fixed again 2019-03-21 15:26:54 +00:00			`if ( time () - filemtime ( $www_lastrun ) > $ratelimit ) {`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`touch ( $www_dropfile );`
			`touch ( $www_lastrun );`
			`http_response_code(200);`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`echo "HTTP 200 - WWW webhook recieved.\n";`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`}`
Adding githook 2019-03-17 01:31:59 +00:00			`else {`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`http_response_code(429);`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`echo "HTTP 429 - Rate Limited.\n";`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`exit(0);`
			`}`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`}`

			`// Hook for gopher. Not implemented on the backend yet.`
			`elseif ($data["repository"]["full_name"] == 'thunix/gopher') {`
			`syslog(LOG_INFO, 'Gopher Webhook recieved.');`
			`if ( time () - filemtime ( $gopher_lastrun ) > $ratelimit ) {`
			`touch ( $gopher_dropfile );`
			`touch ( $gopher_lastrun );`
			`http_response_code(200);`
			`echo "HTTP 200 - Gopher webhook recieved.\n";`
			`}`
			`else {`
			`http_response_code(429);`
			`echo "HTTP 429 - Rate Limited.\n";`
			`exit(0);`
			`}`
			`}`

			`// Easter egg for anyone probing the hook. Enjoy. We're a coffee maker`
			`// and not a teapot :)`
Updating the githook, and adding teapot easter egg. 2019-03-20 13:12:42 +00:00			`else {`
			`http_response_code(418);`
Ok, pretty sure I got it now 2019-03-22 16:52:54 +00:00			`echo "HTTP 418 - I'm a teapot.\n";`
Adding githook 2019-03-17 01:31:59 +00:00			`exit(0);`
			`}`
			`?>`