Ok, pretty sure I got it now

This commit is contained in:
Ubergeek 2019-03-22 16:52:54 +00:00
parent 197b25b76f
commit 1920355074
1 changed files with 61 additions and 21 deletions


@ -1,14 +1,28 @@
<?php
/* gitea deploy webhook */
/* So, this webhook current accepts hooks for www, ansible, and soon
* gopher. It's pretty extensible, and is currently written for gitea,
* but things like gitlab, github, etc should be feasible, if not
* downright easy.
*
* While this 'should' work fine with numberic keys, and has been
* tested, php's loose casting makes it a crap shoot. We should
* probably not start tokens with a 0, or a number for that matter?
* All project hooks need to use the same key.
*
* Also, tildegit's IP address is hard-wired here, so we only accept
* hooks from tildegit. This will need that change, if it moves.
*/
/* security */
$access_token = 'abcdefghijklmnop';
$access_token = (string)'01234567890';
$ansible_lastrun = '/dev/shm/ansible-hook-last-run';
$ansible_dropfile = '/dev/shm/run-ansible';
$www_lastrun = '/dev/shm/www-hook-last-run';
$www_dropfile = '/dev/shm/run-www';
$remoteip = $_SERVER['REMOTE_ADDR'];
$gopher_lastrun = '/dev/shm/gopher-hook-last-run';
$gopher_dropfile = '/dev/shm/run-gopher';
//$remoteip = '195.201.242.48';
$remoteip = $_SERVER["REMOTE_ADDR"];
$allowedip = '195.201.242.48';
$ratelimit = 300;
@ -16,54 +30,80 @@ $ratelimit = 300;
$json = file_get_contents('php://input');
$data = json_decode($json, true);
/* check our token */
$client_token = $data["secret"];
if ($client_token !== $access_token)
if ((string)$client_token !== (string)$access_token)
{
http_response_code(403);
echo "HTTP 403 - Forbidden, P1.";
exit(0);
http_response_code(403);
echo "HTTP 403 - Forbidden, P1.\n";
exit(0);
}
if ($remoteip !== $allowedip)
/* check our source ip for the hook */
if ($remoteip != $allowedip)
{
http_repsonse_code(403);
echo "HTTP 403 - Forbidden, P2.";
exit(0);
http_response_code(403);
echo "HTTP 403 - Forbidden, P2.\n";
exit(0);
}
//* if you need get full json input */
//fwrite($fs, 'DATA: '.print_r($data, true).PHP_EOL);
// Hook for ansible here
if ($data["repository"]["full_name"] == 'thunix/ansible') {
syslog(LOG_INFO, 'Ansible Webhook recieved.');
// We limit runs to once per 5 minutes, so they don't try
// overlapping. Systemd shouldn't allow it, but we'll check
// anyways
if ( time () - filemtime ( $ansible_lastrun ) > $ratelimit ) {
touch ( $ansible_dropfile );
touch ( $ansible_lastrun );
echo "HTTP 200 - Ansible webhook recieved.";
echo "HTTP 200 - Ansible webhook recieved.\n";
}
else {
http_response_code(429);
echo "HTTP 429 - Rate Limited.";
echo "HTTP 429 - Rate Limited.\n";
exit(0);
}
}
// Hook for www repo here. Same rules apply, as above, for www. We
// could probably make it able to run more frequently. Backend job is
// just a git pull, and is quick.
elseif ($data["repository"]["full_name"] == 'thunix/www') {
syslog(LOG_INFO, 'WWW Webhook recieved.');
if ( time () - filemtime ( $www_lastrun ) > $ratelimit ) {
touch ( $www_dropfile );
touch ( $www_lastrun );
http_response_code(200);
echo "HTTP 200 - WWW webhook recieved.";
echo "HTTP 200 - WWW webhook recieved.\n";
}
else {
http_response_code(429);
echo "HTTP 429 - Rate Limited.";
echo "HTTP 429 - Rate Limited.\n";
exit(0);
}
}
}
// Hook for gopher. Not implemented on the backend yet.
elseif ($data["repository"]["full_name"] == 'thunix/gopher') {
syslog(LOG_INFO, 'Gopher Webhook recieved.');
if ( time () - filemtime ( $gopher_lastrun ) > $ratelimit ) {
touch ( $gopher_dropfile );
touch ( $gopher_lastrun );
http_response_code(200);
echo "HTTP 200 - Gopher webhook recieved.\n";
}
else {
http_response_code(429);
echo "HTTP 429 - Rate Limited.\n";
exit(0);
}
}
// Easter egg for anyone probing the hook. Enjoy. We're a coffee maker
// and not a teapot :)
else {
http_response_code(418);
echo "HTTP 418 - I'm a teapot.";
echo "HTTP 418 - I'm a teapot.\n";
exit(0);
}
?>
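Review bot: The secret check at `if ((string)$client_token !== (string)$access_token)` still uses a plain string inequality, which stops at the first differing byte; `if (!hash_equals((string)$access_token, (string)$client_token))` keeps the cast this commit added and makes the comparison constant-time. A few lines later the source-IP check `if ($remoteip != $allowedip)` is loose while the token check is strict, so for the casting reasons the header comment itself describes it should read `if ($remoteip !== $allowedip)`, and running that IP check before the secret check would keep requests from other hosts from ever reaching the token comparison. `$client_token = $data["secret"];` assumes json_decode succeeded; a non-JSON body leaves `$data` null and emits a notice before the 403, which `$client_token = $data['secret'] ?? '';` avoids. The `$remoteip` read from `$_SERVER["REMOTE_ADDR"]` in the first hunk is only the peer address, so if a reverse proxy ever fronts this script the allow-list check will match the proxy rather than the sender — worth stating in the header comment next to the hard-wired IP.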