work in progress but global config to set webhook secret working

Author: Bernhard Grünewaldt

DEVELOPMENT.md

@@ -22,7 +22,7 @@ Howto manually checkout certain branch at specific revision
 
 ```
 # Clone develop branch
-git clone --single-branch --branch develop https://github.com/codeclou/test-webhook.git .
+git clone --single-branch --branch develop https://github.com/codeclou/test-webhook.git foo
 # Switch to revision
 git reset --hard 495140cf2b763b8bc3821e25b4c26dd1273d6206
 ```

README.md

@@ -20,6 +20,9 @@ to a state where if your job just build your `master` Branch and you create a ta
 and push that tag, that the jenkins job will not be triggered, since the revisions are equal.
 
 
+### NOTE
+
+When using matrix-based security the 'Anonymous' user needs 'Job' `build,discover,read` rights.
 
 
 

pom.xml

@@ -52,10 +52,5 @@
       <artifactId>commons-io</artifactId>
       <version>2.5</version>
     </dependency>
-    <dependency>
-      <groupId>org.jenkins-ci.plugins</groupId>
-      <artifactId>git</artifactId>
-      <version>3.2.0</version>
-    </dependency>
   </dependencies>
 </project>

src/main/java/io/codeclou/jenkins/githubwebhooknotifierplugin/GithubWebhookEnvironmentContributionAction.java

@@ -0,0 +1,90 @@
+/*
+ * Licensed under MIT License
+ * Copyright (c) 2017 Bernhard Grünewaldt
+ */
+package io.codeclou.jenkins.githubwebhooknotifierplugin;
+
+import hudson.EnvVars;
+import hudson.model.AbstractBuild;
+import hudson.model.EnvironmentContributingAction;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class GithubWebhookEnvironmentContributionAction implements EnvironmentContributingAction {
+
+    private transient Map<String, String> environmentVariables = new HashMap<>();
+    private transient String envVarInfo;
+
+    public GithubWebhookEnvironmentContributionAction(GithubWebhookPayload payload) {
+        String normalizedBranch = this.normalizeBranchNameOrEmptyString(payload.getRef());
+        String normalizedTag = this.normalizeTagNameOrEmptyString(payload.getRef());
+        StringBuilder info = new StringBuilder();
+        info.append("   ref\n      -> $GWNP_REF            : ").append(payload.getRef()).append("\n");
+        info.append("      -> $GWNP_TAG            : ").append(normalizedTag).append("\n");
+        info.append("      -> $GWNP_BRANCH         : ").append(normalizedBranch).append("\n\n");
+        info.append("   before\n      -> $GWNP_COMMIT_BEFORE  : ").append(payload.getBefore()).append("\n\n");
+        info.append("   after\n      -> $GWNP_COMMIT_AFTER   : ").append(payload.getAfter()).append("\n\n");
+        info.append("   repository.clone_url\n      -> $GWNP_REPO_CLONE_URL : ").append(payload.getRepository().getClone_url()).append("\n\n");
+        info.append("   repository.html_url\n      -> $GWNP_REPO_HTML_URL  : ").append(payload.getRepository().getHtml_url()).append("\n\n");
+        info.append("   repository.full_name\n      -> $GWNP_REPO_FULL_NAME : ").append(payload.getRepository().getFull_name()).append("\n\n");
+        info.append("   repository.name\n      -> $GWNP_REPO_NAME      : ").append(payload.getRepository().getName()).append("\n\n");
+        this.envVarInfo = info.toString();
+        this.environmentVariables.put("GWNP_REF", payload.getRef());
+        this.environmentVariables.put("GWNP_TAG", normalizedTag);
+        this.environmentVariables.put("GWNP_BRANCH", normalizedBranch);
+        this.environmentVariables.put("GWNP_COMMIT_BEFORE", payload.getBefore());
+        this.environmentVariables.put("GWNP_COMMIT_AFTER", payload.getAfter());
+        this.environmentVariables.put("GWNP_REPO_CLONE_URL", payload.getRepository().getClone_url());
+        this.environmentVariables.put("GWNP_REPO_HTML_URL", payload.getRepository().getHtml_url());
+        this.environmentVariables.put("GWNP_REPO_FULL_NAME", payload.getRepository().getFull_name());
+        this.environmentVariables.put("GWNP_REPO_NAME", payload.getRepository().getName());
+    }
+
+    /*
+     * converts "refs/heads/develop" to "develop"
+     */
+    private String normalizeBranchNameOrEmptyString(String branchname) {
+        if (branchname.startsWith("refs/heads/")) {
+            return branchname.replace("refs/heads/", "");
+        }
+        return "";
+    }
+
+    /*
+     * converts "refs/tags/1.0.0" to "1.0.0"
+     */
+    private String normalizeTagNameOrEmptyString(String tagname) {
+        if (tagname.startsWith("refs/tags/")) {
+            return tagname.replace("refs/tags/", "");
+        }
+        return "";
+    }
+
+    protected String getEnvVarInfo() {
+        return this.envVarInfo;
+    }
+
+
+    public String getIconFileName() {
+        return null;
+    }
+
+    public String getDisplayName() {
+        return "GithubWebhookEnvironmentContributionAction";
+    }
+
+    public String getUrlName() {
+        return "GithubWebhookEnvironmentContributionAction";
+    }
+
+    @Override
+    public void buildEnvVars(AbstractBuild<?, ?> build, EnvVars env) {
+        if (env == null) {
+            return;
+        }
+        if (environmentVariables != null) {
+            env.putAll(environmentVariables);
+        }
+    }
+}

src/main/java/io/codeclou/jenkins/githubwebhooknotifierplugin/GithubWebhookNotifyAction.java

@@ -7,7 +7,10 @@
 import com.google.gson.Gson;
 import com.google.gson.JsonSyntaxException;
 import hudson.Extension;
-import hudson.model.UnprotectedRootAction;
+import hudson.model.*;
+import hudson.scm.SCMRevisionState;
+import hudson.triggers.SCMTrigger;
+import hudson.triggers.Trigger;
 import hudson.util.HttpResponses;
 import jenkins.model.Jenkins;
 import org.apache.commons.io.IOUtils;
@@ -32,6 +35,9 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
 
 @Extension
 public class GithubWebhookNotifyAction implements UnprotectedRootAction {
@@ -56,65 +62,60 @@ public String getDisplayName() {
      */
     @RequirePOST
     public HttpResponse doReceive(HttpServletRequest request, StaplerRequest staplerRequest) throws IOException, ServletException {
-        String jenkinsRootUrl = Jenkins.getInstance().getRootUrl(); // will return something like: http://localhost:8080/jenkins/
         BufferedReader reader = request.getReader();
         Gson gson = new Gson();
         try {
             GithubWebhookPayload githubWebhookPayload = gson.fromJson(reader, GithubWebhookPayload.class);
-            // Trigger Git-Plugins notify push SCM Polling Endpoint
-            String gitPluginNotifyUrl = jenkinsRootUrl +
-                    "git/notifyCommit?url=" +
-                    githubWebhookPayload.getRepository().getClone_url() +
-                    "&branches=" +
-                    this.normalizeBranchNameForJenkins(githubWebhookPayload.getRef()) +
-                    "&sha1=" +
-                    githubWebhookPayload.getAfter();
-            SSLContext sslContext = new SSLContextBuilder()
-                    .loadTrustMaterial(null, new TrustStrategy() {
-                        @Override
-                        public boolean isTrusted(X509Certificate[] certificate, String authType) throws CertificateException {
-                            return true;
-                        }
-                    }).build();
-            CloseableHttpClient client = HttpClients.custom()
-                    .setSSLContext(sslContext)
-                    .setSSLHostnameVerifier(new NoopHostnameVerifier())
-                    .build();
-            HttpGet httpGet = new HttpGet(gitPluginNotifyUrl);
-            CloseableHttpResponse response = client.execute(httpGet);
-            int statusCode = response.getStatusLine().getStatusCode();
-            String gitNotificationResponse = IOUtils.toString(response.getEntity().getContent(), "UTF-8");
-            StringBuilder responseText = new StringBuilder();
-            responseText.append("----------------------------------------------------------------------------------\n");
-            responseText.append("github-webhook-notifier-plugin - parsed webhook payload:\n");
-            responseText.append("   ref:       ").append(githubWebhookPayload.getRef()).append("\n");
-            responseText.append("   before:    ").append(githubWebhookPayload.getBefore()).append("\n");
-            responseText.append("   after:     ").append(githubWebhookPayload.getAfter()).append("\n");
-            responseText.append("   clone_url: ").append(githubWebhookPayload.getRepository().getClone_url()).append("\n");
-            responseText.append("----------------------------------------------------------------------------------\n");
-            responseText.append(">> REQUEST\n").append(gitPluginNotifyUrl).append("\n\n");
-            responseText.append("<< RESPONSE HTTP ").append(statusCode).append("\n");
-            responseText.append(gitNotificationResponse);
-            if (statusCode != 200) {
-                return HttpResponses.error(400, responseText.toString());
+            GithubWebhookEnvironmentContributionAction environmentContributionAction = new GithubWebhookEnvironmentContributionAction(githubWebhookPayload);
+            String jobNamePrefix = this.normalizeRepoFullName(githubWebhookPayload.getRepository().getFull_name());
+            StringBuilder jobsTriggered = new StringBuilder();
+            ArrayList<String> jobsAlreadyTriggered = new ArrayList<>();
+            StringBuilder causeNote = new StringBuilder();
+            causeNote.append("github-webhook-notifier-plugin:\n");
+            causeNote.append(githubWebhookPayload.getAfter()).append("\n");
+            causeNote.append(githubWebhookPayload.getRef()).append("\n");
+            causeNote.append(githubWebhookPayload.getRepository().getClone_url());
+            Cause cause = new Cause.RemoteCause("github.com", causeNote.toString());
+            Collection<Job> jobs = Jenkins.getInstance().getAllItems(Job.class);
+            if (jobs.isEmpty()) {
+                jobsTriggered.append("WARNING NO JOBS FOUND!\n");
+                jobsTriggered.append("If you are using matrix-based security, please give the following rights to 'Anonymous'.\n");
+                jobsTriggered.append("'Job' -> build, discover, read.\n");
             }
-            return HttpResponses.plainText(responseText.toString());
+            for (Job job: jobs) {
+                if (job.getName().startsWith(jobNamePrefix) && ! jobsAlreadyTriggered.contains(job.getName())) {
+                    jobsTriggered.append("   ").append(job.getName()).append("\n");
+                    jobsAlreadyTriggered.add(job.getName());
+                    AbstractProject projectScheduable = (AbstractProject) job;
+                    projectScheduable.scheduleBuild(0, cause, environmentContributionAction);
+                }
+            }
+            StringBuilder info = new StringBuilder();
+            info.append(">> webhook content to env vars").append("\n");
+            info.append(environmentContributionAction.getEnvVarInfo());
+            info.append("\n");
+            info.append(">> jobs triggered with name matching '").append(jobNamePrefix).append("*'").append("\n");
+            info.append(jobsTriggered.toString());
+            return HttpResponses.plainText(this.getTextEnvelopedInBanner(info.toString()));
         } catch (JsonSyntaxException ex) {
-            return HttpResponses.error(500, "github-webhook-notifier-plugin: github webhook json invalid");
-        } catch (NoSuchAlgorithmException ex) {
-            return HttpResponses.error(500, "github-webhook-notifier-plugin: internal error NoSuchAlgorithmException");
-        } catch (KeyStoreException ex) {
-            return HttpResponses.error(500, "github-webhook-notifier-plugin: internal error KeyStoreException");
-        } catch (KeyManagementException ex) {
-            return HttpResponses.error(500, "github-webhook-notifier-plugin: internal error KeyManagementException");
+            return HttpResponses.error(500, this.getTextEnvelopedInBanner("github webhook json invalid"));
         }
     }
 
     /*
-     * converts "refs/heads/develop" to "origin/develop"
+     * converts "codeclou/foo" to "codeclou---foo"
      */
-    private String normalizeBranchNameForJenkins(String branchname) {
-        return branchname.replace("refs/heads/", "origin/");
+    private String normalizeRepoFullName(String reponame) {
+        return reponame.replace("/", "---");
     }
 
+    private String getTextEnvelopedInBanner(String text) {
+        StringBuilder banner = new StringBuilder();
+        banner.append("----------------------------------------------------------------------------------\n");
+        banner.append("github-webhook-notifier-plugin").append("\n");
+        banner.append("----------------------------------------------------------------------------------\n");
+        banner.append(text);
+        banner.append("\n----------------------------------------------------------------------------------\n");
+        return banner.toString();
+    }
 }

src/main/java/io/codeclou/jenkins/githubwebhooknotifierplugin/config/GithubWebhookNotifierPluginBuilder.java

@@ -0,0 +1,61 @@
+package io.codeclou.jenkins.githubwebhooknotifierplugin.config;
+
+import hudson.Extension;
+import hudson.model.AbstractProject;
+import hudson.tasks.BuildStepDescriptor;
+import hudson.tasks.Builder;
+import hudson.tasks.Publisher;
+import net.sf.json.JSONObject;
+import org.kohsuke.stapler.StaplerRequest;
+
+
+public class GithubWebhookNotifierPluginBuilder extends Builder {
+
+    @Extension
+    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
+
+        private String webhookSecret;
+        private static DescriptorImpl descriptor=null;
+
+        public DescriptorImpl() {
+            load();
+            descriptor=this;
+        }
+        public DescriptorImpl(String webhookSecret) {
+            load();
+            this.webhookSecret=webhookSecret;
+            descriptor=this;
+        }
+        public static DescriptorImpl getDescriptor() {
+            return descriptor;
+        }
+
+        @Override
+        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
+            return true;
+        }
+
+        @Override
+        public String getDisplayName() {
+            return "GithubWebhookNotifierPlugin";
+        }
+
+        @Override
+        public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
+            json = json.getJSONObject("config");
+            webhookSecret = json.getString("webhookSecret");
+            save();
+            return true;
+        }
+
+        public String getWebhookSecret() {
+            return webhookSecret;
+        }
+
+        public void setWebhookSecret(String webhookSecret) {
+            this.webhookSecret = webhookSecret;
+        }
+
+    }
+
+}

src/main/resources/io/codeclou/jenkins/githubwebhooknotifierplugin/config/GithubWebhookNotifierPluginBuilder/global.jelly

@@ -0,0 +1,9 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define"
+         xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
+    <f:section title="${%Github Webhook Notifier Plugin}" name="config">
+        <f:entry title="${%GitHub webhook secret}" field="webhookSecret">
+            <f:textbox/>
+        </f:entry>
+    </f:section>
+</j:jelly>