pact_broker 2.19.2 → 2.20.0

data/lib/pact_broker/locale/en.yml

@@ -9,6 +9,8 @@ en:
     valid_consumer_version_number?: "Consumer version number '%{value}' cannot be parsed to a version number. The expected format (unless this configuration has been overridden) is a semantic version. eg. 1.3.0 or 2.0.4.rc1"
 
   pact_broker:
+    messages:
+      response_body_hidden: For security purposes, the response details are not logged. To enable response logging, configure the webhook_host_whitelist property. See /doc/webhooks#whitelist for more information.
     errors:
       validation:
         blank: "cannot be blank."

data/lib/pact_broker/version.rb

@@ -1,3 +1,3 @@
 module PactBroker
-  VERSION = '2.19.2'
+  VERSION = '2.20.0'
 end

data/lib/pact_broker/webhooks/check_host_whitelist.rb

@@ -0,0 +1,22 @@
+module PactBroker
+  module Webhooks
+    class CheckHostWhitelist
+
+      def self.call(host, whitelist = PactBroker.configuration.webhook_host_whitelist)
+        whitelist.select{ | whitelist_host | match?(host, whitelist_host) }
+      end
+
+      def self.match?(host, whitelist_host)
+        if whitelist_host.is_a?(Regexp)
+          host =~ whitelist_host
+        else
+          begin
+            IPAddr.new(whitelist_host) === IPAddr.new(host)
+          rescue IPAddr::Error
+            host == whitelist_host
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pact_broker/webhooks/render.rb

@@ -0,0 +1,23 @@
+module PactBroker
+  module Webhooks
+    class Render
+      def self.call(body, pact, verification = nil, &escaper)
+        base_url = PactBroker.configuration.base_url
+        params = {
+          '${pactbroker.pactUrl}' => PactBroker::Api::PactBrokerUrls.pact_url(base_url, pact),
+          '${pactbroker.consumerVersionNumber}' => pact.consumer_version_number
+        }
+
+        if escaper
+          params.keys.each do | key |
+            params[key] = escaper.call(params[key])
+          end
+        end
+
+        params.inject(body) do | body, (key, value) |
+          body.gsub(key, value)
+        end
+      end
+    end
+  end
+end

data/lib/pact_broker/webhooks/service.rb

@@ -61,7 +61,8 @@ module PactBroker
 
       def self.execute_webhook_now webhook, pact
         triggered_webhook = webhook_repository.create_triggered_webhook(next_uuid, webhook, pact, USER)
-        webhook_execution_result = execute_triggered_webhook_now triggered_webhook, failure_log_message: "Webhook execution failed"
+        options = { failure_log_message: "Webhook execution failed", show_response: PactBroker.configuration.show_webhook_response?}
+        webhook_execution_result = execute_triggered_webhook_now triggered_webhook, options
         if webhook_execution_result.success?
           webhook_repository.update_triggered_webhook_status triggered_webhook, TriggeredWebhook::STATUS_SUCCESS
         else

data/lib/pact_broker/webhooks/webhook.rb

@@ -5,7 +5,6 @@ require 'pact_broker/domain/pacticipant'
 module PactBroker
   module Webhooks
     class Webhook < Sequel::Model
-
       set_primary_key :id
       associate(:many_to_one, :provider, :class => "PactBroker::Domain::Pacticipant", :key => :provider_id, :primary_key => :id)
       associate(:many_to_one, :consumer, :class => "PactBroker::Domain::Pacticipant", :key => :consumer_id, :primary_key => :id)
@@ -84,13 +83,11 @@ module PactBroker
           is_json_request_body: is_json_request_body
         }
       end
-
     end
 
     Webhook.plugin :timestamps, :update_on_create=>true
 
     class WebhookHeader < Sequel::Model
-
       associate(:many_to_one, :webhook, :class => "PactBroker::Repositories::Webhook", :key => :webhook_id, :primary_key => :id)
 
       def self.from_domain name, value, webhook_id
@@ -100,8 +97,6 @@ module PactBroker
         db_header.webhook_id = webhook_id
         db_header
       end
-
     end
   end
-
 end

data/spec/features/create_webhook_spec.rb

@@ -24,7 +24,7 @@ describe "Creating a webhook" do
 
     it "returns a JSON content type" do
       subject
-      expect(last_response.headers['Content-Type']).to eq 'application/json;charset=utf-8'
+      expect(last_response.headers['Content-Type']).to eq 'application/hal+json;charset=utf-8'
     end
 
     it "returns the validation errors" do
@@ -43,7 +43,7 @@ describe "Creating a webhook" do
         }],
         request: {
           method: 'POST',
-          url: 'http://example.org',
+          url: 'https://example.org',
           headers: {
             :"Content-Type" => "application/json"
           },
@@ -76,5 +76,4 @@ describe "Creating a webhook" do
       expect(response_body).to include webhook_hash
     end
   end
-
 end

data/spec/features/edit_webhook_spec.rb

@@ -14,7 +14,7 @@ describe "Creating a webhook" do
   let(:response_body) { JSON.parse(last_response.body, symbolize_names: true)}
   let(:webhook_json) do
     h = load_json_fixture('webhook_valid.json')
-    h['request']['method'] = 'GET'
+    h['request']['url'] = 'https://bar.com'
     h.to_json
   end
 
@@ -55,7 +55,7 @@ describe "Creating a webhook" do
 
     it "updates the webhook" do
       subject
-      expect(reloaded_webhook.request.method).to eq 'GET'
+      expect(reloaded_webhook.request.url).to eq 'https://bar.com'
     end
   end
 end

data/spec/features/execute_webhook_spec.rb

@@ -23,8 +23,9 @@ describe "Execute a webhook" do
 
   context "when the execution is successful" do
     let!(:request) do
-      stub_request(:post, /http/).with(body: 'http://example.org/pacts/provider/Bar/consumer/Foo/version/1').to_return(:status => 200)
+      stub_request(:post, /http/).with(body: 'http://example.org/pacts/provider/Bar/consumer/Foo/version/1').to_return(:status => 200, body: response_body)
     end
+    let(:response_body) { "webhook-response-body" }
 
     it "performs the HTTP request" do
       subject
@@ -42,6 +43,36 @@ describe "Execute a webhook" do
     it "saves a WebhookExecution" do
       expect { subject }.to change { PactBroker::Webhooks::Execution.count }.by(1)
     end
+
+    context "when a webhook host whitelist is not configured" do
+      before do
+        allow(PactBroker.configuration).to receive(:show_webhook_response?).and_return(false)
+      end
+
+      it "does not show any response details" do
+        expect(subject.body).to_not include response_body
+      end
+
+      it "does not log any response details" do
+        subject
+        expect(PactBroker::Webhooks::Execution.order(:id).last.logs).to_not include response_body
+      end
+    end
+
+    context "when a webhook host whitelist is configured" do
+      before do
+        allow(PactBroker.configuration).to receive(:show_webhook_response?).and_return(true)
+      end
+
+      it "includes response details" do
+        expect(subject.body).to include response_body
+      end
+
+      it "logs the response details" do
+        subject
+        expect(PactBroker::Webhooks::Execution.order(:id).last.logs).to include response_body
+      end
+    end
   end
 
   context "when an error occurs", no_db_clean: true do

data/spec/fixtures/webhook_valid.json

@@ -4,7 +4,7 @@
   }],
   "request": {
     "method": "POST",
-    "url": "http://some.url",
+    "url": "HTTPS://some.url",
     "username": "username",
     "password": "password",
     "headers": {

data/spec/lib/pact_broker/api/contracts/webhook_contract_spec.rb

@@ -10,6 +10,7 @@ module PactBroker
         let(:hash) { JSON.parse(json) }
         let(:webhook) { PactBroker::Api::Decorators::WebhookDecorator.new(Domain::Webhook.new).from_json(json) }
         let(:subject) { WebhookContract.new(webhook) }
+        let(:matching_hosts) { ['foo'] }
 
         def valid_webhook_with
           hash = load_json_fixture 'webhook_valid.json'
@@ -18,11 +19,17 @@ module PactBroker
         end
 
         describe "errors" do
-
           before do
+            PactBroker.configuration.webhook_http_method_whitelist = webhook_http_method_whitelist
+            PactBroker.configuration.webhook_host_whitelist = webhook_host_whitelist
+            allow(PactBroker::Webhooks::CheckHostWhitelist).to receive(:call).and_return(whitelist_matches)
             subject.validate(hash)
           end
 
+          let(:webhook_http_method_whitelist) { ['POST'] }
+          let(:whitelist_matches) { ['foo'] }
+          let(:webhook_host_whitelist) { [] }
+
           context "with valid fields" do
             it "is empty" do
               expect(subject.errors).to be_empty
@@ -81,6 +88,62 @@ module PactBroker
             end
           end
 
+          context "with an invalid scheme" do
+            let(:json) do
+              valid_webhook_with do |hash|
+                hash['request']['url'] = 'ftp://foo'
+              end
+            end
+
+            it "contains an error for the URL" do
+              expect(subject.errors[:"request.url"]).to include "scheme must be https. See /doc/webhooks#whitelist for more information."
+            end
+          end
+
+          context "with an HTTP method that is not whitelisted" do
+            let(:json) do
+              valid_webhook_with do |hash|
+                hash['request']['method'] = 'DELETE'
+              end
+            end
+
+            context "when there is only one allowed HTTP method" do
+              it "contains an error for invalid method" do
+                expect(subject.errors[:"request.http_method"]).to include "must be POST. See /doc/webhooks#whitelist for more information."
+              end
+            end
+
+            context "when there is more than one allowed HTTP method", pending: "need to work out how to dynamically create this message" do
+              let(:webhook_http_method_whitelist) { ['POST', 'GET'] }
+
+              it "contains an error for invalid method" do
+                expect(subject.errors[:"request.http_method"]).to include "must be one of POST, GET"
+              end
+            end
+          end
+
+          context "when the host whitelist is empty" do
+            it "does not attempt to validate the host" do
+              expect(PactBroker::Webhooks::CheckHostWhitelist).to_not have_received(:call)
+            end
+          end
+
+          context "when the host whitelist is populated" do
+            let(:webhook_host_whitelist) { [/foo/, "bar"] }
+
+            it "validates the host" do
+              expect(PactBroker::Webhooks::CheckHostWhitelist).to have_received(:call).with("some.url", webhook_host_whitelist)
+            end
+
+            context "when the host does not match the whitelist" do
+              let(:whitelist_matches) { [] }
+
+              it "contains an error", pending: "need to work out how to do dynamic messages" do
+                expect(subject.errors[:"request.url"]).to include "host must be in the whitelist /foo/, \"bar\" . See /doc/webhooks#whitelist for more information."
+              end
+            end
+          end
+
           context "with no URL" do
             let(:json) do
               valid_webhook_with do |hash|

data/spec/lib/pact_broker/api/decorators/webhook_execution_result_decorator_spec.rb

@@ -14,10 +14,11 @@ module PactBroker
           let(:response) { double('http_response', code: '200', body: response_body, to_hash: headers) }
           let(:response_body) { 'body' }
           let(:error) { nil }
-          let(:webhook) { instance_double(PactBroker::Domain::Webhook, uuid: 'some-uuid')}
+          let(:webhook) { instance_double(PactBroker::Domain::Webhook, uuid: 'some-uuid') }
+          let(:show_response) { true }
           let(:json) {
             WebhookExecutionResultDecorator.new(webhook_execution_result)
-            .to_json(user_options: { base_url: 'http://example.org', webhook: webhook })
+            .to_json(user_options: { base_url: 'http://example.org', webhook: webhook, show_response: show_response })
           }
 
           let(:subject) { JSON.parse(json, symbolize_names: true)}
@@ -30,11 +31,7 @@ module PactBroker
             expect(subject[:_links][:webhook][:href]).to eq 'http://example.org/webhooks/some-uuid'
           end
 
-          it "includes a message about the response being redacted" do
-            expect(subject[:message]).to match /redacted/
-          end
-
-          context "when there is an error", pending: "temporarily disabled" do
+          context "when there is an error" do
             let(:error) { double('error', message: 'message', backtrace: ['blah','blah']) }
 
             it "includes the message" do
@@ -46,7 +43,7 @@ module PactBroker
             end
           end
 
-          context "when there is a response", pending: "temporarily disabled" do
+          context "when there is a response" do
             it "includes the response code" do
               expect(subject[:response][:status]).to eq 200
             end
@@ -66,8 +63,19 @@ module PactBroker
               end
             end
           end
-        end
 
+          context "when show_response is false" do
+            let(:show_response) { false }
+
+            it "does not include the response" do
+              expect(subject).to_not have_key(:response)
+            end
+
+            it "includes a message about why the response is hidden" do
+              expect(subject[:message]).to match /security purposes/
+            end
+          end
+        end
       end
     end
   end

data/spec/lib/pact_broker/api/resources/pact_spec.rb

@@ -76,7 +76,7 @@ module PactBroker::Api
           end
 
           it "returns a JSON content type" do
-            expect(response.headers['Content-Type']).to eq "application/json;charset=utf-8"
+            expect(response.headers['Content-Type']).to eq "application/hal+json;charset=utf-8"
           end
 
           it "returns an error message" do

data/spec/lib/pact_broker/api/resources/pact_webhooks_spec.rb

@@ -93,7 +93,7 @@ module PactBroker::Api
 
           it "returns a JSON content type" do
             subject
-            expect(last_response.headers['Content-Type']).to eq 'application/json;charset=utf-8'
+            expect(last_response.headers['Content-Type']).to eq 'application/hal+json;charset=utf-8'
           end
 
           it "returns an error message" do
@@ -111,7 +111,7 @@ module PactBroker::Api
 
           it "returns a JSON content type" do
             subject
-            expect(last_response.headers['Content-Type']).to eq 'application/json;charset=utf-8'
+            expect(last_response.headers['Content-Type']).to eq 'application/hal+json;charset=utf-8'
           end
 
           it "returns an error message" do
@@ -132,7 +132,7 @@ module PactBroker::Api
 
           it "returns a JSON content type" do
             subject
-            expect(last_response.headers['Content-Type']).to eq 'application/json;charset=utf-8'
+            expect(last_response.headers['Content-Type']).to eq 'application/hal+json;charset=utf-8'
           end
 
           it "returns the validation errors" do

data/spec/lib/pact_broker/api/resources/webhook_execution_spec.rb

@@ -57,7 +57,8 @@ module PactBroker
               end
 
               it "generates a JSON response body for the execution result" do
-                expect(decorator).to receive(:to_json).with(user_options: { base_url: 'http://example.org', webhook: webhook })
+                allow(PactBroker.configuration).to receive(:show_webhook_response?).and_return('foo')
+                expect(decorator).to receive(:to_json).with(user_options: { base_url: 'http://example.org', webhook: webhook, show_response: 'foo' })
                 subject
               end
 
@@ -69,6 +70,7 @@ module PactBroker
 
             context "when execution is not successful" do
               let(:success) { false }
+
               it "returns a 500 JSON response" do
                 subject
                 expect(last_response.status).to eq 500

data/spec/lib/pact_broker/domain/webhook_request_spec.rb

@@ -8,9 +8,9 @@ module PactBroker
       before do
         allow(PactBroker::Api::PactBrokerUrls).to receive(:pact_url).and_return('http://example.org/pact-url')
         allow(PactBroker.configuration).to receive(:base_url).and_return('http://example.org')
-        allow(PactBroker.logger).to receive(:info).and_call_original
-        allow(PactBroker.logger).to receive(:debug).and_call_original
-        allow(PactBroker.logger).to receive(:warn).and_call_original
+        allow(PactBroker::Webhooks::Render).to receive(:call) do | content, pact, verification, &block |
+          content
+        end
       end
 
       let(:username) { nil }
@@ -19,7 +19,8 @@ module PactBroker
       let(:body) { 'body' }
       let(:logs) { StringIO.new }
       let(:execution_logger) { Logger.new(logs) }
-      let(:options) { {failure_log_message: 'oops'}}
+      let(:options) { {failure_log_message: 'oops', show_response: show_response} }
+      let(:show_response) { true }
       let(:pact) { instance_double('PactBroker::Domain::Pact') }
 
       subject do
@@ -57,51 +58,37 @@ module PactBroker
       describe "execute" do
         let!(:http_request) do
           stub_request(:post, "http://example.org/hook").
-            with(:headers => {'Content-Type'=>'text/plain'}, :body => 'body').
+            with(:headers => {'Content-Type'=>'text/plain'}, :body => request_body).
             to_return(:status => 200, :body => "respbod", :headers => {'Content-Type' => 'text/foo, blah'})
         end
 
-        describe "when the String body contains a ${pactbroker.pactUrl} parameter" do
-          let!(:http_request) do
-            stub_request(:post, "http://example.org/hook").
-              with(:headers => {'Content-Type'=>'text/plain'}, :body => "<xml><url>http://example.org/pact-url</url></xml>").
-              to_return(:status => 200)
-          end
-
-          let(:body) { "<xml><url>${pactbroker.pactUrl}</url></xml>" }
+        let(:request_body) { 'body' }
 
-          it "replaces the token with the live value" do
-            subject.execute(pact, options)
-            expect(http_request).to have_been_made
+        it "renders the url template" do
+          expect(PactBroker::Webhooks::Render).to receive(:call).with("http://example.org/hook", pact) do | content, pact, verification, &block |
+            expect(content).to eq "http://example.org/hook"
+            expect(pact).to be pact
+            expect(verification).to be nil
+            expect(block.call("foo bar")).to eq "foo+bar"
+            "http://example.org/hook"
           end
+          subject.execute(pact, options)
         end
 
-        describe "when the JSON body contains a ${pactbroker.pactUrl} parameter" do
-          let!(:http_request) do
-            stub_request(:post, "http://example.org/hook").
-              with(:headers => {'Content-Type'=>'text/plain'}, :body => '{"url":"http://example.org/pact-url"}').
-              to_return(:status => 200)
-          end
-
-          let(:body) { { url: '${pactbroker.pactUrl}' } }
-
-          it "replaces the token with the live value" do
+        context "when the body is a string" do
+          it "renders the body template with the String" do
+            expect(PactBroker::Webhooks::Render).to receive(:call).with('body', pact)
             subject.execute(pact, options)
-            expect(http_request).to have_been_made
           end
         end
 
-        describe "when the URL contains a ${pactbroker.pactUrl} parameter" do
-          let!(:http_request) do
-            stub_request(:post, "http://example.org/hook?url=http%3A%2F%2Fexample.org%2Fpact-url").
-              to_return(:status => 200)
-          end
-
-          let(:url) { 'http://example.org/hook?url=${pactbroker.pactUrl}' }
+        context "when the body is an object" do
+          let(:body) { {"foo" => "bar"} }
+          let(:request_body) { '{"foo":"bar"}' }
 
-          it "replaces the token with the live value" do
+          it "renders the body template with JSON" do
+            expect(PactBroker::Webhooks::Render).to receive(:call).with(request_body, pact)
             subject.execute(pact, options)
-            expect(http_request).to have_been_made
           end
         end
 
@@ -120,18 +107,11 @@ module PactBroker
           allow(PactBroker.logger).to receive(:info)
           allow(PactBroker.logger).to receive(:debug)
           expect(PactBroker.logger).to receive(:info).with(/response.*200/)
+          expect(PactBroker.logger).to receive(:debug).with(/content-type/)
           expect(PactBroker.logger).to receive(:debug).with(/respbod/)
           subject.execute(pact, options)
         end
 
-        it "does not write the response body to the exeuction log for security purposes" do
-          expect(logs).to_not include "An error"
-        end
-
-        it "logs a message about why there is no response information" do
-          expect(logs).to include "Webhook response has been redacted temporarily for security purposes"
-        end
-
         describe "execution logs" do
 
           it "logs the request method and path" do
@@ -150,16 +130,38 @@ module PactBroker
             expect(logs).to include body
           end
 
-          it "logs the response status" do
-            expect(logs).to include "HTTP/1.0 200"
-          end
+          context "when show_response is true" do
+            it "logs the response status" do
+              expect(logs).to include "HTTP/1.0 200"
+            end
+
+            it "logs the response headers" do
+              expect(logs).to include "Content-Type: text/foo, blah"
+            end
 
-          it "does not log the response headers" do
-            expect(logs).to_not include "Content-Type: text/foo, blah"
+            it "logs the response body" do
+              expect(logs).to include "respbod"
+            end
           end
 
-          it "does not log the response body" do
-            expect(logs).to_not include "respbod"
+          context "when show_response is false" do
+            let(:show_response) { false }
+
+            it "does not log the response status" do
+              expect(logs).to_not include "HTTP/1.0 200"
+            end
+
+            it "does not log the response headers" do
+              expect(logs).to_not include "Content-Type: text/foo, blah"
+            end
+
+            it "does not log the response body" do
+              expect(logs).to_not include "respbod"
+            end
+
+            it "logs a message about why the response is hidden" do
+              expect(logs).to include "security purposes"
+            end
           end
 
           context "when the response code is a success" do
@@ -234,21 +236,6 @@ module PactBroker
           end
         end
 
-        context "when the request has a JSONable body" do
-          let(:body) { [{"some": "json"}] }
-
-          let!(:http_request) do
-            stub_request(:post, "http://example.org/hook").
-              with(:headers => {'Content-Type'=>'text/plain'}, :body => body.to_json).
-              to_return(:status => 200, :body => "respbod", :headers => {'Content-Type' => 'text/foo, blah'})
-          end
-
-          it "converts the body to JSON before submitting the request" do
-            subject.execute(pact, options)
-            expect(http_request).to have_been_made
-          end
-        end
-
         context "when the request has a nil body" do
           let(:body) { nil }
 
@@ -291,7 +278,7 @@ module PactBroker
           end
         end
 
-        context "when the response body contains a non UTF-8 character", pending: "execution logs disabled temporarily for security purposes" do
+        context "when the response body contains a non UTF-8 character" do
           let!(:http_request) do
             stub_request(:post, "http://example.org/hook").
               to_return(:status => 200, :body => "This has some \xC2 invalid chars")
@@ -316,10 +303,10 @@ module PactBroker
 
           before do
             allow(subject).to receive(:http_request).and_raise(WebhookTestError.new("blah"))
+            allow(PactBroker.logger).to receive(:error)
           end
 
           it "logs the error" do
-            allow(PactBroker.logger).to receive(:error)
             expect(PactBroker.logger).to receive(:error).with(/Error.*WebhookTestError.*blah/)
             subject.execute(pact, options)
           end
@@ -335,6 +322,24 @@ module PactBroker
           it "logs the failure_log_message" do
             expect(logs).to include "oops"
           end
+
+          context "when show_response is true" do
+            it "logs the exception information" do
+              expect(logs).to include "blah"
+            end
+          end
+
+          context "when show_response is false" do
+            let(:show_response) { false }
+
+            it "does not logs the exception information" do
+              expect(logs).to_not include "blah"
+            end
+
+            it "logs a message about why the response is hidden" do
+              expect(logs).to include "security purposes"
+            end
+          end
         end
       end
     end