pact_broker 2.19.2 → 2.20.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6596910c63bcfb8363e958de4bb4bb698df0613e
-  data.tar.gz: 929b0ac8d06300c3a6226f4afb3af099f97c7476
+  metadata.gz: e14b4974d382ad35da338f8b493f4ea721105a7c
+  data.tar.gz: 3d27068e75bea109b5bc3bac0262061ce973f574
 SHA512:
-  metadata.gz: aaf62c676cffcc46679e3cba55afd4234d74208577869803d76e670805b314d7e8a742525de8d3599aafa5f5769d50b62b76ee8464796766c42c92dc73807b36
-  data.tar.gz: 3cb076e57dcb8f23450ddd50e1b8f92f4161f79fd4541799296a5fdc0ed4671e13d1ba409eb0dfeff60c41cc86cc3472a304fb6e1068b6219a2359b3365799e7
+  metadata.gz: bf62aadde7feb83cb578fccb4a853530e1d2c3967f9abfc85d649ff9640c58f410bcfaa5b6a0d347444cf1aab47f7bf5e68d00f67c71d34c9d4fc8ebb3fc8e25
+  data.tar.gz: fb663dbb7503fb6f1d43f53c820257844a2573f9cf1913995e22d04f8cc3e15c53acf59e56fe5bb9e049ef5d9d915e660eeec99f58defcc46b5d22d71df392d4

data/CHANGELOG.md

@@ -1,3 +1,20 @@
+<a name="v2.20.0"></a>
+### v2.20.0 (2018-06-03)
+
+
+#### Features
+
+* only log webhook response details when a webhook host whitelist has been configured	 ([3e1c562](/../../commit/3e1c562))
+* validate webhook host against configurable list on creation	 ([077e37f](/../../commit/077e37f))
+* validate webhook scheme and http method against configurable lists on creation	 ([d7a2b0a](/../../commit/d7a2b0a))
+* add ${pactbroker.consumerVersionNumber} to webhook templates	 ([d525527](/../../commit/d525527))
+
+
+#### Bug Fixes
+
+* correct all content types that were application/json to application/hal+json	 ([690e39b](/../../commit/690e39b))
+
+
 <a name="v2.19.2"></a>
 ### v2.19.2 (2018-05-29)
 

data/example/README.md

@@ -1,5 +1,7 @@
 # Run Pact Broker example
 
+The configuration for this example should not be used in production. Either use the [Docker Pact Broker image][docker-pact-broker], or copy the [pact_broker directory][pact-broker-dir] from the Docker project as your starting point. Ensure you configure a web server/reverse proxy (such as Passenger/Nginx) in front of it (you can also copy the configuration for these from the Docker image.)
+
 Clone project
 
 ```bash
@@ -40,7 +42,7 @@ Set up postgres database
 
 ```bash
 psql postgres -c "CREATE DATABASE pact_broker;"
-psql postgres -c "CREATE ROLE pact_broker WITH LOGIN PASSWORD 'pact_broker';"
+psql postgres -c "CREATE ROLE pact_broker WITH LOGIN PASSWORD 'CHANGE_ME';"
 psql postgres -c "GRANT ALL PRIVILEGES ON DATABASE pact_broker TO pact_broker;"
 ```
 
@@ -63,3 +65,7 @@ psql pact_broker < example_data.sql
 ```
 
 Now Pact Broker can be access locally at [http://localhost:9292](http://localhost:9292).
+
+[docker-pact-broker]: https://github.com/DiUS/pact_broker-docker
+[pact-broker-dir]: https://github.com/DiUS/pact_broker-docker/tree/master/pact_broker
+

data/example/config.ru

@@ -11,10 +11,10 @@ DATABASE_CREDENTIALS = {adapter: "sqlite", database: "pact_broker_database.sqlit
 # For postgres:
 #
 # $ psql postgres -c "CREATE DATABASE pact_broker;"
-# $ psql postgres -c "CREATE ROLE pact_broker WITH LOGIN PASSWORD 'pact_broker';"
+# $ psql postgres -c "CREATE ROLE pact_broker WITH LOGIN PASSWORD 'CHANGE_ME';"
 # $ psql postgres -c "GRANT ALL PRIVILEGES ON DATABASE pact_broker TO pact_broker;"
 #
-# DATABASE_CREDENTIALS = {adapter: "postgres", database: "pact_broker", username: 'pact_broker', password: 'pact_broker', :encoding => 'utf8'}
+# DATABASE_CREDENTIALS = {adapter: "postgres", database: "pact_broker", username: 'pact_broker', password: 'CHANGE_ME', :encoding => 'utf8'}
 
 # Have a look at the Sequel documentation to make decisions about things like connection pooling
 # and connection validation.
@@ -25,7 +25,6 @@ app = PactBroker::App.new do | config |
   # change these from their default values if desired
   # config.log_dir = "./log"
   # config.auto_migrate_db = true
-  # config.use_hal_browser = true
   config.database_connection = Sequel.connect(DATABASE_CREDENTIALS.merge(:logger => config.logger))
 end
 

data/lib/pact_broker/api/contracts/webhook_contract.rb

@@ -1,11 +1,25 @@
 require 'reform'
 require 'reform/form'
+require 'pact_broker/webhooks/check_host_whitelist'
 
 module PactBroker
   module Api
     module Contracts
       class WebhookContract < Reform::Form
 
+        def validate(*)
+          result = super
+          # I just cannot seem to get the validation to stop on the first error.
+          # If one rule fails, they all come back failed, and it's driving me nuts.
+          # Why on earth would I want that behaviour?
+          new_errors = Reform::Contract::Errors.new
+          errors.messages.each do | key, value |
+            new_errors.add(key, value.first)
+          end
+          @errors = new_errors
+          result
+        end
+
         validation do
           configure do
             config.messages_file = File.expand_path("../../../locale/en.yml", __FILE__)
@@ -23,20 +37,73 @@ module PactBroker
             configure do
               config.messages_file = File.expand_path("../../../locale/en.yml", __FILE__)
 
-              def valid_method?(value)
-                Net::HTTP.const_defined?(value.capitalize)
+              def self.messages
+                super.merge(
+                  en: {
+                    errors: {
+                      allowed_webhook_method?: http_method_error_message,
+                      allowed_webhook_scheme?: scheme_error_message,
+                      allowed_webhook_host?: host_error_message
+                    }
+                  }
+                )
+              end
+
+              def self.http_method_error_message
+                if PactBroker.configuration.webhook_http_method_whitelist.size == 1
+                  "must be #{PactBroker.configuration.webhook_http_method_whitelist.first}. See /doc/webhooks#whitelist for more information."
+                else
+                  "must be one of #{PactBroker.configuration.webhook_http_method_whitelist.join(", ")}. See /doc/webhooks#whitelist for more information."
+                end
               end
 
-              def valid_url?(value)
-                uri = URI(value)
+              def self.scheme_error_message
+                "scheme must be #{PactBroker.configuration.webhook_scheme_whitelist.join(", ")}. See /doc/webhooks#whitelist for more information."
+              end
+
+              def self.host_error_message
+                "host must be in the whitelist #{PactBroker.configuration.webhook_host_whitelist.join(",")}. See /doc/webhooks#whitelist for more information."
+              end
+
+              def valid_method?(http_method)
+                Net::HTTP.const_defined?(http_method.capitalize)
+              end
+
+              def valid_url?(url)
+                uri = URI(url)
                 uri.scheme && uri.host
               rescue URI::InvalidURIError
                 false
               end
+
+              def allowed_webhook_method?(http_method)
+                PactBroker.configuration.webhook_http_method_whitelist.any? do | allowed_method |
+                  http_method.downcase == allowed_method.downcase
+                end
+              end
+
+              def allowed_webhook_scheme?(url)
+                scheme = URI(url).scheme
+                PactBroker.configuration.webhook_scheme_whitelist.any? do | allowed_scheme |
+                  scheme.downcase == allowed_scheme.downcase
+                end
+              end
+
+              def allowed_webhook_host?(url)
+                if host_whitelist.any?
+                  PactBroker::Webhooks::CheckHostWhitelist.call(URI(url).host, host_whitelist).any?
+                else
+                  true
+                end
+              end
+
+              def host_whitelist
+                PactBroker.configuration.webhook_host_whitelist
+              end
             end
 
-            required(:http_method).filled(:valid_method?)
-            required(:url).filled(:valid_url?)
+            required(:http_method).filled(:valid_method?, :allowed_webhook_method?)
+            required(:url).filled(:valid_url?, :allowed_webhook_scheme?, :allowed_webhook_host?)
           end
         end
 

data/lib/pact_broker/api/decorators/webhook_execution_result_decorator.rb

@@ -1,21 +1,17 @@
 require_relative 'base_decorator'
 require 'json'
+require 'pact_broker/messages'
 
 module PactBroker
   module Api
     module Decorators
-
       class WebhookExecutionResultDecorator < BaseDecorator
-
         class ErrorDecorator < BaseDecorator
-
           property :message
           property :backtrace
-
         end
 
         class HTTPResponseDecorator < BaseDecorator
-
           property :status, :getter => lambda { |_| code.to_i }
           property :headers, exec_context: :decorator
           property :body, exec_context: :decorator
@@ -36,13 +32,9 @@ module PactBroker
           end
         end
 
-        property :message, exec_context: :decorator
-        # property :error, :extend => ErrorDecorator
-        # property :response, :extend => HTTPResponseDecorator
-
-        def message
-          "Webhook response has been redacted temporarily for security purposes. Please see the Pact Broker application logs for the response body."
-        end
+        property :error, :extend => ErrorDecorator, if: lambda { |context| context[:options][:user_options][:show_response] }
+        property :response, :extend => HTTPResponseDecorator, if: lambda { |context| context[:options][:user_options][:show_response] }
+        property :response_hidden_message, as: :message, exec_context: :decorator, if: lambda { |context| !context[:options][:user_options][:show_response] }
 
         link :webhook do | options |
           {
@@ -56,7 +48,11 @@ module PactBroker
             href: webhook_execution_url(options.fetch(:webhook), options.fetch(:base_url))
           }
         end
+
+        def response_hidden_message
+          PactBroker::Messages.message('messages.response_body_hidden')
+        end
       end
     end
   end
-end
+end

data/lib/pact_broker/api/resources/base_resource.rb

@@ -96,12 +96,12 @@ module PactBroker
         end
 
         def set_json_error_message message
-          response.headers['Content-Type'] = 'application/json;charset=utf-8'
+          response.headers['Content-Type'] = 'application/hal+json;charset=utf-8'
           response.body = {error: message}.to_json
         end
 
         def set_json_validation_error_messages errors
-          response.headers['Content-Type'] = 'application/json;charset=utf-8'
+          response.headers['Content-Type'] = 'application/hal+json;charset=utf-8'
           response.body = {errors: errors}.to_json
         end
 
@@ -128,7 +128,7 @@ module PactBroker
           rescue StandardError => e
             logger.error "Error parsing JSON #{e} - #{request_body}"
             set_json_error_message "Error parsing JSON - #{e.message}"
-            response.headers['Content-Type'] = 'application/json;charset=utf-8'
+            response.headers['Content-Type'] = 'application/hal+json;charset=utf-8'
             true
           end
         end

data/lib/pact_broker/api/resources/pact_webhooks.rb

@@ -38,7 +38,7 @@ module PactBroker
           errors = webhook_service.errors(webhook)
 
           unless errors.empty?
-            response.headers['Content-Type'] = 'application/json;charset=utf-8'
+            response.headers['Content-Type'] = 'application/hal+json;charset=utf-8'
             response.body = { errors: errors.messages }.to_json
           end
 

data/lib/pact_broker/api/resources/webhook_execution.rb

@@ -32,7 +32,7 @@ module PactBroker
         private
 
         def post_response_body webhook_execution_result
-          Decorators::WebhookExecutionResultDecorator.new(webhook_execution_result).to_json(user_options: { base_url: base_url, webhook: webhook })
+          Decorators::WebhookExecutionResultDecorator.new(webhook_execution_result).to_json(user_options: user_options)
         end
 
         def webhook
@@ -46,8 +46,11 @@ module PactBroker
         def uuid
           identifier_from_path[:uuid]
         end
+
+        def user_options
+          { base_url: base_url, webhook: webhook, show_response: PactBroker.configuration.show_webhook_response? }
+        end
       end
     end
   end
-
 end

data/lib/pact_broker/configuration.rb

@@ -30,9 +30,10 @@ module PactBroker
     attr_accessor :validate_database_connection_config, :enable_diagnostic_endpoints, :version_parser, :sha_generator
     attr_accessor :use_case_sensitive_resource_names, :order_versions_by_date
     attr_accessor :check_for_potential_duplicate_pacticipant_names
+    attr_accessor :webhook_http_method_whitelist, :webhook_scheme_whitelist, :webhook_host_whitelist
+    attr_accessor :webhook_retry_schedule
     attr_accessor :semver_formats
     attr_accessor :enable_public_badge_access, :shields_io_base_url
-    attr_accessor :webhook_retry_schedule
     attr_accessor :disable_ssl_verification
     attr_accessor :base_equality_only_on_content_that_affects_verification_results
     attr_reader :api_error_reporters
@@ -74,6 +75,9 @@ module PactBroker
       config.webhook_retry_schedule = [10, 60, 120, 300, 600, 1200] #10 sec, 1 min, 2 min, 5 min, 10 min, 20 min => 38 minutes
       config.check_for_potential_duplicate_pacticipant_names = true
       config.disable_ssl_verification = false
+      config.webhook_http_method_whitelist = ['POST']
+      config.webhook_scheme_whitelist = ['https']
+      config.webhook_host_whitelist = []
       config
     end
 
@@ -142,6 +146,10 @@ module PactBroker
       end
     end
 
+    def show_webhook_response?
+      webhook_host_whitelist.any?
+    end
+
     def enable_badge_resources= enable_badge_resources
       puts "Pact Broker configuration property `enable_badge_resources` is deprecated. Please use `enable_public_badge_access`"
       self.enable_public_badge_access = enable_badge_resources

data/lib/pact_broker/doc/views/webhooks.markdown

@@ -54,6 +54,28 @@ A request body can be specified as well.
 
 **BEWARE** The password can be reverse engineered from the database, so make a separate account for the Pact Broker to use, don't use your personal account!
 
+<a name="whitelist"></a>
+#### Webhook Whitelist
+
+To ensure that webhooks cannot be used maliciously to expose either data about your contracts or your internal network, the following validation rules are applied to webhooks via the Pact Broker configuration settings.
+
+* **Scheme**: Must be included in the `webhook_scheme_whitelist`, which by default only includes `https`. You can change this to include `http` if absolutely necessary, however, keep in mind that the body of any http traffic is visible to the network. You can load a self signed certificate into the Pact Broker to be used for https connections using [script/insert-self-signed-certificate-from-url.rb](https://github.com/pact-foundation/pact_broker/blob/master/script/insert-self-signed-certificate-from-url.rb) in the
+Pact Broker Github repository.
+
+* **HTTP method**: Must be included in the `webhook_http_method_whitelist`, which by default only includes `POST`. It is highly recommended that only `POST` requests are allowed to ensure that webhooks cannot be used to retrieve sensitive information from hosts within the same network.
+
+* **Host**: If the `webhook_host_whitelist` contains any entries, the host must match one or more of the entries. By default, it is empty. For security purposes, if the host whitelist is empty, the response details will not be logged to the UI (though they can be seen in the application logs at debug level).
+
+  The host whitelist may contain hostnames (eg `"github.com"`), IPs (eg `"192.0.345.4"`), network ranges (eg `"10.0.0.0/8"`) or regular expressions (eg `/.*\.foo\.com$/`). Note that IPs are not resolved, so if you specify an IP range, you need to use the IP in the webhook URL. If you wish to allow webhooks to any host (not recommended!), you can set `webhook_host_whitelist` to `[/.*/]`. Beware of any sensitive endpoints that may be exposed within the same network.
+
+  The recommended set of values to start with are:
+
+    * your CI server's hostname (for triggering builds)
+    * your company chat (eg. Slack, for publishing notifications)
+    * your code repository (eg. Github, for sending commit statuses)
+
+  Alternatively, you could use a regular expression to limit requests to your company's domain. eg `/.*\.foo\.com$/` (don't forget the end of string anchor). You can test Ruby regular expressions at [rubular.com](http://rubular.com).
+
 #### Event types
 
 `contract_content_changed:` triggered when the content of the contract has changed since the previous publication. Uses plain string equality, so changes to the ordering of hash keys, or whitespace changes will trigger this webhook.
@@ -65,6 +87,7 @@ A request body can be specified as well.
 The following variables may be used in the request parameters or body, and will be replaced with their appropriate values at runtime.
 
 `${pactbroker.pactUrl}`: the "permalink" URL to the newly published pact (the URL specifying the consumer version URL, rather than the "/latest" format.)
+`${pactbroker.consumerVersionNumber}`: the version number of the most recent consumer version associated with the pact content.
 
 Example usage:
 

data/lib/pact_broker/domain/webhook_request.rb

@@ -5,8 +5,10 @@ require 'pact_broker/logging'
 require 'pact_broker/messages'
 require 'net/http'
 require 'pact_broker/webhooks/redact_logs'
+require 'pact_broker/webhooks/render'
 require 'pact_broker/api/pact_broker_urls'
 require 'pact_broker/build_http_options'
+require 'cgi'
 
 module PactBroker
 
@@ -66,15 +68,14 @@ module PactBroker
         uri = build_uri(pact)
         req = build_request(uri, pact, execution_logger)
         response = do_request(uri, req)
-        log_response(response, execution_logger)
+        log_response(response, execution_logger, options)
         result = WebhookExecutionResult.new(response, logs.string)
         log_completion_message(options, execution_logger, result.success?)
         result
       end
 
       def handle_error_and_build_result e, options, logs, execution_logger
-        logger.error "Error executing webhook #{uuid} #{e.class.name} - #{e.message} #{e.backtrace.join("\n")}"
-        execution_logger.error "Error executing webhook #{uuid} #{e.class.name} - #{e.message}"
+        log_error(e, execution_logger, options)
         log_completion_message(options, execution_logger, false)
         WebhookExecutionResult.new(nil, logs.string, e)
       end
@@ -91,14 +92,10 @@ module PactBroker
         req.basic_auth(username, password) if username
 
         unless body.nil?
-          if String === body
-            req.body = gsub_body(pact, body)
-          else
-            req.body = gsub_body(pact, body.to_json)
-          end
+          req.body = PactBroker::Webhooks::Render.call(String === body ? body : body.to_json, pact)
         end
 
-        execution_logger.info req.body
+        execution_logger.info(req.body) if req.body
         req
       end
 
@@ -110,23 +107,40 @@ module PactBroker
         end
       end
 
-      def log_response response, execution_logger
-        execution_logger.info(" ")
+      def log_response response, execution_logger, options
+        log_response_to_application_logger(response)
+        if options[:show_response]
+          log_response_to_execution_logger(response, execution_logger)
+        else
+          execution_logger.info response_body_hidden_message
+        end
+      end
+
+      def response_body_hidden_message
+        PactBroker::Messages.message('messages.response_body_hidden')
+      end
+
+      def log_response_to_application_logger response
         logger.info "Received response for webhook #{uuid} status=#{response.code}"
-        execution_logger.info "HTTP/#{response.http_version} #{response.code} #{response.message}"
-        #response.each_header do | header |
-        #  execution_logger.info "#{header.split("-").collect(&:capitalize).join('-')}: #{response[header]}"
-        #end
+        logger.debug "headers=#{response.to_hash}"
         logger.debug "body=#{response.body}"
-        # safe_body = nil
-        # if response.body
-        #   safe_body = response.body.encode('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '')
-        #   if response.body != safe_body
-        #     execution_logger.debug "Note that invalid UTF-8 byte sequences were removed from response body before saving the logs"
-        #   end
-        # end
-        #execution_logger.info safe_body
-        execution_logger.info "Webhook response has been redacted temporarily for security purposes. Please see the Pact Broker application logs for the response body."
+      end
+
+      def log_response_to_execution_logger response, execution_logger
+        execution_logger.info "HTTP/#{response.http_version} #{response.code} #{response.message}"
+        response.each_header do | header |
+          execution_logger.info "#{header.split("-").collect(&:capitalize).join('-')}: #{response[header]}"
+        end
+
+        safe_body = nil
+
+        if response.body
+          safe_body = response.body.encode('UTF-8', 'binary', invalid: :replace, undef: :replace, replace: '')
+          if response.body != safe_body
+            execution_logger.debug "Note that invalid UTF-8 byte sequences were removed from response body before saving the logs"
+          end
+        end
+        execution_logger.info safe_body
       end
 
       def log_completion_message options, execution_logger, success
@@ -141,6 +155,16 @@ module PactBroker
         end
       end
 
+      def log_error e, execution_logger, options
+        logger.error "Error executing webhook #{uuid} #{e.class.name} - #{e.message} #{e.backtrace.join("\n")}"
+
+        if options[:show_response]
+          execution_logger.error "Error executing webhook #{uuid} #{e.class.name} - #{e.message}"
+        else
+          execution_logger.error "Error executing webhook #{uuid}. #{response_body_hidden_message}"
+        end
+      end
+
       def to_s
         "#{method.upcase} #{url}, username=#{username}, password=#{display_password}, headers=#{headers}, body=#{body}"
       end
@@ -150,7 +174,7 @@ module PactBroker
       end
 
       def build_uri pact
-        URI(gsub_url(pact, url))
+        URI(PactBroker::Webhooks::Render.call(url, pact){ | value | CGI::escape(value)} )
       end
 
       def url_with_credentials pact
@@ -158,18 +182,6 @@ module PactBroker
         u.userinfo = "#{CGI::escape username}:#{display_password}" if username
         u
       end
-
-      def gsub_body pact, body
-        base_url = PactBroker.configuration.base_url
-        body.gsub('${pactbroker.pactUrl}', PactBroker::Api::PactBrokerUrls.pact_url(base_url, pact))
-      end
-
-      def gsub_url pact, url
-        base_url = PactBroker.configuration.base_url
-        pact_url = PactBroker::Api::PactBrokerUrls.pact_url(base_url, pact)
-        escaped_pact_url = CGI::escape(pact_url)
-        url.gsub('${pactbroker.pactUrl}', escaped_pact_url)
-      end
     end
   end
 end