puppet_webhook 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b4b775f68616833562447615df1985dbe31e30227493a4dc027a0d442e797f6d
+  data.tar.gz: f5c53e8e3f2a6ec6bc544f7cc97f5d41cc4af944290859b2286082f4f20ea2c9
+SHA512:
+  metadata.gz: e2f4b7b73d988281ab0b7d081eb2d1e38f9b622ffe0aabfb903452eed7efe3dcf42ef892b9467ad575b14cdeb311a867bdff36480cf8de4b6b26e5644157055f
+  data.tar.gz: aa402a350c235665813ecc06c55b221afbb736a36caee827d732543c72920e0c34b096323041ba92c03c7b908cb89ff6f5a251c1bdfc5aa003d30230cd7e4244

data/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,209 @@
+# Puppet Webhook Server
+
+[![License](https://img.shields.io/github/license/voxpupuli/puppet_webhook.svg)](https://github.com/voxpupuli/puppet_webhook/blob/master/LICENSE)
+[![Build Status](https://img.shields.io/travis/voxpupuli/puppet_webhook.svg)](https://travis-ci.org/voxpupuli/puppet_webhook)
+[![Gem Version](https://img.shields.io/gem/v/puppet_webhook.svg)](https://rubygems.org/gems/puppet_webhook)
+[![Gem Downloads](https://img.shields.io/gem/dt/puppet_webhook.svg)](https://rubygems.org/gems/puppet_webhook)
+[![Coverage Status](https://coveralls.io/repos/github/voxpupuli/puppet_webhook/badge.svg?branch=master)](https://coveralls.io/github/voxpupuli/puppet_webhook?branch=master)
+[![Dependency Status](https://gemnasium.com/badges/github.com/voxpupuli/puppet_webhook.svg)](https://gemnasium.com/github.com/voxpupuli/puppet_webhook)
+
+## What is puppet_webhook
+
+puppet_webhook is a Sinatra-based application receiving REST-based calls to trigger Puppet and r10k-related tasks such as:
+
+* Webhooks from Source Code systems to trigger r10k environment and module deploys
+* REST calls from systems to trigger Puppet Decommissions such as:
+    * `puppet node clean`
+    * `puppet cert clean`
+    * `puppet cert revoke`
+    * etc.
+* Send notifications via Slack
+
+## Prerequisites
+
+* Ruby 2.1.9 or greater
+* Puppet 4.7.1 or greater
+* r10k gem
+* MCollective and MCollective-r10k (Only for multi-master syncronization)
+    * Currently Mcollective-r10k is only available from [puppet-r10k](https://github.com/voxpupuli/puppet-r10k)
+
+## Installation
+
+Currently the only supported installation method is via RubyGems. 
+
+`gem install puppet_webhook`
+
+NOTE: RPM, DEB, and Arch packages are planned for future releases.
+
+## Usage
+
+### Running puppet_webhook
+
+Once installed, you can run the application by simply executing the `puppet_webhook` binary.
+
+This binary will default to using the bundled configuration files and run in a non-daemon mode. This mode is useful for debugging purposes, but it probably not ideal for production use.
+You can also set the `server_type` option in `/etc/puppet_webhook/server.yml` to `daemon` to run the application in the background. By default the application will log to `/var/log/puppet_webhook/access.log`.
+
+NOTE: During the Prerelease stage, the `/etc/puppet_webhook` and `/var/log/puppet_webhook` directories need to be manually created. This will be fixed in for General Availability.
+
+### Configuring puppet_webhook
+
+Puppet_webhook also has several configuration options that can be configured to each user's needs.
+
+The configuration is separated out into Server config (`server.yml`) and Application config (`app.yml`).
+There are default configuration files included in the application's config directory. While these files are editable, it is preferable to create these config files in `/etc/puppet_webhook` to limit potential problems with package updates.
+Any configuration option is placed in `/etc/puppet_webhook/server.yml` or `/etc/puppet_webhook/app.yml` will override the default config defined in `APPDIR/config/server.yml` and `APPDIR/config/app.yml`.
+
+#### Configuration options
+
+#### server.yml
+
+#####`server_type`
+Determines if the Webrick server should run in Simple or Daemon mode.     
+* Valid options: [ `simple`, `daemon` ].      
+* Default: `simple` 
+
+##### `logfile`
+Location to write the log file to.
+* Default: `/var/log/puppet_webhook/access.log`
+
+##### `pidfile`
+Location of the application's PID file
+* Default: `/var/run/puppet_webhook/webhook.pid`
+
+##### `lockfile`
+Location of the application's Lockfile
+* Default: `/var/run/puppet_webhook/webhook.lock`
+
+##### `approot`
+Location of the Root of the application's directory
+* Default: `./`
+NOTE: Currently unused
+
+##### `bind_address`
+IPv4 Address to bind to.
+* MUST BE VALID IPv4 ADDRESS.
+* Default: `0.0.0.0`
+
+##### `port`
+Port number to bind to.
+* Valid options: Integer between `1024` and `65535`
+* Default: `8088`
+
+##### `enable_ssl`
+Whether or not to enable SSL communication.
+* Valid options: [ `true`, `false` ]
+* Default: `false`
+
+##### `verify_ssl`
+Whether or not to verify the SSL CA/Peer on the certifcate. Set to false if using a self-signed certificate and the CA is not installed locally.
+* Valid options: [ `true`, `false` ]
+* Default: `false`
+
+##### `public_key_path`
+Path to the public SSL certificate for puppet_webhook. REQUIRED IF `ssl_enable` IS SET TO `true`
+* Default: ''
+
+##### `private_key_path`
+Path to the SSL Private Key for puppet_webhook. REQUIRED IF `ssl_enable` IS SET TO `true`
+* Default: ''
+
+##### `command_prefix`
+Command to prefix the r10k and puppet commands with when executed.
+* Default: 'umask 0022;'
+
+#### app.yml
+
+##### `enable_mutex_lock`
+Force all requests to syncronize on a mutex lock, ensuring that only a single request is processed at a time.
+* Valid options: [ `true`, `false` ]
+* Default: `false`
+
+##### `user`
+User for which the sending application must authenticate with.
+* Default: `puppet`
+
+##### `pass`
+Password for which the sending application must authenticate with.
+* Default: `puppet`
+
+##### `protected`
+Whether or not to require authentication when sending to puppet_webhook.
+* Valid options: [ `true`, `false` ]
+* Default: `true`
+
+##### client_cfg
+Mcollective client configuration file.
+* Default: `/var/lib/peadmin/.mcollective`
+
+##### client_timeout
+Mcollective client timeout in seconds.
+* MUST BE A STRING
+* Default: `"120"`
+
+##### use_mco_ruby
+Whether or not to execute MCollective via Ruby Client Library or not. REQUIRES MCOLLECTIVE AND MCOLLECTIVE R10K!
+* Valid options: [ `true`, `false` ]
+* Default: `false`
+
+##### discovery_timeout
+MCollective Ruby discovery timeout. REQUIRES `use_mco_ruby` TO BE `true`.
+* Default: `'10'`
+
+##### use_mcollective
+Whether or not to use MCollective CLI command. REQUIRES MCOLLECTIVE AND MCOLLECTIVE R10K.
+* Valid options: [ `true`, `false` ]
+* Default: `false`
+
+##### slack_webhook
+Whether or not to use Slack Notifications.
+* Valid options: [ `true`, `false` ]
+* Default: `false`
+
+##### slack_channel
+Slack channel to notify.
+* Default: `'#default'`
+
+##### slack_user
+Slack user to notify as.
+* Default: `'r10k'`
+
+##### slack_proxy_url
+The proxy URL for Slack if used.
+* MUST BE A VALID URL.
+* Default: `nil`
+
+##### default_branch
+The default git branch to use with the r10k Control Repo.
+* Default: `production`
+
+##### ignore_environment
+An Array of environments for r10k to ignore during deployment.
+* Default: []
+
+##### prefix
+r10k Environment Prefix to use. When set to `repo`, `user`, or `command`, the prefix will be generated from the repo_name, repo_user, or `prefix_command`. Otherwise it will set the prefix to the passed string. `false` disables prefix.
+* Valid Options: [ `repo`, `user`, `command`, `<String_value>`, `false` ]
+* Default: `false`
+
+##### prefix_command
+Command to execute that will generate an r10k environment prefix.
+* Default: ''
+
+##### r10k_deploy_arguments
+r10k command arguments to pass to the `r10k deploy environment` command.
+* Default: `"-pv"`
+
+##### allow_uppercase
+Whether or not to allow uppercase letters in environment names. If false, then puppet_webhook assumes environment names are downcase. If `true`, then puppet_webhook will normalize the environment name.
+* Valid options: [ `true`, `false` ]
+* Default: `true`
+
+##### github_secret
+Used to verify the signature on a repo. Currently only supported for Github repos.
+* MUST BE A VALID OPENSSL `sha1` HASH.
+* Default: `nil`
+
+##### repository_events
+Array of webhook events to ignore.
+* Default: `nil`

data/bin/puppet_webhook

@@ -0,0 +1,43 @@
+#!/usr/bin/env ruby
+require 'openssl'
+require 'sinatra'
+require 'sinatra/config_file'
+require 'webrick'
+require 'webrick/https'
+require 'puppet_webhook'
+
+config_file(File.join(__dir__, '..', 'config', 'server.yml'), '/etc/puppet_webhook/server.yml')
+
+PIDFILE = settings.pidfile
+LOCKFILE = settings.lockfile
+APP_ROOT = settings.approot
+COMMAND_PREFIX = settings.command_prefix
+LOGGER = WEBrick::Log.new(settings.logfile, WEBrick::Log::DEBUG)
+
+case settings.server_type
+when 'simple'
+  server_type = WEBrick::SimpleServer
+when 'daemon'
+  server_type = WEBrick::Daemon
+end
+
+opts = {
+  Host: settings.bind_address,
+  Port: settings.port,
+  Logger: LOGGER,
+  ServerType: server_type,
+  ServerSoftware: settings.server_software,
+  SSLEnable: settings.enable_ssl,
+  StartCallBack: proc { File.open(PIDFILE, 'w') { |f| f.write Process.pid } }
+}
+
+if settings.enable_ssl
+  opts[:SSLVerifyClient] = settings.verify_ssl
+  opts[:SSLCertificate] = OpenSSL::X509::Certificate.new(File.open(settings.public_key_path).read)
+  opts[:SSLPrivateKey] = OpenSSL::PKey::RSA.new(File.open(settings.private_key_path).read)
+  opts[:SSLCertName] = [['CN', WEBrick::Utils.getservername]]
+end
+
+Rack::Handler::WEBrick.run(PuppetWebhook, opts) do |server|
+  %i[INT TERM].each { |sig| trap(sig) { server.stop } }
+end

data/config/app.yml

@@ -0,0 +1,21 @@
+enable_mutex_lock: false
+user: puppet
+pass: puppet
+protected: true
+client_cfg: "/var/lib/peadmin/.mcollective"
+client_timeout: "120"
+use_mco_ruby: false
+use_mcollective: false
+slack_webhook: false
+slack_channel: '#default'
+slack_username: 'r10k'
+slack_proxy_url: ~
+default_branch: production
+discovery_timeout: '10'
+ignore_environments: []
+prefix: ~
+prefix_command: ''
+r10k_deploy_arguments: "-pv"
+allow_uppercase: true
+github_secret: ~
+repository_events: ~

data/config/server.yml

@@ -0,0 +1,13 @@
+server_type: simple
+logfile: /var/log/puppet_webhook/access.log
+pidfile: /var/run/puppet_webhook/webhook.pid
+lockfile: /var/run/puppet_webhook/webhook.lock
+approot: './'
+server_software: PuppetWebhook
+bind_address: 0.0.0.0
+port: 8088
+enable_ssl: false
+verify_ssl: false
+public_key_path: ''
+private_key_path: ''
+command_prefix: 'umask 0022;'

data/lib/helpers/data_parsers.rb

@@ -0,0 +1,18 @@
+require 'shellwords'
+
+module DataParsers # rubocop:disable Style/Documentation
+  def sanitize_input(input_string)
+    sanitized = Shellwords.shellescape(input_string)
+    LOGGER.info("Module or Branch name #{sanitized} had to be escaped") unless input_string == sanitized
+    sanitized
+  end
+
+  def normalize(str)
+    settings.allow_uppercase ? str : str.downcase
+  end
+
+  def verify_signature(payload_body)
+    signature = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), settings.github_secret, payload_body)
+    throw(:halt, [500, "Signatures didn't match!\n"]) unless Rack::Utils.secure_compare(signature, request.env['HTTP_X_HUB_SIGNATURE'])
+  end
+end

data/lib/helpers/deployments.rb

@@ -0,0 +1,50 @@
+module Deployments # rubocop:disable Style/Documentation
+  def deploy(branch, deleted)
+    if settings.use_mco_ruby
+      result = mco(branch).first
+      raise result.results[:statusmsg] unless result.results[:statuscode].zero?
+
+      message = result.results[:statusmsg]
+    else
+      command = if settings.use_mcollective
+                  "#{COMMAND_PREFIX} mco r10k deploy #{branch} #{settings.mco_arguments}"
+                else
+                  # If you don't use mcollective then this hook needs to be running as r10k's user i.e. root
+                  "#{COMMAND_PREFIX} r10k deploy environment #{branch} #{settings.r10k_deploy_arguments}"
+                end
+      message = run_command(command)
+    end
+    status_message = { status: :success, message: message.to_s, branch: branch, status_code: 200 }
+    LOGGER.info("message: #{message} branch: #{branch}")
+    unless deleted
+      generate_types(branch) if types?
+    end
+    notify_slack(status_message) if slack?
+    status_message.to_json
+  rescue StandardError => e
+    status_message = { status: :fail, message: e.message, trace: e.backtrace, branch: branch, status_code: 500 }
+    LOGGER.error("message: #{e.message} trace: #{e.backtrace}")
+    status 500
+    notify_slack(status_message) if slack?
+    status_message.to_json
+  end
+
+  def deploy_module(module_name)
+    command = if settings.use_mcollective
+                "#{COMMAND_PREFIX} mco r10k deploy_module #{module_name} #{settings.mco_arguments}"
+              else
+                "#{COMMAND_PREFIX} r10k deploy module #{module_name}"
+              end
+    message = run_command(command)
+    LOGGER.info("message: #{message} module_name: #{module_name}")
+    status_message = { status: :success, message: message.to_s, module_name: module_name, status_code: 200 }
+    notify_slack(status_message) if slack?
+    status_message.to_json
+  rescue StandardError => e
+    LOGGER.error("message: #{e.message} trace: #{e.backtrace}")
+    status 500
+    status_message = { status: :fail, message: e.message, trace: e.backtrace, module_name: module_name, status_code: 500 }
+    notify_slack(status_message) if slack?
+    status_message.to_json
+  end
+end

data/lib/helpers/init.rb

@@ -0,0 +1,6 @@
+require 'helpers/data_parsers'
+require 'helpers/deployments'
+require 'helpers/tasks'
+PuppetWebhook.helpers DataParsers
+PuppetWebhook.helpers Deployments
+PuppetWebhook.helpers Tasks

data/lib/helpers/tasks.rb

@@ -0,0 +1,174 @@
+require 'open3'
+require 'slack-notifier'
+require 'mcollective'
+include MCollective::RPC
+
+module Tasks # rubocop:disable Style/Documentation
+  def ignore_env?(env)
+    list = settings.ignore_environments
+    return false if list.nil? || list.empty?
+
+    list.each do |l|
+      # Even unquoted array elements wrapped by slashes becomes strings after YAML parsing
+      # So we need to convert it into Regexp manually
+      if l =~ %r{^/.+/$}
+        return true if env =~ Regexp.new(l[1..-2])
+      elsif env == 1
+        return true
+      end
+    end
+
+    false
+  end
+
+  # Check to see if this is an event we care about. Default to responding to all events
+  def ignore_event?
+    # Explicitly ignore Github ping events
+    return true if request.env['HTTP_X_GITHUB_EVENT'] == 'ping'
+
+    list = nil unless settings.repository_events
+    event = request.env['HTTP_X_GITHUB_EVENT']
+
+    # Negate this, because we should respond if any of these conditions are true
+    !(list.nil? || (list == event) || list.include?(event))
+  end
+
+  def run_prefix_command(payload)
+    IO.popen(settings.prefix_command, 'r+') do |io|
+      io.write payload.to_s
+      io.close_write
+      begin
+        io.readlines.first.chomp
+      rescue StandardError
+        ''
+      end
+    end
+  end
+
+  def run_command(command)
+    message = ''
+    File.open(LOCKFILE, 'w+') do |file|
+      # r10k has a small race condition which can cause failed deploys if two happen
+      # more or less simultaneously. To mitigate, we just lock on a file and wait for
+      # the other one to complete.
+      file.flock(File::LOCK_EX)
+
+      if Open3.respond_to?('capture3')
+        stdout, stderr, exit_status = Open3.capture3(command)
+        message = "triggered: #{command}\n#{stdout}\n#{stderr}"
+      else
+        message = "forked: #{command}"
+        Process.detach(fork { exec "#{command} &" })
+        exit_status = 0
+      end
+      raise "#{stdout}\n#{stderr}" if exit_status != 0
+    end
+    message
+  end
+
+  def generate_types(environment)
+    command = "#{COMMAND_PREFIX} /opt/puppetlabs/puppet/bin generate types --environment #{environment}"
+
+    message = run_command(command)
+    LOGGER.info("message: #{message} environment: #{environment}")
+    status_message = { status: :success, message: message.to_s, environment: environment, status_code: 200 }
+    notify_slack(status_message) if slack?
+  rescue StandardError => e
+    LOGGER.error("message: #{e.message} trace: #{e.backtrace}")
+    status_message = { status: :fail, message: e.message, trace: e.backtrace, environment: environment, status_code: 500 }
+    notify_slack(status_message) if slack?
+  end
+
+  def notify_slack(status_message)
+    return unless settings.slack_webhook
+
+    slack_channel = settings.slack_channel  || '#default'
+    slack_user    = settings.slack_username || 'r10k'
+
+    if settings.slack_proxy_url
+      uri = URI(settings.slack_proxy_url)
+      http_options = {
+        proxy_address:  uri.hostname,
+        proxy_port:     uri.port,
+        proxy_from_env: false
+      }
+    else
+      http_options = {}
+    end
+
+    notifier = Slack::Notifier.new settings.slack_webhook do
+      defaults channel: slack_channel,
+               username: slack_user,
+               icon_emoji: ':ocean:',
+               http_options: http_options
+    end
+
+    if status_message[:branch]
+      target = status_message[:branch]
+    elsif status_message[:module]
+      target = status_message[:module]
+    end
+
+    message = {
+      author: 'r10k for Puppet',
+      title: "r10k deployment of Puppet environment #{target}"
+    }
+
+    case status_message[:status_code]
+    when 200
+      message.merge!(
+        color: 'good',
+        text: "Successfully deployed #{target}",
+        fallback: "Successfully deployed #{target}"
+      )
+    when 500
+      message.merge!(
+        color: 'bad',
+        text: "Failed to deploy #{target}",
+        fallback: "Failed to deploy #{target}"
+      )
+    end
+
+    notifier.post text: message[:fallback], attachments: [message]
+  end
+
+  def slack?
+    return false if settings.slack_webhook.nil?
+    settings.slack_webhook
+  end
+
+  def types?
+    return false if settings.generate_tasks.nil?
+    settings.generate_tasks
+  end
+
+  def authorized?
+    # TODO: add token-based authentication?
+    @auth ||= Rack::Auth::Basic::Request.new(request.env)
+    @auth.provided? && @auth.basic? && @auth.credentials &&
+      @auth.credentials == [settings.user, settings.pass]
+  end
+
+  def verify_signature?
+    true unless settings.github_secret.nil?
+  end
+
+  def protected!
+    if authorized?
+      LOGGER.info("Authenticated as user #{settings.user} from IP #{request.ip}")
+    else
+      response['WWW-Authenticate'] = %(Basic realm="Restricted Area")
+      LOGGER.error("Authentication failure from IP #{request.ip}")
+      throw(:halt, [401, "Not authorized\n"])
+    end
+  end
+
+  def mco(branch)
+    options = MCollective::Util.default_options
+    options[:config] = settings.client_cfg
+    client = rpcclient('r10k', exit_on_failure: false, options: options)
+    client.discovery_timeout = settings.discovery_timeout
+    client.timeout           = settings.client_timeout
+    client.send('deploy', environment: branch)
+  end
+end

data/lib/parsers/webhook_json_parser.rb

@@ -0,0 +1,128 @@
+require 'rack/parser'
+require 'json'
+
+module Sinatra
+  module Parsers
+    class WebhookJsonParser # rubocop:disable Style/Documentation
+      def call(body)
+        @data = JSON.parse(body, quirks_mode: true)
+        @vcs  = detect_vcs
+        {
+          branch:    branch,
+          deleted:   deleted?,
+          module_name: repo_name.sub(%r{^.*-}, ''),
+          repo_name: repo_name,
+          repo_user: repo_user
+        }.delete_if { |_k, v| v.nil? }
+      end
+
+      def detect_vcs
+        return 'github'    if github_webhook?
+        return 'gitlab'    if gitlab_webhook?
+        return 'stash'     if stash_webhook?
+        return 'bitbucket' if bitbucket_webhook?
+        return 'tfs'       if tfs_webhook?
+        raise StandardError, 'payload not recognised'
+      end
+
+      def github_webhook?
+        # https://developer.github.com/v3/activity/events/types/#pushevent
+        # X-GitHub-Event header is set, but not accessible here.
+        return false unless @data.key? 'repository'
+        return false unless @data['repository'].key? 'id'
+        return false unless @data['repository'].key? 'html_url'
+        return false unless @data['repository']['html_url'] =~ %r{github\.com}
+        true
+      end
+
+      def gitlab_webhook?
+        # https://docs.gitlab.com/ce/user/project/integrations/webhooks.html
+        # X-Gitlab-Event is set, but not accessible here.
+        return false unless @data.key? 'object_kind'
+        return false unless @data.key? 'ref'
+        true
+      end
+
+      # stash/bitbucket server
+      def stash_webhook?
+        # https://confluence.atlassian.com/bitbucketserver/post-service-webhook-for-bitbucket-server-776640367.html
+        return false unless @data.key? 'refChanges'
+        true
+      end
+
+      def bitbucket_webhook?
+        # https://confluence.atlassian.com/bitbucket/event-payloads-740262817.html
+        return false unless @data.key? 'actor'
+        return false unless @data.key? 'repository'
+        return false unless @data.key? 'push'
+        true
+      end
+
+      def tfs_webhook?
+        # https://docs.microsoft.com/en-us/vsts/service-hooks/services/webhooks
+        return false unless @data.key? 'resource'
+        return false unless @data.key? 'eventType'
+        true
+      end
+
+      def branch
+        case @vcs
+        when 'github'
+          if @data.key? 'ref'
+            @data['ref'].sub('refs/heads/', '')
+          else
+            @data['repository']['default_branch']
+          end
+        when 'gitlab'
+          @data['ref'].sub('refs/heads/', '')
+        when 'stash'
+          @data['refChanges'][0]['refId'].sub('refs/heads/', '')
+        when 'bitbucket'
+          return @data['push']['changes'][0]['new']['name'] unless deleted?
+          @data['push']['changes'][0]['old']['name']
+        when 'tfs'
+          @data['resource']['refUpdates'][0]['name'].sub('refs/heads/', '')
+        end
+      end
+
+      def deleted?
+        case @vcs
+        when 'github'
+          @data['deleted']
+        when 'gitlab'
+          @data['after'] == '0000000000000000000000000000000000000000'
+        when 'stash'
+          @data['refChanges'][0]['type'] == 'DELETE'
+        when 'bitbucket'
+          @data['push']['changes'][0]['closed']
+        when 'tfs'
+          @data['resource']['refUpdates'][0]['newObjectId'] == '0000000000000000000000000000000000000000'
+        else
+          false
+        end
+      end
+
+      def repo_name
+        if @vcs == 'gitlab'
+          @data['project']['name']
+        elsif @vcs == 'tfs'
+          @data['resource']['repository']['name']
+        else
+          @data['repository']['name']
+        end
+      end
+
+      def repo_user
+        # TODO: Clarify what repo_user actually is.
+        # github is currently using the repo's 'owner', gitlab is using the user who pushed.
+        case @vcs
+        when 'github'
+          @data['repository']['owner']['login']
+        when 'gitlab'
+          @data['user_username']
+        end
+        # TODO: Bitbucket, Stash/Bitbucket Server, TFS
+      end
+    end
+  end
+end

data/lib/puppet_webhook.rb

@@ -0,0 +1,153 @@
+require 'sinatra/base'
+require 'sinatra/config_file'
+require 'json'
+require 'cgi'
+require 'parsers/webhook_json_parser'
+
+class PuppetWebhook < Sinatra::Base # rubocop:disable Style/Documentation
+  set :root, File.dirname(__FILE__)
+  use Rack::Parser,
+      parsers: { 'application/json' => Sinatra::Parsers::WebhookJsonParser.new },
+      handlers: { 'application/json' => proc { |e, type| [400, { 'Content-Type' => type }, [{ error: e.to_s }.to_json]] } }
+  register Sinatra::ConfigFile
+
+  config_file(File.join(__dir__, '..', 'config', 'app.yml'), '/etc/puppet_webhook/app.yml')
+
+  set :static, false
+  set :lock, true if settings.enable_mutex_lock
+
+  require 'helpers/init'
+
+  get '/' do
+    raise Sinatra::NotFound
+  end
+
+  get '/heartbeat' do
+    return 200, { status: :success, message: 'running' }.to_json
+  end
+
+  # TODO: Move examples into the README.md
+  # Simulate a github post:
+  # curl -X POST \
+  #      -H "Content-Type: application/json" \
+  #      -d '{ \
+  #            "repository": { \
+  #              "id": 12345, \
+  #              "name": "puppetlabs-stdlib", \
+  #              "html_url": "http://github.com", \
+  #              "owner": {\
+  #                "login": "foo"
+  #              } \
+  #            } \
+  #          }' \
+  #      'https://puppet:puppet@localhost:8088/module' -k -q
+  #
+  # Simulate a BitBucket post:
+  # curl -X POST \
+  #      -H "Content-Type: application/json" \
+  #      -d '{ \
+  #            "repository": { \
+  #              "full_name": "puppetlabs/puppetlabs-stdlib", \
+  #              "name": "PuppetLabs : StdLib"
+  #        } }' \
+  #      'https://puppet:puppet@localhost:8088/module' -k -q
+  #
+  # This example shows that, unlike github, BitBucket allows special characters
+  # in repository names but translates it to generate a full_name which
+  # is used in the repository URL and is most useful for this webhook handler.
+  post '/module' do
+    protected! if settings.protected
+    request.body.rewind # in case someone has already read it
+
+    # Short circuit if we're ignoring this event
+    return 200 if ignore_event?
+
+    # TODO: Move these two lines of code into the parser
+    decoded = request.body.read
+    verify_signature(decoded) if verify_signature?
+
+    module_name = params['module_name']
+
+    module_name = sanitize_input(module_name)
+    LOGGER.info("Deploying module #{module_name}")
+    deploy_module(module_name)
+  end
+
+  # Simulate a github post:
+  # curl -d '{ "ref": "refs/heads/production" }' -H "Accept: application/json" 'https://puppet:puppet@localhost:8088/payload' -k -q
+  #
+  # If using stash look at the stash_mco.rb script included here.
+  # It will filter the stash post and make it look like a github post.
+  #
+  # Simulate a Gitorious post:
+  # curl -X POST -d '%7b%22ref%22%3a%22master%22%7d' 'http://puppet:puppet@localhost:8088/payload' -q
+  # Yes, Gitorious does not support https...
+  #
+  # Simulate a BitBucket post:
+  # curl -X POST -d '{ "push": { "changes": [ { "new": { "name": "production" } } ] } }' \
+  #      'https://puppet:puppet@localhost:8088/payload' -k -q
+
+  post '/payload' do # rubocop:disable Metrics/BlockLength
+    LOGGER.info "params = #{params}"
+    protected! if settings.protected
+    request.body.rewind # in case someone already read it
+
+    # Short circuit if we're ignoring this event
+    return 200 if ignore_event?
+
+    # Check if content type is x-www-form-urlencoded
+    decoded = if request.content_type.to_s.casecmp('application/x-www-form-urlencoded').zero?
+                CGI.unescape(request.body.read).gsub(%r{^payload\=}, '')
+              else
+                request.body.read
+              end
+    verify_signature(decoded) if verify_signature?
+    data = JSON.parse(decoded, quirks_mode: true)
+
+    # Iterate the data structure to determine what's should be deployed
+    branch = params['branch']
+
+    # If prefix is enabled in our config file, determine what the prefix should be
+    prefix = case settings.prefix
+             when :repo
+               params['repo_name']
+             when :user
+               params['repo_user']
+             when :command, TrueClass
+               run_prefix_command(data.to_json)
+             when String
+               settings.prefix
+             end
+
+    # When a branch is being deleted, a deploy against it will result in a failure, as it no longer exists.
+    # Instead, deploy the default branch, which will purge deleted branches per the user's configuration
+    deleted = params['deleted']
+
+    branch = if deleted
+               settings.default_branch
+             else
+               sanitize_input(branch)
+             end
+
+    # r10k doesn't yet know how to deploy all branches from a single source.
+    # The best we can do is just deploy all environments by passing nil to
+    # deploy() if we don't know the correct branch.
+    env = if prefix.nil? || prefix.empty? || branch.nil? || branch.empty?
+            normalize(branch)
+          else
+            normalize("#{prefix}_#{branch}")
+          end
+
+    if ignore_env?(env)
+      LOGGER.info("Skipping deployment of environment #{env} according to ignore_environments configuration parameter")
+      return 200
+    else
+      LOGGER.info("Deploying environment #{env}")
+      deploy(env, deleted)
+    end
+  end
+
+  not_found do
+    halt 404, "You shall not pass! (page not found)\n"
+  end
+end

metadata

@@ -0,0 +1,252 @@
+--- !ruby/object:Gem::Specification
+name: puppet_webhook
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Vox Pupuli
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-11-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mcollective-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-parser
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sinatra-contrib
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: slack-notifier
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: github_changelog_generator
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov-console
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email: voxpupuli@groups.io
+executables:
+- puppet_webhook
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- bin/puppet_webhook
+- config/app.yml
+- config/server.yml
+- lib/helpers/data_parsers.rb
+- lib/helpers/deployments.rb
+- lib/helpers/init.rb
+- lib/helpers/tasks.rb
+- lib/parsers/webhook_json_parser.rb
+- lib/puppet_webhook.rb
+homepage: https://github.com/voxpupuli/puppet_webhook
+licenses:
+- apache
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+- config
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.1.9
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.2
+signing_key: 
+specification_version: 4
+summary: Sinatra Webhook Server for Puppet/R10K
+test_files: []