feat: [AH-1067]: use internal webhook secret (#3539)

* feat: [AH-1067]: change var name * feat: [AH-1067]: change var name * feat: [AH-1067]: fix lint issues * feat: [AH-1067]: use internal webhook secret
2025-03-12 21:00:50 +00:00 · 2025-03-12 21:00:50 +00:00 · a0461fd870
parent 1e8ae8b47f
commit a0461fd870
4 changed files with 10 additions and 5 deletions
--- a/app/services/webhook/service.go
+++ b/app/services/webhook/service.go
@ -51,9 +51,7 @@ type Config struct {
 	MaxRetries          int
 	AllowPrivateNetwork bool
 	AllowLoopback       bool
-
-	// InternalWebhooksURL specifies the internal webhook URL which will be used if webhook is marked internal
-	InternalWebhooksURL string
+	InternalSecret      string
 }

 func (c *Config) Prepare() error {
@ -81,6 +79,7 @@ func (c *Config) Prepare() error {
 	return nil
 }

+//nolint:revive
 type WebhookExecutorStore interface {
 	Find(ctx context.Context, id int64) (*types.WebhookExecutionCore, error)
 	ListWebhooks(
@ -106,6 +105,7 @@ type WebhookExecutorStore interface {
 	CreateWebhookExecution(ctx context.Context, hook *types.WebhookExecutionCore) error
 }

+//nolint:revive
 type WebhookExecutor struct {
 	secureHTTPClient           *http.Client
 	insecureHTTPClient         *http.Client
--- a/app/services/webhook/trigger.go
+++ b/app/services/webhook/trigger.go
@ -365,7 +365,10 @@ func (w *WebhookExecutor) prepareHTTPRequest(
 	}

 	var secretValue string
-	if webhook.Secret != "" {
+	//nolint:gocritic
+	if webhook.Type == enum.WebhookTypeInternal {
+		secretValue = w.config.InternalSecret
+	} else if webhook.Secret != "" {
 		decryptedSecret, err := w.encrypter.Decrypt([]byte(webhook.Secret))
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt webhook secret: %w", err)
--- a/cli/operations/server/config.go
+++ b/cli/operations/server/config.go
@ -331,6 +331,7 @@ func ProvideWebhookConfig(config *types.Config) webhook.Config {
 		MaxRetries:          config.Webhook.MaxRetries,
 		AllowPrivateNetwork: config.Webhook.AllowPrivateNetwork,
 		AllowLoopback:       config.Webhook.AllowLoopback,
+		InternalSecret:      config.Webhook.InternalSecret,
 	}
 }

--- a/types/config.go
+++ b/types/config.go
@ -339,7 +339,8 @@ type Config struct {
 		AllowPrivateNetwork bool   `envconfig:"GITNESS_WEBHOOK_ALLOW_PRIVATE_NETWORK" default:"false"`
 		AllowLoopback       bool   `envconfig:"GITNESS_WEBHOOK_ALLOW_LOOPBACK" default:"false"`
 		// RetentionTime is the duration after which webhook executions will be purged from the DB.
-		RetentionTime time.Duration `envconfig:"GITNESS_WEBHOOK_RETENTION_TIME" default:"168h"` // 7 days
+		RetentionTime  time.Duration `envconfig:"GITNESS_WEBHOOK_RETENTION_TIME" default:"168h"` // 7 days
+		InternalSecret string        `envconfig:"GITNESS_WEBHOOK_INTERNAL_SECRET"`
 	}

 	Trigger struct {