Encrypted Web Hook tokens - interpolation
What does this MR do and why?
This adds interpolation of URL variables.
URLs may take the form:
http://{user}:{password}@example.com/{path}?token={token}
In this case we expect the hook to define variables for user, password, path, and token, which will be inserted into the URL template where specified during execution.
The interpolated URI is not logged.
URLs must not refer to missing variables, and this is enforced with a new validation.
Existing hooks may violate this validation - if they do, then their URLs will continue to be processed literally, in a backwards compatible fashion.
An existing hook with a URL such as http://example.com/{foo}, will now fail during editing with a validation error.
How to set up and validate locally
No UI exists for this yet, so to test, you will need to use the console.
- Create a new web-hook
- In rails console, edit the URL, replacing parts with variables:
    hook = project.hooks.first # or something
    hook.update!(url: 'http://example.com/foo/{bar}/baz', url_variables: { 'bar' => 'wibble' })
- Trigger the hook
- See that:
  - the hook is correctly executed
  - the variables do not appear in log output or in the web-hook logs interface.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #361124 (closed)
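The behaviour described above (missing-variable validation, literal fallback for hooks that fail it, and keeping values out of logs), sketched in Ruby as an added example that is not code from this MR or from GitLab. All method names are hypothetical, the sample values are constructed, and percent-encoding of values is an assumption the description does not state.

```ruby
# Added illustration, not GitLab's implementation; every name here is hypothetical.
require 'erb'

PLACEHOLDER = /\{([A-Za-z0-9_]+)\}/

# Variable names the template refers to, in order of first appearance.
def placeholders(template)
  template.scan(PLACEHOLDER).flatten.uniq
end

# The validation: names used in the template that have no defined variable.
def missing_variables(template, variables)
  placeholders(template) - variables.keys.map(&:to_s)
end

# URL to send the request to. A template that fails validation is used
# literally, which is the backwards-compatible path for existing hooks.
# Assumption: values are percent-encoded so that a value containing "@", "/"
# or "?" cannot change the structure of the URL.
def interpolate(template, variables)
  vars = variables.transform_keys(&:to_s)
  return template unless missing_variables(template, vars).empty?

  template.gsub(PLACEHOLDER) { ERB::Util.url_encode(vars.fetch($1)) }
end

# What goes to the log: the template and the variable names, never the values.
def log_entry(template, variables)
  "webhook url=#{template} variables=#{variables.keys.map(&:to_s).sort.join(',')}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data.
  template = 'http://{user}:{password}@example.com/{path}?token={token}'
  vars = { 'user' => 'alice', 'password' => 'p@ss/word',
           'path' => 'hooks', 'token' => 's3cret' }
  puts "missing: #{missing_variables('http://example.com/{foo}', vars).inspect}"
  puts "request: #{interpolate(template, vars)}"
  puts "logged:  #{log_entry(template, vars)}"
end
```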