feat: Fixed manifest-generate-paths monorepo support for Bitbucket #18968 #20993
Conversation
…#18968 Signed-off-by: B Rahul <rahul20bollisetty@gmail.com>
❌ Preview Environment deleted from BunnyshellAvailable commands (reply to this comment):
|
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #20993 +/- ##
==========================================
- Coverage 55.07% 54.98% -0.10%
==========================================
Files 324 324
Lines 55466 55552 +86
==========================================
- Hits 30547 30543 -4
- Misses 22303 22388 +85
- Partials 2616 2621 +5 ☔ View full report in Codecov by Sentry. |
| if secretRepoURL == repoURL { | ||
| if tokenBytes, exists := secret.Data["accessToken"]; exists { | ||
| return string(tokenBytes), nil | ||
| } |
There was a problem hiding this comment.
I'm a bit uncomfortable with using selector and processing multiple items. What if somebody hijacks the flow by adding a new secret with a different/wrong token?
There was a problem hiding this comment.
Could you please elaborate a bit more about this?
There was a problem hiding this comment.
Why don't we just query a specific secret?
There was a problem hiding this comment.
well see, if we are adding a private repo the secret that are created are of the format repo-178100904 , so you cannot directly query a specific secret, you have to iterate all the repository type secret and the select the one that matches with the URL.
There was a problem hiding this comment.
I think we can have the same repository-access-token (RAT) used while creating the repository for doing a call from the webhook as well.
util/webhook/webhook.go
Outdated
| // Check if a handler was passed | ||
| var webhookHandler *ArgoCDWebhookHandler | ||
| if len(optionalHandler) > 0 { | ||
| if handler, ok := optionalHandler[0].(*ArgoCDWebhookHandler); ok { |
There was a problem hiding this comment.
This leads to a confusing function signature, which implies multiple optional handlers can be passed. Maybe use a pointer and have it be nil if the optional handler is not available?
util/webhook/webhook.go
Outdated
| // https://developer.atlassian.com/cloud/bitbucket/rest/api-group-commits/#api-repositories-workspace-repo-slug-diffstat-spec-get | ||
|
|
||
| url := fmt.Sprintf("https://api.bitbucket.org/2.0/repositories/%s/%s/diffstat/%s", | ||
| workspace, repoSlug, spec) |
There was a problem hiding this comment.
Fix formatting, either one argument per line or all in one line.
Signed-off-by: B Rahul <rahul20bollisetty@gmail.com>
|
|
||
| if webhookHandler != nil { | ||
| spec := change.shaAfter + ".." + change.shaBefore | ||
| accessToken, err := webhookHandler.settingsSrc.GetRepositorySecretAccessToken(webURLs[0]) |
There was a problem hiding this comment.
webURLs[0] doesn't read well here, i.e. what makes index 0 special?
There was a problem hiding this comment.
Pls have a look at the webhook payload, you can see that the bitbucket includes multiple changes in a single event, so I have appended the URL of repo in webURL. So only one webURLs is present in case of bitbucket, whereas it is different for github, gitlab, etc. So it has to be a array, wherein only one item is present in case of bitbucket. That's why index 0 is used.
| return nil, fmt.Errorf("error creating request: %w", err) | ||
| } | ||
|
|
||
| trimmedAccessToken := strings.TrimSpace(accessToken) |
There was a problem hiding this comment.
Why do we have to trim it? Why can't it be without spaces?
There was a problem hiding this comment.
Whenever fetching the accessToken from the secrets, a new line is added by default. When this accessToken is passed without removing the spaces/newline, the HTTP GET call fails, with error - invalid header field value for \"Authorization\""
util/webhook/webhook.go
Outdated
| refParts := strings.SplitN(ref, "/", 3) | ||
| return refParts[len(refParts)-1] | ||
| } | ||
|
|
||
| // affectedRevisionInfo examines a payload from a webhook event, and extracts the repo web URL, | ||
| // the revision, and whether or not this affected origin/HEAD (the default branch of the repository) | ||
| func affectedRevisionInfo(payloadIf interface{}) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) { | ||
| func affectedRevisionInfo(payloadIf interface{}, optionalHandler *ArgoCDWebhookHandler) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) { |
There was a problem hiding this comment.
Why not just call this webhookHandler and use it directly without declaring extra vars?
Signed-off-by: B Rahul <rahul20bollisetty@gmail.com>
The webhook payload didn't consist of files changed. Bitbucket provides API, which gives the path of files that are changed. Using the webhook payload, I pull out the hash of new and old commit, workspace name and repoSlug, and then get the access token from repo secret (repo secret is created when a repo is added using |
|
We really need this fix, any timeline for getting this merged ? |
|
I'll start with reviewing this PR in depth now. |
| // Getting the files changed from diff API: | ||
| // https://developer.atlassian.com/cloud/bitbucket/rest/api-group-commits/#api-repositories-workspace-repo-slug-diffstat-spec-get |
There was a problem hiding this comment.
| // Getting the files changed from diff API: | |
| // https://developer.atlassian.com/cloud/bitbucket/rest/api-group-commits/#api-repositories-workspace-repo-slug-diffstat-spec-get | |
| // fetchDiffstatFromBitbucket gets the files changed from diff API - https://developer.atlassian.com/cloud/bitbucket/rest/api-group-commits/#api-repositories-workspace-repo-slug-diffstat-spec-get |
Please add this as a function comment (at the top of function)
Co-authored-by: Nitish Kumar <justnitish06@gmail.com> Signed-off-by: B Rahul <rahul20bollisetty@gmail.com>
| @@ -244,14 +271,66 @@ func affectedRevisionInfo(payloadIf interface{}) (webURLs []string, revision str | |||
| return webURLs, revision, change, touchedHead, changedFiles | |||
| } | |||
|
|
|||
| func fetchDiffstatFromBitbucket(workspace, repoSlug, spec, accessToken string) ([]string, error) { | |||
There was a problem hiding this comment.
I'm concerned about this. iirc our webhook handler isn't auth-protected. So anyone with API access could hammer the endpoint and trigger SSRF. I don't have time to give a thorough review right now, but requesting changes so this doesn't get merged without further conversation.
|
I have created an improved version of this PR. #21811
|
|
Closing this in favour of #21811 |
Fixes #18968
PR Summary:
This PR addresses an issue with the
argocd.argoproj.io/manifest-generate-pathsManifest Paths Annotation in Argo CD when used with Bitbucket repositories.Key Changes:
manifest-generate-pathsannotation is handled correctly, refreshing the app only when the files changed match with the paths inmanifest-generate-paths.Steps to Implement:
Add Bitbucket Repository to ArgoCD:
Use the following command to add the Bitbucket repository to ArgoCD with authentication:
<REPO_URL>: Replace with your Bitbucket repository URL.<BITBUCKET_USERNAME>: Your Bitbucket account username.<BITBUCKET_APP_PASSWORD>: An app password generated in Bitbucket (can be found in your Bitbucket account settingGenerate an Access Token for the Repository in Bitbucket:
Store the Access Token as a Secret:
Convert the generated access token to Base64 format. You can use the following command:
ACCESS_TOKENwith your actual Bitbucket access token.Step 1.Store the access token in the secret under the keydata.accessTokenChecklist: