zulip/zerver/webhooks/harbor/view.py

# Webhooks for external integrations.
from typing import Optional

from django.db.models import Q
from django.http import HttpRequest, HttpResponse

from zerver.decorator import webhook_view
from zerver.lib.exceptions import UnsupportedWebhookEventTypeError
from zerver.lib.response import json_success
from zerver.lib.typed_endpoint import JsonBodyPayload, typed_endpoint
from zerver.lib.validator import WildValue, check_int, check_string
from zerver.lib.webhooks.common import check_send_webhook_message
from zerver.models import Realm, UserProfile

IGNORED_EVENTS = [
    "DOWNLOAD_CHART",
    "DELETE_CHART",
    "UPLOAD_CHART",
    "PULL_ARTIFACT",
    "DELETE_ARTIFACT",
    "SCANNING_FAILED",
]


def guess_zulip_user_from_harbor(harbor_username: str, realm: Realm) -> Optional[UserProfile]:
    try:
        # Try to find a matching user in Zulip
        # We search a user's full name, short name,
        # and beginning of email address
        user = UserProfile.objects.filter(
            Q(full_name__iexact=harbor_username) | Q(email__istartswith=harbor_username),
            is_active=True,
            realm=realm,
        ).order_by("id")[0]
        return user  # nocoverage
    except IndexError:
        return None


def image_id(payload: WildValue) -> str:
    image_name = payload["event_data"]["repository"]["repo_full_name"].tame(check_string)
    resource = payload["event_data"]["resources"][0]
    if "tag" in resource:
        return image_name + ":" + resource["tag"].tame(check_string)
    else:
        return image_name + "@" + resource["digest"].tame(check_string)


def handle_push_image_event(
    payload: WildValue, user_profile: UserProfile, operator_username: str
) -> str:
    return f"{operator_username} pushed image `{image_id(payload)}`"


SCANNING_COMPLETED_TEMPLATE = """
Image scan completed for `{image_id}`. Vulnerabilities by severity:

{scan_results}
""".strip()


def handle_scanning_completed_event(
    payload: WildValue, user_profile: UserProfile, operator_username: str
) -> str:
    scan_results = ""
    scan_overview = payload["event_data"]["resources"][0]["scan_overview"]
    if "application/vnd.security.vulnerability.report; version=1.1" not in scan_overview:
        raise UnsupportedWebhookEventTypeError(str(list(scan_overview.keys())))
    scan_summaries = scan_overview["application/vnd.security.vulnerability.report; version=1.1"][
        "summary"
    ]["summary"]
    if len(scan_summaries) > 0:
        for severity, count in scan_summaries.items():
            scan_results += f"* {severity}: **{count.tame(check_int)}**\n"
    else:
        scan_results += "None\n"

    return SCANNING_COMPLETED_TEMPLATE.format(
        image_id=image_id(payload),
        scan_results=scan_results,
    )


EVENT_FUNCTION_MAPPER = {
    "PUSH_ARTIFACT": handle_push_image_event,
    "SCANNING_COMPLETED": handle_scanning_completed_event,
}

ALL_EVENT_TYPES = list(EVENT_FUNCTION_MAPPER.keys())


@webhook_view("Harbor", all_event_types=ALL_EVENT_TYPES)
@typed_endpoint
def api_harbor_webhook(
    request: HttpRequest,
    user_profile: UserProfile,
    *,
    payload: JsonBodyPayload[WildValue],
) -> HttpResponse:
    operator_username = "**{}**".format(payload["operator"].tame(check_string))

    if operator_username != "auto":
        operator_profile = guess_zulip_user_from_harbor(operator_username, user_profile.realm)

    if operator_profile:
        operator_username = f"@**{operator_profile.full_name}**"  # nocoverage

    event = payload["type"].tame(check_string)
    topic_name = payload["event_data"]["repository"]["repo_full_name"].tame(check_string)

    if event in IGNORED_EVENTS:
        return json_success(request)

    content_func = EVENT_FUNCTION_MAPPER.get(event)

    if content_func is None:
        raise UnsupportedWebhookEventTypeError(event)

    content: str = content_func(payload, user_profile, operator_username)

    check_send_webhook_message(
        request, user_profile, topic_name, content, event, unquote_url_parameters=True
    )
    return json_success(request)
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00			`# Webhooks for external integrations.`
harbor: Strengthen types using WildValue. 2022-10-08 19:37:05 +02:00			`from typing import Optional`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
			`from django.db.models import Q`
			`from django.http import HttpRequest, HttpResponse`

webhooks: Rename api_key_only_webhook_view to webhook_view. There are no other types of webhook views; this is more concise. 2020-08-20 00:32:15 +02:00			`from zerver.decorator import webhook_view`
ruff: Fix N818 exception name should be named with an Error suffix. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2022-11-17 09:30:48 +01:00			`from zerver.lib.exceptions import UnsupportedWebhookEventTypeError`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00			`from zerver.lib.response import json_success`
typed_endpoint: Rename WebhookPayload to JsonBodyPayload. This kind of payload that's loaded from json in the body of the request is not only used for webhooks, but also in the push bouncer, and may get used elsewhere too - so a general name is better. 2023-09-27 19:01:31 +02:00			`from zerver.lib.typed_endpoint import JsonBodyPayload, typed_endpoint`
webhooks: Migrate most webhooks to use @typed_endpoint. This converts most webhook integration views to use @typed_endpoint instead of @has_request_variables, rewriting REQ parameters. For these webhooks, it simply requires switching the decorator, rewriting the type annotation of payload/message to WebhookPayload[WildValue], and removing the REQ default that defines the to_wild_value converter. 2023-08-12 09:34:31 +02:00			`from zerver.lib.validator import WildValue, check_int, check_string`
webhooks: Move UnexpectedWebhookEventType into zerver.lib.exceptions. 8e10ab282a moved UnexpectedWebhookEventType into `zerver.lib.exceptions`, but left the import into `zserver.lib.webhooks.common` so that webhooks could continue to import the exception from there. This clutters things and adds complexity; there is no compelling reason that the exception's source of truth should not move alongside all other exceptions. 2020-08-19 22:14:40 +02:00			`from zerver.lib.webhooks.common import check_send_webhook_message`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00			`from zerver.models import Realm, UserProfile`

			`IGNORED_EVENTS = [`
integrations: Update harbor for new payload format. 2022-06-18 11:30:25 +02:00			`"DOWNLOAD_CHART",`
			`"DELETE_CHART",`
			`"UPLOAD_CHART",`
			`"PULL_ARTIFACT",`
			`"DELETE_ARTIFACT",`
			`"SCANNING_FAILED",`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00			`]`


			`def guess_zulip_user_from_harbor(harbor_username: str, realm: Realm) -> Optional[UserProfile]:`
			`try:`
			`# Try to find a matching user in Zulip`
			`# We search a user's full name, short name,`
			`# and beginning of email address`
			`user = UserProfile.objects.filter(`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`Q(full_name__iexact=harbor_username) \| Q(email__istartswith=harbor_username),`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00			`is_active=True,`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`realm=realm,`
			`).order_by("id")[0]`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00			`return user # nocoverage`
			`except IndexError:`
			`return None`


integrations: Support scans of untagged images in Harbor. 2023-05-11 19:14:01 +02:00			`def image_id(payload: WildValue) -> str:`
			`image_name = payload["event_data"]["repository"]["repo_full_name"].tame(check_string)`
			`resource = payload["event_data"]["resources"][0]`
			`if "tag" in resource:`
			`return image_name + ":" + resource["tag"].tame(check_string)`
			`else:`
			`return image_name + "@" + resource["digest"].tame(check_string)`


python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`def handle_push_image_event(`
harbor: Strengthen types using WildValue. 2022-10-08 19:37:05 +02:00			`payload: WildValue, user_profile: UserProfile, operator_username: str`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`) -> str:`
integrations: Support scans of untagged images in Harbor. 2023-05-11 19:14:01 +02:00			return f"{operator_username} pushed image `{image_id(payload)}`"
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00

			`SCANNING_COMPLETED_TEMPLATE = """`
integrations: Support scans of untagged images in Harbor. 2023-05-11 19:14:01 +02:00			Image scan completed for `{image_id}`. Vulnerabilities by severity:
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
			`{scan_results}`
			`""".strip()`


python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`def handle_scanning_completed_event(`
harbor: Strengthen types using WildValue. 2022-10-08 19:37:05 +02:00			`payload: WildValue, user_profile: UserProfile, operator_username: str`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`) -> str:`
python: Modernize legacy Python 2 syntax with pyupgrade. Generated by `pyupgrade --py3-plus --keep-percent-format` on all our Python code except `zthumbor` and `zulip-ec2-configure-interfaces`, followed by manual indentation fixes. Signed-off-by: Anders Kaseorg <anders@zulipchat.com> 2020-04-09 21:51:58 +02:00			`scan_results = ""`
integrations: Update harbor for new payload format. 2022-06-18 11:30:25 +02:00			`scan_overview = payload["event_data"]["resources"][0]["scan_overview"]`
			`if "application/vnd.security.vulnerability.report; version=1.1" not in scan_overview:`
webhooks: Pass helpful strings to UnsupportedWebhookEventTypeError. This helps understand _what_ event type was not supported. 2023-10-06 00:20:38 +02:00			`raise UnsupportedWebhookEventTypeError(str(list(scan_overview.keys())))`
integrations: Update harbor for new payload format. 2022-06-18 11:30:25 +02:00			`scan_summaries = scan_overview["application/vnd.security.vulnerability.report; version=1.1"][`
			`"summary"`
			`]["summary"]`
			`if len(scan_summaries) > 0:`
			`for severity, count in scan_summaries.items():`
ruff: Fix UP032 Use f-string instead of `format` call. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2023-01-18 03:23:15 +01:00			`scan_results += f"* {severity}: {count.tame(check_int)}\n"`
integrations: Update harbor for new payload format. 2022-06-18 11:30:25 +02:00			`else:`
			`scan_results += "None\n"`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
			`return SCANNING_COMPLETED_TEMPLATE.format(`
integrations: Support scans of untagged images in Harbor. 2023-05-11 19:14:01 +02:00			`image_id=image_id(payload),`
python: Use trailing commas consistently. Automatically generated by the following script, based on the output of lint with flake8-comma: import re import sys last_filename = None last_row = None lines = [] for msg in sys.stdin: m = re.match( r"\x1b\[35mflake8 \\|\x1b\[0m \x1b\[1;31m(.+):(\d+):(\d+): (\w+)", msg ) if m: filename, row_str, col_str, err = m.groups() row, col = int(row_str), int(col_str) if filename == last_filename: assert last_row != row else: if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) with open(filename) as f: lines = f.readlines() last_filename = filename last_row = row line = lines[row - 1] if err in ["C812", "C815"]: lines[row - 1] = line[: col - 1] + "," + line[col - 1 :] elif err in ["C819"]: assert line[col - 2] == "," lines[row - 1] = line[: col - 2] + line[col - 1 :].lstrip(" ") if last_filename is not None: with open(last_filename, "w") as f: f.writelines(lines) Signed-off-by: Anders Kaseorg <anders@zulipchat.com> 2020-04-10 05:23:40 +02:00			`scan_results=scan_results,`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00			`)`


			`EVENT_FUNCTION_MAPPER = {`
integrations: Update harbor for new payload format. 2022-06-18 11:30:25 +02:00			`"PUSH_ARTIFACT": handle_push_image_event,`
			`"SCANNING_COMPLETED": handle_scanning_completed_event,`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00			`}`

webhooks: Add support to event filtering system for webhooks. This add support to event filtering system for most webhooks that require trivial changes to adapt this feature. 2021-07-16 11:40:46 +02:00			`ALL_EVENT_TYPES = list(EVENT_FUNCTION_MAPPER.keys())`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
webhooks: Add support to event filtering system for webhooks. This add support to event filtering system for most webhooks that require trivial changes to adapt this feature. 2021-07-16 11:40:46 +02:00
			`@webhook_view("Harbor", all_event_types=ALL_EVENT_TYPES)`
webhooks: Migrate most webhooks to use @typed_endpoint. This converts most webhook integration views to use @typed_endpoint instead of @has_request_variables, rewriting REQ parameters. For these webhooks, it simply requires switching the decorator, rewriting the type annotation of payload/message to WebhookPayload[WildValue], and removing the REQ default that defines the to_wild_value converter. 2023-08-12 09:34:31 +02:00			`@typed_endpoint`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`def api_harbor_webhook(`
			`request: HttpRequest,`
			`user_profile: UserProfile,`
webhooks: Migrate most webhooks to use @typed_endpoint. This converts most webhook integration views to use @typed_endpoint instead of @has_request_variables, rewriting REQ parameters. For these webhooks, it simply requires switching the decorator, rewriting the type annotation of payload/message to WebhookPayload[WildValue], and removing the REQ default that defines the to_wild_value converter. 2023-08-12 09:34:31 +02:00			`*,`
typed_endpoint: Rename WebhookPayload to JsonBodyPayload. This kind of payload that's loaded from json in the body of the request is not only used for webhooks, but also in the push bouncer, and may get used elsewhere too - so a general name is better. 2023-09-27 19:01:31 +02:00			`payload: JsonBodyPayload[WildValue],`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`) -> HttpResponse:`
harbor: Strengthen types using WildValue. 2022-10-08 19:37:05 +02:00			`operator_username = "{}".format(payload["operator"].tame(check_string))`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
			`if operator_username != "auto":`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`operator_profile = guess_zulip_user_from_harbor(operator_username, user_profile.realm)`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
			`if operator_profile:`
python: Convert "".format to Python 3.6 f-strings. Generated by pyupgrade --py36-plus --keep-percent-format, but with the NamedTuple changes reverted (see commit ba7906a3c657905fa35bbcfb4e97b053f050272d, #15132). Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-09 00:25:09 +02:00			`operator_username = f"@{operator_profile.full_name}" # nocoverage`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
harbor: Strengthen types using WildValue. 2022-10-08 19:37:05 +02:00			`event = payload["type"].tame(check_string)`
webhooks: Rename topic local variables to topic_name. This is preparatory work towards adding a Topic model. We plan to use the local variable name as 'topic' for the Topic model objects. Currently, we use topic as the local variable name for topic names. We rename local variables of the form topic to *topic_name so that we don't need to think about type collisions in individual code paths where we might want to talk about both Topic objects and strings for the topic name. 2024-01-17 15:53:30 +01:00			`topic_name = payload["event_data"]["repository"]["repo_full_name"].tame(check_string)`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
			`if event in IGNORED_EVENTS:`
backend: Add request as parameter to json_success. Adds request as a parameter to json_success as a refactor towards making `ignored_parameters_unsupported` functionality available for all API endpoints. Also, removes any data parameters that are an empty dict or a dict with the generic success response values. 2022-01-31 13:44:02 +01:00			`return json_success(request)`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
			`content_func = EVENT_FUNCTION_MAPPER.get(event)`

			`if content_func is None:`
ruff: Fix N818 exception name should be named with an Error suffix. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2022-11-17 09:30:48 +01:00			`raise UnsupportedWebhookEventTypeError(event)`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com> 2020-04-22 01:09:50 +02:00			`content: str = content_func(payload, user_profile, operator_username)`
webhooks: Add Harbor webhook integration. 2019-10-20 02:12:00 +02:00
webhooks: Add support to event filtering system for webhooks. This add support to event filtering system for most webhooks that require trivial changes to adapt this feature. 2021-07-16 11:40:46 +02:00			`check_send_webhook_message(`
webhooks: Rename topic local variables to topic_name. This is preparatory work towards adding a Topic model. We plan to use the local variable name as 'topic' for the Topic model objects. Currently, we use topic as the local variable name for topic names. We rename local variables of the form topic to *topic_name so that we don't need to think about type collisions in individual code paths where we might want to talk about both Topic objects and strings for the topic name. 2024-01-17 15:53:30 +01:00			`request, user_profile, topic_name, content, event, unquote_url_parameters=True`
webhooks: Add support to event filtering system for webhooks. This add support to event filtering system for most webhooks that require trivial changes to adapt this feature. 2021-07-16 11:40:46 +02:00			`)`
backend: Add request as parameter to json_success. Adds request as a parameter to json_success as a refactor towards making `ignored_parameters_unsupported` functionality available for all API endpoints. Also, removes any data parameters that are an empty dict or a dict with the generic success response values. 2022-01-31 13:44:02 +01:00			`return json_success(request)`