add github and gitlab config shortcuts (#30)

semgrep · Jul 20, 2023 · a96211d · a96211d
1 parent 4392a2a
commit a96211d
Show file tree

Hide file tree

Showing 2 changed files with 148 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -52,9 +52,51 @@ inbound:
   allowlist: [...]
 ```
 
+### GitHub
+
+The `github` configuration section simplifies granting Semgrep access to leave PR comments.
+
+Example:
+```yaml
+inbound:
+  github:
+    baseUrl: https://github.example.com/api/v3
+    token: ...
+```
+
+Under the hood, this config adds these allowlist items:
+
+- GET `https://github.example.com/api/v3/repos/:owner/:repo`
+- GET `https://github.example.com/api/v3/repos/:owner/:repo/pulls`
+- POST `https://github.example.com/api/v3/repos/:owner/:repo/pulls/:number/comments`
+- POST `https://github.example.com/api/v3/repos/:owner/:repo/issues/:number/comments`
+
+### GitLab
+
+Similarly, the `gitlab` configuration section grants Semgrep access to leave MR comments.
+
+Example:
+```yaml
+inbound:
+  gitlab:
+    baseUrl: https://gitlab.example.com/api/v4
+    token: ...
+```
+
+Under the hood, this config adds these allowlist items:
+
+- GET `https://gitlab.example.com/api/v4/projects/:project`
+- GET `https://gitlab.example.com/api/v4/projects/:project/merge_requests`
+- GET `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/versions`
+- GET `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions`
+- POST `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions`
+- PUT `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion/notes/:note`
+- PUT `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion`
+
+
 ### Allowlist
 
-The `allowlist` configuration section controls what HTTP requests are allowed to be forwarded out of the broker. The first matching allowlist item is used. No allowlist match means the request will not be proxied.
+The `allowlist` configuration section provides finer-grained control over what HTTP requests are allowed to be forwarded out of the broker. The first matching allowlist item is used. No allowlist match means the request will not be proxied.
 
 Examples:
 ```yaml

diff --git a/pkg/config.go b/pkg/config.go
@@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"net/url"
 	"reflect"
 	"strings"
 
@@ -194,13 +195,25 @@ type UnsafeConfig struct {
 	ForceHTTP bool `mapstructure:"forceHttp" json:"forceHttp"`
 }
 
+type GitHub struct {
+	BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
+	Token   string `mapstructure:"token" json:"token"`
+}
+
+type GitLab struct {
+	BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
+	Token   string `mapstructure:"token" json:"token"`
+}
+
 type InboundProxyConfig struct {
 	Wireguard       WireguardBase   `mapstructure:"wireguard" json:"wireguard"`
 	Allowlist       Allowlist       `mapstructure:"allowlist" json:"allowlist"`
 	ProxyListenPort int             `mapstructure:"proxyListenPort" json:"proxyListenPort" validate:"gte=0" default:"80"`
 	Logging         LoggingConfig   `mapstructure:"logging" json:"logging"`
 	Heartbeat       HeartbeatConfig `mapstructure:"heartbeat" json:"heartbeat"`
 	Unsafe          UnsafeConfig    `mapstructure:"unsafe" json:"unsafe"`
+	GitHub          *GitHub         `mapstructure:"github" json:"github"`
+	GitLab          *GitLab         `mapstructure:"gitlab" json:"gitlab"`
 }
 
 type FilteredRelayConfig struct {
@@ -234,5 +247,97 @@ func LoadConfig(configFiles []string) (*Config, error) {
 		return nil, fmt.Errorf("failed to unmarshal config: %v", err)
 	}
 	defaults.SetDefaults(config)
+
+	if config.Inbound.GitHub != nil {
+		gitHub := config.Inbound.GitHub
+
+		gitHubBaseUrl, err := url.Parse(gitHub.BaseURL)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse github base URL: %v", err)
+		}
+
+		headers := map[string]string{
+			"Authorization": fmt.Sprintf("Bearer %v", gitHub.Token),
+		}
+
+		config.Inbound.Allowlist = append(config.Inbound.Allowlist,
+			// repo info
+			AllowlistItem{
+				URL:               gitHubBaseUrl.JoinPath("/repos/:owner/:repo").String(),
+				Methods:           HttpMethods(MethodGet),
+				SetRequestHeaders: headers,
+			},
+			// PR info
+			AllowlistItem{
+				URL:               gitHubBaseUrl.JoinPath("/repos/:owner/:repo/pulls").String(),
+				Methods:           HttpMethods(MethodGet),
+				SetRequestHeaders: headers,
+			},
+			// post PR comment
+			AllowlistItem{
+				URL:               gitHubBaseUrl.JoinPath("/repos/:owner/:repo/pulls/:number/comments").String(),
+				Methods:           HttpMethods(MethodPost),
+				SetRequestHeaders: headers,
+			},
+			// post issue comment
+			AllowlistItem{
+				URL:               gitHubBaseUrl.JoinPath("/repos/:owner/:repo/issues/:number/comments").String(),
+				Methods:           HttpMethods(MethodPost),
+				SetRequestHeaders: headers,
+			})
+	}
+
+	if config.Inbound.GitLab != nil {
+		gitLab := config.Inbound.GitLab
+
+		gitLabBaseUrl, err := url.Parse(gitLab.BaseURL)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse gitlab base URL: %v", err)
+		}
+
+		headers := map[string]string{
+			"PRIVATE-TOKEN": gitLab.Token,
+		}
+
+		config.Inbound.Allowlist = append(config.Inbound.Allowlist,
+			// repo info
+			AllowlistItem{
+				URL:               gitLabBaseUrl.JoinPath("/projects/:project").String(),
+				Methods:           HttpMethods(MethodGet),
+				SetRequestHeaders: headers,
+			},
+			// MR info
+			AllowlistItem{
+				URL:               gitLabBaseUrl.JoinPath("/projects/:project/merge_requests").String(),
+				Methods:           HttpMethods(MethodGet),
+				SetRequestHeaders: headers,
+			},
+			// MR versions
+			AllowlistItem{
+				URL:               gitLabBaseUrl.JoinPath("/projects/:project/merge_requests/:number/versions").String(),
+				Methods:           HttpMethods(MethodGet),
+				SetRequestHeaders: headers,
+			},
+			// post MR comment
+			AllowlistItem{
+				URL:               gitLabBaseUrl.JoinPath("/projects/:project/merge_requests/:number/discussions").String(),
+				Methods:           HttpMethods(MethodGet | MethodPost),
+				SetRequestHeaders: headers,
+			},
+			// update MR comment
+			AllowlistItem{
+				URL:               gitLabBaseUrl.JoinPath("/projects/:project/merge_requests/:number/discussions/:discussion/notes/:note").String(),
+				Methods:           HttpMethods(MethodPut),
+				SetRequestHeaders: headers,
+			},
+			// resolve MR comment
+			AllowlistItem{
+				URL:               gitLabBaseUrl.JoinPath("/projects/:project/merge_requests/:number/discussions/:discussion").String(),
+				Methods:           HttpMethods(MethodPut),
+				SetRequestHeaders: headers,
+			},
+		)
+	}
+
 	return config, nil
 }