add white listing of repositories

Signed-off-by: ravenolf <[email protected]>
github-aws-runners · Jun 21, 2021 · a38f774 · a38f774
1 parent 744d977
commit a38f774
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -49,6 +49,7 @@ module "webhook" {
 
   role_path                 = var.role_path
   role_permissions_boundary = var.role_permissions_boundary
+  repository_white_list     = var.webhook_repository_white_list
 }
 
 module "runners" {

diff --git a/modules/webhook/lambdas/webhook/src/webhook/handler.test.ts b/modules/webhook/lambdas/webhook/src/webhook/handler.test.ts
@@ -14,6 +14,7 @@ describe('handler', () => {
   let originalError: Console['error'];
 
   beforeEach(() => {
+    process.env.REPOSITORY_WHITE_LIST = '[]';
     process.env.GITHUB_APP_WEBHOOK_SECRET = 'TEST_SECRET';
     originalError = console.error;
     console.error = jest.fn();
@@ -71,4 +72,5 @@ describe('handler', () => {
     expect(resp).toBe(200);
     expect(sendActionRequest).not.toBeCalled();
   });
+
 });
diff --git a/modules/webhook/lambdas/webhook/src/webhook/handler.ts b/modules/webhook/lambdas/webhook/src/webhook/handler.ts
@@ -40,6 +40,18 @@ export const handle = async (headers: IncomingHttpHeaders, payload: any): Promis
 
   if (githubEvent === 'check_run') {
     const body = JSON.parse(payload) as CheckRunEvent;
+
+    const repositoryWhiteListEnv = process.env.REPOSITORY_WHITE_LIST as string || "[]";
+    const repositoryWhiteList = JSON.parse(repositoryWhiteListEnv) as Array<string>;
+
+    if (repositoryWhiteList.length > 0) {
+      const repositoryFullName = body.repository.full_name;
+      if (!repositoryWhiteList.includes(repositoryFullName)) {
+        console.error(`Received event from unauthorized repository ${repositoryFullName}`);
+        return 500;
+      }
+    }
+
     let installationId = body.installation?.id;
     if (installationId == null) {
       installationId = 0;

diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf
@@ -79,3 +79,8 @@ variable "webhook_lambda_s3_object_version" {
   default     = null
 }
 
+variable "webhook_repository_white_list" {
+  description = "List of repositories allowed to use the github app"
+  type        = list(string)
+  default     = []
+}
diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf
@@ -44,6 +44,7 @@ resource "aws_lambda_function" "webhook" {
       KMS_KEY_ID                = var.encryption.kms_key_id
       GITHUB_APP_WEBHOOK_SECRET = local.github_app_webhook_secret
       SQS_URL_WEBHOOK           = var.sqs_build_queue.id
+      REPOSITORY_WHITE_LIST     = jsonencode(var.webhook_repository_white_list)
     }
   }
 

diff --git a/variables.tf b/variables.tf
@@ -360,3 +360,9 @@ variable "instance_types" {
   type        = set(string)
   default     = null
 }
+
+variable "repository_white_list" {
+  description = "List of repositories allowed to use the github app"
+  type        = list(string)
+  default     = []
+}