Commit f77be11c authored by Sean McGivern's avatar Sean McGivern

Ensure hook tokens are write-only in the API

parent c85c146a
...@@ -1139,7 +1139,7 @@ Parameters: ...@@ -1139,7 +1139,7 @@ Parameters:
| `pipeline_events` | boolean | no | Trigger hook on pipeline events | | `pipeline_events` | boolean | no | Trigger hook on pipeline events |
| `wiki_events` | boolean | no | Trigger hook on wiki events | | `wiki_events` | boolean | no | Trigger hook on wiki events |
| `enable_ssl_verification` | boolean | no | Do SSL verification when triggering the hook | | `enable_ssl_verification` | boolean | no | Do SSL verification when triggering the hook |
| `token` | string | no | Secret token to validate received payloads | | `token` | string | no | Secret token to validate received payloads; this will not be returned in the response |
### Edit project hook ### Edit project hook
...@@ -1165,7 +1165,7 @@ Parameters: ...@@ -1165,7 +1165,7 @@ Parameters:
| `pipeline_events` | boolean | no | Trigger hook on pipeline events | | `pipeline_events` | boolean | no | Trigger hook on pipeline events |
| `wiki_events` | boolean | no | Trigger hook on wiki events | | `wiki_events` | boolean | no | Trigger hook on wiki events |
| `enable_ssl_verification` | boolean | no | Do SSL verification when triggering the hook | | `enable_ssl_verification` | boolean | no | Do SSL verification when triggering the hook |
| `token` | string | no | Secret token to validate received payloads | | `token` | string | no | Secret token to validate received payloads; this will not be returned in the response |
### Delete project hook ### Delete project hook
......
...@@ -50,7 +50,7 @@ module API ...@@ -50,7 +50,7 @@ module API
expose :project_id, :push_events expose :project_id, :push_events
expose :issues_events, :merge_requests_events, :tag_push_events expose :issues_events, :merge_requests_events, :tag_push_events
expose :note_events, :build_events, :pipeline_events, :wiki_page_events expose :note_events, :build_events, :pipeline_events, :wiki_page_events
expose :enable_ssl_verification, :token expose :enable_ssl_verification
end end
class BasicProjectDetails < Grape::Entity class BasicProjectDetails < Grape::Entity
......
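Review bot: The `expose :enable_ssl_verification` line now silently omits the hook's token, and nothing in the entity records that the omission is intentional, so a maintainer syncing the expose list with the model's attributes could re-add it. A one-line comment would pin the contract, e.g. `# token is deliberately not exposed: it is write-only in the API`. The enclosing entity class starts outside the hunk, and whether any other entity or serializer renders hooks is not visible here — if one does, it presumably needs the same treatment.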
...@@ -36,7 +36,6 @@ describe API::API, 'ProjectHooks', api: true do ...@@ -36,7 +36,6 @@ describe API::API, 'ProjectHooks', api: true do
expect(json_response.first['pipeline_events']).to eq(true) expect(json_response.first['pipeline_events']).to eq(true)
expect(json_response.first['wiki_page_events']).to eq(true) expect(json_response.first['wiki_page_events']).to eq(true)
expect(json_response.first['enable_ssl_verification']).to eq(true) expect(json_response.first['enable_ssl_verification']).to eq(true)
expect(json_response.first['token']).to eq('S3cr3t')
end end
end end
...@@ -63,7 +62,6 @@ describe API::API, 'ProjectHooks', api: true do ...@@ -63,7 +62,6 @@ describe API::API, 'ProjectHooks', api: true do
expect(json_response['pipeline_events']).to eq(hook.pipeline_events) expect(json_response['pipeline_events']).to eq(hook.pipeline_events)
expect(json_response['wiki_page_events']).to eq(hook.wiki_page_events) expect(json_response['wiki_page_events']).to eq(hook.wiki_page_events)
expect(json_response['enable_ssl_verification']).to eq(hook.enable_ssl_verification) expect(json_response['enable_ssl_verification']).to eq(hook.enable_ssl_verification)
expect(json_response['token']).to eq(hook.token)
end end
it "returns a 404 error if hook id is not available" do it "returns a 404 error if hook id is not available" do
...@@ -90,6 +88,7 @@ describe API::API, 'ProjectHooks', api: true do ...@@ -90,6 +88,7 @@ describe API::API, 'ProjectHooks', api: true do
expect do expect do
post api("/projects/#{project.id}/hooks", user), url: "http://example.com", issues_events: true post api("/projects/#{project.id}/hooks", user), url: "http://example.com", issues_events: true
end.to change {project.hooks.count}.by(1) end.to change {project.hooks.count}.by(1)
expect(response).to have_http_status(201) expect(response).to have_http_status(201)
expect(json_response['url']).to eq('http://example.com') expect(json_response['url']).to eq('http://example.com')
expect(json_response['issues_events']).to eq(true) expect(json_response['issues_events']).to eq(true)
...@@ -101,7 +100,24 @@ describe API::API, 'ProjectHooks', api: true do ...@@ -101,7 +100,24 @@ describe API::API, 'ProjectHooks', api: true do
expect(json_response['pipeline_events']).to eq(false) expect(json_response['pipeline_events']).to eq(false)
expect(json_response['wiki_page_events']).to eq(false) expect(json_response['wiki_page_events']).to eq(false)
expect(json_response['enable_ssl_verification']).to eq(true) expect(json_response['enable_ssl_verification']).to eq(true)
expect(json_response['token']).to eq('S3cr3t') expect(json_response).not_to include('token')
end
it "adds the token without including it in the response" do
token = "secret token"
expect do
post api("/projects/#{project.id}/hooks", user), url: "http://example.com", token: token
end.to change {project.hooks.count}.by(1)
expect(response).to have_http_status(201)
expect(json_response["url"]).to eq("http://example.com")
expect(json_response).not_to include("token")
hook = project.hooks.find(json_response["id"])
expect(hook.url).to eq("http://example.com")
expect(hook.token).to eq(token)
end end
it "returns a 400 error if url not given" do it "returns a 400 error if url not given" do
...@@ -130,7 +146,19 @@ describe API::API, 'ProjectHooks', api: true do ...@@ -130,7 +146,19 @@ describe API::API, 'ProjectHooks', api: true do
expect(json_response['pipeline_events']).to eq(hook.pipeline_events) expect(json_response['pipeline_events']).to eq(hook.pipeline_events)
expect(json_response['wiki_page_events']).to eq(hook.wiki_page_events) expect(json_response['wiki_page_events']).to eq(hook.wiki_page_events)
expect(json_response['enable_ssl_verification']).to eq(hook.enable_ssl_verification) expect(json_response['enable_ssl_verification']).to eq(hook.enable_ssl_verification)
expect(json_response['token']).to eq(hook.token) end
it "adds the token without including it in the response" do
token = "secret token"
put api("/projects/#{project.id}/hooks/#{hook.id}", user), url: "http://example.org", token: token
expect(response).to have_http_status(200)
expect(json_response["url"]).to eq("http://example.org")
expect(json_response).not_to include("token")
expect(hook.reload.url).to eq("http://example.org")
expect(hook.reload.token).to eq(token)
end end
it "returns 404 error if hook id not found" do it "returns 404 error if hook id not found" do
......
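Review bot: The index and show examples in the first two hunks only drop the old `token` assertion, so a regression that re-exposes the token on GET would still pass; the removed lines should become negative assertions, `expect(json_response.first).not_to include('token')` for the list and `expect(json_response).not_to include('token')` for the show. The new create and update examples already assert absence, so this would make all four endpoints consistent. In the update example, `hook.reload` is called twice in consecutive lines; reloading once and then asserting `hook.url` and `hook.token` avoids the second query.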