From 71cf9a125e125456533242a9beb1b234ce1d3e54 Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Thu, 16 Mar 2023 09:34:04 +0100
Subject: [PATCH] First iteration on secret management
---
 .albatros | 1 +
 example/albatros.json | 5 ++++-
 main.go | 16 ++++++++++------
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/.albatros b/.albatros
index ee444c8..91e273e 100755
--- a/.albatros
+++ b/.albatros
@@ -3,4 +3,5 @@ set -euxo pipefail
 go build
+cat $SECRET_PATH
 echo "done" >&2
diff --git a/example/albatros.json b/example/albatros.json
index 3228238..4c88848 100644
--- a/example/albatros.json
+++ b/example/albatros.json
@@ -1,11 +1,14 @@
 {
 "ref": "refs/heads/main",
- "after": "d5b22924745b8ea9fb5618e45cb78d1a2f61734b",
+ "after": "c36a4527c06f0cbea1d4441f859265a73da04cca",
 "repository": {
 "owner": {
 "username": "quentin"
 },
 "name": "albatros",
 "clone_url": "https://git.deuxfleurs.fr/quentin/albatros.git"
+ },
+ "sender": {
+ "username": "quentin"
 }
 }
diff --git a/main.go b/main.go
index 3d79ef8..b0d49f7 100644
--- a/main.go
+++ b/main.go
@@ -8,6 +8,7 @@ import (
 "github.com/caarlos0/env/v7"
 consul "github.com/hashicorp/consul/api"
 nomad "github.com/hashicorp/nomad/api"
+ "golang.org/x/exp/slices"
 "io"
 "log"
 "net/http"
@@ -115,7 +116,7 @@ func notifSummary(notification *GiteaNotification) string {
 func lifecycle(notification *GiteaNotification, dispatch *nomad.JobDispatchResponse, giteaCreds *SecretGitea) {
 notifInfo := notifSummary(notification)
- log.Printf("[lifecyle] Commit to build: %s, Gitea URL: %s\n", notifInfo, giteaCreds.Url)
+ log.Printf("[lifecycle] Commit to build: %s, Gitea URL: %s\n", notifInfo, giteaCreds.Url)
 // init Gitea
 forge, err := gitea.NewClient(giteaCreds.Url, gitea.SetToken(giteaCreds.Token))
 if err != nil {
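Review bot: `cat $SECRET_PATH` on the added line writes the secret file's contents to the build's standard output, so whatever captures this script's output (at least the Nomad task log) will hold the secret in clear, readable by anyone who can view build logs. If the line is only meant to confirm the file was mounted, `test -s "$SECRET_PATH"` verifies presence and non-emptiness without printing it; quoting the variable also avoids word splitting on the path. The `-x` in the script's `set -euxo pipefail` header already echoes each expanded command line, which is harmless for a path but one more reason to keep the file contents out of the output. The rest of the script is outside the hunk.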
@@ -239,19 +240,22 @@ func hook(w http.ResponseWriter, r *http.Request) {
 "BRANCH": strings.ReplaceAll(notification.Ref, "refs/heads/", ""),
 }
- // @FIXME logic on how to inject secrets securely
- // 1. Check senders
- // 2. Transform the consul object into a nomad payload
+ // Check sender
+ payload := []byte{}
+ if slices.Contains(repoDesc.Trusted.Senders, notification.Sender.Username) {
+ log.Printf("Trusted build of %s as %s in the list of allowed senders, inject secrets\n", notifInfo, notification.Sender.Username)
+ // Write payload
+ payload = []byte(repoDesc.Inject)
+ }
 jobs := NomadClient.Jobs()
- dres, _, err := jobs.Dispatch("builder", meta, []byte{}, "albatros", &nomad.WriteOptions{})
+ dres, _, err := jobs.Dispatch("builder", meta, payload, "albatros", &nomad.WriteOptions{})
 if err != nil {
 http.Error(w, "Can't submit your job to Nomad", http.StatusInternalServerError)
 }
 log.Printf("Created job %s for %s\n", dres.DispatchedJobID, notifInfo)
 // Start a lifecycle observer to update gitea status
- // @FIXME: need to inject gitea descriptor
 go lifecycle(¬ification, dres, &repoDesc.Gitea)
 io.WriteString(w, dres.DispatchedJobID)
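Review bot: The trust decision on the `slices.Contains` line is based on `notification.Sender.Username`, a field of the webhook body supplied by the caller; it only says who triggered the build if `hook` has already authenticated the request (for Gitea, checking the HMAC signature header against the webhook secret) — `hook` starts outside the hunk, so I cannot see whether that check exists, and without it the allow-list is only a claim made by the client. On the new `Dispatch` line, when `err != nil` the handler calls `http.Error` but does not leave the function, so the following `dres.DispatchedJobID` dereferences a nil `dres`; add `return` after the `http.Error` call. As far as I know Nomad persists the dispatch payload with the dispatched job, so `repoDesc.Inject` becomes readable to anyone with read access to that job; that assumption deserves a comment on the `payload = []byte(repoDesc.Inject)` line, e.g. `// NOTE: the dispatch payload is stored with the job; Nomad job-read access implies access to these secrets`. Finally, `payload := []byte{}` can be `var payload []byte`, which Dispatch accepts equally.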