feat(hook,api): retrieve hook initiator before running workflow (#6626)

contrib/grpcplugins/action/plugin-archive/go.mod

@@ -64,7 +64,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rockbears/log v0.8.0 // indirect
-	github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625 // indirect
+	github.com/rockbears/yaml v0.4.0 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/sguiheux/go-coverage v0.0.0-20190710153556-287b082a7197 // indirect
 	github.com/sirupsen/logrus v1.9.2 // indirect

contrib/grpcplugins/action/plugin-archive/go.sum

@@ -278,8 +278,8 @@ github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rockbears/log v0.8.0 h1:OClKWGGuMnoem5vl/SNzZRdNsaStP8fBidH5oD46O6E=
 github.com/rockbears/log v0.8.0/go.mod h1:rnSsmxtJcxoslHzIcHkCuSeAsxN46z/EOFIuiWuzefM=
-github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625 h1:HQAWw/D9RItCYSoWFs8E7IrGKrX9ivqAlCq47DM3IVU=
-github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625/go.mod h1:8cDJx2PWQJMtfGgsRCvHVbIB61SV3dvy8o6EGv2cIpg=
+github.com/rockbears/yaml v0.4.0 h1:Mvxo/KXPdZ2x3XOMM+xj0Vvm3sb6E2uh4jeoCtdHab4=
+github.com/rockbears/yaml v0.4.0/go.mod h1:8cDJx2PWQJMtfGgsRCvHVbIB61SV3dvy8o6EGv2cIpg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=

contrib/grpcplugins/action/plugin-artifactory-release-bundle-create/go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/jfrog/jfrog-client-go v1.31.4
 	github.com/ovh/cds v0.0.0-00010101000000-000000000000
 	github.com/pkg/errors v0.9.1
-	github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625
+	github.com/rockbears/yaml v0.4.0
 	github.com/stretchr/testify v1.8.4
 )
 

contrib/grpcplugins/action/plugin-artifactory-release-bundle-create/go.sum

@@ -447,8 +447,8 @@ github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7z
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rockbears/log v0.7.0 h1:DM1rX/X+VsdRnsgVtydnHk47/4pP/mbI/dq2plFRAAc=
 github.com/rockbears/log v0.7.0/go.mod h1:rnSsmxtJcxoslHzIcHkCuSeAsxN46z/EOFIuiWuzefM=
-github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625 h1:HQAWw/D9RItCYSoWFs8E7IrGKrX9ivqAlCq47DM3IVU=
-github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625/go.mod h1:8cDJx2PWQJMtfGgsRCvHVbIB61SV3dvy8o6EGv2cIpg=
+github.com/rockbears/yaml v0.4.0 h1:Mvxo/KXPdZ2x3XOMM+xj0Vvm3sb6E2uh4jeoCtdHab4=
+github.com/rockbears/yaml v0.4.0/go.mod h1:8cDJx2PWQJMtfGgsRCvHVbIB61SV3dvy8o6EGv2cIpg=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=

contrib/grpcplugins/action/plugin-artifactory-release-bundle-distribute/go.mod

@@ -74,7 +74,7 @@ require (
 	github.com/prometheus/statsd_exporter v0.22.7 // indirect
 	github.com/rivo/uniseg v0.4.3 // indirect
 	github.com/rockbears/log v0.7.0 // indirect
-	github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625 // indirect
+	github.com/rockbears/yaml v0.4.0 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/sguiheux/go-coverage v0.0.0-20190710153556-287b082a7197 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect

contrib/grpcplugins/action/plugin-artifactory-release-bundle-distribute/go.sum

@@ -360,8 +360,8 @@ github.com/rivo/uniseg v0.4.3 h1:utMvzDsuh3suAEnhH0RdHmoPbU648o6CvXxTx4SBMOw=
 github.com/rivo/uniseg v0.4.3/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rockbears/log v0.7.0 h1:DM1rX/X+VsdRnsgVtydnHk47/4pP/mbI/dq2plFRAAc=
 github.com/rockbears/log v0.7.0/go.mod h1:rnSsmxtJcxoslHzIcHkCuSeAsxN46z/EOFIuiWuzefM=
-github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625 h1:HQAWw/D9RItCYSoWFs8E7IrGKrX9ivqAlCq47DM3IVU=
-github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625/go.mod h1:8cDJx2PWQJMtfGgsRCvHVbIB61SV3dvy8o6EGv2cIpg=
+github.com/rockbears/yaml v0.4.0 h1:Mvxo/KXPdZ2x3XOMM+xj0Vvm3sb6E2uh4jeoCtdHab4=
+github.com/rockbears/yaml v0.4.0/go.mod h1:8cDJx2PWQJMtfGgsRCvHVbIB61SV3dvy8o6EGv2cIpg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=

contrib/grpcplugins/action/plugin-npm-audit-parser/go.mod

@@ -61,7 +61,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rockbears/log v0.8.0 // indirect
-	github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625 // indirect
+	github.com/rockbears/yaml v0.4.0 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/sguiheux/go-coverage v0.0.0-20190710153556-287b082a7197 // indirect
 	github.com/sirupsen/logrus v1.9.2 // indirect

contrib/grpcplugins/action/plugin-npm-audit-parser/go.sum

@@ -278,8 +278,8 @@ github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rockbears/log v0.8.0 h1:OClKWGGuMnoem5vl/SNzZRdNsaStP8fBidH5oD46O6E=
 github.com/rockbears/log v0.8.0/go.mod h1:rnSsmxtJcxoslHzIcHkCuSeAsxN46z/EOFIuiWuzefM=
-github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625 h1:HQAWw/D9RItCYSoWFs8E7IrGKrX9ivqAlCq47DM3IVU=
-github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625/go.mod h1:8cDJx2PWQJMtfGgsRCvHVbIB61SV3dvy8o6EGv2cIpg=
+github.com/rockbears/yaml v0.4.0 h1:Mvxo/KXPdZ2x3XOMM+xj0Vvm3sb6E2uh4jeoCtdHab4=
+github.com/rockbears/yaml v0.4.0/go.mod h1:8cDJx2PWQJMtfGgsRCvHVbIB61SV3dvy8o6EGv2cIpg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=

contrib/grpcplugins/action/plugin-tmpl/go.mod

@@ -61,7 +61,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rockbears/log v0.8.0 // indirect
-	github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625 // indirect
+	github.com/rockbears/yaml v0.4.0 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/sguiheux/go-coverage v0.0.0-20190710153556-287b082a7197 // indirect
 	github.com/sirupsen/logrus v1.9.2 // indirect

contrib/grpcplugins/action/plugin-tmpl/go.sum

@@ -278,8 +278,8 @@ github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rockbears/log v0.8.0 h1:OClKWGGuMnoem5vl/SNzZRdNsaStP8fBidH5oD46O6E=
 github.com/rockbears/log v0.8.0/go.mod h1:rnSsmxtJcxoslHzIcHkCuSeAsxN46z/EOFIuiWuzefM=
-github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625 h1:HQAWw/D9RItCYSoWFs8E7IrGKrX9ivqAlCq47DM3IVU=
-github.com/rockbears/yaml v0.1.1-0.20220901090137-13dadb408625/go.mod h1:8cDJx2PWQJMtfGgsRCvHVbIB61SV3dvy8o6EGv2cIpg=
+github.com/rockbears/yaml v0.4.0 h1:Mvxo/KXPdZ2x3XOMM+xj0Vvm3sb6E2uh4jeoCtdHab4=
+github.com/rockbears/yaml v0.4.0/go.mod h1:8cDJx2PWQJMtfGgsRCvHVbIB61SV3dvy8o6EGv2cIpg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=

engine/api/api_routes.go

@@ -456,6 +456,9 @@ func (api *API) InitRouter() {
 	r.Handle("/v2/hatchery/{hatcheryIdentifier}", nil, r.GETv2(api.getHatcheryHandler), r.DELETEv2(api.deleteHatcheryHandler))
 
 	r.Handle("/v2/hooks/workflows", nil, r.POSTv2(api.postRetrieveWorkflowToTriggerHandler))
+	r.Handle("/v2/hooks/event/signKey", nil, r.POSTv2(api.postHookEventRetrieveSignKeyHandler))
+	r.Handle("/v2/hooks/event/signKey/{uuid}", nil, r.GETv2(api.getRetrieveSignKeyOperationHandler))
+	r.Handle("/v2/hooks/event/user", nil, r.POSTv2(api.postRetrieveEventUserHandler))
 	r.Handle("/v2/hooks/repositories/{vcsServer}/{repositoryName}", nil, r.GETv2(api.getHooksRepositoriesHandler))
 	r.Handle("/v2/hooks/{projectKey}/vcs/{vcsType}/{vcsServer}/repository/{repositoryName}/secret", nil, r.GETv2(api.getRepositoryWebHookSecretHandler))
 	r.Handle("/v2/hooks/project/{projectKey}/vcs/{vcsIdentifier}/repository/{repositoryIdentifier}/workflow/{workflow}/run", nil, r.POSTv2(api.postWorkflowRunFromHookV2Handler))

engine/api/operation/operation.go

@@ -192,3 +192,33 @@ func Poll(ctx context.Context, db gorp.SqlExecutor, operationUUID string) (*sdk.
 		}
 	}
 }
+
+func CheckoutAndAnalyzeOperation(ctx context.Context, db gorp.SqlExecutor, proj sdk.Project, vcsWithSecret sdk.VCSProject, repoName, repoCloneURL string, commit, branch string) (*sdk.Operation, error) {
+  ope := &sdk.Operation{
+    VCSServer:    vcsWithSecret.Name,
+    RepoFullName: repoName,
+    URL:          repoCloneURL,
+    RepositoryStrategy: sdk.RepositoryStrategy{
+      SSHKey:   vcsWithSecret.Auth.SSHKeyName,
+      User:     vcsWithSecret.Auth.Username,
+      Password: vcsWithSecret.Auth.Token,
+    },
+    Setup: sdk.OperationSetup{
+      Checkout: sdk.OperationCheckout{
+        Commit:         commit,
+        Branch:         branch,
+        CheckSignature: true,
+      },
+    },
+  }
+  if vcsWithSecret.Auth.SSHKeyName != "" {
+    ope.RepositoryStrategy.ConnectionType = "ssh"
+  } else {
+    ope.RepositoryStrategy.ConnectionType = "https"
+  }
+
+  if err := PostRepositoryOperation(ctx, db, proj, ope, nil); err != nil {
+    return nil, err
+  }
+  return ope, nil
+}

engine/api/v2_hooks.go

@@ -9,6 +9,9 @@ import (
 	"github.com/go-gorp/gorp"
 	"github.com/gorilla/mux"
 
+	"github.com/ovh/cds/engine/api/database/gorpmapping"
+	"github.com/ovh/cds/engine/api/operation"
+	"github.com/ovh/cds/engine/api/project"
 	"github.com/ovh/cds/engine/api/repositoriesmanager"
 	"github.com/ovh/cds/engine/api/repository"
 	"github.com/ovh/cds/engine/api/services"
@@ -19,6 +22,134 @@ import (
 	"github.com/rockbears/log"
 )
 
+func (api *API) postRetrieveEventUserHandler() ([]service.RbacChecker, service.Handler) {
+	return service.RBAC(api.isHookService),
+		func(ctx context.Context, w http.ResponseWriter, req *http.Request) error {
+			var r sdk.HookRetrieveUserRequest
+			if err := service.UnmarshalBody(req, &r); err != nil {
+				return err
+			}
+
+			vcsProjectWithSecret, err := vcs.LoadVCSByProject(ctx, api.mustDB(), r.ProjectKey, r.VCSServerName, gorpmapping.GetOptions.WithDecryption)
+			if err != nil {
+				return err
+			}
+
+			resp := sdk.HookRetrieveUserResponse{}
+			u, _, _, err := findCommitter(ctx, api.Cache, api.mustDB(), r.Commit, r.SignKey, r.ProjectKey, *vcsProjectWithSecret, r.RepositoryName, api.Config.VCS.GPGKeys)
+			if err != nil {
+				return err
+			}
+			if u != nil {
+				resp.UserID = u.ID
+			}
+			return service.WriteJSON(w, resp, http.StatusOK)
+		}
+}
+
+func (api *API) getRetrieveSignKeyOperationHandler() ([]service.RbacChecker, service.Handler) {
+	return service.RBAC(api.isHookService),
+		func(ctx context.Context, w http.ResponseWriter, req *http.Request) error {
+			vars := mux.Vars(req)
+			uuid := vars["uuid"]
+
+			ope, err := operation.GetRepositoryOperation(ctx, api.mustDB(), uuid)
+			if err != nil {
+				return err
+			}
+			return service.WriteJSON(w, ope, http.StatusOK)
+		}
+}
+
+func (api *API) postHookEventRetrieveSignKeyHandler() ([]service.RbacChecker, service.Handler) {
+	return service.RBAC(api.isHookService),
+		func(ctx context.Context, w http.ResponseWriter, req *http.Request) error {
+
+			var hookRetrieveSignKey sdk.HookRetrieveSignKeyRequest
+			if err := service.UnmarshalRequest(ctx, req, &hookRetrieveSignKey); err != nil {
+				return err
+			}
+
+			proj, err := project.Load(ctx, api.mustDB(), hookRetrieveSignKey.ProjectKey, project.LoadOptions.WithKeys)
+			if err != nil {
+				return err
+			}
+
+			vcsProjectWithSecret, err := vcs.LoadVCSByProject(ctx, api.mustDB(), hookRetrieveSignKey.ProjectKey, hookRetrieveSignKey.VCSServerName, gorpmapping.GetOptions.WithDecryption)
+			if err != nil {
+				return err
+			}
+
+			tx, err := api.mustDB().Begin()
+			if err != nil {
+				return sdk.WithStack(err)
+			}
+			defer tx.Rollback() // nolint
+
+			vcsClient, err := repositoriesmanager.AuthorizedClient(ctx, tx, api.Cache, hookRetrieveSignKey.ProjectKey, hookRetrieveSignKey.VCSServerName)
+			if err != nil {
+				return err
+			}
+			repo, err := vcsClient.RepoByFullname(ctx, hookRetrieveSignKey.RepositoryName)
+			if err != nil {
+				log.Info(ctx, "unable to get repository %s/%s for project %s", hookRetrieveSignKey.VCSServerName, hookRetrieveSignKey.RepositoryName, hookRetrieveSignKey.ProjectKey)
+				return err
+			}
+			if err := tx.Commit(); err != nil {
+				return sdk.WithStack(err)
+			}
+
+			cloneURL := repo.SSHCloneURL
+			if vcsProjectWithSecret.Auth.SSHKeyName == "" {
+				cloneURL = repo.HTTPCloneURL
+			}
+			ope, err := operation.CheckoutAndAnalyzeOperation(ctx, api.mustDB(), *proj, *vcsProjectWithSecret, repo.Fullname, cloneURL, hookRetrieveSignKey.Commit, hookRetrieveSignKey.Branch)
+			if err != nil {
+				return err
+			}
+
+			api.GoRoutines.Exec(context.Background(), "operation-polling-"+ope.UUID, func(ctx context.Context) {
+				ope, err := operation.Poll(ctx, api.mustDB(), ope.UUID)
+				if err != nil {
+					log.ErrorWithStackTrace(ctx, err)
+					ope.Status = sdk.OperationStatusError
+					ope.Error = &sdk.OperationError{Message: fmt.Sprintf("%v", err)}
+				}
+
+				// Send result to hooks
+				srvs, err := services.LoadAllByType(ctx, api.mustDB(), sdk.TypeHooks)
+				if err != nil {
+					log.ErrorWithStackTrace(ctx, err)
+					return
+				}
+				if len(srvs) < 1 {
+					log.ErrorWithStackTrace(ctx, sdk.NewErrorFrom(sdk.ErrNotFound, "unable to find hook uservice"))
+					return
+				}
+				callback := sdk.HookEventCallback{
+					VCSServerType:      hookRetrieveSignKey.VCSServerType,
+					VCSServerName:      hookRetrieveSignKey.VCSServerName,
+					RepositoryName:     hookRetrieveSignKey.RepositoryName,
+					HookEventUUID:      hookRetrieveSignKey.HookEventUUID,
+					SigningKeyCallback: &sdk.HookSigninKeyCallback{},
+				}
+				if ope.Status == sdk.OperationStatusDone && ope.Setup.Checkout.Result.CommitVerified {
+					callback.SigningKeyCallback.SignKey = ope.Setup.Checkout.Result.SignKeyID
+				} else if ope.Status == sdk.OperationStatusDone && !ope.Setup.Checkout.Result.CommitVerified {
+					callback.SigningKeyCallback.SignKey = ope.Setup.Checkout.Result.SignKeyID
+					callback.SigningKeyCallback.Error = ope.Setup.Checkout.Result.Msg
+				} else {
+					callback.SigningKeyCallback.Error = ope.Error.Message
+				}
+				if _, code, err := services.NewClient(api.mustDB(), srvs).DoJSONRequest(ctx, http.MethodPost, "/v2/repository/event/callback", callback, nil); err != nil {
+					log.ErrorWithStackTrace(ctx, sdk.WrapError(err, "unable to send analysis call to  hook [HTTP: %d]", code))
+					return
+				}
+			})
+			return service.WriteJSON(w, ope, http.StatusOK)
+		}
+}
+
 func (api *API) postRetrieveWorkflowToTriggerHandler() ([]service.RbacChecker, service.Handler) {
 	return service.RBAC(api.isHookService),
 		func(ctx context.Context, w http.ResponseWriter, req *http.Request) error {