fix: gitea connect error & jwt decode (#681)

* test: connect gitea

* test: jwt

* test: jwt

* test: jwt error

* test: jwt

* fix: jwt error

* fix: jwt error

* fix: jwt

* fix: update jwt middleware & gitea connect

Author: ferruhcihan

package-lock.json

@@ -33,7 +33,7 @@
     "json-stable-stringify": "^1.0.1",
     "jsonpath": "^1.1.1",
     "jsonwebtoken": "^9.0.0",
-    "jwt-decode": "^2.2.0",
+    "jwt-decode": "^4.0.0",
     "lightship": "^6.7.2",
     "lodash": "^4.17.21",
     "lowdb": "^1.0.0",

package.json

@@ -3,14 +3,14 @@
 import $parser from '@apidevtools/json-schema-ref-parser'
 import cors from 'cors'
 import Debug from 'debug'
-import express, { request } from 'express'
+import express from 'express'
 import 'express-async-errors'
 import { initialize } from 'express-openapi'
 import { Server } from 'http'
-import httpSignature from 'http-signature'
 import { createLightship } from 'lightship'
 import logger from 'morgan'
 import path from 'path'
+import { CleanOptions } from 'simple-git'
 import { default as Authz } from 'src/authz'
 import {
   authzMiddleware,
@@ -37,7 +37,6 @@ import {
 import swaggerUi from 'swagger-ui-express'
 import giteaCheckLatest from './gitea/connect'
 import { getBuildStatus, getSealedSecretStatus, getServiceStatus, getWorkloadStatus } from './k8s_operations'
-import { CleanOptions } from 'simple-git'
 
 const env = cleanEnv({
   DRONE_WEBHOOK_SECRET,
@@ -61,8 +60,7 @@ type OtomiSpec = {
 const checkAgainstGitea = async () => {
   const encodedToken = Buffer.from(`${env.GIT_USER}:${env.GIT_PASSWORD}`).toString('base64')
   const otomiStack = await getSessionStack()
-  const clusterInfo = otomiStack?.getSettings(['cluster'])
-  const latestOtomiVersion = await giteaCheckLatest(encodedToken, clusterInfo)
+  const latestOtomiVersion = await giteaCheckLatest(encodedToken)
   // check the local version against the latest online version
   // if the latest online is newer it will be pulled locally
   if (latestOtomiVersion && latestOtomiVersion.data[0].sha !== otomiStack.git.commitSha) {
@@ -176,27 +174,6 @@ export async function initApp(inOtomiStack?: OtomiStack | undefined) {
   setInterval(async function () {
     await checkAgainstGitea()
   }, gitCheckVersionInterval)
-  app.all('/drone', async (req, res, next) => {
-    const parsed = httpSignature.parseRequest(req, {
-      algorithm: 'hmac-sha256',
-    })
-    if (!httpSignature.verifyHMAC(parsed, env.DRONE_WEBHOOK_SECRET)) return res.status(401).send()
-    const event = req.headers['x-drone-event']
-    res.send('ok')
-    if (event !== 'build') return
-    const io = getIo()
-    // emit now to let others know, before doing anything else
-    if (io) io.emit('drone', req.body)
-    // deployment might have changed data, so reload
-    const { build } = request.body || {}
-    if (!build) return
-    const { status } = build
-    if (status === 'success') {
-      const stack = await getSessionStack()
-      debug('Drone deployed, root pull')
-      await stack.git.pull()
-    }
-  })
   let server: Server | undefined
   if (!inOtomiStack) {
     // initialize full server

src/app.ts

@@ -1,13 +1,19 @@
 import axios from 'axios'
 import Debug from 'debug'
+import { cleanEnv, GIT_REPO_URL } from 'src/validators'
 
 const debug = Debug('otomi:gitea-connect')
 
+const env = cleanEnv({
+  GIT_REPO_URL,
+})
+
 // get call to the api to retrieve all the commits
-export default async function giteaCheckLatest(token: string, clusterData: any): Promise<any> {
-  const domainSuffix: string | undefined = clusterData?.cluster?.domainSuffix
-  const giteaUrl = `https://gitea.${domainSuffix}/api/v1/repos/otomi/values/commits`
-  if (domainSuffix) {
+export default async function giteaCheckLatest(token: string): Promise<any> {
+  // Extracts "http://gitea-http.gitea.svc.cluster.local:3000" or "https://gitea.<domainSuffix>"
+  const baseDomain = new URL(env.GIT_REPO_URL).origin
+  if (baseDomain) {
+    const giteaUrl = `${baseDomain}/api/v1/repos/otomi/values/commits`
     const response = await axios({
       url: giteaUrl,
       method: 'GET',
@@ -18,7 +24,6 @@ export default async function giteaCheckLatest(token: string, clusterData: any):
     }).catch((error) => {
       debug('Gitea error: ', error.message)
     })
-
     return response
   }
 }

src/gitea/connect.ts

@@ -1,7 +1,7 @@
 /* eslint-disable no-param-reassign */
 import { debug } from 'console'
 import { RequestHandler } from 'express'
-import jwtDecode from 'jwt-decode'
+import { jwtDecode } from 'jwt-decode'
 import { getMockEmail, getMockGroups, getMockName } from 'src/mocks'
 import { JWT, OpenApiRequestExt, SessionUser } from 'src/otomi-models'
 import OtomiStack from 'src/otomi-stack'
@@ -21,7 +21,7 @@ export function getUser(user: JWT, otomi: OtomiStack): SessionUser {
   }
   // keycloak does not (yet) give roles, so
   // for now we map correct group names to roles
-  user.groups.forEach((group) => {
+  user?.groups?.forEach((group) => {
     if (['platform-admin', 'all-teams-admin'].includes(group)) {
       if (!sessionUser.roles.includes('platformAdmin')) {
         sessionUser.isPlatformAdmin = true
@@ -70,8 +70,16 @@ export function jwtMiddleware(): RequestHandler {
       debug('anonymous request')
       return next()
     }
-    const { name, email, roles, groups, sub } = jwtDecode(token)
-    req.user = getUser({ name, email, roles, groups, sub }, otomi)
-    return next()
+    try {
+      const { name, email, roles, groups, sub } = jwtDecode<JWT>(token)
+      req.user = getUser({ name, email, roles, groups, sub }, otomi)
+      return next()
+    } catch (error) {
+      debug('JWT decode fails:', error.message)
+      return res.status(401).send({
+        message: 'Unauthorized',
+        error: 'JWT decode fails',
+      })
+    }
   }
 }