
Commit 4f271fe

dkarpeleclaude
andcommitted
feat(acr-webhook): polish work
Co-authored-by: Claude <noreply@anthropic.com> Signed-off-by: dkarpele <karpelevich@gmail.com>
1 parent 63bc3f3 commit 4f271fe

5 files changed

Lines changed: 34 additions & 19 deletions


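--- a/cmd/run_test.go
+++ b/cmd/run_test.go
@@ -73,6 +73,7 @@ func TestNewRunCommand(t *testing.T) {
 asser.Equal(env.GetStringVal("HARBOR_WEBHOOK_SECRET", ""), controllerCommand.Flag("harbor-webhook-secret").Value.String())
 asser.Equal(env.GetStringVal("CLOUDEVENTS_WEBHOOK_SECRET", ""), controllerCommand.Flag("cloudevents-webhook-secret").Value.String())
 asser.Equal(env.GetStringVal("ALIYUN_ACR_WEBHOOK_SECRET", ""), controllerCommand.Flag("aliyun-acr-webhook-secret").Value.String())
+asser.Equal(env.GetStringVal("ACR_WEBHOOK_SECRET", ""), controllerCommand.Flag("acr-webhook-secret").Value.String())
 asser.Equal(strconv.Itoa(env.ParseNumFromEnv("WEBHOOK_RATELIMIT_ALLOWED", 0, 0, math.MaxInt)), controllerCommand.Flag("webhook-ratelimit-allowed").Value.String())
 
 // TLS flags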

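--- a/cmd/webhook_test.go
+++ b/cmd/webhook_test.go
@@ -45,6 +45,7 @@ func TestNewWebhookCommand(t *testing.T) {
 asser.Equal(env.GetStringVal("HARBOR_WEBHOOK_SECRET", ""), controllerCommand.Flag("harbor-webhook-secret").Value.String())
 asser.Equal(env.GetStringVal("CLOUDEVENTS_WEBHOOK_SECRET", ""), controllerCommand.Flag("cloudevents-webhook-secret").Value.String())
 asser.Equal(env.GetStringVal("ALIYUN_ACR_WEBHOOK_SECRET", ""), controllerCommand.Flag("aliyun-acr-webhook-secret").Value.String())
+asser.Equal(env.GetStringVal("ACR_WEBHOOK_SECRET", ""), controllerCommand.Flag("acr-webhook-secret").Value.String())
 asser.Equal(strconv.Itoa(env.ParseNumFromEnv("WEBHOOK_RATELIMIT_ALLOWED", 0, 0, math.MaxInt)), controllerCommand.Flag("webhook-ratelimit-allowed").Value.String())
 
 // TLS flags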

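--- a/docs/install/cmd/run.md
+++ b/docs/install/cmd/run.md
@@ -10,6 +10,14 @@ Runs the Argo CD Image Updater in a reconciliation loop with a set of options.
 
 ### Flags
 
+**--acr-webhook-secret *secret***
+
+Secret for validating Azure ACR webhooks. ACR has no built-in signing, so the
+secret is sent as the `Authorization` header value, which you configure on the
+webhook with `az acr webhook update --headers "Authorization=<secret>"`.
+
+Can also be set with the `ACR_WEBHOOK_SECRET` environment variable.
+
 **--aliyun-acr-webhook-secret *secret***
 
 Secret for validating Aliyun ACR webhooks.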

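--- a/pkg/webhook/acr.go
+++ b/pkg/webhook/acr.go
@@ -55,7 +55,7 @@ func (a *ACRWebhook) Validate(r *http.Request) error {
 }
 
 if subtle.ConstantTimeCompare([]byte(authHeader), []byte(a.secret)) != 1 {
-return fmt.Errorf("incorrect webhook secret")
+return fmt.Errorf("invalid webhook secret")
 }
 }
 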
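Review bot: `subtle.ConstantTimeCompare` in the unchanged comparison at new line 57 returns 0 immediately when the two slices differ in length, so the check is constant-time only for inputs of the right length and response timing can reveal the length of the configured secret. Comparing fixed-size digests removes that dependency: `got, want := sha256.Sum256([]byte(authHeader)), sha256.Sum256([]byte(a.secret))` followed by `if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {` (this needs `crypto/sha256` imported). The reworded error on new line 58 has no format verbs, so `errors.New("invalid webhook secret")` would be the idiomatic form. Validate starts and ends outside this hunk, so how an empty `a.secret` is handled cannot be judged from here.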

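--- a/pkg/webhook/acr_test.go
+++ b/pkg/webhook/acr_test.go
@@ -29,12 +29,13 @@ func TestACRWebhook_Validate(t *testing.T) {
 webhook := NewACRWebhook(secret)
 
 tests := []struct {
-name string
-method string
-contentType string
-authHeader string
-noSecret bool
-expectError bool
+name string
+method string
+contentType string
+authHeader string
+noSecret bool
+expectError bool
+expectedErrMsg string
 }{
 {
 name: "valid POST request with correct secret",
@@ -65,18 +66,20 @@ func TestACRWebhook_Validate(t *testing.T) {
 expectError: true,
 },
 {
-name: "missing Authorization header when secret is configured",
-method: "POST",
-contentType: "application/json",
-authHeader: "",
-expectError: true,
+name: "missing Authorization header when secret is configured",
+method: "POST",
+contentType: "application/json",
+authHeader: "",
+expectError: true,
+expectedErrMsg: "missing Authorization header when secret is configured",
 },
 {
-name: "incorrect secret",
-method: "POST",
-contentType: "application/json",
-authHeader: "not-the-secret",
-expectError: true,
+name: "incorrect secret",
+method: "POST",
+contentType: "application/json",
+authHeader: "not-the-secret",
+expectError: true,
+expectedErrMsg: "invalid webhook secret",
 },
 }
 
@@ -99,8 +102,10 @@ func TestACRWebhook_Validate(t *testing.T) {
 
 if tt.expectError {
 assert.Error(t, err)
-}
-if !tt.expectError {
+if tt.expectedErrMsg != "" {
+assert.EqualError(t, err, tt.expectedErrMsg)
+}
+} else {
 assert.NoError(t, err)
 }
 })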
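Review bot: The new `assert.EqualError(t, err, tt.expectedErrMsg)` check in the last hunk pins the exact error wording, which is the same string this commit had to change in acr.go, so any later rewording breaks the table. Exporting sentinel errors from the webhook package and asserting with `assert.ErrorIs(t, err, tt.expectedErr)` would verify the rejection reason without depending on the text; the field name `expectedErr` is illustrative. Cases that leave `expectedErrMsg` empty, such as the one ending at new line 67, still pass on any error, so a request rejected for an unrelated reason would go unnoticed. The test function starts and ends outside these hunks.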
