Question

I need to develop a bunch of my own web hooks (or maybe services) for auto deploy, reporting into project management systems, etc. But the data posted to a web hook doesn't have enough information to meet my needs.

For example, I've received a simple push event; how can I know whether it is a force push or not? Okay, I have 2 treeishes, let's look at the repository and check this push — oops, I need a user token to do it. Sad.

What is the right method to access the GitLab API from web hooks? Probably I've missed something important? I'm really confused.


Upd1:

Let's try to find a solution. Possibilities:

  1. Imagine we can have a user who can read all projects in GitLab. But that user should be connected to each project to have access. Ok ;-(

  2. What about reading the repo as the pusher? We can't, because we need to use his private token to do this.

  3. Maybe some internal functionality to read all repos or something? Surely not.

  4. So. Maybe the database? Nope. Because we need to clone the repo first and can't save data in the DB anyway with refreshing caches.

I think we need a security token and maybe many checkboxes with access permissions for each joined web hook or app (service).

Please feel free to share your ideas.


Solution

I've remembered a partial solution. So the scenario will be like this:

  1. Create a web service with your web hook.
  2. Create an ssh key on the same host for some special user (usually the owner of the web hook service) to have access to the repos.
  3. Add the ssh key created in the previous step as a deploy key.
  4. Finally: register your web hook and add your deploy key for that hook to the project — repeat this for each project that needs this hook.

You have an event listener (your web hook service), and you have access to that repository (ssh/git).

But that solution still doesn't have access to the API itself.


Probably there is also another solution.

  1. Create a custom admin user with a big random password and some synthetic name like HookBot or something, and remember the private_token of that user;
  2. Register your web hook;
  3. Use API access to add your deploy key with HookBot (untested);
  4. Use the sudo API to get sources or something else. Just mimic the pusher's account (sudo -u {author_id}) and go on, read the repo, work with it, etc.

Maybe there are some other solutions? More legit?
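
Added example, not part of the original post: with the deploy-key clone from the first scenario, the force-push question can be answered locally from the two SHAs in the push event, with no API token. It assumes the hook service fetches into its own clone, so the old commit is still present there; `classify_push` and `build_demo_repo` are hypothetical names, and the demo repository is constructed sample data.

```python
import re
import subprocess
import tempfile

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full SHA-1 only; rejects option-like input
ZERO_SHA = "0" * 40                      # sent as before/after on branch create/delete


def git(repo, *args):
    """Run git in `repo` without a shell; return (exit code, stdout)."""
    p = subprocess.run(["git", "-C", repo, *args], capture_output=True, text=True)
    return p.returncode, p.stdout.strip()


def classify_push(repo, before, after):
    """Classify a push event from its before/after SHAs using the local clone."""
    for sha in (before, after):
        if not SHA_RE.match(sha):  # payload is untrusted: never pass it to git raw
            raise ValueError("not a full commit SHA: %r" % sha)
    if before == ZERO_SHA:
        return "branch-created"
    if after == ZERO_SHA:
        return "branch-deleted"
    # Exit 0: `before` is an ancestor of `after`. Exit 1: history was rewritten.
    code, _ = git(repo, "merge-base", "--is-ancestor", before, after)
    if code == 0:
        return "fast-forward"
    if code == 1:
        return "force-push"
    raise RuntimeError("commit missing from local clone; fetch before classifying")


def build_demo_repo():
    """Constructed sample data: throwaway repo with histories a -> b and a -> c."""
    repo = tempfile.mkdtemp()
    git(repo, "init", "-q")
    ident = ["-c", "user.name=HookBot", "-c", "user.email=hookbot@example.invalid",
             "-c", "commit.gpgsign=false"]
    def commit(msg):
        git(repo, *ident, "commit", "-q", "--allow-empty", "-m", msg)
        return git(repo, "rev-parse", "HEAD")[1]
    a, b = commit("a"), commit("b")
    git(repo, "reset", "-q", "--hard", a)  # rewind to a, then diverge from b
    c = commit("c")
    return repo, a, b, c


if __name__ == "__main__":
    repo, a, b, c = build_demo_repo()
    print(classify_push(repo, a, b), classify_push(repo, b, c))
```
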

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow