[DOP-4171]: Add error state if webhook is hit with invalid branch or org

mongodb · Jan 26, 2024 · a3c52be · a3c52be
1 parent f06af32
commit a3c52be
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/api/controllers/v2/cache.ts b/api/controllers/v2/cache.ts
@@ -130,7 +130,18 @@ export async function rebuildCacheGithubWebhookHandler(event: APIGatewayEvent) {
     };
   }
 
-  const cacheUpdateBody = JSON.stringify([{ repoOwner: body.repository.owner.login, repoName: body.repository.name }]);
+  const repoOwner = body.repository.owner.login;
+  const repoName = body.repository.name;
+
+  const ref = body.ref;
+  if ((ref !== 'refs/head/master' && ref !== 'refs/head/main') || (repoOwner !== '10gen' && repoOwner !== 'mongodb')) {
+    return {
+      statusCode: 403,
+      body: 'Cache job not processed because the request is not for the primary branch and/or the repository does not belong to the 10gen or mongodb organizations',
+    };
+  }
+
+  const cacheUpdateBody = JSON.stringify([{ repoOwner, repoName }]);
   const { GITHUB_SECRET } = process.env;
 
   if (!GITHUB_SECRET) {

diff --git a/cdk-infra/lib/constructs/cache-updater/cache-updater-api-construct.ts b/cdk-infra/lib/constructs/cache-updater/cache-updater-api-construct.ts
@@ -62,6 +62,7 @@ export class CacheUpdaterApiConstruct extends Construct {
     });
 
     taskDefinition.grantRun(cacheWebhookLambda);
+    taskDefinition.grantRun(cacheGithubWebhookLambda);
 
     // generic handler for the root endpoint
     const rootEndpointLambda = new Function(this, 'RootEndpointLambda', {