From a3c52beb3569ca536ab989cddc4418ec5121b48c Mon Sep 17 00:00:00 2001
From: branberry
Date: Fri, 26 Jan 2024 09:32:04 -0600
Subject: [PATCH] [DOP-4171]: Add error state if webhook is hit with invalid branch or org
---
 api/controllers/v2/cache.ts | 13 ++++++++++++-
 .../cache-updater/cache-updater-api-construct.ts | 1 +
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/api/controllers/v2/cache.ts b/api/controllers/v2/cache.ts
index ab7a807db..fd6aff721 100644
--- a/api/controllers/v2/cache.ts
+++ b/api/controllers/v2/cache.ts
@@ -130,7 +130,18 @@ export async function rebuildCacheGithubWebhookHandler(event: APIGatewayEvent) {
 };
 }
- const cacheUpdateBody = JSON.stringify([{ repoOwner: body.repository.owner.login, repoName: body.repository.name }]);
+ const repoOwner = body.repository.owner.login;
+ const repoName = body.repository.name;
+
+ const ref = body.ref;
+ if ((ref !== 'refs/head/master' && ref !== 'refs/head/main') || (repoOwner !== '10gen' && repoOwner !== 'mongodb')) {
+ return {
+ statusCode: 403,
+ body: 'Cache job not processed because the request is not for the primary branch and/or the repository does not belong to the 10gen or mongodb organizations',
+ };
+ }
+
+ const cacheUpdateBody = JSON.stringify([{ repoOwner, repoName }]);
 const { GITHUB_SECRET } = process.env;
 if (!GITHUB_SECRET) {
diff --git a/cdk-infra/lib/constructs/cache-updater/cache-updater-api-construct.ts b/cdk-infra/lib/constructs/cache-updater/cache-updater-api-construct.ts
index b01a908ec..92c8c6f0c 100644
--- a/cdk-infra/lib/constructs/cache-updater/cache-updater-api-construct.ts
+++ b/cdk-infra/lib/constructs/cache-updater/cache-updater-api-construct.ts
@@ -62,6 +62,7 @@ export class CacheUpdaterApiConstruct extends Construct {
 });
 taskDefinition.grantRun(cacheWebhookLambda);
+ taskDefinition.grantRun(cacheGithubWebhookLambda);
 // generic handler for the root endpoint
 const rootEndpointLambda = new Function(this, 'RootEndpointLambda', {
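Review bot: In `api/controllers/v2/cache.ts` the new guard compares `ref` with `'refs/head/master'` and `'refs/head/main'`, but GitHub push payloads carry `refs/heads/<branch>`, so this condition is true for every real push and the handler always answers 403. The comparison should read `(ref !== 'refs/heads/master' && ref !== 'refs/heads/main')`. The guard also runs on `body` fields before `GITHUB_SECRET` is read, so, assuming the signature check follows outside the hunk, the branch/org decision is made on an unauthenticated payload. The detailed 403 text then tells an unsigned caller exactly which orgs and branches are accepted, so moving the guard after signature verification is the safer order. The body of `rebuildCacheGithubWebhookHandler` starts and ends outside this hunk.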
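Review bot: In `cache-updater-api-construct.ts` the added `taskDefinition.grantRun(cacheGithubWebhookLambda);` widens IAM for a Lambda that is presumably reachable from an external webhook, and nothing at the call site records why it needs the grant or what gates it. I would add a comment such as `// GitHub webhook handler launches the cache-updater task itself; it must validate the request before calling RunTask`. With this grant the checks in the handler appear to be the only control in front of task launches, which makes the ordering of validation in `cache.ts` more important. The constructor body continues outside the hunk.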