From 877c3643a3ad05296fdb7f268b7e8c8b39cd1b11 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Aug 10 2016 10:24:00 +0000
Subject: Change the endpoint called by jenkins to include the repo name and username

We can then do a time constant check of the token provided making it harder to brute force the token since you now have to do it on project instead of trying until you find a project that works.

---

diff --git a/pagure/api/ci/jenkins.py b/pagure/api/ci/jenkins.py
index 53b41e6..74673a4 100644
--- a/pagure/api/ci/jenkins.py
+++ b/pagure/api/ci/jenkins.py
@@ -10,6 +10,8 @@
 import flask
+from cryptography.hazmat.primitives import constant_time
+from kitchen.text.converters import to_bytes
 from sqlalchemy.exc import SQLAlchemyError
 import pagure
@@ -20,8 +22,10 @@ from pagure import APP, SESSION
 from pagure.api import API, APIERROR
-@API.route('/ci/jenkins//build-finished', methods=['POST'])
-def jenkins_ci_notification(pagure_ci_token):
+
+@API.route('/ci/jenkins///build-finished', methods=['POST'])
+@API.route('/ci/jenkins/forks////build-finished', methods=['POST'])
+def jenkins_ci_notification(repo, pagure_ci_token, username=None):
 """ Jenkins Build Notification
 --------------------------
@@ -34,9 +38,14 @@ def jenkins_ci_notification(pagure_ci_token):
 """
- project = lib_ci.get_project_by_ci_token(SESSION, pagure_ci_token)
- if not project:
- flask.abort(404, 'No project corresponding to this CI token')
+ project = pagure.lib.get_project(SESSION, repo, user=username)
+ if repo is None:
+ flask.abort(404, 'Project not found')
+
+ if not constant_time.bytes_eq(
+ to_bytes(pagure_ci_token),
+ to_bytes(project.ci_hook[0].pagure_ci_token)):
+ return ('Token mismatch', 401)
 data = flask.request.get_json()
 if not data:
diff --git a/pagure/hooks/pagure_ci.py b/pagure/hooks/pagure_ci.py
index da4fbdf..12c2576 100644
--- a/pagure/hooks/pagure_ci.py
+++ b/pagure/hooks/pagure_ci.py
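Review bot: The not-found guard after the lookup in the third hunk tests the route parameter `repo`, which Flask never binds to None, instead of the lookup result, so an unknown project skips the 404 and fails with an AttributeError on `project.ci_hook[0]` a few lines later; it should read `if not project:`. A project that exists but has no CI hook configured would still raise IndexError on `project.ci_hook[0]`, so the guard is better written as `if not project or not project.ci_hook: flask.abort(404, 'Project not found')`. The constant-time comparison itself is sound, but answering 404 for a missing project and 401 for a bad token lets an unauthenticated caller enumerate which project names exist; that is acceptable if all projects here are public, and deserves a comment otherwise. The body of jenkins_ci_notification continues past the hunk.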
@@ -68,11 +68,11 @@ The token to be used by jenkins to trigger the build is: The URL to be used to POST the results of your build is: -
 {{ (config['APP_URL'][:-1] if config['APP_URL'].endswith('/')
   else config['APP_URL'])
   + url_for('api_ns.%s_ci_notification' % repo.ci_hook[0].ci_type,
+    repo=repo.name, username=username,
     pagure_ci_token=repo.ci_hook[0].pagure_ci_token) }}
 
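Review bot: The added `username=username` keyword is handed to url_for unconditionally, so for a non-fork project the value must be None for the non-fork route to be chosen; if the plugin page does not define `username` in the template context, Jinja supplies an Undefined object rather than None, which is not filtered out by the URL builder and could make it pick the forks route with an empty username segment, producing a broken callback URL. I cannot see what populates `username` here, so please confirm it is None for non-forks or write the argument as `username=username if username else None`. Because the token is still a path segment of this URL, the rendered text should also carry a short note that it will appear in web-server and Jenkins logs and must be rotated if exposed.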
diff --git a/pagure/templates/plugin.html b/pagure/templates/plugin.html
index ed5c240..63ede4b 100644
--- a/pagure/templates/plugin.html
+++ b/pagure/templates/plugin.html
@@ -24,7 +24,7 @@
 {% if plugin.extra_info %}
- {{ plugin.extra_info | render(repo=repo) | safe }}
+ {{ plugin.extra_info | render(repo=repo, username=username) | safe }}
 {% endif %}