feat(webhook): Fixed manifest-generate-paths annotation support for monorepos in BitBucket (#21811)

Signed-off-by: anandf <[email protected]>

Author: anandf

docs/operator-manual/webhook.md

@@ -109,3 +109,17 @@ Syntax: `$<k8s_secret_name>:<a_key_in_that_k8s_secret>`
 > NOTE: Secret must have label `app.kubernetes.io/part-of: argocd`
 
 For more information refer to the corresponding section in the [User Management Documentation](user-management/index.md#alternative).
+
+## Special handling for BitBucket Cloud
+BitBucket does not include the list of changed files in the webhook request body.
+This prevents the [Manifest Paths Annotation](high_availability.md#manifest-paths-annotation) feature from working with repositories hosted on BitBucket Cloud.
+BitBucket provides the `diffstat` API to determine the list of changed files between two commits.
+To address the missing changed files list in the webhook, the Argo CD webhook handler makes an API callback to the originating server.
+To prevent Server-side request forgery (SSRF) attacks, Argo CD server supports the callback mechanism only for encrypted webhook requests.
+The incoming webhook must include `X-Hook-UUID` request header. The corresponding UUID must be provided as `webhook.bitbucket.uuid` in `argocd-secret` for verification.
+The callback mechanism supports both public and private repositories on BitBucket Cloud.
+For public repositories, the Argo CD webhook handler uses a no-auth client for the API callback.
+For private repositories, the Argo CD webhook handler searches for a valid repository OAuth token for the HTTP/HTTPS URL.
+The webhook handler uses this OAuth token to make the API request to the originating server.
+If the Argo CD webhook handler cannot find a matching repository credential, the list of changed files would remain empty.
+If errors occur during the callback, the list of changed files will be empty.

go.mod

@@ -59,6 +59,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/improbable-eng/grpc-web v0.15.1-0.20230209220825-1d9bbb09a099
 	github.com/itchyny/gojq v0.12.17
+	github.com/jarcoal/httpmock v1.3.1
 	github.com/jeremywohl/flatten v1.0.2-0.20211013061545-07e4a09fb8e4
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/ktrysmt/go-bitbucket v0.9.81

go.sum

@@ -499,6 +499,8 @@ github.com/itchyny/gojq v0.12.17 h1:8av8eGduDb5+rvEdaOO+zQUjA04MS0m3Ps8HiD+fceg=
 github.com/itchyny/gojq v0.12.17/go.mod h1:WBrEMkgAfAGO1LUcGOckBl5O726KPp+OlkKug0I/FEY=
 github.com/itchyny/timefmt-go v0.1.6 h1:ia3s54iciXDdzWzwaVKXZPbiXzxxnv1SPGFfM/myJ5Q=
 github.com/itchyny/timefmt-go v0.1.6/go.mod h1:RRDZYC5s9ErkjQvTvvU7keJjxUYzIISJGxm9/mAERQg=
+github.com/jarcoal/httpmock v1.3.1 h1:iUx3whfZWVf3jT01hQTO/Eo5sAYtB2/rqaUuOtpInww=
+github.com/jarcoal/httpmock v1.3.1/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
 github.com/jaytaylor/html2text v0.0.0-20190408195923-01ec452cbe43/go.mod h1:CVKlgaMiht+LXvHG173ujK6JUhZXKb2u/BQtjPDIvyk=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
@@ -583,6 +585,8 @@ github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh
 github.com/mattn/go-zglob v0.0.6 h1:mP8RnmCgho4oaUYDIDn6GNxYk+qJGUs8fJLn+twYj2A=
 github.com/mattn/go-zglob v0.0.6/go.mod h1:MxxjyoXXnMxfIpxTK2GAkw1w8glPsQILx3N5wrKakiY=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
+github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
 github.com/microsoft/azure-devops-go-api/azuredevops/v7 v7.1.1-0.20241014080628-3045bdf43455 h1:7rDE4oHmFDgf+4fqnT5vztz7Bmcos1tr17VisCXgs/o=
 github.com/microsoft/azure-devops-go-api/azuredevops/v7 v7.1.1-0.20241014080628-3045bdf43455/go.mod h1:mDunUZ1IUJdJIRHvFb+LPBUtxe3AYB5MI6BMXNg8194=
 github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 h1:lYpkrQH5ajf0OXOcUbGjvZxxijuBwbbmlSxLiuofa+g=

util/webhook/webhook.go

@@ -10,6 +10,9 @@ import (
 	"regexp"
 	"strings"
 	"sync"
+	"time"
+
+	bb "github.com/ktrysmt/go-bitbucket"
 
 	"github.com/go-playground/webhooks/v6/azuredevops"
 	"github.com/go-playground/webhooks/v6/bitbucket"
@@ -29,6 +32,7 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/app/path"
 	"github.com/argoproj/argo-cd/v3/util/argo"
 	"github.com/argoproj/argo-cd/v3/util/db"
+	"github.com/argoproj/argo-cd/v3/util/git"
 	"github.com/argoproj/argo-cd/v3/util/glob"
 	"github.com/argoproj/argo-cd/v3/util/settings"
 )
@@ -61,6 +65,7 @@ type ArgoCDWebhookHandler struct {
 	bitbucketserver        *bitbucketserver.Webhook
 	azuredevops            *azuredevops.Webhook
 	gogs                   *gogs.Webhook
+	settings               *settings.ArgoCDSettings
 	settingsSrc            settingsSource
 	queue                  chan any
 	maxWebhookPayloadSizeB int64
@@ -105,6 +110,7 @@ func NewHandler(namespace string, applicationNamespaces []string, webhookParalle
 		settingsSrc:            settingsSrc,
 		repoCache:              repoCache,
 		serverCache:            serverCache,
+		settings:               set,
 		db:                     argoDB,
 		queue:                  make(chan any, payloadQueueSize),
 		maxWebhookPayloadSizeB: maxWebhookPayloadSizeB,
@@ -137,8 +143,8 @@ func ParseRevision(ref string) string {
 }
 
 // affectedRevisionInfo examines a payload from a webhook event, and extracts the repo web URL,
-// the revision, and whether or not this affected origin/HEAD (the default branch of the repository)
-func affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) {
+// the revision, and whether, or not this affected origin/HEAD (the default branch of the repository)
+func (a *ArgoCDWebhookHandler) affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, change changeInfo, touchedHead bool, changedFiles []string) {
 	switch payload := payloadIf.(type) {
 	case azuredevops.GitPushEvent:
 		// See: https://learn.microsoft.com/en-us/azure/devops/service-hooks/events?view=azure-devops#git.push
@@ -189,16 +195,55 @@ func affectedRevisionInfo(payloadIf any) (webURLs []string, revision string, cha
 		// See: https://confluence.atlassian.com/bitbucket/event-payloads-740262817.html#EventPayloads-Push
 		// NOTE: this is untested
 		webURLs = append(webURLs, payload.Repository.Links.HTML.Href)
-		// TODO: bitbucket includes multiple changes as part of a single event.
-		// We only pick the first but need to consider how to handle multiple
-		for _, change := range payload.Push.Changes {
-			revision = change.New.Name
+		for _, changes := range payload.Push.Changes {
+			revision = changes.New.Name
+			change.shaBefore = changes.Old.Target.Hash
+			change.shaAfter = changes.New.Target.Hash
 			break
 		}
 		// Not actually sure how to check if the incoming change affected HEAD just by examining the
 		// payload alone. To be safe, we just return true and let the controller check for himself.
 		touchedHead = true
 
+		// Get DiffSet only for authenticated webhooks.
+		// when WebhookBitbucketUUID is set in argocd-secret, then the payload must be signed and
+		// signature is validated before payload is parsed.
+		if len(a.settings.WebhookBitbucketUUID) > 0 {
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer cancel()
+			argoRepo, err := a.lookupRepository(ctx, webURLs[0])
+			if err != nil {
+				log.Warnf("error trying to find a matching repo for URL %s: %v", payload.Repository.Links.HTML.Href, err)
+				break
+			}
+			if argoRepo == nil {
+				// it could be a public repository with no repo creds stored.
+				// initialize with empty bearer token to use the no auth bitbucket client.
+				log.Debugf("no bitbucket repository configured for URL %s, initializing with empty bearer token", webURLs[0])
+				argoRepo = &v1alpha1.Repository{BearerToken: "", Repo: webURLs[0]}
+			}
+			apiBaseURL := strings.ReplaceAll(payload.Repository.Links.Self.Href, "/repositories/"+payload.Repository.FullName, "")
+			bbClient, err := newBitbucketClient(ctx, argoRepo, apiBaseURL)
+			if err != nil {
+				log.Warnf("error creating Bitbucket client for repo %s: %v", payload.Repository.Name, err)
+				break
+			}
+			log.Debugf("created bitbucket client with base URL '%s'", apiBaseURL)
+			owner := strings.ReplaceAll(payload.Repository.FullName, "/"+payload.Repository.Name, "")
+			spec := change.shaBefore + ".." + change.shaAfter
+			diffStatChangedFiles, err := fetchDiffStatFromBitbucket(ctx, bbClient, owner, payload.Repository.Name, spec)
+			if err != nil {
+				log.Warnf("error fetching changed files using bitbucket diffstat api: %v", err)
+			}
+			changedFiles = append(changedFiles, diffStatChangedFiles...)
+			touchedHead, err = isHeadTouched(ctx, bbClient, owner, payload.Repository.Name, revision)
+			if err != nil {
+				log.Warnf("error fetching bitbucket repo details: %v", err)
+				// To be safe, we just return true and let the controller check for himself.
+				touchedHead = true
+			}
+		}
+
 	// Bitbucket does not include a list of changed files anywhere in it's payload
 	// so we cannot update changedFiles for this type of payload
 	case bitbucketserver.RepositoryReferenceChangedPayload:
@@ -251,7 +296,7 @@ type changeInfo struct {
 
 // HandleEvent handles webhook events for repo push events
 func (a *ArgoCDWebhookHandler) HandleEvent(payload any) {
-	webURLs, revision, change, touchedHead, changedFiles := affectedRevisionInfo(payload)
+	webURLs, revision, change, touchedHead, changedFiles := a.affectedRevisionInfo(payload)
 	// NOTE: the webURL does not include the .git extension
 	if len(webURLs) == 0 {
 		log.Info("Ignoring webhook event")
@@ -405,6 +450,23 @@ func (a *ArgoCDWebhookHandler) storePreviouslyCachedManifests(app *v1alpha1.Appl
 	return nil
 }
 
+// lookupRepository returns a repository with its credentials for a given URL. If there are no matching repository secret found,
+// then nil repository is returned.
+func (a *ArgoCDWebhookHandler) lookupRepository(ctx context.Context, repoURL string) (*v1alpha1.Repository, error) {
+	repositories, err := a.db.ListRepositories(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("error listing repositories: %w", err)
+	}
+	var repository *v1alpha1.Repository
+	for _, repo := range repositories {
+		if git.SameURL(repo.Repo, repoURL) {
+			log.Debugf("found a matching repository for URL %s", repoURL)
+			return repo, nil
+		}
+	}
+	return repository, nil
+}
+
 func sourceRevisionHasChanged(source v1alpha1.ApplicationSource, revision string, touchedHead bool) bool {
 	targetRev := ParseRevision(source.TargetRevision)
 	if targetRev == "HEAD" || targetRev == "" { // revision is head
@@ -430,6 +492,76 @@ func sourceUsesURL(source v1alpha1.ApplicationSource, webURL string, repoRegexp
 	return true
 }
 
+// newBitbucketClient creates a new bitbucket client for the given repository and uses the provided apiURL to connect
+// to the bitbucket server. If the repository uses basic auth, then a basic auth client is created or if bearer token
+// is provided, then oauth based client is created.
+func newBitbucketClient(_ context.Context, repository *v1alpha1.Repository, apiBaseURL string) (*bb.Client, error) {
+	var bbClient *bb.Client
+	if repository.Username != "" && repository.Password != "" {
+		log.Debugf("fetched user/password for repository URL '%s', initializing basic auth client", repository.Repo)
+		if repository.Username == "x-token-auth" {
+			bbClient = bb.NewOAuthbearerToken(repository.Password)
+		} else {
+			bbClient = bb.NewBasicAuth(repository.Username, repository.Password)
+		}
+	} else {
+		if repository.BearerToken != "" {
+			log.Debugf("fetched bearer token for repository URL '%s', initializing bearer token auth based client", repository.Repo)
+		} else {
+			log.Debugf("no credentials available for repository URL '%s', initializing no auth client", repository.Repo)
+		}
+		bbClient = bb.NewOAuthbearerToken(repository.BearerToken)
+	}
+	// parse and set the target URL of the Bitbucket server in the client
+	repoBaseURL, err := url.Parse(apiBaseURL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse bitbucket api base URL '%s'", apiBaseURL)
+	}
+	bbClient.SetApiBaseURL(*repoBaseURL)
+	return bbClient, nil
+}
+
+// fetchDiffStatFromBitbucket gets the list of files changed between two commits, by making a diffstat api callback to the
+// bitbucket server from where the webhook orignated.
+func fetchDiffStatFromBitbucket(_ context.Context, bbClient *bb.Client, owner, repoSlug, spec string) ([]string, error) {
+	// Getting the files changed from diff API:
+	// https://developer.atlassian.com/cloud/bitbucket/rest/api-group-commits/#api-repositories-workspace-repo-slug-diffstat-spec-get
+
+	// invoke the diffstat api call to get the list of changed files between two commit shas
+	log.Debugf("invoking diffstat call with parameters: [Owner:%s, RepoSlug:%s, Spec:%s]", owner, repoSlug, spec)
+	diffStatResp, err := bbClient.Repositories.Diff.GetDiffStat(&bb.DiffStatOptions{
+		Owner:    owner,
+		RepoSlug: repoSlug,
+		Spec:     spec,
+		Renames:  true,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("error getting the diffstat: %w", err)
+	}
+	changedFiles := make([]string, len(diffStatResp.DiffStats))
+	for i, value := range diffStatResp.DiffStats {
+		changedFilePath := value.New["path"]
+		if changedFilePath != nil {
+			changedFiles[i] = changedFilePath.(string)
+		}
+	}
+	log.Debugf("changed files for spec %s: %v", spec, changedFiles)
+	return changedFiles, nil
+}
+
+// isHeadTouched returns true if the repository's main branch is modified, false otherwise
+func isHeadTouched(ctx context.Context, bbClient *bb.Client, owner, repoSlug, revision string) (bool, error) {
+	bbRepoOptions := &bb.RepositoryOptions{
+		Owner:    owner,
+		RepoSlug: repoSlug,
+	}
+	bbRepo, err := bbClient.Repositories.Repository.Get(bbRepoOptions.WithContext(ctx))
+	if err != nil {
+		return false, err
+	}
+	return bbRepo.Mainbranch.Name == revision, nil
+}
+
 func (a *ArgoCDWebhookHandler) Handler(w http.ResponseWriter, r *http.Request) {
 	var payload any
 	var err error