chore: support delete pipelinerun and optimize webhook handle and crypto utils

Author: wangeguo

Cargo.lock

@@ -8,7 +8,7 @@ resolver = "2"
 [package]
 name = "backend"
 description = "Backend API and services for StackClass"
-version = "0.41.1"
+version = "0.41.2"
 edition = "2024"
 
 default-run = "stackclass-server"

Cargo.toml

@@ -6,7 +6,7 @@
     "license": {
       "name": ""
     },
-    "version": "0.41.1"
+    "version": "0.41.2"
   },
   "paths": {
     "/v1/courses": {

openapi.json

@@ -17,14 +17,14 @@ use gitea_client::types::Event;
 use std::sync::Arc;
 use uuid::Uuid;
 
-use tracing::{error, info};
+use tracing::{debug, error, info};
 
 use crate::{
     context::Context,
     errors::{ApiError, Result},
     repository::CourseRepository,
     request::event::PipelineEvent,
-    service::{RepoService, StageService},
+    service::{PipelineService, RepoService, StageService},
     utils::crypto,
 };
 
@@ -52,51 +52,54 @@ pub async fn handle_tekton_webhook(
     State(ctx): State<Arc<Context>>,
     Json(event): Json<PipelineEvent>,
 ) -> Result<impl IntoResponse> {
-    info!("Received pipeline event: {:?}", event);
+    debug!("Received pipeline event: {:?}", event);
+    let PipelineEvent { name, status, repo, course, stage, secret, tasks } = &event;
 
     // Verify HMAC signature to prevent request forgery
     let auth_secret = &ctx.config.auth_secret;
-    let payload = format!("{}{}{}", event.repo, event.course, event.stage);
-    let is_valid = crypto::hmac_sha256_verify(&payload, auth_secret, &event.secret)
-        .map_err(|e| ApiError::InternalError(format!("Signature verification failed: {}", e)))?;
-
-    if !is_valid {
+    let payload = format!("{}{}{}", repo, course, stage);
+    if crypto::hmac_sha256_verify(&payload, auth_secret, secret)? {
+        error!("Received pipeline event with invalid signature");
         return Err(ApiError::Unauthorized("Invalid signature".into()));
     }
 
     // Check overall pipeline status first
-    if event.status != "Succeeded" {
-        error!("Pipeline run failed, please check it. Aggregate status: {}", event.status);
+    if status != "Succeeded" {
+        error!("Pipeline run failed, please check it.");
         return Ok(StatusCode::OK);
     }
 
     // Process the pipeline event based on test task status:
     // - If succeeded: mark the stage as complete for the user
     // - If failed: log error (TODO: collect error details from Tekton and save to database)
     // - Other states: log and ignore non-terminal states
-    match event.tasks.test.status.as_str() {
+    match tasks.test.status.as_str() {
         "Succeeded" => {
             // Look up the course to get the user_id
-            let id = Uuid::parse_str(&event.repo)?;
-            let course = CourseRepository::get_user_course_by_id(&ctx.database, &id).await?;
+            let id = Uuid::parse_str(repo)?;
+            let user_course = CourseRepository::get_user_course_by_id(&ctx.database, &id).await?;
 
             // Mark the stage as complete
-            StageService::complete(ctx, &course.user_id, &event.course, &event.stage).await?;
-
-            info!("Stage {} completed successfully for course {}", event.stage, event.course);
+            StageService::complete(ctx.clone(), &user_course.user_id, course, stage).await?;
+            info!("Stage {} completed successfully for course {}", stage, course);
         }
         "Failed" => {
-            info!("Test task failed: reason={}, stage={}", event.tasks.test.reason, event.stage);
+            info!("Test task failed: reason={}, stage={}", tasks.test.reason, stage);
             return Ok(StatusCode::OK);
         }
         _ => {
             error!(
                 "Test task in non-terminal state: status={}, reason={}",
-                event.tasks.test.status, event.tasks.test.reason
+                tasks.test.status, tasks.test.reason
             );
             return Ok(StatusCode::OK);
         }
     }
 
+    // Delete the PipelineRun after successful processing
+    if let Err(e) = PipelineService::new(ctx.clone()).delete(name).await {
+        error!("Failed to delete PipelineRun {}: {}", name, e);
+    }
+
     Ok(StatusCode::OK)
 }

src/handler/webhook.rs

@@ -16,7 +16,7 @@ use std::sync::Arc;
 
 use kube::{
     Api,
-    api::{ApiResource, DynamicObject, GroupVersionKind, PostParams},
+    api::{ApiResource, DeleteParams, DynamicObject, GroupVersionKind, PostParams},
 };
 use serde_json::{Error as JsonError, Value, json};
 use tracing::debug;
@@ -50,6 +50,13 @@ impl PipelineService {
         Ok(())
     }
 
+    /// Deletes a Tekton PipelineRun by name.
+    pub async fn delete(&self, name: &str) -> Result<()> {
+        debug!("Deleting PipelineRun: {name}");
+        self.api().delete(name, &DeleteParams::default()).await?;
+        Ok(())
+    }
+
     #[inline]
     fn api(&self) -> Api<DynamicObject> {
         let gvk = GroupVersionKind::gvk("tekton.dev", "v1", "PipelineRun");
@@ -88,9 +95,7 @@ impl PipelineService {
         // Generate HMAC signature for webhook authentication
         let auth_secret = &self.ctx.config.auth_secret;
         let payload = format!("{}{}{}", repo, course, stage);
-        let secret = crypto::hmac_sha256_sign(&payload, auth_secret).map_err(|e| {
-            ApiError::InternalError(format!("Failed to generate HMAC signature: {}", e))
-        })?;
+        let secret = crypto::hmac_sha256_sign(&payload, auth_secret)?;
 
         // Define parameters for the PipelineRun
         let params = vec![

src/service/pipeline.rs

@@ -16,13 +16,16 @@ use hex;
 use hmac::{Hmac, Mac};
 use sha2::Sha256;
 
+use crate::errors::ApiError;
+
 type HmacSha256 = Hmac<Sha256>;
 
 /// Generates an HMAC-SHA256 signature for the given payload using the provided
 /// secret. Returns the signature as a hex-encoded string.
-pub fn hmac_sha256_sign(payload: &str, secret: &str) -> Result<String, String> {
-    let mut mac = HmacSha256::new_from_slice(secret.as_bytes())
-        .map_err(|e| format!("Failed to create HMAC: {}", e))?;
+pub fn hmac_sha256_sign(payload: &str, secret: &str) -> Result<String, ApiError> {
+    let mut mac = HmacSha256::new_from_slice(secret.as_bytes()).map_err(|e| {
+        ApiError::InternalError(format!("Failed to generate HMAC signature: {}", e))
+    })?;
     mac.update(payload.as_bytes());
     let result = mac.finalize();
 
@@ -31,9 +34,7 @@ pub fn hmac_sha256_sign(payload: &str, secret: &str) -> Result<String, String> {
 
 /// Verifies an HMAC-SHA256 signature for the given payload using the provided
 /// secret. Uses constant-time comparison to prevent timing attacks.
-pub fn hmac_sha256_verify(payload: &str, secret: &str, sign: &str) -> Result<bool, String> {
+pub fn hmac_sha256_verify(payload: &str, secret: &str, sign: &str) -> Result<bool, ApiError> {
     let expected = hmac_sha256_sign(payload, secret)?;
-
-    // Constant-time comparison to prevent timing attacks
     Ok(subtle::ConstantTimeEq::ct_eq(sign.as_bytes(), expected.as_bytes()).into())
 }