feat: add authorization header to webhook configuration

- Add authorization_header field to CreateHookRequest in setup_webhook
- Generate HMAC-SHA256 signature for admin password using crypto utils
- Add AdminBasic authentication to handle_gitea_webhook endpoint
- Update matching function to include authorization_header comparison

Author: wangeguo

Cargo.lock

@@ -35,6 +35,7 @@ harbor-client = { path = "crates/harbor-client" }
 anyhow = "1.0.98"
 axum = { version = "0.8.4" }
 axum-extra = {version = "0.10.1", features = ["typed-header"] }
+base64 = "0.22.1"
 bytes = "1.10.1"
 chrono = { version = "0.4.41", features = ["serde"] }
 clap = { version = "4.5.46", features = ["derive", "env"] }

Cargo.toml

@@ -57,6 +57,7 @@ pub fn matching(hook: &Hook, req: &CreateHookRequest) -> bool {
     hook.kind == req.kind &&
         hook.branch_filter == req.branch_filter &&
         hook.events == req.events &&
+        hook.authorization_header == req.authorization_header &&
         hook.config.get("url") == req.config.get("url") &&
         hook.config.get("content_type") == req.config.get("content_type")
 }

crates/gitea-client/src/types/hook.rs

@@ -21,6 +21,7 @@ use uuid::Uuid;
 use crate::{
     context::Context,
     errors::{ApiError, Result},
+    extractor::AdminBasic,
     repository::CourseRepository,
     request::event::PipelineEvent,
     service::{PipelineCleanupGuard, RepoService, StageService},
@@ -29,6 +30,7 @@ use crate::{
 
 /// Handle Gitea Webhook Event.
 pub async fn handle_gitea_webhook(
+    _: AdminBasic,
     State(ctx): State<Arc<Context>>,
     Json(event): Json<Event>,
 ) -> Result<impl IntoResponse> {

src/handler/webhook.rs

@@ -14,6 +14,7 @@
 
 use std::{collections::HashMap, sync::Arc};
 
+use base64::{Engine, prelude::BASE64_STANDARD as Base64};
 use fs_extra::dir::CopyOptions;
 use gitea_client::{ClientError, types::*};
 use tracing::{debug, info};
@@ -25,7 +26,7 @@ use crate::{
     errors::Result,
     repository::CourseRepository,
     service::{CourseService, PipelineService, StorageError, StorageService},
-    utils::{git, url},
+    utils::{crypto, git, url},
 };
 
 pub struct RepoService {
@@ -193,18 +194,24 @@ impl RepoService {
         let webhook_endpoint = &self.ctx.config.webhook_endpoint;
         let url = format!("{webhook_endpoint}/v1/webhooks/gitea");
 
+        // Generate the HMAC-SHA256 signature for the webhook authorization header
+        // using the admin username and the auth_secret from the configuration.
+        // This ensures that incoming webhook requests are authenticated.
+        let password = crypto::hmac_sha256_sign("admin", &self.ctx.config.auth_secret)?;
+        let auth_header = format!("Basic {}", Base64.encode(format!("admin:{}", password)));
+
         // Define the webhook request body to listen for push events on the main branch
         // and send them to the specified webhook endpoint in JSON format.
         let req = CreateHookRequest {
             active: true,
+            authorization_header: Some(auth_header),
             branch_filter: Some("main".to_string()),
             config: HashMap::from([
                 ("content_type".to_string(), "json".to_string()),
                 ("url".to_string(), url.clone()),
             ]),
             events: vec!["push".to_string()],
             kind: "gitea".to_string(),
-            ..Default::default()
         };
 
         // List all existing hooks