Merge development into main

revert-pr-108.txt

@@ -0,0 +1 @@
+This file was created to revert PR #108

src/github/github-event-handler.ts

@@ -2,23 +2,23 @@ import { EmitterWebhookEvent, Webhooks } from "@octokit/webhooks";
 import { customOctokit } from "./github-client";
 import { GitHubContext, SimplifiedContext } from "./github-context";
 import { createAppAuth } from "@octokit/auth-app";
-import { CloudflareKv } from "./utils/cloudflare-kv";
+import { KvStore } from "./utils/kv-store";
 import { PluginChainState } from "./types/plugin";
 
 export type Options = {
   environment: "production" | "development";
   webhookSecret: string;
   appId: string | number;
   privateKey: string;
-  pluginChainState: CloudflareKv<PluginChainState>;
+  pluginChainState: KvStore<PluginChainState>;
 };
 
 export class GitHubEventHandler {
   public webhooks: Webhooks<SimplifiedContext>;
   public on: Webhooks<SimplifiedContext>["on"];
   public onAny: Webhooks<SimplifiedContext>["onAny"];
   public onError: Webhooks<SimplifiedContext>["onError"];
-  public pluginChainState: CloudflareKv<PluginChainState>;
+  public pluginChainState: KvStore<PluginChainState>;
 
   readonly environment: "production" | "development";
   private readonly _webhookSecret: string;

src/github/handlers/index.ts

@@ -69,50 +69,56 @@ async function handleEvent(event: EmitterWebhookEvent, eventHandler: InstanceTyp
     return;
   }
 
-  for (const pluginChain of pluginChains) {
-    if (await shouldSkipPlugin(context, pluginChain)) {
-      continue;
-    }
-
-    // invoke the first plugin in the chain
-    const { plugin, with: settings } = pluginChain.uses[0];
-    const isGithubPluginObject = isGithubPlugin(plugin);
-    console.log(`Calling handler ${JSON.stringify(plugin)} for event ${event.name}`);
-
-    const stateId = crypto.randomUUID();
-
-    const state = {
-      eventId: context.id,
-      eventName: context.key,
-      eventPayload: event.payload,
-      currentPlugin: 0,
-      pluginChain: pluginChain.uses,
-      outputs: new Array(pluginChain.uses.length),
-      inputs: new Array(pluginChain.uses.length),
-    };
-
-    const ref = isGithubPluginObject ? (plugin.ref ?? (await getDefaultBranch(context, plugin.owner, plugin.repo))) : plugin;
-    const token = await eventHandler.getToken(event.payload.installation.id);
-    const inputs = new PluginInput(context.eventHandler, stateId, context.key, event.payload, settings, token, ref);
-
-    state.inputs[0] = inputs;
-    await eventHandler.pluginChainState.put(stateId, state);
+  await Promise.all(
+    pluginChains.map(async (pluginChain) => {
+      if (await shouldSkipPlugin(context, pluginChain)) {
+        return;
+      }
+      if (!("installation" in event.payload) || event.payload.installation?.id === undefined) {
+        console.log(`No installation found, cannot invoke plugin`, pluginChain);
+        return;
+      }
 
-    // We wrap the dispatch so a failing plugin doesn't break the whole execution
-    try {
-      if (!isGithubPluginObject) {
-        await dispatchWorker(plugin, await inputs.getWorkerInputs());
-      } else {
-        await dispatchWorkflow(context, {
-          owner: plugin.owner,
-          repository: plugin.repo,
-          workflowId: plugin.workflowId,
-          ref: plugin.ref,
-          inputs: await inputs.getWorkflowInputs(),
-        });
+      // invoke the first plugin in the chain
+      const { plugin, with: settings } = pluginChain.uses[0];
+      const isGithubPluginObject = isGithubPlugin(plugin);
+      console.log(`Calling handler ${JSON.stringify(plugin)} for event ${event.name}`);
+
+      const stateId = crypto.randomUUID();
+
+      const state = {
+        eventId: context.id,
+        eventName: context.key,
+        eventPayload: event.payload,
+        currentPlugin: 0,
+        pluginChain: pluginChain.uses,
+        outputs: new Array(pluginChain.uses.length),
+        inputs: new Array(pluginChain.uses.length),
+      };
+
+      const ref = isGithubPluginObject ? (plugin.ref ?? (await getDefaultBranch(context, plugin.owner, plugin.repo))) : plugin;
+      const token = await eventHandler.getToken(event.payload.installation.id);
+      const inputs = new PluginInput(context.eventHandler, stateId, context.key, event.payload, settings, token, ref);
+
+      state.inputs[0] = inputs;
+      await eventHandler.pluginChainState.put(stateId, state);
+
+      // We wrap the dispatch so a failing plugin doesn't break the whole execution
+      try {
+        if (!isGithubPluginObject) {
+          await dispatchWorker(plugin, await inputs.getWorkerInputs());
+        } else {
+          await dispatchWorkflow(context, {
+            owner: plugin.owner,
+            repository: plugin.repo,
+            workflowId: plugin.workflowId,
+            ref: plugin.ref,
+            inputs: await inputs.getWorkflowInputs(),
+          });
+        }
+      } catch (e) {
+        console.error(`An error occurred while processing the plugin chain, will skip plugin ${JSON.stringify(plugin)}`, e);
       }
-    } catch (e) {
-      console.error(`An error occurred while processing the plugin chain, will skip plugin ${JSON.stringify(plugin)}`, e);
-    }
-  }
+    })
+  );
 }

src/github/utils/kv-store.ts

@@ -0,0 +1,51 @@
+/**
+ * KvStore is an interface representing a simple key-value store.
+ *
+ * @template T - The type of the value to be stored and retrieved.
+ */
+export interface KvStore<T> {
+  get(id: string): Promise<T | null>;
+  put(id: string, state: T): Promise<void>;
+}
+
+/**
+ * CloudflareKv is a class that provides an interface to interact with
+ * Cloudflare KV (Key-Value) storage.
+ *
+ * It implements the KvStore interface to handle generic types.
+ *
+ * @template T - The type of the values being stored.
+ */
+// export class CloudflareKv<T> implements KvStore<T> {
+//   private _kv: KVNamespace;
+//
+//   constructor(kv: KVNamespace) {
+//     this._kv = kv;
+//   }
+//
+//   get(id: string): Promise<T | null> {
+//     return this._kv.get(id, "json");
+//   }
+//
+//   put(id: string, state: T): Promise<void> {
+//     return this._kv.put(id, JSON.stringify(state));
+//   }
+// }
+
+/**
+ * A class that implements the KvStore interface, representing an empty key-value store.
+ * All get operations return null and put operations do nothing, but log the action.
+ *
+ * @template T - The type of values to be stored.
+ */
+export class EmptyStore<T> implements KvStore<T> {
+  get(id: string): Promise<T | null> {
+    console.log(`get KV ${id}`);
+    return Promise.resolve(null);
+  }
+
+  put(id: string, state: T): Promise<void> {
+    console.log(`put KV ${id} ${state}`);
+    return Promise.resolve();
+  }
+}

src/sdk/actions.ts

@@ -43,15 +43,18 @@ export async function createActionsPlugin<TConfig = unknown, TEnv = unknown, TSu
     kernelPublicKey: options?.kernelPublicKey || KERNEL_PUBLIC_KEY,
   };
 
-  const githubInputs = { ...github.context.payload.inputs };
-  const signature = githubInputs.signature;
-  delete githubInputs.signature;
-  if (!(await verifySignature(pluginOptions.kernelPublicKey, githubInputs, signature))) {
-    core.setFailed(`Error: Invalid signature`);
+  const pluginGithubToken = process.env.PLUGIN_GITHUB_TOKEN;
+  if (!pluginGithubToken) {
+    core.setFailed("Error: PLUGIN_GITHUB_TOKEN env is not set");
     return;
   }
 
   const inputs = Value.Decode(inputSchema, github.context.payload.inputs);
+  const signature = inputs.signature;
+  if (!(await verifySignature(pluginOptions.kernelPublicKey, inputs, signature))) {
+    core.setFailed(`Error: Invalid signature`);
+    return;
+  }
 
   let config: TConfig;
   if (pluginOptions.settingsSchema) {
@@ -79,7 +82,7 @@ export async function createActionsPlugin<TConfig = unknown, TEnv = unknown, TSu
   try {
     const result = await handler(context);
     core.setOutput("result", result);
-    await returnDataToKernel(inputs.authToken, inputs.stateId, result);
+    await returnDataToKernel(pluginGithubToken, inputs.stateId, result);
   } catch (error) {
     console.error(error);
 

src/sdk/server.ts

@@ -10,6 +10,7 @@ import { Context } from "./context";
 import { customOctokit } from "./octokit";
 import { verifySignature } from "./signature";
 import { sanitizeMetadata } from "./util";
+import { Type as T } from "@sinclair/typebox";
 
 interface Options {
   kernelPublicKey?: string;
@@ -19,7 +20,17 @@ interface Options {
   envSchema?: TAnySchema;
 }
 
-export async function createPlugin<TConfig = unknown, TEnv = unknown, TSupportedEvents extends WebhookEventName = WebhookEventName>(
+const inputSchema = T.Object({
+  stateId: T.String(),
+  eventName: T.String(),
+  eventPayload: T.Record(T.String(), T.Any()),
+  authToken: T.String(),
+  settings: T.Record(T.String(), T.Any()),
+  ref: T.String(),
+  signature: T.String(),
+});
+
+export function createPlugin<TConfig = unknown, TEnv = unknown, TSupportedEvents extends WebhookEventName = WebhookEventName>(
   handler: (context: Context<TConfig, TEnv, TSupportedEvents>) => Promise<Record<string, unknown> | undefined>,
   manifest: Manifest,
   options?: Options
@@ -43,18 +54,17 @@ export async function createPlugin<TConfig = unknown, TEnv = unknown, TSupported
       throw new HTTPException(400, { message: "Content-Type must be application/json" });
     }
 
-    const payload = await ctx.req.json();
-    const signature = payload.signature;
-    delete payload.signature;
-    if (!(await verifySignature(pluginOptions.kernelPublicKey, payload, signature))) {
+    const inputs = Value.Decode(inputSchema, await ctx.req.json());
+    const signature = inputs.signature;
+    if (!(await verifySignature(pluginOptions.kernelPublicKey, inputs, signature))) {
       throw new HTTPException(400, { message: "Invalid signature" });
     }
 
     let config: TConfig;
     if (pluginOptions.settingsSchema) {
-      config = Value.Decode(pluginOptions.settingsSchema, Value.Default(pluginOptions.settingsSchema, payload.settings));
+      config = Value.Decode(pluginOptions.settingsSchema, Value.Default(pluginOptions.settingsSchema, inputs.settings));
     } else {
-      config = payload.settings as TConfig;
+      config = inputs.settings as TConfig;
     }
 
     let env: TEnv;
@@ -65,17 +75,17 @@ export async function createPlugin<TConfig = unknown, TEnv = unknown, TSupported
     }
 
     const context: Context<TConfig, TEnv, TSupportedEvents> = {
-      eventName: payload.eventName,
-      payload: payload.eventPayload,
-      octokit: new customOctokit({ auth: payload.authToken }),
+      eventName: inputs.eventName as TSupportedEvents,
+      payload: inputs.eventPayload,
+      octokit: new customOctokit({ auth: inputs.authToken }),
       config: config,
       env: env,
       logger: new Logs(pluginOptions.logLevel),
     };
 
     try {
       const result = await handler(context);
-      return ctx.json({ stateId: payload.stateId, output: result });
+      return ctx.json({ stateId: inputs.stateId, output: result });
     } catch (error) {
       console.error(error);
 

src/sdk/signature.ts

@@ -1,5 +1,23 @@
-export async function verifySignature(publicKeyPem: string, payload: unknown, signature: string) {
+interface Inputs {
+  stateId: unknown;
+  eventName: unknown;
+  eventPayload: unknown;
+  authToken: unknown;
+  settings: unknown;
+  ref: unknown;
+}
+
+export async function verifySignature(publicKeyPem: string, inputs: Inputs, signature: string) {
   try {
+    const inputsOrdered = {
+      stateId: inputs.stateId,
+      eventName: inputs.eventName,
+      eventPayload: inputs.eventPayload,
+      settings: inputs.settings,
+      authToken: inputs.authToken,
+      ref: inputs.ref,
+    };
+    console.log(JSON.stringify(inputs));
     const pemContents = publicKeyPem.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "").trim();
     const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
 
@@ -15,7 +33,7 @@ export async function verifySignature(publicKeyPem: string, payload: unknown, si
     );
 
     const signatureArray = Uint8Array.from(atob(signature), (c) => c.charCodeAt(0));
-    const dataArray = new TextEncoder().encode(JSON.stringify(payload));
+    const dataArray = new TextEncoder().encode(JSON.stringify(inputsOrdered));
 
     return await crypto.subtle.verify("RSASSA-PKCS1-v1_5", publicKey, signatureArray, dataArray);
   } catch (error) {

src/worker.ts

@@ -3,7 +3,7 @@ import { Value } from "@sinclair/typebox/value";
 import { GitHubEventHandler } from "./github/github-event-handler";
 import { bindHandlers } from "./github/handlers";
 import { Env, envSchema } from "./github/types/env";
-import { CloudflareKv } from "./github/utils/cloudflare-kv";
+import { EmptyStore } from "./github/utils/kv-store";
 import { WebhookEventName } from "@octokit/webhooks-types";
 
 export default {
@@ -18,7 +18,7 @@ export default {
         webhookSecret: env.APP_WEBHOOK_SECRET,
         appId: env.APP_ID,
         privateKey: env.APP_PRIVATE_KEY,
-        pluginChainState: new CloudflareKv(env.PLUGIN_CHAIN_STATE),
+        pluginChainState: new EmptyStore(),
       });
       bindHandlers(eventHandler);
       await eventHandler.webhooks.verifyAndReceive({ id, name: eventName, payload: await request.text(), signature: signatureSha256 });

tests/dispatch.test.ts

@@ -12,11 +12,15 @@ jest.mock("@octokit/auth-app", () => ({
   createAppAuth: jest.fn(() => () => jest.fn(() => "1234")),
 }));
 
-jest.mock("../src/github/utils/cloudflare-kv", () => ({
+jest.mock("../src/github/utils/kv-store", () => ({
   CloudflareKv: jest.fn().mockImplementation(() => ({
     get: jest.fn(),
     put: jest.fn(),
   })),
+  EmptyStore: jest.fn().mockImplementation(() => ({
+    get: jest.fn(),
+    put: jest.fn(),
+  })),
 }));
 
 jest.mock("../src/github/types/plugin", () => {