fix(#19314): allow ssh/altssh subdomains in repo URLs to match webhook payload

[mtbennett-godaddy]

ℹ️ Edit: There was a request to make things reusable between the Application and ApplicationSet webhooks. See #19315 (comment) for notes on those refactors. Original PR description follows.

---

Fixes #19314.

• Updates the Application and ApplicationSet webhooks to allow an optional ssh or altssh subdomain to exist in the resource’s repo URL that doesn’t appear in the webhook payload’s repo URL.
  • GitHub supports ssh subdomain over 443: https://docs.github.com/en/authentication/troubleshooting-ssh/using-ssh-over-the-https-port
  • GitLab supports altssh subdomain over 443: https://about.gitlab.com/blog/2016/02/18/gitlab-dot-com-now-supports-an-alternate-git-plus-ssh-port/#how-to-use-the-alternate-ssh-connection-on-gitlab.com
  • Bitbucket supports altssh subdomain over 443: https://confluence.atlassian.com/bbkb/port-22-is-blocked-on-local-network-1168865232.html
  • Azure DevOps does not support such an alternative: https://developercommunity.visualstudio.com/t/Can-I-use-SSH-on-a-port-other-than-22-in/10699062?sort=active&topics=fixed+in%3A+visual+studio+2019+version+16.6+preview+2
• Updates ApplicationSet webhook regular expression logic to match Application’s:
  • Uses extended usernameRegex instead of just \w+.
  • Calls regexp.QuoteMeta on hostname and path.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

✅ Preview Environment deployed on Bunnyshell

Component	Endpoints
argocd	https://argocd-agrnra.bunnyenv.com/
argocd-ttyd	https://argocd-web-cli-agrnra.bunnyenv.com/

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🔴 /bns:stop to stop the environment
• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[bunnyshell]

✅ Preview Environment created on Bunnyshell but will not be auto-deployed

See: Environment Details

Available commands (reply to this comment):

• 🚀 /bns:deploy to deploy the environment

[codecov]

Codecov Report

Attention: Patch coverage is 60.39604% with 120 lines in your changes missing coverage. Please review.

Project coverage is 55.72%. Comparing base (b824956) to head (c3396ab).

Files with missing lines	Patch %	Lines
util/webhook/webhook.go	16.66%	65 Missing ⚠️
server/webhookhandler/webhookhandler.go	72.72%	38 Missing and 7 partials ⚠️
applicationset/webhookhandler/webhookhandler.go	88.23%	4 Missing ⚠️
...t-controller/commands/applicationset_controller.go	63.63%	3 Missing and 1 partial ⚠️
server/server.go	86.66%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #19315      +/-   ##
==========================================
- Coverage   55.85%   55.72%   -0.13%     
==========================================
  Files         321      322       +1     
  Lines       44490    44474      -16     
==========================================
- Hits        24849    24784      -65     
- Misses      17077    17136      +59     
+ Partials     2564     2554      -10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mtbennett-godaddy]

Copied directly from https://github.com/argoproj/argo-cd/blob/7746506/util/webhook/webhook.go#L41-L43.

[crenshaw-dev]

Should we instead move this to a common util package?

[mtbennett-godaddy]

I had the same thought but wasn’t sure if I should dig in that much. (Wasn’t sure if the 2 webhooks were being allowed to diverge intentionally for some reason.) There’s another new feature in the Application webhook (maxPayloadSizeMB) that isn’t here either that I wanted to pull in.

I’ll see what I can do about reusing as much as possible between the 2 webhooks.

[robinlieb]

I have a similar PR open where the thing with the util package is already done (#16292). Maybe this can be used as an inspiration to these two PRs can be combined somehow.

[mtbennett-godaddy]

QuoteMeta and Sprintf formatting copied from https://github.com/argoproj/argo-cd/blob/7746506/util/webhook/webhook.go#L348-L351.

[crenshaw-dev]

Should we instead move this to a common util package?

[crenshaw-dev]

Ditto with this, if it's identical to the appset webhook handling logic, can we just move it to a shared location?

[mtbennett-godaddy]

The original regex used for this (here) allowed for SSH URLs which, AFAIK, aren’t valid for an API URL. If I’m mistaken on that, I can easily expand this to account for that. (There were no tests for this regex before. I added basic positive and negative cases in new Test_GetApiUrlRegex.)

[mtbennett-godaddy]

@crenshaw-dev

The common webhook handling code (HTTP- and provider-related bits and the queue logic) has been split from the use case-specific webhook payload handling (to make the former reusable across instances of the latter):

• Webhook
  • util/webhook was refactored to have all the reusable parts of the webhook handling.
  • has a payloadHandler field of type WebhookPayloadHandler, which is an interface for the different webhook payload handlers to implement.
  • has a HandleRequest function that does all the provider-specific payload parsing and authentication and then adds the payload to a queue.
  • has a worker pool running to pull payloads off the queue and call its payload handler’s HandlePayload function.
• WebhookPayloadHandler
  • has a HandlePayload function that handles the payload for the handler’s particular use case.
  • server/webhookhandler is new and contains the ApplicationWebhookPayloadHandler, which implements WebhookPayloadHandler for applications.
  • applicationset/webhook was refactored to applicationset/webhookhandler to be the ApplicationSetWebhookPayloadHandler, which implements WebhookPayloadHandler for application sets.
• server.go creates a Webhook with an ApplicationWebhookPayloadHandler instance and assigns the webhook’s HandleRequest function to the /api/webhook endpoint.
• applicationset_controller.go creates a Webhook with an ApplicationSetWebhookPayloadHandler instance and assigns the webhook’s HandleRequest function to the /api/webhook endpoint.
• Tests
  • The URL regex tests stayed in util/webhook since that functionality is still there. (The existing tests only covered web URLs. I added tests for API URLs.)
  • The remaining tests that were in util/webhook moved to server/webhookhandler with minimal refactors. (server/webhookhandler/webhookhandler_test.go shows as a new file in the diff but it is almost entirely just a copy/paste of the original util/webhook/webhook_test.go file.)
  • The applicationset/webhookhandler tests required minimal refactors.

[mtbennett-godaddy]

@robinlieb As far as I can tell, this regex covers the changes you introduced in #16292.

The updated regex matches the following sequence of parts:

1. optional: protocol (http, https, or ssh) followed by ://
2. optional: username followed by @
   • previously, the regex did not allow for usernames in http, https, or protocol-less URLs.
3. optional: ssh or altssh subdomain
   • this is the tiny change I originally set out to introduce 😅
4. required: hostname parsed from original URL
5. optional: : followed by port number
6. required: : or /
7. required: path parsed from original URL followed by optional .git

Feel free to suggest any additional test cases in webhook_test.go and I’ll incorporate them and make sure the regex works against them.