feat(docker-watcher): phase 5 - registry client & poller

Gitea registry client with tag listing and pattern matching, cron-based
polling scheduler with first-poll safety, poll state persistence.
DeployTriggerer interface for decoupled deploy triggering.

internal/webhook/handler.go

@@ -0,0 +1,254 @@
+package webhook
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
+
+	"github.com/alexei/docker-watcher/internal/docker"
+	"github.com/alexei/docker-watcher/internal/store"
+)
+
+// DeployTriggerer is called when a webhook determines a deploy should happen.
+// Same interface as registry.DeployTriggerer — kept separate to avoid import cycles.
+type DeployTriggerer interface {
+	TriggerDeploy(ctx context.Context, projectID, stageID, imageTag string) error
+}
+
+// ImageInspector abstracts Docker image inspection for testability.
+type ImageInspector interface {
+	InspectImage(ctx context.Context, imageRef string) (docker.ImageInfo, error)
+}
+
+// Payload is the expected JSON body for a webhook request.
+type Payload struct {
+	// Image is the full image reference including tag, e.g.
+	// "git.dolgolyov-family.by/alexei/web-app-launcher:dev-abc123".
+	Image string `json:"image"`
+}
+
+// ParsedImage holds the components extracted from a full image reference string.
+type ParsedImage struct {
+	// Registry is the hostname, e.g. "git.dolgolyov-family.by".
+	Registry string
+	// Owner is the namespace/org, e.g. "alexei".
+	Owner string
+	// Name is the repository name, e.g. "web-app-launcher".
+	Name string
+	// Tag is the image tag, e.g. "dev-abc123". Empty string means "latest".
+	Tag string
+}
+
+// FullName returns "owner/name" (the image path without registry and tag).
+func (p ParsedImage) FullName() string {
+	if p.Owner != "" {
+		return p.Owner + "/" + p.Name
+	}
+	return p.Name
+}
+
+// ParseImageRef splits a full image reference into its components.
+// Accepted formats:
+//
+//	registry.example.com/owner/name:tag
+//	registry.example.com/owner/name
+//	owner/name:tag
+//	name:tag
+func ParseImageRef(ref string) (ParsedImage, error) {
+	ref = strings.TrimSpace(ref)
+	if ref == "" {
+		return ParsedImage{}, fmt.Errorf("empty image reference")
+	}
+
+	var parsed ParsedImage
+
+	// Split off tag.
+	if idx := strings.LastIndex(ref, ":"); idx != -1 {
+		// Make sure the colon is not inside the registry host (e.g. "localhost:5000/img").
+		afterColon := ref[idx+1:]
+		if !strings.Contains(afterColon, "/") {
+			parsed.Tag = afterColon
+			ref = ref[:idx]
+		}
+	}
+
+	parts := strings.Split(ref, "/")
+	switch len(parts) {
+	case 1:
+		// "name"
+		parsed.Name = parts[0]
+	case 2:
+		// "owner/name"
+		parsed.Owner = parts[0]
+		parsed.Name = parts[1]
+	default:
+		// "registry/owner/name" or "registry/owner/sub/name" — first segment is registry.
+		parsed.Registry = parts[0]
+		parsed.Owner = strings.Join(parts[1:len(parts)-1], "/")
+		parsed.Name = parts[len(parts)-1]
+	}
+
+	if parsed.Name == "" {
+		return ParsedImage{}, fmt.Errorf("invalid image reference: missing name in %q", ref)
+	}
+
+	return parsed, nil
+}
+
+// Handler is the HTTP handler for webhook requests.
+type Handler struct {
+	store     *store.Store
+	deployer  DeployTriggerer
+	inspector ImageInspector
+}
+
+// NewHandler creates a new webhook Handler.
+func NewHandler(st *store.Store, deployer DeployTriggerer, inspector ImageInspector) *Handler {
+	return &Handler{
+		store:     st,
+		deployer:  deployer,
+		inspector: inspector,
+	}
+}
+
+// Route returns a chi router with the webhook endpoint mounted.
+func (h *Handler) Route() chi.Router {
+	r := chi.NewRouter()
+	r.Post("/{secret}", h.handleWebhook)
+	return r
+}
+
+// handleWebhook processes an incoming webhook request.
+// URL format: POST /api/webhook/{secret-uuid}
+// Returns 404 for invalid secrets (no information leak).
+func (h *Handler) handleWebhook(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	secret := chi.URLParam(r, "secret")
+	if secret == "" {
+		http.NotFound(w, r)
+		return
+	}
+
+	// Validate the webhook secret against stored settings.
+	settings, err := h.store.GetSettings()
+	if err != nil {
+		log.Printf("[webhook] failed to read settings: %v", err)
+		http.NotFound(w, r)
+		return
+	}
+
+	if settings.WebhookSecret == "" || settings.WebhookSecret != secret {
+		http.NotFound(w, r)
+		return
+	}
+
+	// Parse the request body.
+	var payload Payload
+	if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
+		http.Error(w, `{"error":"invalid JSON payload"}`, http.StatusBadRequest)
+		return
+	}
+
+	if payload.Image == "" {
+		http.Error(w, `{"error":"missing image field"}`, http.StatusBadRequest)
+		return
+	}
+
+	parsed, err := ParseImageRef(payload.Image)
+	if err != nil {
+		http.Error(w, fmt.Sprintf(`{"error":%q}`, err.Error()), http.StatusBadRequest)
+		return
+	}
+
+	// Default tag to "latest" if omitted.
+	if parsed.Tag == "" {
+		parsed.Tag = "latest"
+	}
+
+	log.Printf("[webhook] received push for image %s:%s", parsed.FullName(), parsed.Tag)
+
+	// Look up a matching project by image name.
+	project, stage, found, err := FindProjectAndStage(ctx, h.store, parsed)
+	if err != nil {
+		log.Printf("[webhook] lookup error: %v", err)
+		http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
+		return
+	}
+
+	if !found {
+		// Unknown project — auto-create with defaults from image inspection.
+		log.Printf("[webhook] unknown image %s, auto-creating project", parsed.FullName())
+		project, stage, err = AutoCreateProject(ctx, h.store, h.inspector, parsed)
+		if err != nil {
+			log.Printf("[webhook] auto-create failed: %v", err)
+			http.Error(w, `{"error":"failed to auto-create project"}`, http.StatusInternalServerError)
+			return
+		}
+		log.Printf("[webhook] auto-created project %s (%s) with stage %s", project.Name, project.ID, stage.Name)
+	}
+
+	// Only deploy if auto_deploy is enabled for the matched stage.
+	if !stage.AutoDeploy {
+		log.Printf("[webhook] auto_deploy disabled for project %s stage %s, skipping deploy", project.Name, stage.Name)
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, `{"status":"accepted","deploy":false,"project":"%s","stage":"%s"}`, project.Name, stage.Name)
+		return
+	}
+
+	if err := h.deployer.TriggerDeploy(ctx, project.ID, stage.ID, parsed.Tag); err != nil {
+		log.Printf("[webhook] deploy trigger failed: %v", err)
+		http.Error(w, `{"error":"deploy trigger failed"}`, http.StatusInternalServerError)
+		return
+	}
+
+	log.Printf("[webhook] triggered deploy for project %s stage %s tag %s", project.Name, stage.Name, parsed.Tag)
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	fmt.Fprintf(w, `{"status":"accepted","deploy":true,"project":"%s","stage":"%s","tag":"%s"}`, project.Name, stage.Name, parsed.Tag)
+}
+
+// EnsureWebhookSecret checks whether a webhook secret exists in settings.
+// If not, it generates a new UUID and stores it. Returns the current secret.
+func EnsureWebhookSecret(st *store.Store) (string, error) {
+	settings, err := st.GetSettings()
+	if err != nil {
+		return "", fmt.Errorf("get settings: %w", err)
+	}
+
+	if settings.WebhookSecret != "" {
+		return settings.WebhookSecret, nil
+	}
+
+	settings.WebhookSecret = uuid.New().String()
+	if err := st.UpdateSettings(settings); err != nil {
+		return "", fmt.Errorf("store webhook secret: %w", err)
+	}
+
+	log.Printf("[webhook] generated new webhook secret")
+	return settings.WebhookSecret, nil
+}
+
+// RegenerateWebhookSecret generates a new webhook secret UUID, replacing and
+// invalidating the old one. Returns the new secret.
+func RegenerateWebhookSecret(st *store.Store) (string, error) {
+	settings, err := st.GetSettings()
+	if err != nil {
+		return "", fmt.Errorf("get settings: %w", err)
+	}
+
+	settings.WebhookSecret = uuid.New().String()
+	if err := st.UpdateSettings(settings); err != nil {
+		return "", fmt.Errorf("store webhook secret: %w", err)
+	}
+
+	log.Printf("[webhook] regenerated webhook secret")
+	return settings.WebhookSecret, nil
+}