1b5827b8f460b1c53181f407659112d9dd852731
14 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
1b5827b8f4 |
v0.1.4: Rollback NRE fix + Gitea Actions builds (#8)
Release (Gitea) / build-installer (push) Failing after 26s
* Fix Rollback NRE: capture filename before refreshing the checkpoint list The actual restore on the service was succeeding but the GUI showed "Rollback failed: Object reference not set to an instance of an object." because RefreshAsync clears the ObservableCollection, the SelectedItem binding goes null when its source item disappears, and the next line dereferenced Selected!.FileName. Cache the filename and timestamp before any await so the post-refresh status update doesn't depend on Selected still being non-null. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * v0.1.4 --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
0b7c20a1fa |
v0.1.3: hide-to-tray + tray toggle + context menu fix (#6)
* GUI: hide-to-tray on X button; tray persists until explicit Exit The minimize-to-tray behavior already worked, but clicking the X button killed the GUI process and took the tray with it. That made "tray when the GUI window is closed" a UX dead end - the only way to get the tray was to leave the window minimized. Now: - X button / Alt+F4 -> hide window, tray stays alive - Tray double-click -> reopens window - File -> Exit (or tray's Exit menu) -> truly quits the process Wired by adding a RealExitRequested event on MainViewModel that the window subscribes to (so File -> Exit sets the ExitForReal flag before calling Shutdown), and a parallel onExit callback on TrayIcon for the tray menu's Exit item. The Closing handler checks ExitForReal: if false (X / Alt+F4) it cancels the close and hides; if true, it disposes the tray and lets the close proceed. Auto-start at login is still TBD - if you want the tray to be there without manually launching the GUI after a reboot, that's a separate Task Scheduler entry. Skipping for now. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Add File -> Minimize to tray toggle (default on) Adds a checkable MenuItem so the user can opt out of the hide-to-tray behavior. Persisted per-user to %APPDATA%\WebhookServer\gui.json so the choice survives restarts. When ticked (default): X / Alt+F4 / minimize hide to tray, GUI process keeps running, tray icon persists. When unticked: X actually closes the app, minimize is a regular Windows minimize. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Fix endpoint-row context menu: bindings via PlacementTarget.Tag The ContextMenu lived in its own popup visual tree, so the menu items' RelativeSource={RelativeSource AncestorType=Window} couldn't find the Window and the bindings silently failed - none of Edit / Copy URL / Toggle / Delete actually fired their commands. Standard WPF workaround: park MainViewModel on each DataGridRow's Tag (still in the Window's visual tree, so the row Setter binding resolves) and reach it from the menu items via PlacementTarget.Tag. The toggle command parameter likewise comes from PlacementTarget.DataContext (the EndpointConfig the row represents). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * v0.1.3 --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
f00ee0cf3a |
v0.1.2: Config Checkpoints dialog, descriptions, daily auto-snapshot, docs (#3)
* Documentation: install/upgrade/uninstall guides + recipes incl. Zerto Adds a docs/ folder under the repo root with full operator documentation aimed at sysadmins (not webhook developers). The Zerto pre/post script recipe is the canonical "why does this exist" walkthrough; the GitHub HMAC, AD password reset, and UI-on-desktop recipes round out common patterns. Pages: - README.md (index) - concepts.md (5-minute "what is a webhook" explainer) - installation.md (interactive + silent install) - upgrading.md (single-click upgrade flow + edge cases) - uninstalling.md (clean removal + wiping ProgramData) - runas-modes.md (Service / InteractiveUser / SpecificUser decision flow) - service-account-and-ad.md (gMSA setup, delegated rights) - network-and-security.md (bind addresses, allowlists, HTTPS, secret storage) - troubleshooting.md (symptom -> first check, common errors) - recipes/zerto-pre-post-scripts.md (canonical use case) - recipes/github-style-hmac.md (GitHub / Stripe-shaped webhooks) - recipes/ad-password-reset.md (gMSA-backed self-service reset) - recipes/ui-on-desktop.md (InteractiveUser pattern) Top-level README.md restructured to point at docs/ as the source of truth, dropping the duplicated installation snippets. Installer ships docs/ alongside the binaries so they're available offline at C:\Program Files\WebhookServer\docs\. GUI Help menu gains a "Documentation" item that opens the docs site in a browser. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Config Checkpoints dialog + daily auto-checkpoint; drop installer GUI launch Three fixes: 1. Config Checkpoints submenu replaced with a proper dialog. Lists checkpoints with timestamp/size/filename, has a "Take Checkpoint Now" button, and a "Roll Back" button that becomes enabled when a row is selected. The previous click-a-menu-entry-immediate-restore flow was too easy to fire by accident. 2. New CheckpointScheduler BackgroundService creates a checkpoint at midnight every day. Combined with the existing auto-on-save snapshots, this guarantees a daily rollback point even if the config wasn't edited that day. A new "create-checkpoint" admin op plus AdminPipeServer.CreateCheckpoint helper does the actual file copy; both manual (via the dialog) and the scheduler use it. 3. Installer: drop the post-install "Launch Webhook Server" wizard step. It tried to launch the GUI un-elevated, which fails because the GUI's manifest is requireAdministrator. The Start Menu shortcut handles elevation correctly, so the user can launch from there. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Docs: replace AD-reset recipe with realistic Zerto failover walkthrough The AD password reset endpoint was a poor fit for what people actually need this server for. Replaced with a realistic Zerto post-failover example that's much closer to the project's purpose: - Update DNS A records for failed-over hostnames - Wait for the VM to come up at the DR site - PowerShell-remote into the VM and check / start critical services - Notify Teams with the result The flagship pattern is now: Zerto post-script (curl, fire-and-forget) calls an Async webhook endpoint -> 202 in milliseconds -> Zerto's failover sequence is never blocked. The server runs the actual work in the background, with full output captured in the daily log. A ready-to-use Zerto-side script ships at scripts/examples/zerto-post-failover.ps1 - pure curl.exe (no PowerShell modules), reads the bearer token from a file the ZVM service account can read. The installer now bundles scripts/examples/ alongside docs/ so the example is also available locally at C:\Program Files\WebhookServer\scripts\examples\. Removed: docs/recipes/ad-password-reset.md. Updated: docs/README.md, README.md, the recipe content itself. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Restore installer GUI launch (via shellexec) + checkpoint descriptions Two follow-ups to the previous Config Checkpoints commit: 1. Bring back the post-install "Launch Webhook Server" checkbox in the installer. The previous attempt failed because Inno Setup's postinstall flag launches via CreateProcess after Setup exits, bypassing the GUI's requireAdministrator manifest. Adding the shellexec flag switches to ShellExecute, which DOES honor the manifest and triggers a clean UAC prompt - so the post-install GUI launch works as expected. 2. Each checkpoint now carries a description, stored in a sidecar .meta.json file next to the snapshot. Defaults: - Auto-on-save: "Before save" - Midnight scheduler: "Nightly auto-checkpoint" - Manual: opens a small dialog so the user can type a meaningful description (defaults to "Manual checkpoint" if blank) The dialog and pruning both clean up sidecars alongside snapshots. The Config Checkpoints grid grows a Description column between When and Size. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * v0.1.2: bump checkpoint retention 30 -> 90 Each checkpoint is a few KB of JSON plus a tiny sidecar; even at 90 entries on a config with hundreds of endpoints the on-disk footprint is negligible (worst case ~20 MB). With daily auto-checkpoints plus on-save snapshots, 30 entries could fill in a couple weeks of moderate use; 90 gives a comfortable ~3-month window. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
7d94535d5d |
v0.1.1: GUI auto-elevates, installer handles upgrades cleanly (#2)
* v0.1.1: GUI auto-elevates, installer stops service before file copy Two fixes for the v0.1.0 install experience: 1. Embed app.manifest with requestedExecutionLevel=requireAdministrator so the GUI always elevates. The named pipe is ACL'd to SYSTEM and the Administrators group, but UAC token splitting puts Admins in deny-only on the standard token, so launching the GUI from the Start Menu fails to connect with "Access is denied". The manifest forces UAC to elevate, surfaces the shield icon on the shortcut, and matches the reality that the GUI cannot function without admin rights. 2. Add a [Code] PrepareToInstall hook to webhook-server.iss that runs `sc stop WebhookServer` before file copy. Upgrade installs were failing on locked binaries because the running service held the exes open. sc returns non-zero on fresh installs (no service yet) which we ignore. Bumps Version to 0.1.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Rename "Backups" menu item to "Config Checkpoints" User-facing copy only; internal API names (Backups collection, BackupEntry, list-backups op, etc.) stay the same to avoid churn through the wire protocol and existing on-disk files. The new phrasing makes the auto-snapshot-before-save model more discoverable. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Installer: synchronous service stop + kill stray GUI/Service processes The previous sc.exe stop is fire-and-forget; on slower machines the file-copy step started before the service had actually released its binaries, leaving the upgrade in a broken state. Switch to net.exe stop which blocks until the service reports STOPPED. Also taskkill any running WebhookServer.Gui.exe (the user might have left the tray running) and any orphan WebhookServer.Service.exe (from deploy.ps1 dev runs) so all copies of the binaries are unlocked before [Files] runs. Pre-flight ServiceExists() check via sc query so the installer only calls "net stop" when there is actually a service to stop, rather than relying on net's error code. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
a808964cf1 |
Phases 1-7: GUI polish, icons, tray, backups, installer, CI (#1)
* Phase 3: app icon (multi-resolution ICO + master PNG) scripts/generate-icons.ps1 renders the icon programmatically with System.Drawing - rounded teal square (#0E7C66) with a stylized white hook glyph - at 16/24/32/48/64/128/256 px and assembles a proper multi-resolution Microsoft ICO. The PNG and ICO outputs land in resources/. The script is the source of truth; re-run after editing the design. GUI csproj uses ApplicationIcon for the EXE icon and embeds the .ico + .png as Resources so MainWindow and AboutDialog can use them via WPF's resource URI scheme. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Phase 5: tray icon with minimize-to-tray and context menu GUI csproj enables UseWindowsForms (NotifyIcon lives in WinForms even in .NET 8). New Services/TrayIcon.cs wraps NotifyIcon with a context menu (Open / Restart service / Exit) and the embedded webhook-server icon. MainWindow creates the TrayIcon, hides itself on minimize and restores on tray double-click. Adds GlobalUsings.cs to alias the WPF defaults for types that exist in both WPF and WinForms (Application, MessageBox, TextBox, Binding, etc.) so existing code keeps compiling without per-file changes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Phase 6+7: Inno Setup installer + GitHub Actions release pipeline installer/webhook-server.iss is an Inno Setup 6 script that: - Installs to %ProgramFiles%\WebhookServer - Creates Start Menu folder + GUI shortcut (and optional desktop icon) - Runs install-service.ps1 post-install to register the Windows Service - Runs uninstall-service.ps1 pre-uninstall to remove it - Bundles the webhook-server icon for the installer / uninstaller scripts/build-installer.ps1 is the local build helper: publishes both projects, finds ISCC.exe (PATH or standard install path), compiles the installer with the version pulled from Directory.Build.props, drops the output in dist/. .github/workflows/ci.yml runs build + test on every push/PR to main. .github/workflows/release.yml triggers on v* tags (or manual dispatch), runs tests, installs Inno Setup via choco, builds the installer, and attaches the .exe to a GitHub Release. Pre-1.0 versions are flagged prerelease automatically. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Phase 4: backups + import/export config ConfigStore.SaveAsync now snapshots the previous config to %ProgramData%\WebhookServer\backups\config-<timestamp>.json before overwriting, retaining the last 30. Failures are silent so a backup-write hiccup never blocks an actual save. Three new admin pipe ops: - list-backups: returns newest 50 entries with timestamps and sizes - restore-backup: takes a fileName, refuses path-traversal chars, loads the named backup over the live config (which itself triggers a fresh backup of the current state via the SaveAsync hook) - import-config: replaces the current config with a GUI-supplied ServerConfig, merging encrypted secrets where the GUI didn't supply new plaintext GUI File menu items are wired: - Import config: file picker -> ImportConfigAsync - Export config: SaveFileDialog writes the current config as JSON - Backups: dynamic submenu auto-refreshed when opened, listing backups with timestamp + size; click to confirm-and-restore Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
a45d994c18 |
Phase 1: versioning, menu bar, About dialog, right-click context menu
- Directory.Build.props sets Version=0.1.0 (semver pre-1.0 = beta) plus Authors / Product / RepositoryUrl, picked up by all three projects. - MainWindow gets a real menu bar (File / Server / Help) replacing the old toolbar. File: New endpoint / Import / Export / Backups (last three are stubs for the next phase) / Exit. Server: Settings / Restart service. Help: About. - Drop the Refresh button - the 3 s polling loop covers it. - DataGridRow gets a right-click context menu: Edit / Copy URL / toggle Enabled / Delete. - New About dialog reads AssemblyInformationalVersion at runtime and links jpaul.me + the GitHub repo via clickable hyperlinks. - Ctrl+N input binding for new-endpoint. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
28479272d5 |
Configurable bind addresses + display host in Server Settings
ServerConfig grows two fields: - BindAddresses: list of IPs Kestrel binds to (empty = all interfaces, current behavior). Listening only on a subset is useful when the host has multiple NICs and the webhook should not be reachable on all of them. - DisplayHost: the hostname/IP the GUI splices into the URL column and Copy URL button. Cosmetic; doesn't affect what the server accepts. Server Settings dialog gains a "Network" section: a checkbox for "all interfaces" plus per-NIC checkboxes auto-detected via NetworkInterface. GetAllNetworkInterfaces, and an editable ComboBox for the display host pre-populated with detected IPs and the machine name. Listener restart fires on BindAddresses change but not on DisplayHost change (cosmetic). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
4ef8d20578 |
Skip lpDesktop=winsta0\default for SpecificUser launches
Setting lpDesktop on STARTUPINFO forces the child to open that desktop; the LogonUser-derived token in SpecificUser mode usually cannot, since winsta0\default's DACL only grants the currently-logged-in user. The result was STATUS_DLL_INIT_FAILED (exit 0xC0000142) with empty stdio. Only InteractiveUser mode needs the explicit interactive desktop - that whole point of the mode is to land in the user's session. For SpecificUser, leaving lpDesktop null lets the child inherit our service desktop, which works for headless batch tasks (AD reads, file ops, etc.). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
8b855ec9b9 |
Route SpecificUser through LogonUser+CreateProcessAsUser, not psi.UserName
CreateProcessWithLogonW (which ProcessStartInfo.UserName/Password uses under the hood) refuses to run when the caller is LocalSystem - which is exactly the scenario every hook hits, since the service runs as SYSTEM by default. The hook just got "Access is denied" with no useful context. Switch SpecificUser to the same LogonUser + DuplicateTokenEx + CreateProcessAsUser path that InteractiveUser already uses. The launcher tries LOGON32_LOGON_INTERACTIVE first, falling back to LOGON32_LOGON_BATCH for accounts without interactive-logon rights (typical for service-only users). Domain "." is normalized to the machine name so ".\justin" works. The launcher's two public entry points - LaunchAsActiveConsoleUser and LaunchAsSpecificUser - share the same LaunchWithToken core, so stdio capture and environment-block construction stay identical. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
1e48b8185b |
Log execution outcomes (success / failure / timeout / launch error)
Hook runs were silently dropping their result into the void after returning the HTTP response. For sync runs the body went to the caller but nothing was logged; for async runs the result vanished unless a callback was configured. That made debugging RunAs failures (logon errors, missing executables) effectively impossible since the service log only showed the 202. Now every run emits one log line at INF (success) or WRN (non-zero exit / timeout / launch error) with runId, slug, exit code, duration, and truncated stdout/stderr. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
24d8701b65 |
Per-endpoint RunAs: Service / InteractiveUser / SpecificUser
Native per-endpoint identity instead of the schtasks bridge: - Service (default) keeps the existing path - hooks inherit the service account (SYSTEM by default, or whatever you installed under). - SpecificUser binds ProcessStartInfo.UserName / Password / Domain so the hook runs in a batch logon session as the named account. Useful for AD-write hooks that should NOT run as SYSTEM. - InteractiveUser uses WTSQueryUserToken(WTSGetActiveConsoleSessionId) + DuplicateTokenEx + CreateProcessAsUser to drop the child into the logged-in user's session with their environment block. This is the real fix for "calc.exe should pop up on my desktop" - no Task Scheduler bridge required. Stdio is captured via inheritable anonymous pipes so the hook still returns stdout/stderr to the caller normally. Implementation: - New RunAsMode enum + RunAsConfig model on EndpointConfig - ConfigStore round-trips RunAs.Password through DPAPI alongside bearer/HMAC/PFX secrets - AdminPipeServer's secret-merge logic preserves the encrypted blob when the GUI saves an endpoint without re-typing the password - New WebhookServer.Core.Execution.Native namespace with NativeMethods (P/Invoke) and InteractiveProcessLauncher (token-based launcher) - ProcessExecutor branches on RunAs.Mode; the Service/SpecificUser paths share .NET's Process; InteractiveUser uses the launcher - GUI editor gets a "Run as" section: dropdown + conditional username/password/load-profile fields under SpecificUser Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
87bcb6807f |
GUI UX, secret visibility, browser-friendly hooks, deploy script
GUI: - URL column in endpoint grid + Copy URL toolbar button so the full http://host:port/hook/<slug> is one click away - Double-click a row to open the edit dialog - Bearer/HMAC sections in the editor hide when the auth mode doesn't use them, and reappear with previously-entered values when switched back - Log panel auto-scroll checkbox (default on) plus 3s polling so log entries stream in without manual refresh - Secret fields are now plain text with a Copy button. Anyone who can open the admin-pipe-ACL'd GUI is already SYSTEM-equivalent on the host, so masking the value just made recovery harder. PFX password in Server Settings gets the same treatment. Service: - Admin pipe ops log info-level lines on every mutation (create/update/delete/enable/disable/update-config/bind-https) so GUI activity is visible in the Serilog file - /hook/{slug} accepts GET as well as POST so a browser smoke-test works without curl - /favicon.ico returns 204 so browser hits don't pollute logs with 404s - AdminPipeServer no longer strips plaintext secrets when sending config to the GUI; the pipe ACL already restricts to SYSTEM/Admins Scripts: - New deploy.ps1: stops + republishes + copies binaries to C:\Program Files\WebhookServer + (re)installs the Windows Service - install-service.ps1 now uses sc.exe argv splatting consistently for both create and config paths Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
|
ebac2c7c04 |
Fix PowerShell -Command argv binding so positional args + stdin work
PowerShell's -Command treats trailing argv entries as part of the
command-line text rather than as $args, so a hook with an inline
command and an arg template raised a parser error. Wrap inline commands
in a scriptblock with @args splat, and pipe $input into the block so
{{body.*}} arg templates AND stdin JSON both reach the script. Verified
end-to-end against ping, bearer (good/bad/missing), HMAC (good/bad/missing),
IP allowlist deny, async 202, and stdin+template combined.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
|
8ecfe84540 |
Initial WebhookServer implementation
Add the .NET 8 solution scaffolded against PLAN.md. Three projects share WebhookServer.Core (models, auth, execution, storage, IPC, callbacks) and WebhookServer.Service hosts an embedded Kestrel listener plus the named-pipe admin server. WebhookServer.Gui is a thin MVVM client over the pipe. Includes 25 unit tests covering HMAC verification, bearer auth, IP allowlist parsing, arg-template rendering, DPAPI round-trip, and the encrypt-on-save config store. Install/uninstall PowerShell scripts default to LocalSystem and accept a domain user or gMSA via -ServiceAccount. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |