Merge branch 'develop'

env/dev/resources/config.edn

@@ -30,6 +30,9 @@
  :github-user            "commiteth"
  :github-password        "XXX"
 
+ ;; Add Github App webhook secret here to verify GH origin
+ :webhook-secret "XXX"
+
  ;; set to true when on Ropsten testnet
  :on-testnet             true
 

resources/sql/queries.sql

@@ -493,7 +493,7 @@ SELECT
 FROM issues i, repositories r
 WHERE r.repo_id = i.repo_id
 AND contract_address IS NOT NULL
-AND i.payout_hash IS NULL;
+AND i.confirm_hash IS NULL;
 
 -- :name get-bounty :? :1
 -- :doc details for a bounty issue given owner, repo and issue nunber

src/clj/commiteth/github/core.clj

@@ -25,6 +25,7 @@
 (defn self [] (:github-user env))
 (defn self-password [] (:github-password env))
 (defn on-testnet? [] (env :on-testnet))
+(defn webhook-secret [] (env :webhook-secret))
 
 (defn authorize-url [scope]
   (let [params (codec/form-encode {:client_id    (client-id)
@@ -37,8 +38,14 @@
 (defn signup-authorize-url []
   (authorize-url "user:email"))
 
+;; NOTE: Capabilities picked for Github apps if true, Oauth if false
+(defn github-app-enabled? []
+  (env :github-app-enabled) true)
+
 (defn admin-authorize-url []
-  (authorize-url "admin:repo_hook repo user:email admin:org_hook"))
+  (if (github-app-enabled?)
+    (authorize-url "public_repo user:email")
+    (authorize-url "admin:repo_hook repo user:email admin:org_hook")))
 
 (defn access-settings-url []
   (str "https://github.com/settings/connections/applications/" (client-id)))

src/clj/commiteth/routes/services.clj

@@ -193,11 +193,17 @@
     "anna02test"
     "anna03test"
     "anna04test"
+    "anna05test"
+    "anna06test"
+    "anna07test"
+    "anna08test"
+    "anna09test"
     "pablanopete"
     "andytudhope"
     "ara4n"
     "commitethtest"
     "noman-land"
+    "cancuncoconut"
     })
 
 (defapi service-routes

src/clj/commiteth/routes/webhooks.clj

@@ -237,6 +237,23 @@
          (crypto/eq? github-signature
                      (str "sha1=" (hex-hmac-sha1 secret raw-payload))))))
 
+(defn validate-secret-naive [webhook-payload raw-payload github-signature]
+  (let [full-name (get-in webhook-payload [:repository :full_name])
+        repo (repos/get-repo full-name)]
+    (log/debug "validate secret naive - repo exists?" repo)
+    repo))
+
+(defn validate-secret-one-hook [webhook-payload raw-payload github-signature]
+  (let [full-name (get-in webhook-payload [:repository :full_name])
+        repo (repos/get-repo full-name)
+        secret (github/webhook-secret)
+        ;; XXX remove below once verified in logs
+        debug-secret (apply str (take 5 (github/webhook-secret)))]
+    (log/debug "validate secret one hook - repo exists and github origin" repo " - " debug-secret)
+    (and (not (string/blank? secret))
+         repo
+         (crypto/eq? github-signature
+                     (str "sha1=" (hex-hmac-sha1 secret raw-payload))))))
 
 (defroutes webhook-routes
   (POST "/webhook" {:keys [headers body]}
@@ -252,4 +269,19 @@
                 "issues" (handle-issue payload)
                 "pull_request" (handle-pull-request payload)
                 (ok)))
-            (forbidden)))))
+            (forbidden))))
+  (POST "/webhook-app" {:keys [headers body]}
+        (log/debug "webhook-app POST, headers" headers)
+        (let [raw-payload (slurp body)
+              payload (json/parse-string raw-payload true)]
+          (log/debug "webhook-app POST, payload" payload)
+          (if (validate-secret-one-hook payload raw-payload (get headers "x-hub-signature"))
+            (do
+              (log/debug "Github secret validation OK app")
+              (log/debug "x-github-event app" (get headers "x-github-event"))
+              (case (get headers "x-github-event")
+                "issues" (handle-issue payload)
+                "pull_request" (handle-pull-request payload)
+                (ok)))
+            (forbidden))))
+  )