diff --git a/env/dev/resources/config.edn b/env/dev/resources/config.edn
index fea607b..d4ba640 100644
--- a/env/dev/resources/config.edn
+++ b/env/dev/resources/config.edn
@@ -30,6 +30,9 @@
 :github-user "commiteth"
 :github-password "XXX"
+ ;; Add Github App webhook secret here to verify GH origin
+ :webhook-secret "XXX"
+
 ;; set to true when on Ropsten testnet
 :on-testnet true
diff --git a/resources/sql/queries.sql b/resources/sql/queries.sql
index 902a244..09a6e82 100644
--- a/resources/sql/queries.sql
+++ b/resources/sql/queries.sql
@@ -493,7 +493,7 @@ SELECT
 FROM issues i, repositories r
 WHERE r.repo_id = i.repo_id
 AND contract_address IS NOT NULL
-AND i.payout_hash IS NULL;
+AND i.confirm_hash IS NULL;
 -- :name get-bounty :? :1
 -- :doc details for a bounty issue given owner, repo and issue nunber
diff --git a/src/clj/commiteth/github/core.clj b/src/clj/commiteth/github/core.clj
index 21b8ba6..55f2ea5 100644
--- a/src/clj/commiteth/github/core.clj
+++ b/src/clj/commiteth/github/core.clj
@@ -25,6 +25,7 @@
 (defn self [] (:github-user env))
 (defn self-password [] (:github-password env))
 (defn on-testnet? [] (env :on-testnet))
+(defn webhook-secret [] (env :webhook-secret))
 (defn authorize-url [scope]
 (let [params (codec/form-encode {:client_id (client-id)
@@ -37,8 +38,14 @@
 (defn signup-authorize-url []
 (authorize-url "user:email"))
+;; NOTE: Capabilities picked for Github apps if true, Oauth if false
+(defn github-app-enabled? []
+ (env :github-app-enabled) true)
+
 (defn admin-authorize-url []
- (authorize-url "admin:repo_hook repo user:email admin:org_hook"))
+ (if (github-app-enabled?)
+ (authorize-url "public_repo user:email")
+ (authorize-url "admin:repo_hook repo user:email admin:org_hook")))
 (defn access-settings-url []
 (str "https://github.com/settings/connections/applications/" (client-id)))
diff --git a/src/clj/commiteth/routes/services.clj b/src/clj/commiteth/routes/services.clj
index 5789df1..27cbbb3 100644
--- a/src/clj/commiteth/routes/services.clj
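Review bot: Swapping `i.payout_hash IS NULL` for `i.confirm_hash IS NULL` changes which issues this query returns, but the `-- :name`/`-- :doc` header that describes it sits above the hunk and is not touched by this diff; if that doc still speaks of payouts it should be updated to say the query selects issues with a deployed contract whose confirmation hash has not yet been recorded. The unqualified `contract_address IS NOT NULL` on the context line will become an ambiguous-column error the day `repositories` gains a column of that name; qualifying it as `i.contract_address` (assuming the column lives on `issues` — confirm) costs nothing while this query is being edited.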
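Review bot: `github-app-enabled?` never consults the environment: its body is two forms, `(env :github-app-enabled)` and `true`, and a defn returns the value of the last one, so the function always yields true and the OAuth branch of admin-authorize-url (`admin:repo_hook repo user:email admin:org_hook`) is unreachable. If this is meant to be a config toggle, the body should be `(env :github-app-enabled)` alone, or `(boolean (env :github-app-enabled))` so a missing key reads as false; if the intent really is to force the GitHub-App scope set, say so in the `;; NOTE` and drop the dead branch rather than leaving a toggle that cannot be switched. I also do not see `:github-app-enabled` added to env/dev/resources/config.edn in this diff, so with the env-only form the dev environment would silently fall back to the OAuth scopes — worth adding next to the new `:webhook-secret` key.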
+++ b/src/clj/commiteth/routes/services.clj
@@ -193,11 +193,17 @@
 "anna02test"
 "anna03test"
 "anna04test"
+ "anna05test"
+ "anna06test"
+ "anna07test"
+ "anna08test"
+ "anna09test"
 "pablanopete"
 "andytudhope"
 "ara4n"
 "commitethtest"
 "noman-land"
+ "cancuncoconut"
 })
 (defapi service-routes
diff --git a/src/clj/commiteth/routes/webhooks.clj b/src/clj/commiteth/routes/webhooks.clj
index 8f93a0e..e89efda 100644
--- a/src/clj/commiteth/routes/webhooks.clj
+++ b/src/clj/commiteth/routes/webhooks.clj
@@ -237,6 +237,23 @@
 (crypto/eq? github-signature
 (str "sha1=" (hex-hmac-sha1 secret raw-payload))))))
+(defn validate-secret-naive [webhook-payload raw-payload github-signature]
+ (let [full-name (get-in webhook-payload [:repository :full_name])
+ repo (repos/get-repo full-name)]
+ (log/debug "validate secret naive - repo exists?" repo)
+ repo))
+
+(defn validate-secret-one-hook [webhook-payload raw-payload github-signature]
+ (let [full-name (get-in webhook-payload [:repository :full_name])
+ repo (repos/get-repo full-name)
+ secret (github/webhook-secret)
+ ;; XXX remove below once verified in logs
+ debug-secret (apply str (take 5 (github/webhook-secret)))]
+ (log/debug "validate secret one hook - repo exists and github origin" repo " - " debug-secret)
+ (and (not (string/blank? secret))
+ repo
+ (crypto/eq? github-signature
+ (str "sha1=" (hex-hmac-sha1 secret raw-payload))))))
 (defroutes webhook-routes
 (POST "/webhook" {:keys [headers body]}
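Review bot: `debug-secret` in validate-secret-one-hook writes the first five characters of the webhook secret to the debug log, and the `;; XXX remove below once verified in logs` comment shows it was never meant to ship; secret material in logs tends to outlive the debugging session, so drop the `debug-secret` binding and the ` " - " debug-secret` argument from the log call before merging. validate-secret-naive ignores its `raw-payload` and `github-signature` parameters and only returns the repo lookup, so it authenticates nothing; neither route visible in this diff calls it (the `/webhook` validator call is outside the hunk), and leaving it beside the real validator invites someone to wire it in later — either delete it or rename it so it cannot be mistaken for a signature check. The `string/blank?` guard does not reject the `"XXX"` placeholder that env/dev/resources/config.edn ships in this same commit, so a deployment that forgets to set `:webhook-secret` would verify signatures against a value published in the repository; consider failing at startup when the secret is unset or still equals the placeholder.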
@@ -252,4 +269,19 @@
 "issues" (handle-issue payload)
 "pull_request" (handle-pull-request payload)
 (ok)))
- (forbidden)))))
+ (forbidden))))
+ (POST "/webhook-app" {:keys [headers body]}
+ (log/debug "webhook-app POST, headers" headers)
+ (let [raw-payload (slurp body)
+ payload (json/parse-string raw-payload true)]
+ (log/debug "webhook-app POST, payload" payload)
+ (if (validate-secret-one-hook payload raw-payload (get headers "x-hub-signature"))
+ (do
+ (log/debug "Github secret validation OK app")
+ (log/debug "x-github-event app" (get headers "x-github-event"))
+ (case (get headers "x-github-event")
+ "issues" (handle-issue payload)
+ "pull_request" (handle-pull-request payload)
+ (ok)))
+ (forbidden))))
+ )
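Review bot: The new `/webhook-app` handler is a line-for-line copy of `/webhook` with only the validator swapped (the `/webhook` body starts above this hunk), so any later fix to event dispatch or error handling has to be made twice; factor the shared slurp/parse/verify/dispatch sequence into a private helper that takes the validator as an argument, as sketched below. Both routes also parse the JSON body, and validate-secret-one-hook looks up the repository, before the HMAC is checked, so unauthenticated requests still reach the parser and the database — since the app-level secret does not depend on the payload, the signature could be verified against `raw-payload` first and the parse and lookup done only on success. The trailing `+ )` closing `defroutes` on its own line is unidiomatic Clojure; fold it onto the preceding `(forbidden))))`.
```clojure
(defn- handle-github-event
  "Reads the request body, runs `validator` on it and dispatches on the
   X-GitHub-Event header; answers 403 when validation fails."
  [validator headers body]
  (let [raw-payload (slurp body)
        payload     (json/parse-string raw-payload true)
        event       (get headers "x-github-event")]
    (if (validator payload raw-payload (get headers "x-hub-signature"))
      (do
        (log/debug "Github secret validation OK, event" event)
        (case event
          "issues"       (handle-issue payload)
          "pull_request" (handle-pull-request payload)
          (ok)))
      (forbidden))))

(defroutes webhook-routes
  ;; … unchanged: /webhook route, reduced to the same one-line call with its existing validator …
  (POST "/webhook-app" {:keys [headers body]}
    (handle-github-event validate-secret-one-hook headers body)))
```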