Github App: check webhook-secret and enable flag

2025-02-03 13:14:34 +00:00 · 2017-11-04 11:21:24 -05:00 · 2017-11-04 11:21:24 -05:00 · fce9ac81bc
commit fce9ac81bc
parent fb034ce925
3 changed files with 17 additions and 3 deletions
--- a/env/dev/resources/config.edn
+++ b/env/dev/resources/config.edn
@ -30,6 +30,9 @@
 :github-user            "commiteth"
 :github-password        "XXX"

+ ;; Add Github App webhook secret here to verify GH origin
+ :webhook-secret "XXX"
+
 ;; set to true when on Ropsten testnet
 :on-testnet             true

--- a/src/clj/commiteth/github/core.clj
+++ b/src/clj/commiteth/github/core.clj
@ -25,6 +25,7 @@
 (defn self [] (:github-user env))
 (defn self-password [] (:github-password env))
 (defn on-testnet? [] (env :on-testnet))
+(defn webhook-secret [] (env :webhook-secret))

 (defn authorize-url [scope]
  (let [params (codec/form-encode {:client_id    (client-id)
@ -38,7 +39,7 @@
  (authorize-url "user:email"))

 ;; NOTE: Capabilities picked for Github apps if true, Oauth if false
-(def github-app-flag false)
+(def github-app-flag true)

 (defn admin-authorize-url []
  (if github-app-flag
--- a/src/clj/commiteth/routes/webhooks.clj
+++ b/src/clj/commiteth/routes/webhooks.clj
@ -240,9 +240,19 @@
 (defn validate-secret-naive [webhook-payload raw-payload github-signature]
  (let [full-name (get-in webhook-payload [:repository :full_name])
        repo (repos/get-repo full-name)]
-    (log/debug "validate secret - repo exists?" repo)
+    (log/debug "validate secret naive - repo exists?" repo)
    repo))

+(defn validate-secret-one-hook [webhook-payload raw-payload github-signature]
+  (let [full-name (get-in webhook-payload [:repository :full_name])
+        repo (repos/get-repo full-name)
+        secret (github/webhook-secret)
+        ;; XXX remove below once verified in logs
+        debug-secret (apply str (take 5 (github/webhook-secret)))]
+    (log/debug "validate secret one hook - repo exists and github origin" repo " - " debug-secret)
+    (and (not (string/blank? secret))
+         (crypto/eq? github-signature
+                     (str "sha1=" (hex-hmac-sha1 secret raw-payload))))))

 (defroutes webhook-routes
  (POST "/webhook" {:keys [headers body]}
@ -264,7 +274,7 @@
        (let [raw-payload (slurp body)
              payload (json/parse-string raw-payload true)]
          (log/debug "webhook-app POST, payload" payload)
-          (if (validate-secret-naive payload raw-payload (get headers "x-hub-signature"))
+          (if (validate-secret-one-hook payload raw-payload (get headers "x-hub-signature"))
            (do
              (log/debug "Github secret validation OK app")
              (log/debug "x-github-event app" (get headers "x-github-event"))