From fce9ac81bcbcfd454a4e6de4ababe7b001b0e5c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oskar=20Thor=C3=A9n?=
Date: Sat, 4 Nov 2017 11:21:24 -0500
Subject: [PATCH] Github App: check webhook-secret and enable flag

---
 env/dev/resources/config.edn | 3 +++
 src/clj/commiteth/github/core.clj | 3 ++-
 src/clj/commiteth/routes/webhooks.clj | 14 ++++++++++++--
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/env/dev/resources/config.edn b/env/dev/resources/config.edn
index fea607b..d4ba640 100644
--- a/env/dev/resources/config.edn
+++ b/env/dev/resources/config.edn
@@ -30,6 +30,9 @@
 :github-user "commiteth"
 :github-password "XXX"
+ ;; Add Github App webhook secret here to verify GH origin
+ :webhook-secret "XXX"
+ ;; set to true when on Ropsten testnet
 :on-testnet true
diff --git a/src/clj/commiteth/github/core.clj b/src/clj/commiteth/github/core.clj
index 714046a..1b1effc 100644
--- a/src/clj/commiteth/github/core.clj
+++ b/src/clj/commiteth/github/core.clj
@@ -25,6 +25,7 @@
 (defn self [] (:github-user env))
 (defn self-password [] (:github-password env))
 (defn on-testnet? [] (env :on-testnet))
+(defn webhook-secret [] (env :webhook-secret))
 (defn authorize-url [scope]
 (let [params (codec/form-encode {:client_id (client-id)
@@ -38,7 +39,7 @@
 (authorize-url "user:email"))
 ;; NOTE: Capabilities picked for Github apps if true, Oauth if false
-(def github-app-flag false)
+(def github-app-flag true)
 (defn admin-authorize-url []
 (if github-app-flag
diff --git a/src/clj/commiteth/routes/webhooks.clj b/src/clj/commiteth/routes/webhooks.clj
index 95b9056..d714274 100644
--- a/src/clj/commiteth/routes/webhooks.clj
+++ b/src/clj/commiteth/routes/webhooks.clj
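Review bot: `(def github-app-flag true)` switches the GitHub-App/OAuth mode on for every deployment at load time, whereas the accessors a few lines up in the same file (`self`, `on-testnet?`, the new `webhook-secret`) read their values from `env`, so this one setting cannot differ between the dev config and a production one. Reading it from config, e.g. `(def github-app-flag (boolean (env :github-app-flag true)))`, keeps the current default of true and the same var name that `admin-authorize-url` consumes, assuming `env` is a map (its use as a function elsewhere suggests so) and that the value arrives as a parsed boolean rather than a string — worth confirming against how the EDN config is loaded. The NOTE comment above it could then say where the value comes from: `;; NOTE: true selects Github App capabilities, false OAuth; set :github-app-flag in config`. `admin-authorize-url` continues outside the hunk.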
@@ -240,9 +240,19 @@
 (defn validate-secret-naive [webhook-payload raw-payload github-signature]
 (let [full-name (get-in webhook-payload [:repository :full_name])
 repo (repos/get-repo full-name)]
- (log/debug "validate secret - repo exists?" repo)
+ (log/debug "validate secret naive - repo exists?" repo)
 repo))
+(defn validate-secret-one-hook [webhook-payload raw-payload github-signature]
+ (let [full-name (get-in webhook-payload [:repository :full_name])
+ repo (repos/get-repo full-name)
+ secret (github/webhook-secret)
+ ;; XXX remove below once verified in logs
+ debug-secret (apply str (take 5 (github/webhook-secret)))]
+ (log/debug "validate secret one hook - repo exists and github origin" repo " - " debug-secret)
+ (and (not (string/blank? secret))
+ (crypto/eq? github-signature
+ (str "sha1=" (hex-hmac-sha1 secret raw-payload))))))
 (defroutes webhook-routes
 (POST "/webhook" {:keys [headers body]}
@@ -264,7 +274,7 @@
 (let [raw-payload (slurp body)
 payload (json/parse-string raw-payload true)]
 (log/debug "webhook-app POST, payload" payload)
- (if (validate-secret-naive payload raw-payload (get headers "x-hub-signature"))
+ (if (validate-secret-one-hook payload raw-payload (get headers "x-hub-signature"))
 (do
 (log/debug "Github secret validation OK app")
 (log/debug "x-github-event app" (get headers "x-github-event"))
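Review bot: The `debug-secret` binding in `validate-secret-one-hook` writes the first five characters of the webhook secret to the debug log; even truncated, secret material in application logs tends to be copied into log aggregation and persists well beyond the verification the `;; XXX remove` comment has in mind, so it should not ship. Dropping that binding and logging only whether a secret is configured, e.g. `(log/debug "validate secret one hook - repo exists and github origin" repo " - secret configured?" (not (string/blank? secret)))`, keeps the diagnostic without the leak. Separately, when the request carries no `x-hub-signature` header the caller in the second hunk passes `(get headers "x-hub-signature")` through as nil, so `crypto/eq?` is handed nil; adding `(string? github-signature)` to the `and` makes the function return false explicitly instead of depending on how `crypto/eq?` treats a nil argument. Note also that `repo` is still looked up and logged but, unlike `validate-secret-naive` which returns it, no longer contributes to the result — if a webhook for an unknown repository should still be rejected, `(and repo (not (string/blank? secret)) ...)` restores that, and if the change is deliberate a one-line comment saying so would help; `defroutes webhook-routes` and the `POST` handler continue outside the hunks.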