status-im/open-bounty
2
0
Fork 0
mirror of https://github.com/status-im/open-bounty.git synced 2025-02-09 08:03:41 +00:00
Code Issues Projects Releases Wiki Activity

Github App: check webhook-secret and enable flag

Browse Source
This commit is contained in:
Oskar Thorén 2017-11-04 11:21:24 -05:00
parent fb034ce925
commit fce9ac81bc
3 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
env/dev/resources/config.edn vendored
View File

@ -30,6 +30,9 @@
:github-user "commiteth" :github-user "commiteth"
:github-password "XXX" :github-password "XXX"
;; Add Github App webhook secret here to verify GH origin
:webhook-secret "XXX"
;; set to true when on Ropsten testnet ;; set to true when on Ropsten testnet
:on-testnet true :on-testnet true

3
src/clj/commiteth/github/core.clj
View File

@ -25,6 +25,7 @@
(defn self [] (:github-user env)) (defn self [] (:github-user env))
(defn self-password [] (:github-password env)) (defn self-password [] (:github-password env))
(defn on-testnet? [] (env :on-testnet)) (defn on-testnet? [] (env :on-testnet))
(defn webhook-secret [] (env :webhook-secret))
(defn authorize-url [scope] (defn authorize-url [scope]
(let [params (codec/form-encode {:client_id (client-id) (let [params (codec/form-encode {:client_id (client-id)
@ -38,7 +39,7 @@
(authorize-url "user:email")) (authorize-url "user:email"))
;; NOTE: Capabilities picked for Github apps if true, Oauth if false ;; NOTE: Capabilities picked for Github apps if true, Oauth if false
(def github-app-flag false) (def github-app-flag true)
(defn admin-authorize-url [] (defn admin-authorize-url []
(if github-app-flag (if github-app-flag

14
src/clj/commiteth/routes/webhooks.clj
View File

@ -240,9 +240,19 @@
(defn validate-secret-naive [webhook-payload raw-payload github-signature] (defn validate-secret-naive [webhook-payload raw-payload github-signature]
(let [full-name (get-in webhook-payload [:repository :full_name]) (let [full-name (get-in webhook-payload [:repository :full_name])
repo (repos/get-repo full-name)] repo (repos/get-repo full-name)]
(log/debug "validate secret - repo exists?" repo) (log/debug "validate secret naive - repo exists?" repo)
repo)) repo))
(defn validate-secret-one-hook [webhook-payload raw-payload github-signature]
(let [full-name (get-in webhook-payload [:repository :full_name])
repo (repos/get-repo full-name)
secret (github/webhook-secret)
;; XXX remove below once verified in logs
debug-secret (apply str (take 5 (github/webhook-secret)))]
(log/debug "validate secret one hook - repo exists and github origin" repo " - " debug-secret)
(and (not (string/blank? secret))
(crypto/eq? github-signature
(str "sha1=" (hex-hmac-sha1 secret raw-payload))))))
(defroutes webhook-routes (defroutes webhook-routes
(POST "/webhook" {:keys [headers body]} (POST "/webhook" {:keys [headers body]}
@ -264,7 +274,7 @@
(let [raw-payload (slurp body) (let [raw-payload (slurp body)
payload (json/parse-string raw-payload true)] payload (json/parse-string raw-payload true)]
(log/debug "webhook-app POST, payload" payload) (log/debug "webhook-app POST, payload" payload)
(if (validate-secret-naive payload raw-payload (get headers "x-hub-signature")) (if (validate-secret-one-hook payload raw-payload (get headers "x-hub-signature"))
(do (do
(log/debug "Github secret validation OK app") (log/debug "Github secret validation OK app")
(log/debug "x-github-event app" (get headers "x-github-event")) (log/debug "x-github-event app" (get headers "x-github-event"))