authorOliver Poignant <oliver@poignant.se>2016-05-08 10:03:43 +0200
committerOliver Poignant <oliver@poignant.se>2016-05-08 10:03:43 +0200
commit717d7478584c948eb6fd5c6b51f094d8ae6a99fd (patch)
tree896b671fbcbc98ffe6e1e500473e1af8c2239bea
parenta29cbdd9d57dd28c3956e4b7615fa73b38697a03 (diff)
downloadGit-Auto-Deploy-717d7478584c948eb6fd5c6b51f094d8ae6a99fd.zip
Git-Auto-Deploy-717d7478584c948eb6fd5c6b51f094d8ae6a99fd.tar.gz
Git-Auto-Deploy-717d7478584c948eb6fd5c6b51f094d8ae6a99fd.tar.bz2
Added support for verifying GitHub secret token
-rw-r--r--docs/Configuration.md1
-rw-r--r--gitautodeploy/parsers/github.py22
2 files changed, 21 insertions, 2 deletions
diff --git a/docs/Configuration.md b/docs/Configuration.md
index 953385d..916ae34 100644
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
@@ -45,6 +45,7 @@ Repository configurations are comprised of the following elements:
- **filters**: Filters to apply to the web hook events so that only the desired
events result in executing the deploy actions. See section *Filters* for more
details.
+ - **secret-token**: The secret token set for your webhook ([currently only implemented for GitHub](https://developer.github.com/webhooks/securing/))
## Filters
*(Currently only supported for GitHub and GitLab)*
diff --git a/gitautodeploy/parsers/github.py b/gitautodeploy/parsers/github.py
index d95a1de..82785c3 100644
--- a/gitautodeploy/parsers/github.py
+++ b/gitautodeploy/parsers/github.py
@@ -40,6 +40,24 @@ class GitHubRequestParser(WebhookRequestParser):
logger.info("Action '%s' was fired" % action)
# Get a list of configured repositories that matches the incoming web hook reqeust
- repo_configs = self.get_matching_repo_configs(repo_urls)
+ items = self.get_matching_repo_configs(repo_urls)
- return repo_configs, ref or "master", action, repo_urls \ No newline at end of file
+ repo_configs = []
+ for repo_config in items:
+
+ # Validate secret token if present
+ if 'secret-token' in repo_config and 'x-hub-signature' in request_headers:
+ if not self.verify_signature(repo_config['secret-token'], request_body, request_headers['x-hub-signature']):
+ logger.warning("Request signature does not match the 'secret-token' configured for repository %s." % repo_config['url'])
+ continue
+
+ repo_configs.append(repo_config)
+
+ return repo_configs, ref or "master", action, repo_urls
+
+ def verify_signature(self, token, body, signature):
+ import hashlib
+ import hmac
+
+ result = "sha1=" + hmac.new(str(token), body, hashlib.sha1).hexdigest()
+ return result == signature
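Review bot: A request that carries no `x-hub-signature` header skips verification entirely at the `'secret-token' in repo_config and 'x-hub-signature' in request_headers` condition, so a repository with a secret configured is still deployed on an unsigned request; a configured token should make the header mandatory, with a missing header logged and rejected the same way a mismatch is. The `result == signature` comparison in verify_signature should also become `return hmac.compare_digest(result, signature)`, which is in the standard library (Python 2.7.7+ / 3.3+) and does not leak the position of the first differing byte through timing. The enclosing method whose `return repo_configs, ...` ends the hunk starts above the hunk. The `str(token)` coercion presumably targets Python 2, where hmac.new expects a byte string; on Python 3 a str key would raise, so the intended interpreter is worth confirming.

```python
    # … unchanged: action lookup and get_matching_repo_configs call …
    repo_configs = []
    for repo_config in items:

        # A configured secret token is mandatory: an unsigned request is never deployed
        if 'secret-token' in repo_config:
            if 'x-hub-signature' not in request_headers:
                logger.warning("Request has no 'x-hub-signature' header but a 'secret-token' is configured for repository %s." % repo_config['url'])
                continue
            if not self.verify_signature(repo_config['secret-token'], request_body, request_headers['x-hub-signature']):
                logger.warning("Request signature does not match the 'secret-token' configured for repository %s." % repo_config['url'])
                continue

        repo_configs.append(repo_config)
    # … unchanged: return statement …

def verify_signature(self, token, body, signature):
    import hashlib
    import hmac

    result = "sha1=" + hmac.new(str(token), body, hashlib.sha1).hexdigest()
    # Constant-time comparison so timing does not reveal how much of the digest matched
    return hmac.compare_digest(result, signature)
```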