authorOliver Poignant <oliver@poignant.se>2016-12-09 20:36:38 +0100
committerOliver Poignant <oliver@poignant.se>2016-12-09 20:36:38 +0100
commitc98d5b22de7bed03c6345775539a405e61e58477 (patch)
tree4fff1fdca0626bad24d894192369028d1af9d44d /gitautodeploy
parent9e4aa3618ad9f5494847fb95b0958f2f1b43ccb5 (diff)
Verify secret token in GitLab requests
Diffstat (limited to 'gitautodeploy')
-rw-r--r--gitautodeploy/httpserver.py5
-rw-r--r--gitautodeploy/parsers/common.py3
-rw-r--r--gitautodeploy/parsers/generic.py3
-rw-r--r--gitautodeploy/parsers/github.py20
-rw-r--r--gitautodeploy/parsers/gitlab.py16
5 files changed, 38 insertions, 9 deletions
diff --git a/gitautodeploy/httpserver.py b/gitautodeploy/httpserver.py
index 654fd83..2dfb0db 100644
--- a/gitautodeploy/httpserver.py
+++ b/gitautodeploy/httpserver.py
@@ -59,6 +59,11 @@ class WebhookRequestHandler(BaseHTTPRequestHandler):
repo_configs, ref, action, webhook_urls = ServiceRequestParser(self._config).get_repo_params_from_request(request_headers, request_body)
logger.debug("Event details - ref: %s; action: %s" % (ref or "master", action))
+ if not ServiceRequestParser(self._config).validate_request(request_headers, repo_configs):
+ self.send_error(400, 'Bad request')
+ test_case['expected']['status'] = 400
+ return
+
if len(repo_configs) == 0:
self.send_error(400, 'Bad request')
logger.warning('The URLs references in the webhook did not match any repository entry in the config. For this webhook to work, make sure you have at least one repository configured with one of the following URLs; %s' % ', '.join(webhook_urls))
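Review bot: The new `validate_request` call passes only `request_headers` and `repo_configs`, but the GitHub override added in this same commit computes the HMAC over `request_body`, which is not a parameter of that method, so a GitHub webhook for a repository with `secret-token` configured looks set to fail with a NameError rather than be verified; pass the body through, `if not ServiceRequestParser(self._config).validate_request(request_headers, repo_configs, request_body):`, and give the base/subclass signatures a matching `request_body=None` parameter. A rejected request is also sent straight to `send_error(400, ...)` with no log line at this level, unlike the unmatched-URL branch just below it, so operators cannot see authentication failures in the server log unless the parser's own debug-level logger is enabled; a `logger.warning(...)` before the return would make the failure visible. The parser is instantiated twice (here and on the `get_repo_params_from_request` line); reusing one instance is cleaner. `test_case` is not visible in this hunk and is presumably defined earlier in the handler — the enclosing method starts outside the hunk.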
diff --git a/gitautodeploy/parsers/common.py b/gitautodeploy/parsers/common.py
index 0a1a799..1b40b73 100644
--- a/gitautodeploy/parsers/common.py
+++ b/gitautodeploy/parsers/common.py
@@ -22,3 +22,6 @@ class WebhookRequestParser(object):
configs.append(repo_config)
return configs
+
+ def validate_request(self, request_headers, repo_configs):
+ return True \ No newline at end of file
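Review bot: The default `validate_request` returns True unconditionally, so any parser that does not override it — `GenericRequestParser` and, from what is visible, `GitLabCIRequestParser` — will accept a request for a repository that has a `secret-token` configured without checking anything and without saying so; an operator who sets a secret reasonably expects it to be enforced or at least to be told it is not. The default should log a warning per repository that carries a `secret-token` the parser cannot verify, and the signature should accept the request body so subclasses that sign over it (GitHub) have it available. A short docstring stating the contract ("return True only if the request is authentic for every matched repository; the base implementation performs no check") would also help, since the method is the security gate for every service parser. The line is missing a trailing newline, matching the `\ No newline at end of file` marker.

```python
    def validate_request(self, request_headers, repo_configs, request_body=None):
        """Return True if the request is authentic for every matched repository.

        The base implementation performs no check; service parsers override it.
        Warn loudly when a secret is configured but cannot be enforced here.
        """
        import logging
        logger = logging.getLogger()
        for repo_config in repo_configs:
            if 'secret-token' in repo_config:
                logger.warning("A 'secret-token' is configured for repository %s but this request parser performs no validation." % repo_config.get('url'))
        return True
```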
diff --git a/gitautodeploy/parsers/generic.py b/gitautodeploy/parsers/generic.py
index 3247662..7b150d2 100644
--- a/gitautodeploy/parsers/generic.py
+++ b/gitautodeploy/parsers/generic.py
@@ -27,4 +27,5 @@ class GenericRequestParser(WebhookRequestParser):
# Get a list of configured repositories that matches the incoming web hook reqeust
repo_configs = self.get_matching_repo_configs(repo_urls)
- return repo_configs, ref or "master", action, repo_urls \ No newline at end of file
+ return repo_configs, ref or "master", action, repo_urls
+
diff --git a/gitautodeploy/parsers/github.py b/gitautodeploy/parsers/github.py
index 7077def..4d24648 100644
--- a/gitautodeploy/parsers/github.py
+++ b/gitautodeploy/parsers/github.py
@@ -40,20 +40,24 @@ class GitHubRequestParser(WebhookRequestParser):
logger.debug("Action '%s' was fired" % action)
# Get a list of configured repositories that matches the incoming web hook reqeust
- items = self.get_matching_repo_configs(repo_urls)
+ repo_configs = self.get_matching_repo_configs(repo_urls)
- repo_configs = []
- for repo_config in items:
+ return repo_configs, ref or "master", action, repo_urls
+
+ def validate_request(self, request_headers, repo_configs):
+ import logging
+
+ logger = logging.getLogger()
+
+ for repo_config in repo_configs:
# Validate secret token if present
if 'secret-token' in repo_config and 'x-hub-signature' in request_headers:
if not self.verify_signature(repo_config['secret-token'], request_body, request_headers['x-hub-signature']):
- logger.warning("Request signature does not match the 'secret-token' configured for repository %s." % repo_config['url'])
- continue
+ logger.info("Request signature does not match the 'secret-token' configured for repository %s." % repo_config['url'])
+ return False
- repo_configs.append(repo_config)
-
- return repo_configs, ref or "master", action, repo_urls
+ return True
def verify_signature(self, token, body, signature):
import hashlib
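Review bot: `validate_request` references `request_body` inside `verify_signature(...)` but that name is no longer in scope — it was a parameter of `get_repo_params_from_request`, where the removed lines lived — so unless a module-level name of the same spelling exists (nothing here suggests one), the first GitHub webhook against a repository with `secret-token` configured raises NameError instead of being verified. The check is also only performed when `'x-hub-signature' in request_headers`, so a sender who simply omits the header passes validation for a repository that has a secret configured; a configured secret should make the header mandatory. Downgrading the mismatch log from `warning` to `info` hides a failed authentication attempt from default log levels; keep it at warning. `verify_signature`'s body continues outside the hunk, so whether it uses a constant-time comparison cannot be checked here. Suggested rewrite (the caller in httpserver.py must then pass the body as the third argument):

```python
    def validate_request(self, request_headers, repo_configs, request_body=None):
        # … unchanged: logger setup …
        for repo_config in repo_configs:
            if 'secret-token' not in repo_config:
                continue
            # A configured secret must be presented and verified; a missing header is a rejection, not a pass
            if ('x-hub-signature' not in request_headers
                    or not self.verify_signature(repo_config['secret-token'], request_body, request_headers['x-hub-signature'])):
                logger.warning("Request signature does not match the 'secret-token' configured for repository %s." % repo_config['url'])
                return False
        return True
```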
diff --git a/gitautodeploy/parsers/gitlab.py b/gitautodeploy/parsers/gitlab.py
index 86c05fa..68a1982 100644
--- a/gitautodeploy/parsers/gitlab.py
+++ b/gitautodeploy/parsers/gitlab.py
@@ -39,6 +39,22 @@ class GitLabRequestParser(WebhookRequestParser):
return repo_configs, ref or "master", action, repo_urls
+ def validate_request(self, request_headers, repo_configs):
+ import logging
+
+ logger = logging.getLogger()
+
+ for repo_config in repo_configs:
+
+ # Validate secret token if present
+ if 'secret-token' in repo_config and 'x-gitlab-token' in request_headers:
+
+ if repo_config['secret-token'] != request_headers['x-gitlab-token']:
+ logger.info("Request token does not match the 'secret-token' configured for repository %s." % repo_config['url'])
+ return False
+
+ return True
+
class GitLabCIRequestParser(WebhookRequestParser):
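Review bot: The token check on the `repo_config['secret-token'] != request_headers['x-gitlab-token']` line only runs when the header is present, so a request that omits `X-Gitlab-Token` entirely passes validation for a repository that has a secret configured — the secret must be required once it is configured, not merely checked when offered. The comparison itself is a plain `!=`, which short-circuits on the first differing byte; use `hmac.compare_digest` (add `import hmac` next to `import logging`) so the compare time does not leak how much of the token matched, noting that both operands must be the same type (both `str` or both `bytes`) — confirm how `request_headers` values are decoded. A failed token check is a security event and belongs at `logger.warning`, not `info`, so it appears at default log levels.

```python
    def validate_request(self, request_headers, repo_configs):
        # … unchanged: logger setup …
        for repo_config in repo_configs:
            if 'secret-token' not in repo_config:
                continue
            # A configured token must be presented; an absent header is a rejection, not a pass
            if ('x-gitlab-token' not in request_headers
                    or not hmac.compare_digest(repo_config['secret-token'], request_headers['x-gitlab-token'])):
                logger.warning("Request token does not match the 'secret-token' configured for repository %s." % repo_config['url'])
                return False
        return True
```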