Diffstat (limited to 'gitautodeploy')
-rw-r--r--gitautodeploy/httpserver.py5
-rw-r--r--gitautodeploy/parsers/common.py3
-rw-r--r--gitautodeploy/parsers/generic.py3
-rw-r--r--gitautodeploy/parsers/github.py20
-rw-r--r--gitautodeploy/parsers/gitlab.py16
5 files changed, 38 insertions, 9 deletions
diff --git a/gitautodeploy/httpserver.py b/gitautodeploy/httpserver.py
index 654fd83..2dfb0db 100644
--- a/gitautodeploy/httpserver.py
+++ b/gitautodeploy/httpserver.py
@@ -59,6 +59,11 @@ class WebhookRequestHandler(BaseHTTPRequestHandler):
repo_configs, ref, action, webhook_urls = ServiceRequestParser(self._config).get_repo_params_from_request(request_headers, request_body)
logger.debug("Event details - ref: %s; action: %s" % (ref or "master", action))
+ if not ServiceRequestParser(self._config).validate_request(request_headers, repo_configs):
+ self.send_error(400, 'Bad request')
+ test_case['expected']['status'] = 400
+ return
+
if len(repo_configs) == 0:
self.send_error(400, 'Bad request')
logger.warning('The URLs references in the webhook did not match any repository entry in the config. For this webhook to work, make sure you have at least one repository configured with one of the following URLs; %s' % ', '.join(webhook_urls))
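Review bot: The new validate_request call on the first added line hands the parser only request_headers and repo_configs, so a parser that has to verify an HMAC over the payload (the GitHub override in this same commit reads request_body) has nothing to hash; the body is already in scope on the line above, so build the parser once, `parser = ServiceRequestParser(self._config)`, and call `if not parser.validate_request(request_headers, request_body, repo_configs):` instead of constructing a second parser. The `test_case['expected']['status'] = 400` line presupposes a `test_case` dict built earlier in the handler; that definition is outside the hunk, so confirm it exists on every path that reaches this point, otherwise the rejection path itself raises NameError. The 400 is sent without any log line of its own, so whether a failed webhook authentication shows up in the server log depends entirely on the parser; a `logger.warning` next to the send_error would make the rejection visible regardless of which parser ran. The enclosing handler method starts and ends outside the hunk.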
diff --git a/gitautodeploy/parsers/common.py b/gitautodeploy/parsers/common.py
index 0a1a799..1b40b73 100644
--- a/gitautodeploy/parsers/common.py
+++ b/gitautodeploy/parsers/common.py
@@ -22,3 +22,6 @@ class WebhookRequestParser(object):
configs.append(repo_config)
return configs
+
+ def validate_request(self, request_headers, repo_configs):
+ return True \ No newline at end of file
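Review bot: The base validate_request accepts every request unconditionally and is what every parser that does not override it inherits (as far as this diff shows, GitLabCIRequestParser and GenericRequestParser), yet nothing says so; add a docstring such as `"""Return True if the request is authentic for the matched repo_configs. Default: no verification; parsers that support a shared secret must override."""`. It is also worth stating in that docstring that a False return makes the server answer 400 before any deploy action runs, so overrides should fail closed rather than skip a check they cannot perform.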
diff --git a/gitautodeploy/parsers/generic.py b/gitautodeploy/parsers/generic.py
index 3247662..7b150d2 100644
--- a/gitautodeploy/parsers/generic.py
+++ b/gitautodeploy/parsers/generic.py
@@ -27,4 +27,5 @@ class GenericRequestParser(WebhookRequestParser):
# Get a list of configured repositories that matches the incoming web hook reqeust
repo_configs = self.get_matching_repo_configs(repo_urls)
- return repo_configs, ref or "master", action, repo_urls \ No newline at end of file
+ return repo_configs, ref or "master", action, repo_urls
+
diff --git a/gitautodeploy/parsers/github.py b/gitautodeploy/parsers/github.py
index 7077def..4d24648 100644
--- a/gitautodeploy/parsers/github.py
+++ b/gitautodeploy/parsers/github.py
@@ -40,20 +40,24 @@ class GitHubRequestParser(WebhookRequestParser):
logger.debug("Action '%s' was fired" % action)
# Get a list of configured repositories that matches the incoming web hook reqeust
- items = self.get_matching_repo_configs(repo_urls)
+ repo_configs = self.get_matching_repo_configs(repo_urls)
- repo_configs = []
- for repo_config in items:
+ return repo_configs, ref or "master", action, repo_urls
+
+ def validate_request(self, request_headers, repo_configs):
+ import logging
+
+ logger = logging.getLogger()
+
+ for repo_config in repo_configs:
# Validate secret token if present
if 'secret-token' in repo_config and 'x-hub-signature' in request_headers:
if not self.verify_signature(repo_config['secret-token'], request_body, request_headers['x-hub-signature']):
- logger.warning("Request signature does not match the 'secret-token' configured for repository %s." % repo_config['url'])
- continue
+ logger.info("Request signature does not match the 'secret-token' configured for repository %s." % repo_config['url'])
+ return False
- repo_configs.append(repo_config)
-
- return repo_configs, ref or "master", action, repo_urls
+ return True
def verify_signature(self, token, body, signature):
import hashlib
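Review bot: validate_request in this hunk passes `request_body` to verify_signature, but its new signature takes only request_headers and repo_configs, so the first signed request for a repository with a `secret-token` raises NameError instead of being verified; the body has to become a parameter and be supplied by the caller in httpserver.py. The check also runs only when 'x-hub-signature' is present, so a request that simply omits the header passes for a repository that has a secret configured, which makes the secret optional from the sender's side; GitLabRequestParser's validate_request in the next file has the same shape with 'x-gitlab-token'. A rejected signature is now logged at info where the removed line used warning; keep it at warning so the event stays visible to log monitoring. The rewritten loop is below; verify_signature begins on the last line of the hunk and continues outside it.
```python
    def validate_request(self, request_headers, request_body, repo_configs):
        # … unchanged: logger setup …
        for repo_config in repo_configs:
            if 'secret-token' not in repo_config:
                continue
            # A configured secret must be presented: a missing header is a failed check, not a pass
            if 'x-hub-signature' not in request_headers:
                logger.warning("Request lacks 'x-hub-signature' but a 'secret-token' is configured for repository %s." % repo_config['url'])
                return False
            if not self.verify_signature(repo_config['secret-token'], request_body, request_headers['x-hub-signature']):
                logger.warning("Request signature does not match the 'secret-token' configured for repository %s." % repo_config['url'])
                return False
        return True
```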
diff --git a/gitautodeploy/parsers/gitlab.py b/gitautodeploy/parsers/gitlab.py
index 86c05fa..68a1982 100644
--- a/gitautodeploy/parsers/gitlab.py
+++ b/gitautodeploy/parsers/gitlab.py
@@ -39,6 +39,22 @@ class GitLabRequestParser(WebhookRequestParser):
return repo_configs, ref or "master", action, repo_urls
+ def validate_request(self, request_headers, repo_configs):
+ import logging
+
+ logger = logging.getLogger()
+
+ for repo_config in repo_configs:
+
+ # Validate secret token if present
+ if 'secret-token' in repo_config and 'x-gitlab-token' in request_headers:
+
+ if repo_config['secret-token'] != request_headers['x-gitlab-token']:
+ logger.info("Request token does not match the 'secret-token' configured for repository %s." % repo_config['url'])
+ return False
+
+ return True
+
class GitLabCIRequestParser(WebhookRequestParser):
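Review bot: The `!=` line compares the shared secret with plain string inequality; for a secret check use a constant-time compare, `import hmac` next to `import logging` and `if not hmac.compare_digest(repo_config['secret-token'], request_headers['x-gitlab-token']):` (both operands must be the same str type, so coerce them first if the config value and header value can differ on the Python version in use). The same fail-open as the GitHub parser applies here: when 'x-gitlab-token' is absent the loop falls through and returns True although a secret is configured, so the missing-header case should also log and return False. `logging.getLogger()` with no name returns the root logger; the module's own logger, or `logging.getLogger(__name__)`, would let the message carry the parser's origin.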