Skip to content

Commit

Permalink
Support GitHub-style (sha256 signature) git hooks
Browse files Browse the repository at this point in the history
  • Loading branch information
sealexan committed Dec 19, 2023
1 parent 150d0cb commit 827898d
Show file tree
Hide file tree
Showing 2 changed files with 37 additions and 6 deletions.
14 changes: 11 additions & 3 deletions src/main/kotlin/ch/uzh/ifi/access/controller/CourseController.kt
Original file line number Diff line number Diff line change
Expand Up @@ -45,10 +45,18 @@ class WebhooksController(
private val logger = KotlinLogging.logger {}

@PostMapping("/courses/{course}/update/gitlab")
fun updateCourse(@PathVariable("course") course: String,
fun hookGitlab(@PathVariable("course") course: String,
@RequestHeader("X-Gitlab-Token") secret: String) {
logger.debug { "webhook triggered for $course"}
courseService.webhookUpdateCourse(course, secret)
logger.debug { "webhook (secret) triggered for $course"}
courseService.webhookUpdateWithSecret(course, secret)
}
@PostMapping("/courses/{course}/update/github")
fun hookGithub(@PathVariable("course") course: String,
@RequestHeader("X-Hub-Signature-256") signature: String,
@RequestBody body: String
) {
logger.debug { "webhook (signature) triggered for $course"}
courseService.webhookUpdateWithSignature(course, signature.substringAfter("sha256="), body.substringAfter("payload="))
}

}
Expand Down
29 changes: 26 additions & 3 deletions src/main/kotlin/ch/uzh/ifi/access/service/CourseService.kt
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ import java.nio.charset.Charset
import java.nio.file.Files
import java.nio.file.NoSuchFileException
import java.nio.file.Path
import java.security.MessageDigest
import java.time.LocalDateTime
import java.time.format.DateTimeFormatter
import java.util.*
Expand All @@ -43,6 +44,9 @@ import java.util.concurrent.TimeUnit
import java.util.function.Consumer
import java.util.stream.Collectors
import java.util.stream.Stream
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import kotlin.math.sign

@Service
class CourseServiceForCaching(
Expand Down Expand Up @@ -554,10 +558,29 @@ fi
}

@Transactional
fun webhookUpdateCourse(courseSlug: String, secret: String): Course? {
fun webhookUpdateWithSecret(courseSlug: String, secret: String?): Course? {
val existingCourse = getCourseBySlug(courseSlug)
if (existingCourse.webhookSecret != null && existingCourse.webhookSecret == secret) {
return updateCourse(courseSlug)
if (existingCourse.webhookSecret != null && secret != null) {
if (existingCourse.webhookSecret == secret) {
return updateCourse(courseSlug)
}
}
logger.debug { "Provided webhook secret does not match secret of course $courseSlug"}
throw ResponseStatusException(HttpStatus.FORBIDDEN)
}

fun webhookUpdateWithSignature(courseSlug: String, signature: String?, body: String): Course? {
val existingCourse = getCourseBySlug(courseSlug)
if (existingCourse.webhookSecret != null && signature != null) {
val encoder = Base64.getEncoder()
val signingKey = SecretKeySpec(existingCourse.webhookSecret!!.toByteArray(Charsets.UTF_8), "HmacSHA1")
val mac = Mac.getInstance("HmacSHA1")
mac.init(signingKey)
val expected = encoder.encodeToString(mac.doFinal(body.toByteArray(Charsets.UTF_8)))
logger.info{"Expected: ${expected} based on secret ${existingCourse.webhookSecret}, actual: ${signature}"}
if (expected == signature) {
return updateCourse(courseSlug)
}
}
logger.debug { "Provided webhook secret does not match secret of course $courseSlug"}
throw ResponseStatusException(HttpStatus.FORBIDDEN)
Expand Down

0 comments on commit 827898d

Please sign in to comment.