Add Gogs signature check — untested
This commit is contained in:
parent
16b8d64913
commit
dfa4359f23
19
gogsmaker.py
19
gogsmaker.py
|
|
@ -5,6 +5,8 @@ A webhook-handler for Gogs running `make` when needed. """
|
||||||
import os
|
import os
|
||||||
import sys
|
import sys
|
||||||
import subprocess
|
import subprocess
|
||||||
|
import hmac
|
||||||
|
from hashlib import sha256
|
||||||
from threading import Thread
|
from threading import Thread
|
||||||
from functools import wraps
|
from functools import wraps
|
||||||
from flask import Flask, request
|
from flask import Flask, request
|
||||||
|
|
@ -77,13 +79,18 @@ def update_repo(hook, clone_url):
|
||||||
raise GitError("Cannot clone {}".format(clone_url))
|
raise GitError("Cannot clone {}".format(clone_url))
|
||||||
|
|
||||||
|
|
||||||
|
def check_signature(received_sig, hook, payload):
|
||||||
|
''' Check Gogs signature '''
|
||||||
|
digest = hmac.new(hook.secret,
|
||||||
|
msg=payload,
|
||||||
|
digestmod=sha256).digest()
|
||||||
|
return hmac.compare_digest(digest, received_sig)
|
||||||
|
|
||||||
|
|
||||||
def gogs_payload(required):
|
def gogs_payload(required):
|
||||||
def wrapper(fct):
|
def wrapper(fct):
|
||||||
@wraps(fct)
|
@wraps(fct)
|
||||||
def wrapped(*args, **kwargs):
|
def wrapped(*args, **kwargs):
|
||||||
# TODO: check signature
|
|
||||||
# payload_raw = request.data
|
|
||||||
|
|
||||||
payload = request.json
|
payload = request.json
|
||||||
if payload is None:
|
if payload is None:
|
||||||
return 'Expected json\n', 415
|
return 'Expected json\n', 415
|
||||||
|
|
@ -104,6 +111,12 @@ def gogs_payload(required):
|
||||||
except UnmonitoredRepository:
|
except UnmonitoredRepository:
|
||||||
return 'Unmonitored repository\n', 403
|
return 'Unmonitored repository\n', 403
|
||||||
|
|
||||||
|
if not settings.DEBUG:
|
||||||
|
received_sig = request.headers['X-Gogs-Signature']
|
||||||
|
payload_raw = request.data
|
||||||
|
if not check_signature(received_sig, hook, payload_raw):
|
||||||
|
return 'Invaild signature\n', 403
|
||||||
|
|
||||||
return fct(payload, hook, *args, **kwargs)
|
return fct(payload, hook, *args, **kwargs)
|
||||||
return wrapped
|
return wrapped
|
||||||
return wrapper
|
return wrapper
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,9 @@
|
||||||
''' GogsMaker settings '''
|
''' GogsMaker settings '''
|
||||||
|
|
||||||
|
# Debug mode. **ALWAYS** leave to False in production, this allows remote code
|
||||||
|
# execution
|
||||||
|
DEBUG = False
|
||||||
|
|
||||||
# List of the repositories to work on
|
# List of the repositories to work on
|
||||||
HOOKS = [
|
HOOKS = [
|
||||||
{
|
{
|
||||||
|
|
@ -12,11 +16,15 @@ HOOKS = [
|
||||||
|
|
||||||
# Make targets to be invoked
|
# Make targets to be invoked
|
||||||
'targets': ['all'],
|
'targets': ['all'],
|
||||||
|
|
||||||
|
# Shared secret with Gogs
|
||||||
|
'secret': 'shooW8IRei5pah7lahMe',
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
'name': 'test-repo',
|
'name': 'test-repo',
|
||||||
'url': 'tests/simple-repo',
|
'url': 'tests/simple-repo',
|
||||||
'targets': ['date', 'touch'],
|
'targets': ['date', 'touch'],
|
||||||
|
'secret': 'mi5aesh8eiS6sileiGha',
|
||||||
},
|
},
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue