Skip to content

Commit

Permalink
release: authorize webhook request using webhook secret token
Browse files Browse the repository at this point in the history
GitHub: groongaGH-43

In this PR, we set up the authorization flow for webhook requests.
At the following PRs, we will implement the logic of deployments.
  • Loading branch information
otegami committed Dec 12, 2024
1 parent fd8bf4c commit ed50a10
Show file tree
Hide file tree
Showing 2 changed files with 57 additions and 1 deletion.
31 changes: 30 additions & 1 deletion ansible/files/home/deployer/webhook/lib/deployer/app.rb
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# Copyright (C) 2024 Horimoto Yasuhiro <[email protected]>
# Copyright (C) 2024 Takuya Kodama <[email protected]>
#
# This program is free software: you can redistribute it and/or modify
Expand All @@ -13,10 +14,38 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

require "openssl"
require_relative "response"

module Deployer
class App
def call(env)
[200, {}, ["Hello deployer"]]
request = Rack::Request.new(env)
response = Response.new
process(request, response) or response.finish
end

private

def process(request, response)
unless request.post?
response.set(:method_not_allowed, "must POST")
return nil
end

unless verify_signature(request)
response.set(:unauthorized, "Authorization failed")
return nil
end

response.finish
end

def verify_signature(request)
signature = 'sha256=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'),
ENV['SECRET_TOKEN'],
request.body.read)
Rack::Utils.secure_compare(signature, request.env['HTTP_X_HUB_SIGNATURE_256'])
end
end
end
27 changes: 27 additions & 0 deletions ansible/files/home/deployer/webhook/lib/deployer/response.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Copyright (C) 2010-2019 Sutou Kouhei <[email protected]>
# Copyright (C) 2015 Kenji Okimoto <[email protected]>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

require "rack/response"

module Deployer
class Response < Rack::Response
def set(status_keyword, message)
self.status = Rack::Utils.status_code(status_keyword)
self["Content-Type"] = "text/plain"
write(message)
end
end
end

0 comments on commit ed50a10

Please sign in to comment.