Skip to content

Commit

Permalink
GitHub signature: Don't fail on dryrun mode on missing signature
Browse files Browse the repository at this point in the history
  • Loading branch information
sbrunner committed Jul 5, 2024
1 parent 40bfabc commit 07fde7c
Showing 1 changed file with 13 additions and 10 deletions.
23 changes: 13 additions & 10 deletions github_app_geo_project/views/webhook.py
Original file line number Diff line number Diff line change
Expand Up @@ -30,21 +30,24 @@ def webhook(request: pyramid.request.Request) -> dict[str, None]:

github_secret = request.registry.settings.get(f"application.{application}.github_app_webhook_secret")
if github_secret:
dry_run = os.environ.get("GHCI_WEBHOOK_SECRET_DRY_RUN", "false").lower() == "true"
dry_run = os.environ.get("GHCI_WEBHOOK_SECRET_DRY_RUN", "false").lower() in ("true", "1", "yes", "on")
if "X-Hub-Signature-256" not in request.headers:
_LOGGER.error("No signature in the request")
if not dry_run:
raise pyramid.httpexceptions.HTTPBadRequest("No signature in the request")

our_signature = hmac.new(
key=github_secret.encode("utf-8"),
msg=request.body,
digestmod=hashlib.sha256,
).hexdigest()
if not hmac.compare_digest(our_signature, request.headers["X-Hub-Signature-256"].split("=", 1)[1]):
_LOGGER.error("Invalid signature in the request")
if not dry_run:
raise pyramid.httpexceptions.HTTPBadRequest("Invalid signature in the request")
else:
our_signature = hmac.new(
key=github_secret.encode("utf-8"),
msg=request.body,
digestmod=hashlib.sha256,
).hexdigest()
if not hmac.compare_digest(
our_signature, request.headers["X-Hub-Signature-256"].split("=", 1)[-1]
):
_LOGGER.error("Invalid signature in the request")
if not dry_run:
raise pyramid.httpexceptions.HTTPBadRequest("Invalid signature in the request")

_LOGGER.debug(
"Webhook received for %s on %s", request.headers.get("X-GitHub-Event", "undefined"), application
Expand Down

0 comments on commit 07fde7c

Please sign in to comment.