GitHub signature: Don't fail on dryrun mode on missing signature

camptocamp · Jul 5, 2024 · 9349637 · 9349637
1 parent 40bfabc
commit 9349637
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/github_app_geo_project/views/webhook.py b/github_app_geo_project/views/webhook.py
@@ -36,15 +36,18 @@ def webhook(request: pyramid.request.Request) -> dict[str, None]:
             if not dry_run:
                 raise pyramid.httpexceptions.HTTPBadRequest("No signature in the request")
 
-        our_signature = hmac.new(
-            key=github_secret.encode("utf-8"),
-            msg=request.body,
-            digestmod=hashlib.sha256,
-        ).hexdigest()
-        if not hmac.compare_digest(our_signature, request.headers["X-Hub-Signature-256"].split("=", 1)[1]):
-            _LOGGER.error("Invalid signature in the request")
-            if not dry_run:
-                raise pyramid.httpexceptions.HTTPBadRequest("Invalid signature in the request")
+        else:
+            our_signature = hmac.new(
+                key=github_secret.encode("utf-8"),
+                msg=request.body,
+                digestmod=hashlib.sha256,
+            ).hexdigest()
+            if not hmac.compare_digest(
+                our_signature, request.headers["X-Hub-Signature-256"].split("=", 1)[-1]
+            ):
+                _LOGGER.error("Invalid signature in the request")
+                if not dry_run:
+                    raise pyramid.httpexceptions.HTTPBadRequest("Invalid signature in the request")
 
     _LOGGER.debug(
         "Webhook received for %s on %s", request.headers.get("X-GitHub-Event", "undefined"), application