added link to verify_signature

2023-05-26 14:39:02 +02:00 · 2023-05-26 14:39:02 +02:00 · a61b44d329
parent 58d529c93c
commit a61b44d329
1 changed files with 57 additions and 56 deletions
--- a/app.py
+++ b/app.py
@ -1,56 +1,57 @@
-from flask import Flask, request
-import subprocess
-import hashlib
-import hmac
-import os
-
-app = Flask(__name__)
-
-# Secret key used for HMAC signature verification
-secret_token = os.environ.get('SECRET_TOKEN')
-
-@app.route('/webhook', methods=['POST'])
-def webhook():
-    # Check if the received webhook is from Git
-    if request.headers.get('X-GitHub-Event') == 'push':
-        # Verify HMAC signature
-        signature = request.headers.get('X-Hub-Signature-256')
-        if verify_signature(request.data, signature, secret_token):
-            return 'Invalid HMAC signature.', 400
-
-        # Pull the latest changes from Git
-        subprocess.run(['git', 'pull'])
-        
-        # Restart the example_app
-        subprocess.run(['systemctl', 'restart', 'restart_this_app.service'])
-
-        return 'Success!', 200
-    else:
-        return 'Invalid webhook event.', 400
-
-
-
-def verify_signature(payload_body, signature_header, secret_token):
-    """Verify that the payload was sent from GitHub by validating SHA256.
-    
-    Raise and return 403 if not authorized.
-    
-    Args:
-        payload_body: original request body to verify (request.body())
-        secret_token: GitHub app webhook token (WEBHOOK_SECRET)
-        signature_header: header received from GitHub (x-hub-signature-256)
-    """
-    if not signature_header:
-        return False
-    
-    hash_object = hmac.new(secret_token.encode('utf-8'), msg=payload_body, digestmod=hashlib.sha256)
-    expected_signature = "sha256=" + hash_object.hexdigest()
-    if not hmac.compare_digest(expected_signature, signature_header):
-        return False
-
-    return True
-
-
-
-if __name__ == '__main__':
-    app.run(host='0.0.0.0', port=5001)
+from flask import Flask, request
+import subprocess
+import hashlib
+import hmac
+import os
+
+app = Flask(__name__)
+
+# Secret key used for HMAC signature verification
+secret_token = os.environ.get('SECRET_TOKEN')
+
+@app.route('/webhook', methods=['POST'])
+def webhook():
+    # Check if the received webhook is from Git
+    if request.headers.get('X-GitHub-Event') == 'push':
+        # Verify HMAC signature
+        signature = request.headers.get('X-Hub-Signature-256')
+        if verify_signature(request.data, signature, secret_token):
+            return 'Invalid HMAC signature.', 400
+
+        # Pull the latest changes from Git
+        subprocess.run(['git', 'pull'])
+        
+        # Restart the example_app
+        subprocess.run(['systemctl', 'restart', 'restart_this_app.service'])
+
+        return 'Success!', 200
+    else:
+        return 'Invalid webhook event.', 400
+
+
+
+# https://docs.github.com/en/enterprise-server@3.6/webhooks-and-events/webhooks/securing-your-webhooks#python-example
+def verify_signature(payload_body, signature_header, secret_token):
+    """Verify that the payload was sent from GitHub by validating SHA256.
+    
+    Raise and return 403 if not authorized.
+    
+    Args:
+        payload_body: original request body to verify (request.body())
+        secret_token: GitHub app webhook token (WEBHOOK_SECRET)
+        signature_header: header received from GitHub (x-hub-signature-256)
+    """
+    if not signature_header:
+        return False
+    
+    hash_object = hmac.new(secret_token.encode('utf-8'), msg=payload_body, digestmod=hashlib.sha256)
+    expected_signature = "sha256=" + hash_object.hexdigest()
+    if not hmac.compare_digest(expected_signature, signature_header):
+        return False
+
+    return True
+
+
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=5001)