From a61b44d329ccfecd16f96107ad21b8f6eab07596 Mon Sep 17 00:00:00 2001 From: Wojciech Kubicki Date: Fri, 26 May 2023 14:39:02 +0200 Subject: [PATCH] added link to verify_signature --- app.py | 113 +++++++++++++++++++++++++++++---------------------------- 1 file changed, 57 insertions(+), 56 deletions(-) diff --git a/app.py b/app.py index 4f62457..9d4a352 100644 --- a/app.py +++ b/app.py @@ -1,56 +1,57 @@ -from flask import Flask, request -import subprocess -import hashlib -import hmac -import os - -app = Flask(__name__) - -# Secret key used for HMAC signature verification -secret_token = os.environ.get('SECRET_TOKEN') - -@app.route('/webhook', methods=['POST']) -def webhook(): - # Check if the received webhook is from Git - if request.headers.get('X-GitHub-Event') == 'push': - # Verify HMAC signature - signature = request.headers.get('X-Hub-Signature-256') - if verify_signature(request.data, signature, secret_token): - return 'Invalid HMAC signature.', 400 - - # Pull the latest changes from Git - subprocess.run(['git', 'pull']) - - # Restart the example_app - subprocess.run(['systemctl', 'restart', 'restart_this_app.service']) - - return 'Success!', 200 - else: - return 'Invalid webhook event.', 400 - - - -def verify_signature(payload_body, signature_header, secret_token): - """Verify that the payload was sent from GitHub by validating SHA256. - - Raise and return 403 if not authorized. - - Args: - payload_body: original request body to verify (request.body()) - secret_token: GitHub app webhook token (WEBHOOK_SECRET) - signature_header: header received from GitHub (x-hub-signature-256) - """ - if not signature_header: - return False - - hash_object = hmac.new(secret_token.encode('utf-8'), msg=payload_body, digestmod=hashlib.sha256) - expected_signature = "sha256=" + hash_object.hexdigest() - if not hmac.compare_digest(expected_signature, signature_header): - return False - - return True - - - -if __name__ == '__main__': - app.run(host='0.0.0.0', port=5001) +from flask import Flask, request +import subprocess +import hashlib +import hmac +import os + +app = Flask(__name__) + +# Secret key used for HMAC signature verification +secret_token = os.environ.get('SECRET_TOKEN') + +@app.route('/webhook', methods=['POST']) +def webhook(): + # Check if the received webhook is from Git + if request.headers.get('X-GitHub-Event') == 'push': + # Verify HMAC signature + signature = request.headers.get('X-Hub-Signature-256') + if verify_signature(request.data, signature, secret_token): + return 'Invalid HMAC signature.', 400 + + # Pull the latest changes from Git + subprocess.run(['git', 'pull']) + + # Restart the example_app + subprocess.run(['systemctl', 'restart', 'restart_this_app.service']) + + return 'Success!', 200 + else: + return 'Invalid webhook event.', 400 + + + +# https://docs.github.com/en/enterprise-server@3.6/webhooks-and-events/webhooks/securing-your-webhooks#python-example +def verify_signature(payload_body, signature_header, secret_token): + """Verify that the payload was sent from GitHub by validating SHA256. + + Raise and return 403 if not authorized. + + Args: + payload_body: original request body to verify (request.body()) + secret_token: GitHub app webhook token (WEBHOOK_SECRET) + signature_header: header received from GitHub (x-hub-signature-256) + """ + if not signature_header: + return False + + hash_object = hmac.new(secret_token.encode('utf-8'), msg=payload_body, digestmod=hashlib.sha256) + expected_signature = "sha256=" + hash_object.hexdigest() + if not hmac.compare_digest(expected_signature, signature_header): + return False + + return True + + + +if __name__ == '__main__': + app.run(host='0.0.0.0', port=5001)