Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

feat(api): add GitHub webhook signature + push parsing helper #1316

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 90 additions & 0 deletions internal/api/githubwebhook/githubwebhook.go
View file Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
// Package githubwebhook contains the pure, transport-free pieces of the GitHub
// webhook receiver: verifying a delivery's HMAC signature and extracting the
// repository coordinates from a push payload. Keeping these out of the HTTP
// handler lets them be unit-tested without a server and keeps the handler thin.
package githubwebhook

import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"encoding/json"
"strings"
)

// SignatureHeader is the request header GitHub signs each delivery with.
const SignatureHeader = "X-Hub-Signature-256"

// EventHeader names the webhook event type (e.g. "push", "ping").
const EventHeader = "X-GitHub-Event"

const signaturePrefix = "sha256="

// Verify reports whether sigHeader is a valid HMAC-SHA256 signature of body
// under secret, in GitHub's "sha256=<hex>" form. The comparison is
// constant-time. An empty secret or header is treated as invalid so a
// misconfigured receiver fails closed rather than accepting unsigned payloads.
func Verify(secret string, body []byte, sigHeader string) bool {
if secret == "" || sigHeader == "" {
return false
}
if !strings.HasPrefix(sigHeader, signaturePrefix) {
return false
}
want := sigHeader[len(signaturePrefix):]

mac := hmac.New(sha256.New, []byte(secret))
mac.Write(body)
got := hex.EncodeToString(mac.Sum(nil))

// hmac.Equal is constant-time over equal-length inputs; the lengths match
// whenever want is a valid sha256 hex digest, and differ harmlessly
// otherwise.
return hmac.Equal([]byte(got), []byte(want))
}

// pushPayload captures only the repository coordinates we need from a GitHub
// push event. Owner login and repo name identify the checkout to refresh.
type pushPayload struct {
Repository struct {
Name string `json:"name"`
FullName string `json:"full_name"`
Owner struct {
Login string `json:"login"`
Name string `json:"name"`
} `json:"owner"`
} `json:"repository"`
}

// ParsePush extracts the owner and repository name from a push event body. It
// prefers the explicit owner.login / repository.name fields and falls back to
// splitting full_name ("owner/repo"). ok is false when the body isn't a
// recognizable push payload, so the caller can ignore it without erroring.
func ParsePush(body []byte) (owner, name string, ok bool) {
var p pushPayload
if err := json.Unmarshal(body, &p); err != nil {
return "", "", false
}

owner = p.Repository.Owner.Login
if owner == "" {
owner = p.Repository.Owner.Name
}
name = p.Repository.Name

if (owner == "" || name == "") && p.Repository.FullName != "" {
if o, n, found := strings.Cut(p.Repository.FullName, "/"); found {
if owner == "" {
owner = o
}
if name == "" {
name = n
}
}
}

if owner == "" || name == "" {
return "", "", false
}
return owner, name, true
}
103 changes: 103 additions & 0 deletions internal/api/githubwebhook/githubwebhook_test.go
View file Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
package githubwebhook

import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"testing"

"github.com/stretchr/testify/require"
)

// sign produces the "sha256=<hex>" header GitHub would send for body+secret.
// It uses the stdlib directly as an independent oracle for Verify.
func sign(secret string, body []byte) string {
mac := hmac.New(sha256.New, []byte(secret))
mac.Write(body)
return signaturePrefix + hex.EncodeToString(mac.Sum(nil))
}

func TestVerify(t *testing.T) {
t.Parallel()

secret := "s3cr3t"
body := []byte(`{"zen":"Keep it logically awesome."}`)
valid := sign(secret, body)

tests := []struct {
name string
secret string
body []byte
header string
want bool
}{
{name: "valid signature", secret: secret, body: body, header: valid, want: true},
{name: "wrong secret", secret: "other", body: body, header: valid, want: false},
{name: "tampered body", secret: secret, body: []byte(`{"zen":"tampered"}`), header: valid, want: false},
{name: "missing prefix", secret: secret, body: body, header: valid[len(signaturePrefix):], want: false},
{name: "garbage signature", secret: secret, body: body, header: "sha256=not-hex", want: false},
{name: "empty secret fails closed", secret: "", body: body, header: valid, want: false},
{name: "empty header fails closed", secret: secret, body: body, header: "", want: false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
require.Equal(t, tt.want, Verify(tt.secret, tt.body, tt.header))
})
}
}

func TestParsePush(t *testing.T) {
t.Parallel()

tests := []struct {
name string
body string
wantOwner string
wantName string
wantOK bool
}{
{
name: "owner login and repo name",
body: `{"repository":{"name":"widget","full_name":"octo/widget","owner":{"login":"octo"}}}`,
wantOwner: "octo",
wantName: "widget",
wantOK: true,
},
{
name: "falls back to owner.name when login absent",
body: `{"repository":{"name":"widget","owner":{"name":"octo"}}}`,
wantOwner: "octo",
wantName: "widget",
wantOK: true,
},
{
name: "falls back to full_name when owner/name absent",
body: `{"repository":{"full_name":"octo/widget","owner":{}}}`,
wantOwner: "octo",
wantName: "widget",
wantOK: true,
},
{
name: "no repository object",
body: `{"zen":"ping"}`,
wantOK: false,
},
{
name: "invalid json",
body: `not json`,
wantOK: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
owner, name, ok := ParsePush([]byte(tt.body))
require.Equal(t, tt.wantOK, ok)
if tt.wantOK {
require.Equal(t, tt.wantOwner, owner)
require.Equal(t, tt.wantName, name)
}
})
}
}
Loading

AltStyle によって変換されたページ (->オリジナル) /