Merge pull request #10 from totem/develop

0.5.0 : Support for Github hook signature
totem · Feb 17, 2015 · d707a55 · d707a55
2 parents 48ef63e + d59dd2c
commit d707a55
Show file tree

Hide file tree

Showing 7 changed files with 131 additions and 40 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,4 +18,8 @@
 
 ## 0.4.0
 
-+ OSS Implementation of image factory
++ OSS Implementation of image factory
+
+## 0.5.0
+
++ Support for Github hook signature
diff --git a/README.md b/README.md
@@ -100,6 +100,8 @@ might be removed in future releases.
 | ETCD_HOST | Etcd server host. | 172.17.42.1 |
 | ETCD_PORT | Etcd server port. | 4001 |
 | ETCD_TOTEM_BASE | Base path for totem configurations | /totem |
+| HOOK_POST_URL | URL to be used for post build notification | |
+| HOOK_SECRET | Secret used for github post hook and post build notification |changeit|
 
 
 ## Prerequisites (Development)

diff --git a/lib/factory.js b/lib/factory.js
@@ -16,6 +16,7 @@ var winston = require('winston'),
     Datastore = require('./datastore'),
     JobRunner = require('./job'),
     corsResponse = require('./restify/cors'),
+    usingSignedRequest = require('./restify/authorize-signature'),
     events = require('events'),
     util = require('util'),
     zSchema = require('z-schema'),
@@ -133,22 +134,30 @@ Factory.prototype.initApi = function initApi() {
     }
   });
 
+  this.useDefaults = function() {
+    return [
+      restify.acceptParser(this.server.acceptable),
+      restify.queryParser(),
+      restify.bodyParser(),
+      corsResponse()
+    ];
+  };
 
-  // Ensures the server only responds to types we can process
-  this.server.use(restify.acceptParser(this.server.acceptable));
-
-  // Parses URI query params
-  this.server.use(restify.queryParser());
-
-  // Parsed body based on content-type
-  this.server.use(restify.bodyParser());
-
-  // Enables CORS support on responses
-  this.server.use(corsResponse());
-
+  this.useSignedGithubRequest = function() {
+    var bodyParser = restify.bodyParser();
+    return [
+      restify.acceptParser(this.server.acceptable),
+      restify.queryParser(),
+      bodyParser[0], // First element contains middleware for parsing raw text,
+      usingSignedRequest(_this.config.hook.secret, 'X-Hub-Signature'),
+      // Second Elevement contains middleware for parsing JSON
+      bodyParser[1],
+      corsResponse()
+    ];
+  };
 
   // Server static schemas
-  this.server.get('_schema/:name', function (req, res, next) {
+  this.server.get('_schema/:name', this.useDefaults(), function (req, res, next) {
     var schemaPath = path.resolve(SCHEMA_DIR, req.params.name + '.json');
     try {
       var schema = fs.createReadStream(schemaPath);
@@ -160,18 +169,18 @@ Factory.prototype.initApi = function initApi() {
     }
   });
 
-  this.server.get(/\/_jsonary\/?.*/, restify.serveStatic({ directory: './static' }));
+  this.server.get(/\/_jsonary\/?.*/, this.useDefaults(), restify.serveStatic({ directory: './static' }));
 
   // GET Root
-  this.server.get('/', function (req, res, next) {
+  this.server.get('/', this.useDefaults(), function (req, res, next) {
     res.header('Link', '</_schema/ROOT>; rel="describedBy"');
     res.send({});
     return next();
   });
 
   // GET /job
   // Get a list of all jobs
-  this.server.get('/job', function (req, res, next) {
+  this.server.get('/job', this.useDefaults(), function (req, res, next) {
     var jobs = _this.jobs.get();
     async.map(
       Object.keys(jobs),
@@ -190,7 +199,7 @@ Factory.prototype.initApi = function initApi() {
 
   // GET /job/:id
   // Get the job specified by *id*
-  this.server.get('/job/:id', function (req, res, next) {
+  this.server.get('/job/:id', this.useDefaults(), function (req, res, next) {
     var job = _this.jobs.get(req.params.id);
     if (job) {
       res.header('Content-Type', 'application/vnd.sh.melt.cdp.if.job.v1+json');
@@ -204,7 +213,7 @@ Factory.prototype.initApi = function initApi() {
 
   // GET /job/:id/log
   // Get the build log for the job specified by *id*
-  this.server.get('/job/:id/log', function (req, res, next) {
+  this.server.get('/job/:id/log', this.useDefaults(), function (req, res, next) {
     var job = _this.jobs.get(req.params.id);
 
     if (job) {
@@ -223,7 +232,7 @@ Factory.prototype.initApi = function initApi() {
 
   // POST /job
   // Create a new job
-  this.server.post('/job', function (req, res, next) {
+  this.server.post('/job', this.useDefaults(), function (req, res, next) {
 
     winston.debug('POST /job: ' + util.inspect(req.body));
 
@@ -257,7 +266,7 @@ Factory.prototype.initApi = function initApi() {
 
   // Github POST hook
   // Create a new job
-  this.server.post('/hooks/github', function (req, res, next) {
+  this.server.post('/hooks/github', this.useSignedGithubRequest(), function (req, res, next) {
 
     winston.debug('POST /hooks/github: ' + util.inspect(req.body));
 

diff --git a/lib/restify/authorize-signature.js b/lib/restify/authorize-signature.js
@@ -0,0 +1,42 @@
+/*jshint maxcomplexity:15 */
+
+/*!
+ * Docker Image Factory - Authenticates request using request signature.
+ * Signature is calculated using SHA HMAC (using hexdigest) of the payload
+ * using pre-configured secret
+ *
+ */
+
+'use strict';
+
+var crypto = require('crypto'),
+    restify = require('restify');
+
+module.exports = usingSignedRequest;
+
+/**
+ * Returns middleware that authorizes the request payload using signature
+ * specified in the header.
+ *
+ * @param secret Secret to be used for computing SHA HMAC of the payload.
+ * @param header Header name of the request which contains signature.
+ * @returns {authorize}
+ */
+function usingSignedRequest(secret, header) {
+  header = header || 'X-Hook-Signature';
+
+  return function authorize(req, res, next) {
+      var hmac = crypto.createHmac('sha1', secret);
+      hmac.update(req.body);
+      var calculatedSignature = 'sha1=' + hmac.digest('hex');
+      var actualSignature = req.header(header);
+      if (actualSignature !== calculatedSignature) {
+        return (next(
+            new restify.errors.InvalidCredentialsError(
+                'Mismatch in computed signature and the passed signature of the request payload.')));
+      } else {
+        return (next());
+      }
+  };
+
+}
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "image-factory",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Docker Image Factory",
   "keywords": [
     "docker",

diff --git a/test/integration/api.js b/test/integration/api.js
@@ -49,17 +49,29 @@ var MINIMUM_BUILD_REQUEST = {
   repo: "fake-repo"
 };
 
-var GIT_HOOK_BUILD_REQUEST = {
-  ref: "fake-owner/fake-repo/fake-branch",
-  after: "1234",
-  repository: {
-    name: "fake-repo",
-    owner: {
-      name: "fake-owner"
-    }
-  },
-  deleted: false
-};
+var GIT_HOOK_PUSH_REQUEST_STR = '{ \
+  "ref": "fake-owner/fake-repo/fake-branch", \
+  "after": "1234", \
+  "repository": { \
+    "name": "fake-repo", \
+    "owner": { \
+      "name": "fake-owner" \
+    } \
+  }, \
+  "deleted": false \
+}';
+
+var GIT_HOOK_DELETE_REQUEST_STR = '{ \
+  "ref": "fake-owner/fake-repo/fake-branch", \
+  "after": "1234", \
+  "repository": { \
+    "name": "fake-repo", \
+    "owner": { \
+      "name": "fake-owner" \
+    } \
+  }, \
+  "deleted": true \
+}';
 
 var FULL_BUILD_REQUEST = {
   owner: "fake-owner",
@@ -149,8 +161,11 @@ describe('Image Factory - REST API', function () {
       request.post(
         BASE_URL + '/hooks/github',
         {
-          body: JSON.stringify(GIT_HOOK_BUILD_REQUEST),
-          headers: { 'Content-Type': 'application/json'}
+          body: GIT_HOOK_PUSH_REQUEST_STR,
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Hub-Signature': 'sha1=75486e24e49d01aa87cff3951314993ce649cc8a'
+          }
         },
         function (err, response, body) {
           expect(err).to.not.exist;
@@ -167,13 +182,14 @@ describe('Image Factory - REST API', function () {
     });
 
     it('should return No Content when POST /hooks/github with deleted flag as true', function (done) {
-      var payload = _.clone(GIT_HOOK_BUILD_REQUEST);
-      payload.deleted = true;
       request.post(
         BASE_URL + '/hooks/github',
         {
-          body: JSON.stringify(payload),
-          headers: { 'Content-Type': 'application/json'}
+          body: GIT_HOOK_DELETE_REQUEST_STR,
+          headers: {
+            'Content-Type': 'application/json',
+            'X-Hub-Signature': 'sha1=b1b6f5e7379d550cfaaf597d90f26d832d999f3f'
+          }
         },
         function (err, response, body) {
           expect(err).to.not.exist;
@@ -183,6 +199,24 @@ describe('Image Factory - REST API', function () {
       );
     });
 
+    it('should return Unauthorized response when invalid signature is passed', function (done) {
+      request.post(
+              BASE_URL + '/hooks/github',
+          {
+            body: GIT_HOOK_PUSH_REQUEST_STR,
+            headers: {
+              'Content-Type': 'application/json',
+              'X-Hub-Signature': 'sha1=invalid'
+            }
+          },
+          function (err, response, body) {
+            expect(err).to.not.exist;
+            expect(response.statusCode).to.equal(401);
+            done();
+          }
+      );
+    });
+
   });
 
   describe('GET /job/{id}', function () {