-
Notifications
You must be signed in to change notification settings - Fork 2.1k
/
Copy pathmessages.go
357 lines (327 loc) · 13.7 KB
/
messages.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
// Copyright 2016 The go-github AUTHORS. All rights reserved.
//
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// This file provides functions for validating payloads from GitHub Webhooks.
// GitHub API docs: https://developer.github.com/webhooks/securing/#validating-payloads-from-github
package github
import (
"crypto/hmac"
"crypto/sha1"
"crypto/sha256"
"crypto/sha512"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"hash"
"io"
"mime"
"net/http"
"net/url"
"reflect"
"sort"
"strings"
)
const (
// sha1Prefix is the prefix used by GitHub before the HMAC hexdigest.
sha1Prefix = "sha1"
// sha256Prefix and sha512Prefix are provided for future compatibility.
sha256Prefix = "sha256"
sha512Prefix = "sha512"
// SHA1SignatureHeader is the GitHub header key used to pass the HMAC-SHA1 hexdigest.
SHA1SignatureHeader = "X-Hub-Signature"
// SHA256SignatureHeader is the GitHub header key used to pass the HMAC-SHA256 hexdigest.
SHA256SignatureHeader = "X-Hub-Signature-256"
// EventTypeHeader is the GitHub header key used to pass the event type.
EventTypeHeader = "X-Github-Event"
// DeliveryIDHeader is the GitHub header key used to pass the unique ID for the webhook event.
DeliveryIDHeader = "X-Github-Delivery"
)
var (
// eventTypeMapping maps webhooks types to their corresponding go-github struct types.
eventTypeMapping = map[string]interface{}{
"branch_protection_configuration": &BranchProtectionConfigurationEvent{},
"branch_protection_rule": &BranchProtectionRuleEvent{},
"check_run": &CheckRunEvent{},
"check_suite": &CheckSuiteEvent{},
"code_scanning_alert": &CodeScanningAlertEvent{},
"commit_comment": &CommitCommentEvent{},
"content_reference": &ContentReferenceEvent{},
"create": &CreateEvent{},
"custom_property": &CustomPropertyEvent{},
"custom_property_values": &CustomPropertyValuesEvent{},
"delete": &DeleteEvent{},
"dependabot_alert": &DependabotAlertEvent{},
"deploy_key": &DeployKeyEvent{},
"deployment": &DeploymentEvent{},
"deployment_review": &DeploymentReviewEvent{},
"deployment_status": &DeploymentStatusEvent{},
"deployment_protection_rule": &DeploymentProtectionRuleEvent{},
"discussion": &DiscussionEvent{},
"discussion_comment": &DiscussionCommentEvent{},
"fork": &ForkEvent{},
"github_app_authorization": &GitHubAppAuthorizationEvent{},
"gollum": &GollumEvent{},
"installation": &InstallationEvent{},
"installation_repositories": &InstallationRepositoriesEvent{},
"installation_target": &InstallationTargetEvent{},
"issue_comment": &IssueCommentEvent{},
"issues": &IssuesEvent{},
"label": &LabelEvent{},
"marketplace_purchase": &MarketplacePurchaseEvent{},
"member": &MemberEvent{},
"membership": &MembershipEvent{},
"merge_group": &MergeGroupEvent{},
"meta": &MetaEvent{},
"milestone": &MilestoneEvent{},
"organization": &OrganizationEvent{},
"org_block": &OrgBlockEvent{},
"package": &PackageEvent{},
"page_build": &PageBuildEvent{},
"personal_access_token_request": &PersonalAccessTokenRequestEvent{},
"ping": &PingEvent{},
"projects_v2": &ProjectV2Event{},
"projects_v2_item": &ProjectV2ItemEvent{},
"public": &PublicEvent{},
"pull_request": &PullRequestEvent{},
"pull_request_review": &PullRequestReviewEvent{},
"pull_request_review_comment": &PullRequestReviewCommentEvent{},
"pull_request_review_thread": &PullRequestReviewThreadEvent{},
"pull_request_target": &PullRequestTargetEvent{},
"push": &PushEvent{},
"registry_package": &RegistryPackageEvent{},
"repository": &RepositoryEvent{},
"repository_dispatch": &RepositoryDispatchEvent{},
"repository_import": &RepositoryImportEvent{},
"repository_ruleset": &RepositoryRulesetEvent{},
"repository_vulnerability_alert": &RepositoryVulnerabilityAlertEvent{},
"release": &ReleaseEvent{},
"secret_scanning_alert": &SecretScanningAlertEvent{},
"secret_scanning_alert_location": &SecretScanningAlertLocationEvent{},
"security_advisory": &SecurityAdvisoryEvent{},
"security_and_analysis": &SecurityAndAnalysisEvent{},
"sponsorship": &SponsorshipEvent{},
"star": &StarEvent{},
"status": &StatusEvent{},
"team": &TeamEvent{},
"team_add": &TeamAddEvent{},
"user": &UserEvent{},
"watch": &WatchEvent{},
"workflow_dispatch": &WorkflowDispatchEvent{},
"workflow_job": &WorkflowJobEvent{},
"workflow_run": &WorkflowRunEvent{},
}
// Forward mapping of event types to the string names of the structs.
messageToTypeName = make(map[string]string, len(eventTypeMapping))
// Inverse map of the above.
typeToMessageMapping = make(map[string]string, len(eventTypeMapping))
)
func init() {
for k, v := range eventTypeMapping {
typename := reflect.TypeOf(v).Elem().Name()
messageToTypeName[k] = typename
typeToMessageMapping[typename] = k
}
}
// genMAC generates the HMAC signature for a message provided the secret key
// and hashFunc.
func genMAC(message, key []byte, hashFunc func() hash.Hash) []byte {
mac := hmac.New(hashFunc, key)
mac.Write(message)
return mac.Sum(nil)
}
// checkMAC reports whether messageMAC is a valid HMAC tag for message.
func checkMAC(message, messageMAC, key []byte, hashFunc func() hash.Hash) bool {
expectedMAC := genMAC(message, key, hashFunc)
return hmac.Equal(messageMAC, expectedMAC)
}
// messageMAC returns the hex-decoded HMAC tag from the signature and its
// corresponding hash function.
func messageMAC(signature string) ([]byte, func() hash.Hash, error) {
if signature == "" {
return nil, nil, errors.New("missing signature")
}
sigParts := strings.SplitN(signature, "=", 2)
if len(sigParts) != 2 {
return nil, nil, fmt.Errorf("error parsing signature %q", signature)
}
var hashFunc func() hash.Hash
switch sigParts[0] {
case sha1Prefix:
hashFunc = sha1.New
case sha256Prefix:
hashFunc = sha256.New
case sha512Prefix:
hashFunc = sha512.New
default:
return nil, nil, fmt.Errorf("unknown hash type prefix: %q", sigParts[0])
}
buf, err := hex.DecodeString(sigParts[1])
if err != nil {
return nil, nil, fmt.Errorf("error decoding signature %q: %v", signature, err)
}
return buf, hashFunc, nil
}
// ValidatePayloadFromBody validates an incoming GitHub Webhook event request body
// and returns the (JSON) payload.
// The Content-Type header of the payload can be "application/json" or "application/x-www-form-urlencoded".
// If the Content-Type is neither then an error is returned.
// secretToken is the GitHub Webhook secret token.
// If your webhook does not contain a secret token, you can pass an empty secretToken.
// Webhooks without a secret token are not secure and should be avoided.
//
// Example usage:
//
// func (s *GitHubEventMonitor) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// // read signature from request
// signature := ""
// payload, err := github.ValidatePayloadFromBody(r.Header.Get("Content-Type"), r.Body, signature, s.webhookSecretKey)
// if err != nil { ... }
// // Process payload...
// }
func ValidatePayloadFromBody(contentType string, readable io.Reader, signature string, secretToken []byte) (payload []byte, err error) {
var body []byte // Raw body that GitHub uses to calculate the signature.
switch contentType {
case "application/json":
var err error
if body, err = io.ReadAll(readable); err != nil {
return nil, err
}
// If the content type is application/json,
// the JSON payload is just the original body.
payload = body
case "application/x-www-form-urlencoded":
// payloadFormParam is the name of the form parameter that the JSON payload
// will be in if a webhook has its content type set to application/x-www-form-urlencoded.
const payloadFormParam = "payload"
var err error
if body, err = io.ReadAll(readable); err != nil {
return nil, err
}
// If the content type is application/x-www-form-urlencoded,
// the JSON payload will be under the "payload" form param.
form, err := url.ParseQuery(string(body))
if err != nil {
return nil, err
}
payload = []byte(form.Get(payloadFormParam))
default:
return nil, fmt.Errorf("webhook request has unsupported Content-Type %q", contentType)
}
// Validate the signature if present or if one is expected (secretToken is non-empty).
if len(secretToken) > 0 || len(signature) > 0 {
if err := ValidateSignature(signature, body, secretToken); err != nil {
return nil, err
}
}
return payload, nil
}
// ValidatePayload validates an incoming GitHub Webhook event request
// and returns the (JSON) payload.
// The Content-Type header of the payload can be "application/json" or "application/x-www-form-urlencoded".
// If the Content-Type is neither then an error is returned.
// secretToken is the GitHub Webhook secret token.
// If your webhook does not contain a secret token, you can pass nil or an empty slice.
// This is intended for local development purposes only and all webhooks should ideally set up a secret token.
//
// Example usage:
//
// func (s *GitHubEventMonitor) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// payload, err := github.ValidatePayload(r, s.webhookSecretKey)
// if err != nil { ... }
// // Process payload...
// }
func ValidatePayload(r *http.Request, secretToken []byte) (payload []byte, err error) {
signature := r.Header.Get(SHA256SignatureHeader)
if signature == "" {
signature = r.Header.Get(SHA1SignatureHeader)
}
contentType, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
if err != nil {
return nil, err
}
return ValidatePayloadFromBody(contentType, r.Body, signature, secretToken)
}
// ValidateSignature validates the signature for the given payload.
// signature is the GitHub hash signature delivered in the X-Hub-Signature header.
// payload is the JSON payload sent by GitHub Webhooks.
// secretToken is the GitHub Webhook secret token.
//
// GitHub API docs: https://developer.github.com/webhooks/securing/#validating-payloads-from-github
func ValidateSignature(signature string, payload, secretToken []byte) error {
messageMAC, hashFunc, err := messageMAC(signature)
if err != nil {
return err
}
if !checkMAC(payload, messageMAC, secretToken, hashFunc) {
return errors.New("payload signature check failed")
}
return nil
}
// WebHookType returns the event type of webhook request r.
//
// GitHub API docs: https://docs.github.com/developers/webhooks-and-events/events/github-event-types
func WebHookType(r *http.Request) string {
return r.Header.Get(EventTypeHeader)
}
// DeliveryID returns the unique delivery ID of webhook request r.
//
// GitHub API docs: https://docs.github.com/developers/webhooks-and-events/events/github-event-types
func DeliveryID(r *http.Request) string {
return r.Header.Get(DeliveryIDHeader)
}
// ParseWebHook parses the event payload. For recognized event types, a
// value of the corresponding struct type will be returned (as returned
// by Event.ParsePayload()). An error will be returned for unrecognized event
// types.
//
// Example usage:
//
// func (s *GitHubEventMonitor) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// payload, err := github.ValidatePayload(r, s.webhookSecretKey)
// if err != nil { ... }
// event, err := github.ParseWebHook(github.WebHookType(r), payload)
// if err != nil { ... }
// switch event := event.(type) {
// case *github.CommitCommentEvent:
// processCommitCommentEvent(event)
// case *github.CreateEvent:
// processCreateEvent(event)
// ...
// }
// }
func ParseWebHook(messageType string, payload []byte) (interface{}, error) {
eventType, ok := messageToTypeName[messageType]
if !ok {
return nil, fmt.Errorf("unknown X-Github-Event in message: %v", messageType)
}
event := Event{
Type: &eventType,
RawPayload: (*json.RawMessage)(&payload),
}
return event.ParsePayload()
}
// MessageTypes returns a sorted list of all the known GitHub event type strings
// supported by go-github.
func MessageTypes() []string {
types := make([]string, 0, len(eventTypeMapping))
for t := range eventTypeMapping {
types = append(types, t)
}
sort.Strings(types)
return types
}
// EventForType returns an empty struct matching the specified GitHub event type.
// If messageType does not match any known event types, it returns nil.
func EventForType(messageType string) interface{} {
prototype := eventTypeMapping[messageType]
if prototype == nil {
return nil
}
// return a _copy_ of the pointed-to-object. Unfortunately, for this we
// need to use reflection. If we store the actual objects in the map,
// we still need to use reflection to convert from `any` to the actual
// type, so this was deemed the lesser of two evils. (#2865)
return reflect.New(reflect.TypeOf(prototype).Elem()).Interface()
}