Skip to content

Commit

Permalink
fix(webhook): Use x-hub-signature-256 header as default (#2434)
Browse files Browse the repository at this point in the history
  • Loading branch information
anshulpatel25 authored Sep 18, 2022
1 parent 05fe737 commit 9c3e495
Show file tree
Hide file tree
Showing 3 changed files with 17 additions and 1 deletion.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -442,6 +442,7 @@ In case the setup does not work as intended follow the trace of events:
| <a name="input_pool_lambda_timeout"></a> [pool\_lambda\_timeout](#input\_pool\_lambda\_timeout) | Time out for the pool lambda in seconds. | `number` | `60` | no |
| <a name="input_pool_runner_owner"></a> [pool\_runner\_owner](#input\_pool\_runner\_owner) | The pool will deploy runners to the GitHub org ID, set this value to the org to which you want the runners deployed. Repo level is not supported. | `string` | `null` | no |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix used for naming resources | `string` | `"github-actions"` | no |
| <a name="input_queue_encryption"></a> [queue\_encryption](#input\_queue\_encryption) | Configure how data on queues managed by the modules in ecrypted at REST. Options are encryped via SSE, non encrypted and via KMSS. By default encryptes via SSE is enabled. See for more details the Terraform `aws_sqs_queue` resource https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue. | <pre>object({<br> kms_data_key_reuse_period_seconds = number<br> kms_master_key_id = string<br> sqs_managed_sse_enabled = bool<br> })</pre> | <pre>{<br> "kms_data_key_reuse_period_seconds": null,<br> "kms_master_key_id": null,<br> "sqs_managed_sse_enabled": true<br>}</pre> | no |
| <a name="input_redrive_build_queue"></a> [redrive\_build\_queue](#input\_redrive\_build\_queue) | Set options to attach (optional) a dead letter queue to the build queue, the queue between the webhook and the scale up lambda. You have the following options. 1. Disable by setting `enabled` to false. 2. Enable by setting `enabled` to `true`, `maxReceiveCount` to a number of max retries. | <pre>object({<br> enabled = bool<br> maxReceiveCount = number<br> })</pre> | <pre>{<br> "enabled": false,<br> "maxReceiveCount": null<br>}</pre> | no |
| <a name="input_repository_white_list"></a> [repository\_white\_list](#input\_repository\_white\_list) | List of repositories allowed to use the github app | `list(string)` | `[]` | no |
| <a name="input_role_path"></a> [role\_path](#input\_role\_path) | The path that will be added to role path for created roles, if not set the environment name will be used. | `string` | `null` | no |
Expand Down
10 changes: 10 additions & 0 deletions modules/webhook/lambdas/webhook/src/webhook/handler.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,16 @@ describe('handler', () => {
expect(sendActionRequest).toBeCalled();
});

it('handles workflow job events with 256 hash signature', async () => {
const event = JSON.stringify(workflowjob_event);
const resp = await handle(
{ 'X-Hub-Signature-256': await webhooks.sign(event), 'X-GitHub-Event': 'workflow_job' },
event,
);
expect(resp.statusCode).toBe(201);
expect(sendActionRequest).toBeCalled();
});

it('does not handle other events', async () => {
const event = JSON.stringify(workflowjob_event);
const resp = await handle({ 'X-Hub-Signature': await webhooks.sign(event), 'X-GitHub-Event': 'push' }, event);
Expand Down
7 changes: 6 additions & 1 deletion modules/webhook/lambdas/webhook/src/webhook/handler.ts
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,12 @@ async function verifySignature(
body: string,
environment: string,
): Promise<number> {
const signature = headers['x-hub-signature'] as string;
let signature;
if ('x-hub-signature-256' in headers) {
signature = headers['x-hub-signature-256'] as string;
} else {
signature = headers['x-hub-signature'] as string;
}
if (!signature) {
logger.error(
"Github event doesn't have signature. This webhook requires a secret to be configured.",
Expand Down

0 comments on commit 9c3e495

Please sign in to comment.