add gh app

2bf16413 · Guilhem Saurel · 980a97bc · 2bf16413 · 2bf16413 · 2bf16413
Commit 2bf16413 authored Feb 24, 2020 by Guilhem Saurel
--- a/dashboard/middleware.py
+++ b/dashboard/middleware.py
@@ -3,7 +3,6 @@ from ipaddress import ip_address, ip_network
 from django.conf import settings
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.shortcuts import reverse
-
 from rest_framework import permissions


@@ -22,7 +21,8 @@ class LAASPermsMiddleware:
        or if the user is authenticated,
        or if the request comes from a trusted IP.
        """
-        allowed = (request.path.startswith('/admin/') or request.path.startswith('/accounts/')
+        ALLOWED_URLS = ('admin', 'accounts', 'gh')
+        allowed = (any(request.path.startswith(f'/{url}/') for url in ALLOWED_URLS)
                   or request.user and request.user.is_authenticated
                   or request.method in permissions.SAFE_METHODS and ip_laas(request))


--- a/dashboard/settings.py
+++ b/dashboard/settings.py
@@ -46,6 +46,7 @@ INSTALLED_APPS = [
    'bootstrap4',
    'ndh',
    'rainboard',
+    'gh',
 ]

 MIDDLEWARE = [
@@ -160,6 +161,7 @@ RAINBOARD_RPKG = RAINBOARD_DATA / 'robotpkg'
 PRIVATE_REGISTRY = 'gepgitlab.laas.fr:4567'
 PUBLIC_REGISTRY = 'memmos.laas.fr:5000'
 GITHUB_USER = 'hrp2-14'
+GITHUB_WEBHOOK_KEY = os.environ['GITHUB_WEBHOOK_KEY']

 AUTHENTICATION_BACKENDS = ["django_auth_ldap.backend.LDAPBackend"]


--- a/dashboard/urls.py
+++ b/dashboard/urls.py
@@ -6,5 +6,6 @@ from django.contrib import admin
 urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^accounts/', include('django.contrib.auth.urls')),
+    url(r'gh/', include('gh.urls')),
    url(r'', include('rainboard.urls')),
 ] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
--- a/gh/__init__.py
+++ b/gh/__init__.py
+"""Module for github app."""
--- a/gh/admin.py
+++ b/gh/admin.py
+from django.contrib import admin
+
+# Register your models here.
--- a/gh/apps.py
+++ b/gh/apps.py
+from django.apps import AppConfig
+
+
+class GhConfig(AppConfig):
+    name = 'gh'
--- a/gh/migrations/__init__.py
+++ b/gh/migrations/__init__.py
--- a/gh/models.py
+++ b/gh/models.py
+from django.db import models
+
+# Create your models here.
--- a/gh/tests.py
+++ b/gh/tests.py
+from django.test import TestCase
+
+# Create your tests here.
--- a/gh/urls.py
+++ b/gh/urls.py
+"""URLs for Github."""
+
+from django.urls import path
+
+from . import views
+
+urlpatterns = [
+    path('user-authorization-callback', views.log),
+    path('webhook', views.webhook),
+    path('', views.log),
+]
--- a/gh/views.py
+++ b/gh/views.py
+"""Views for dashboard_apps."""
+import hmac
+from hashlib import sha1
+from ipaddress import ip_address, ip_network
+
+import requests
+from django.conf import settings
+from django.http import HttpRequest
+from django.http.response import HttpResponse, HttpResponseForbidden, HttpResponseServerError
+from django.utils.encoding import force_bytes
+from django.views.decorators.csrf import csrf_exempt
+
+
+def log(request: HttpRequest, rep: str = 'ok') -> HttpResponse:
+    """Just print everything out."""
+    print(f'{request = }')
+    print(f'{request.scheme = }')
+    print(f'{request.body = }')
+    print(f'{request.path = }')
+    print(f'{request.path_info = }')
+    print(f'{request.method = }')
+    print(f'{request.encoding = }')
+    print(f'{request.content_type = }')
+    print(f'{request.content_params = }')
+    print(f'{request.GET = }')
+    print(f'{request.POST = }')
+    print(f'{request.COOKIES = }')
+    print(f'{request.META = }')
+    print(f'{request.headers = }')
+    return HttpResponse(rep)
+
+
+@csrf_exempt
+def webhook(request: HttpRequest) -> HttpResponse:
+    """
+    Process request incoming from a github webhook.
+
+    thx https://simpleisbetterthancomplex.com/tutorial/2016/10/31/how-to-handle-github-webhooks-using-django.html
+    """
+    # validate ip source
+    forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
+    networks = requests.get('https://api.github.com/meta').json()['hooks']
+    if any(ip_address(forwarded_for) in ip_network(net) for net in networks):
+        print('from github IP')
+    else:
+        print('not from github IP')
+
+    # validate signature
+    signature = request.META.get('HTTP_X_HUB_SIGNATURE')
+    if signature is None:
+        print('no signature')
+    else:
+        algo, signature = signature.split('=')
+        if algo != 'sha1':
+            return HttpResponseServerError('I only speak sha1.', status=501)
+
+        mac = hmac.new(force_bytes(settings.GITHUB_WEBHOOK_KEY), msg=force_bytes(request.body), digestmod=sha1)
+        if not hmac.compare_digest(force_bytes(mac.hexdigest()), force_bytes(signature)):
+            return HttpResponseForbidden('wrong signature.')
+
+    # process event
+    event = request.META.get('HTTP_X_GITHUB_EVENT', 'ping')
+    if event == 'ping':
+        return log(request, 'pong')
+    if event == 'push':
+        return log(request, 'push event detected')
+
+    return log(request, event)