actionhook 1.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.github/workflows/gempush.yml +29 -0
- data/.github/workflows/ruby.yml +24 -0
- data/.gitignore +8 -0
- data/.rspec +1 -0
- data/CODE_OF_CONDUCT.md +74 -0
- data/Gemfile +6 -0
- data/Gemfile.lock +46 -0
- data/LICENSE.txt +21 -0
- data/README.md +93 -0
- data/Rakefile +5 -0
- data/actionhook.gemspec +29 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/lib/actionhook/core/configuration.rb +44 -0
- data/lib/actionhook/core/json_request.rb +19 -0
- data/lib/actionhook/core/net_http_sender.rb +53 -0
- data/lib/actionhook/core/request.rb +29 -0
- data/lib/actionhook/security/authentication.rb +49 -0
- data/lib/actionhook/security/fingerprinting.rb +13 -0
- data/lib/actionhook/security/headers.rb +22 -0
- data/lib/actionhook/security/ip_blocking.rb +61 -0
- data/lib/actionhook/version.rb +3 -0
- data/lib/actionhook.rb +30 -0
- metadata +96 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: b8906ab0fc939ebb202c2a2167749e518e3b8b40eaf0dabc0a035e49e4623af2
|
4
|
+
data.tar.gz: 68a6529a569dc4b846fee304c163ceb51177d6613d6e69ea3d7969b877a539d7
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 9acaf26f59b067a688dcfb0be699707aace42348ab2edab9dbfcee4ca82ca626b03d7a67e349af8e24f9e1b0a41be8a0898a46b4b9778180763a554e3e693b32
|
7
|
+
data.tar.gz: aada13e18f5a9be0339873d9503f995f2b283367495a97e450be70cad6d78a0d6195c76a4c479039420cdbc850df6d19c31007671e3bc88708d9667fc5fe8cd9
|
@@ -0,0 +1,29 @@
|
|
1
|
+
name: Ruby Gem
|
2
|
+
|
3
|
+
on:
|
4
|
+
push:
|
5
|
+
tags:
|
6
|
+
- v*
|
7
|
+
|
8
|
+
jobs:
|
9
|
+
build:
|
10
|
+
name: Build + Publish
|
11
|
+
runs-on: ubuntu-latest
|
12
|
+
|
13
|
+
steps:
|
14
|
+
- uses: actions/checkout@v2
|
15
|
+
- name: Set up Ruby 2.6
|
16
|
+
uses: actions/setup-ruby@v1
|
17
|
+
with:
|
18
|
+
version: 2.6.x
|
19
|
+
|
20
|
+
- name: Publish to RubyGems
|
21
|
+
run: |
|
22
|
+
mkdir -p $HOME/.gem
|
23
|
+
touch $HOME/.gem/credentials
|
24
|
+
chmod 0600 $HOME/.gem/credentials
|
25
|
+
printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
|
26
|
+
gem build *.gemspec
|
27
|
+
gem push *.gem
|
28
|
+
env:
|
29
|
+
GEM_HOST_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}}
|
@@ -0,0 +1,24 @@
|
|
1
|
+
name: Ruby
|
2
|
+
|
3
|
+
on:
|
4
|
+
push:
|
5
|
+
branches: [ master ]
|
6
|
+
pull_request:
|
7
|
+
branches: [ master ]
|
8
|
+
|
9
|
+
jobs:
|
10
|
+
build:
|
11
|
+
|
12
|
+
runs-on: ubuntu-latest
|
13
|
+
|
14
|
+
steps:
|
15
|
+
- uses: actions/checkout@v2
|
16
|
+
- name: Set up Ruby 2.6
|
17
|
+
uses: actions/setup-ruby@v1
|
18
|
+
with:
|
19
|
+
ruby-version: 2.6.x
|
20
|
+
- name: Build and test with Rake
|
21
|
+
run: |
|
22
|
+
gem install bundler
|
23
|
+
bundle install --jobs 4 --retry 3
|
24
|
+
bundle exec rake
|
data/.gitignore
ADDED
data/.rspec
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--require spec_helper
|
data/CODE_OF_CONDUCT.md
ADDED
@@ -0,0 +1,74 @@
|
|
1
|
+
# Contributor Covenant Code of Conduct
|
2
|
+
|
3
|
+
## Our Pledge
|
4
|
+
|
5
|
+
In the interest of fostering an open and welcoming environment, we as
|
6
|
+
contributors and maintainers pledge to making participation in our project and
|
7
|
+
our community a harassment-free experience for everyone, regardless of age, body
|
8
|
+
size, disability, ethnicity, gender identity and expression, level of experience,
|
9
|
+
nationality, personal appearance, race, religion, or sexual identity and
|
10
|
+
orientation.
|
11
|
+
|
12
|
+
## Our Standards
|
13
|
+
|
14
|
+
Examples of behavior that contributes to creating a positive environment
|
15
|
+
include:
|
16
|
+
|
17
|
+
* Using welcoming and inclusive language
|
18
|
+
* Being respectful of differing viewpoints and experiences
|
19
|
+
* Gracefully accepting constructive criticism
|
20
|
+
* Focusing on what is best for the community
|
21
|
+
* Showing empathy towards other community members
|
22
|
+
|
23
|
+
Examples of unacceptable behavior by participants include:
|
24
|
+
|
25
|
+
* The use of sexualized language or imagery and unwelcome sexual attention or
|
26
|
+
advances
|
27
|
+
* Trolling, insulting/derogatory comments, and personal or political attacks
|
28
|
+
* Public or private harassment
|
29
|
+
* Publishing others' private information, such as a physical or electronic
|
30
|
+
address, without explicit permission
|
31
|
+
* Other conduct which could reasonably be considered inappropriate in a
|
32
|
+
professional setting
|
33
|
+
|
34
|
+
## Our Responsibilities
|
35
|
+
|
36
|
+
Project maintainers are responsible for clarifying the standards of acceptable
|
37
|
+
behavior and are expected to take appropriate and fair corrective action in
|
38
|
+
response to any instances of unacceptable behavior.
|
39
|
+
|
40
|
+
Project maintainers have the right and responsibility to remove, edit, or
|
41
|
+
reject comments, commits, code, wiki edits, issues, and other contributions
|
42
|
+
that are not aligned to this Code of Conduct, or to ban temporarily or
|
43
|
+
permanently any contributor for other behaviors that they deem inappropriate,
|
44
|
+
threatening, offensive, or harmful.
|
45
|
+
|
46
|
+
## Scope
|
47
|
+
|
48
|
+
This Code of Conduct applies both within project spaces and in public spaces
|
49
|
+
when an individual is representing the project or its community. Examples of
|
50
|
+
representing a project or community include using an official project e-mail
|
51
|
+
address, posting via an official social media account, or acting as an appointed
|
52
|
+
representative at an online or offline event. Representation of a project may be
|
53
|
+
further defined and clarified by project maintainers.
|
54
|
+
|
55
|
+
## Enforcement
|
56
|
+
|
57
|
+
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
58
|
+
reported by contacting the project team at sohan39@gmail.com. All
|
59
|
+
complaints will be reviewed and investigated and will result in a response that
|
60
|
+
is deemed necessary and appropriate to the circumstances. The project team is
|
61
|
+
obligated to maintain confidentiality with regard to the reporter of an incident.
|
62
|
+
Further details of specific enforcement policies may be posted separately.
|
63
|
+
|
64
|
+
Project maintainers who do not follow or enforce the Code of Conduct in good
|
65
|
+
faith may face temporary or permanent repercussions as determined by other
|
66
|
+
members of the project's leadership.
|
67
|
+
|
68
|
+
## Attribution
|
69
|
+
|
70
|
+
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
|
71
|
+
available at [https://contributor-covenant.org/version/1/4][version]
|
72
|
+
|
73
|
+
[homepage]: https://contributor-covenant.org
|
74
|
+
[version]: https://contributor-covenant.org/version/1/4/
|
data/Gemfile
ADDED
data/Gemfile.lock
ADDED
@@ -0,0 +1,46 @@
|
|
1
|
+
PATH
|
2
|
+
remote: .
|
3
|
+
specs:
|
4
|
+
actionhook (1.0.0)
|
5
|
+
|
6
|
+
GEM
|
7
|
+
remote: https://rubygems.org/
|
8
|
+
specs:
|
9
|
+
addressable (2.7.0)
|
10
|
+
public_suffix (>= 2.0.2, < 5.0)
|
11
|
+
crack (0.4.3)
|
12
|
+
safe_yaml (~> 1.0.0)
|
13
|
+
diff-lcs (1.3)
|
14
|
+
hashdiff (0.3.8)
|
15
|
+
public_suffix (4.0.1)
|
16
|
+
rake (12.3.3)
|
17
|
+
rspec (3.9.0)
|
18
|
+
rspec-core (~> 3.9.0)
|
19
|
+
rspec-expectations (~> 3.9.0)
|
20
|
+
rspec-mocks (~> 3.9.0)
|
21
|
+
rspec-core (3.9.0)
|
22
|
+
rspec-support (~> 3.9.0)
|
23
|
+
rspec-expectations (3.9.0)
|
24
|
+
diff-lcs (>= 1.2.0, < 2.0)
|
25
|
+
rspec-support (~> 3.9.0)
|
26
|
+
rspec-mocks (3.9.0)
|
27
|
+
diff-lcs (>= 1.2.0, < 2.0)
|
28
|
+
rspec-support (~> 3.9.0)
|
29
|
+
rspec-support (3.9.0)
|
30
|
+
safe_yaml (1.0.5)
|
31
|
+
webmock (3.4.2)
|
32
|
+
addressable (>= 2.3.6)
|
33
|
+
crack (>= 0.3.2)
|
34
|
+
hashdiff
|
35
|
+
|
36
|
+
PLATFORMS
|
37
|
+
ruby
|
38
|
+
|
39
|
+
DEPENDENCIES
|
40
|
+
actionhook!
|
41
|
+
rake (~> 12.0)
|
42
|
+
rspec
|
43
|
+
webmock
|
44
|
+
|
45
|
+
BUNDLED WITH
|
46
|
+
2.1.4
|
data/LICENSE.txt
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
The MIT License (MIT)
|
2
|
+
|
3
|
+
Copyright (c) 2020 smsohan
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in
|
13
|
+
all copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
21
|
+
THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,93 @@
|
|
1
|
+
# Why?
|
2
|
+
|
3
|
+
`ActionHook` is a drop-in library for sending webhooks. You specify the content and destination, `ActionHook` takes care of securely delivering it.
|
4
|
+
|
5
|
+
|
6
|
+
## Build Status
|
7
|
+
|
8
|
+
![Build](https://github.com/smsohan/actionhook/workflows/Ruby/badge.svg)
|
9
|
+
|
10
|
+
# Features:
|
11
|
+
|
12
|
+
- [x] **Core** Send webhooks
|
13
|
+
- [x] **Configuration** Timeout, IP blocking, etc.
|
14
|
+
- [x] **Security** Supports HTTP Basic, Token, and Bearer Token auth.
|
15
|
+
- [x] **Security** Blocks private IPs and allows custom IP blocking
|
16
|
+
- [x] **Security** 2-factor authentication using a secret for each receiver.
|
17
|
+
- [x] **Usability** Works seamlessly on Ruby on Rails. [Example](examples/actionhook-rails-example)
|
18
|
+
- [x] **Scale** Works seamlessly on AWS Lambda. [Example](examples/actionhook-aws-lambda-example)
|
19
|
+
- [x] **More** Logging
|
20
|
+
|
21
|
+
|
22
|
+
## Send Webhooks
|
23
|
+
|
24
|
+
```ruby
|
25
|
+
request = ActionHook::Core::JSONRequest.new(url: 'https://example.com',
|
26
|
+
method: :post, body: { hello: "world" }, headers: {})
|
27
|
+
|
28
|
+
ActionHook::Core::NetHttpSender.send(request)
|
29
|
+
```
|
30
|
+
|
31
|
+
## Configuration
|
32
|
+
|
33
|
+
All configurations are optional, only use these if you want to override the defaults.
|
34
|
+
You can set the following configs in `ActionHook.configuration` object.
|
35
|
+
|
36
|
+
|Name|Description|Default Value|
|
37
|
+
|---|---|---|
|
38
|
+
|`open_timeout` | `Net::HTTP` open timeout in seconds | `5` |
|
39
|
+
|`read_timeout` | `Net::HTTP` read timeout in seconds | `15`|
|
40
|
+
|`hash_header_name` | A HTTP Request header that contains the SHA256 fingerprint of the request body | `SHA256-FINGERPRINT` |
|
41
|
+
|`allow_private_ips` | If loopback or private IPs should be allowed as receiver | `false` |
|
42
|
+
|`blocked_ip_ranges` | Custom IP ranges to block, e.g. `%w{172.8.9.8/24}`| `[]`|
|
43
|
+
|
44
|
+
Instead of the global config using ActionHook.configuration, you can provide an instance of `ActionHook::Core::Configuration` to the `send` method. Please note that, global config will be ignored when you provide a configuration while calling `send`. Here's an example of providing a configuration while calling `send`.
|
45
|
+
|
46
|
+
```ruby
|
47
|
+
ActionHook::Core::NetHttpSender.send(request, ActionHook::Core::Configuration.new)
|
48
|
+
```
|
49
|
+
|
50
|
+
## Security: Authentication
|
51
|
+
|
52
|
+
ActionHook supports `Basic`, `Token`, and `BearerToken` authentication out of the box. You can assign one of these authentication methods to the request object as follows:
|
53
|
+
|
54
|
+
```ruby
|
55
|
+
basic = ActionHook::Security::Authentication::Basic.new(username: 'a_user', password: 'a_pass')
|
56
|
+
token = ActionHook::Security::Authentication::Token.new('a_token')
|
57
|
+
bearer_token = ActionHook::Security::Authentication::BearerToken.new('a_bearer_token')
|
58
|
+
|
59
|
+
request = ActionHook::Core::JSONRequest.new(url: 'https://example.com',
|
60
|
+
authentication: basic, # or token, bearer_token
|
61
|
+
)
|
62
|
+
```
|
63
|
+
|
64
|
+
## Security: 2-Factor Authentication: Hashing With a Secure Key
|
65
|
+
|
66
|
+
You can generate secure key for each receiving endpoint and pass it to `ActionHook`
|
67
|
+
for adding a 2-factor authentication. Using this this key, `ActionHook` will automatically add the `SHA256-FINGERPRINT` header to the webhook. The receiver can compute the SHA256 digest of the request body using the same secret to verify the sender and message integrity.
|
68
|
+
|
69
|
+
```ruby
|
70
|
+
request = ActionHook::Core::JSONRequest.new(url: 'https://example.com',
|
71
|
+
secret: '<Your Secret For This Hook>', # Remember to provide your secret
|
72
|
+
method: :post, body: { hello: "world" }, headers: {})
|
73
|
+
|
74
|
+
ActionHook::Core::NetHttpSender.send(request)
|
75
|
+
```
|
76
|
+
|
77
|
+
## Security: IP Blocking
|
78
|
+
|
79
|
+
When a request is blocked due to private IP, `send` raises `ActionHook::Security::IPBlocking::PrivateIPError`.
|
80
|
+
When a request is blocked due to the `blocked_ip_ranges`, `send` raises `ActionHook::Security::IPBlocking::BlockedRequestError`.
|
81
|
+
In both cases, the error message includes necessary context for debugging / logging.
|
82
|
+
|
83
|
+
## Logging
|
84
|
+
|
85
|
+
You should pass an instance of `Logger` to put all `ActionLog`. Otherwise, logs are written into `STDOUT`.
|
86
|
+
|
87
|
+
```ruby
|
88
|
+
# For example, in Rails, you can pass the Rails logger in an initializer
|
89
|
+
# config/initializers/actionhook_initializer.rb
|
90
|
+
|
91
|
+
ActionHook.logger = Rails.logger
|
92
|
+
```
|
93
|
+
For debugging, you can set the log level to `debug` for detailed information. Even in debug, the secure header values aren't logged, only the header names are mentioned.
|
data/Rakefile
ADDED
data/actionhook.gemspec
ADDED
@@ -0,0 +1,29 @@
|
|
1
|
+
require_relative 'lib/actionhook/version'
|
2
|
+
|
3
|
+
Gem::Specification.new do |spec|
|
4
|
+
spec.name = "actionhook"
|
5
|
+
spec.version = ActionHook::VERSION
|
6
|
+
spec.authors = ["smsohan"]
|
7
|
+
spec.email = ["sohan39@gmail.com"]
|
8
|
+
|
9
|
+
spec.summary = %q{Drop-in library for sending webhooks}
|
10
|
+
spec.description = %q{Use this library to send webhooks from your application}
|
11
|
+
spec.homepage = "https://github.com/smsohan/actionhook"
|
12
|
+
spec.license = "MIT"
|
13
|
+
spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
|
14
|
+
|
15
|
+
spec.metadata["homepage_uri"] = spec.homepage
|
16
|
+
spec.metadata["source_code_uri"] = "https://github.com/smsohan/actionhook"
|
17
|
+
|
18
|
+
# Specify which files should be added to the gem when it is released.
|
19
|
+
# The `git ls-files -z` loads the files in the RubyGem that have been added into git.
|
20
|
+
spec.files = Dir.chdir(File.expand_path('..', __FILE__)) do
|
21
|
+
`git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features|examples)/}) }
|
22
|
+
end
|
23
|
+
spec.bindir = "exe"
|
24
|
+
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
25
|
+
spec.require_paths = ["lib"]
|
26
|
+
|
27
|
+
spec.add_development_dependency 'rspec'
|
28
|
+
spec.add_development_dependency 'webmock'
|
29
|
+
end
|
data/bin/console
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require "bundler/setup"
|
4
|
+
require "actionhook"
|
5
|
+
|
6
|
+
# You can add fixtures and/or initialization code here to make experimenting
|
7
|
+
# with your gem easier. You can also use a different console, if you like.
|
8
|
+
|
9
|
+
# (If you use this, don't forget to add pry to your Gemfile!)
|
10
|
+
# require "pry"
|
11
|
+
# Pry.start
|
12
|
+
|
13
|
+
require "irb"
|
14
|
+
IRB.start(__FILE__)
|
data/bin/setup
ADDED
@@ -0,0 +1,44 @@
|
|
1
|
+
module ActionHook
|
2
|
+
module Core
|
3
|
+
|
4
|
+
class Configuration
|
5
|
+
|
6
|
+
DEFAULT_OPEN_TIMEOUT_IN_SECONDS = 5
|
7
|
+
DEFAULT_READ_TIMEOUT_IN_SECONDS = 15
|
8
|
+
DEFAULT_HASH_HEADER_NAME = 'SHA256-FINGERPRINT'
|
9
|
+
attr_accessor :open_timeout, :read_timeout, :hash_header_name,
|
10
|
+
:allow_private_ips
|
11
|
+
|
12
|
+
attr_writer :blocked_custom_ip_ranges
|
13
|
+
|
14
|
+
def initialize(open_timeout: DEFAULT_OPEN_TIMEOUT_IN_SECONDS,
|
15
|
+
read_timeout: DEFAULT_READ_TIMEOUT_IN_SECONDS,
|
16
|
+
hash_header_name: DEFAULT_HASH_HEADER_NAME,
|
17
|
+
allow_private_ips: false,
|
18
|
+
blocked_custom_ip_ranges: []
|
19
|
+
)
|
20
|
+
@open_timeout = open_timeout
|
21
|
+
@read_timeout = read_timeout
|
22
|
+
@hash_header_name = hash_header_name
|
23
|
+
@allow_private_ips = allow_private_ips
|
24
|
+
@blocked_custom_ip_ranges = blocked_custom_ip_ranges || []
|
25
|
+
end
|
26
|
+
|
27
|
+
def net_http_options
|
28
|
+
{
|
29
|
+
open_timeout: @open_timeout,
|
30
|
+
read_timeout: @read_timeout
|
31
|
+
}
|
32
|
+
end
|
33
|
+
|
34
|
+
def blocked_custom_ip_ranges
|
35
|
+
@memoized_blocked_custom_ip_ranges ||= @blocked_custom_ip_ranges&.map{|ip| IPAddr.new(ip)} || []
|
36
|
+
end
|
37
|
+
|
38
|
+
def allow_all?
|
39
|
+
allow_private_ips && blocked_custom_ip_ranges.empty?
|
40
|
+
end
|
41
|
+
|
42
|
+
end
|
43
|
+
end
|
44
|
+
end
|
@@ -0,0 +1,19 @@
|
|
1
|
+
require 'json'
|
2
|
+
module ActionHook
|
3
|
+
module Core
|
4
|
+
class JSONRequest < Request
|
5
|
+
|
6
|
+
def serialized_body
|
7
|
+
return @serialized_body if @serialized_body
|
8
|
+
|
9
|
+
if body.is_a?(Hash) || body.is_a?(Array)
|
10
|
+
@serialized_body = JSON.generate(body)
|
11
|
+
else
|
12
|
+
super
|
13
|
+
end
|
14
|
+
|
15
|
+
end
|
16
|
+
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
@@ -0,0 +1,53 @@
|
|
1
|
+
require 'net/http'
|
2
|
+
require 'actionhook/security/ip_blocking'
|
3
|
+
|
4
|
+
|
5
|
+
module ActionHook
|
6
|
+
|
7
|
+
module Core
|
8
|
+
|
9
|
+
|
10
|
+
class NetHTTPSender
|
11
|
+
extend ActionHook::Security::IPBlocking
|
12
|
+
|
13
|
+
def self.request_method_class(method)
|
14
|
+
case method
|
15
|
+
when :post then Net::HTTP::Post
|
16
|
+
when :get then Net::HTTP::Get
|
17
|
+
when :delete then Net::HTTP::Delete
|
18
|
+
when :put then Net::HTTP::Put
|
19
|
+
else raise ArgumentError, "Invalid method #{method} is used"
|
20
|
+
end
|
21
|
+
end
|
22
|
+
|
23
|
+
def self.send(request, configuration = ActionHook.configuration)
|
24
|
+
ActionHook.logger.info "[ActionHook] Send called for #{request.method.upcase} to #{request.uri}"
|
25
|
+
|
26
|
+
ActionHook.logger.debug "[ActonHook] Using configuration: #{configuration.inspect}"
|
27
|
+
ActionHook.logger.debug "[ActonHook] using net/http options #{configuration.net_http_options}"
|
28
|
+
|
29
|
+
verify_allowed!(configuration, request.uri.host)
|
30
|
+
ActionHook.logger.debug "[ActonHook] #{request.uri.host} is clear, not blocked"
|
31
|
+
|
32
|
+
options = { use_ssl: request.uri.scheme == 'https' }.merge(configuration.net_http_options)
|
33
|
+
Net::HTTP.start(request.uri.host, request.uri.port, options) do |http|
|
34
|
+
http_request = request_method_class(request.method).new request.uri
|
35
|
+
http_request.body = request.serialized_body if request.body
|
36
|
+
|
37
|
+
ActionHook.logger.debug "[ActonHook] Body: #{http_request.body}"
|
38
|
+
|
39
|
+
request.headers_with_security(configuration)&.each_pair do |name, value|
|
40
|
+
ActionHook.logger.debug "[ActonHook] Added Security Header: #{name}"
|
41
|
+
http_request[name] = value.to_s
|
42
|
+
end
|
43
|
+
|
44
|
+
http.request http_request
|
45
|
+
end
|
46
|
+
|
47
|
+
end
|
48
|
+
|
49
|
+
end
|
50
|
+
|
51
|
+
end
|
52
|
+
|
53
|
+
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
require 'actionhook/security/headers'
|
2
|
+
|
3
|
+
module ActionHook
|
4
|
+
module Core
|
5
|
+
class Request
|
6
|
+
include ActionHook::Security::Headers
|
7
|
+
|
8
|
+
attr_accessor :url, :method, :body, :headers, :secret, :authentication
|
9
|
+
|
10
|
+
def initialize(url:, method: :post, body: nil, headers: {}, secret: nil, authentication: nil)
|
11
|
+
@url = url
|
12
|
+
@method = method
|
13
|
+
@body = body
|
14
|
+
@headers = headers || {}
|
15
|
+
@secret = secret
|
16
|
+
@authentication = authentication
|
17
|
+
end
|
18
|
+
|
19
|
+
def serialized_body
|
20
|
+
@body
|
21
|
+
end
|
22
|
+
|
23
|
+
def uri
|
24
|
+
@uri ||= URI.parse(url)
|
25
|
+
end
|
26
|
+
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
@@ -0,0 +1,49 @@
|
|
1
|
+
require 'base64'
|
2
|
+
|
3
|
+
module ActionHook
|
4
|
+
module Security
|
5
|
+
module Authentication
|
6
|
+
|
7
|
+
class Base
|
8
|
+
|
9
|
+
def to_h
|
10
|
+
{ "Authorization" => header_value }
|
11
|
+
end
|
12
|
+
|
13
|
+
end
|
14
|
+
|
15
|
+
class Token < Base
|
16
|
+
attr_accessor :token
|
17
|
+
def initialize(token)
|
18
|
+
@token = token
|
19
|
+
end
|
20
|
+
|
21
|
+
def header_value
|
22
|
+
"Token #{token}"
|
23
|
+
end
|
24
|
+
end
|
25
|
+
|
26
|
+
class BearerToken < Token
|
27
|
+
def header_value
|
28
|
+
"Bearer #{token}"
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
class Basic < Base
|
33
|
+
attr_accessor :username, :password
|
34
|
+
|
35
|
+
def initialize(username:, password:)
|
36
|
+
@username = username
|
37
|
+
@password = password
|
38
|
+
end
|
39
|
+
|
40
|
+
def header_value
|
41
|
+
encoded = Base64.strict_encode64("#{username}:#{password}")
|
42
|
+
"Basic #{encoded}"
|
43
|
+
end
|
44
|
+
|
45
|
+
end
|
46
|
+
|
47
|
+
end
|
48
|
+
end
|
49
|
+
end
|
@@ -0,0 +1,22 @@
|
|
1
|
+
require_relative './fingerprinting'
|
2
|
+
|
3
|
+
module ActionHook
|
4
|
+
module Security
|
5
|
+
module Headers
|
6
|
+
include ActionHook::Security::Fingerprinting
|
7
|
+
|
8
|
+
def headers_with_security(configuration)
|
9
|
+
headers_with_security = headers.dup
|
10
|
+
|
11
|
+
if digest = fingerprint
|
12
|
+
headers_with_security.merge!(configuration.hash_header_name => digest)
|
13
|
+
end
|
14
|
+
|
15
|
+
headers_with_security.merge!(authentication.to_h) if authentication
|
16
|
+
|
17
|
+
headers_with_security
|
18
|
+
end
|
19
|
+
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
@@ -0,0 +1,61 @@
|
|
1
|
+
require 'resolv'
|
2
|
+
|
3
|
+
module ActionHook
|
4
|
+
module Security
|
5
|
+
module IPBlocking
|
6
|
+
|
7
|
+
# This is a crucial security feature for sending webhooks. By default, sending webhooks to loopback
|
8
|
+
# interfaces or to the private IP space is blocked. In production, it __should__ remain blocked.
|
9
|
+
|
10
|
+
# If the destination host is an IP address, it's a security risk anyway since you can't have TLS.
|
11
|
+
|
12
|
+
# If the destination host is a domain name, we'll attempt to resolve each of the IP addresses that
|
13
|
+
# resolve the domain name and block the webhook based on the configuration.
|
14
|
+
|
15
|
+
class BlockedRequestError < StandardError
|
16
|
+
end
|
17
|
+
|
18
|
+
class PrivateIPError < StandardError
|
19
|
+
end
|
20
|
+
|
21
|
+
def verify_allowed!(configuration, hostname_or_ip)
|
22
|
+
return if configuration.allow_all?
|
23
|
+
|
24
|
+
begin
|
25
|
+
verify_ip_allowed!(configuration, IPAddr.new(hostname_or_ip))
|
26
|
+
rescue IPAddr::InvalidAddressError
|
27
|
+
verify_hostname_allowed!(configuration, hostname_or_ip)
|
28
|
+
end
|
29
|
+
|
30
|
+
end
|
31
|
+
|
32
|
+
protected
|
33
|
+
|
34
|
+
def verify_ip_allowed!(configuration, ip, host = ip)
|
35
|
+
if !configuration.allow_private_ips && (ip.private? || ip.loopback?)
|
36
|
+
raise PrivateIPError.new("Host: #{host} IP: #{ip} is private")
|
37
|
+
end
|
38
|
+
|
39
|
+
if configuration.blocked_custom_ip_ranges
|
40
|
+
found = configuration.blocked_custom_ip_ranges.find{|range| range.include?(ip) }
|
41
|
+
if found
|
42
|
+
raise BlockedRequestError.new("Host: #{host} IP: #{ip} is part of the blocked range: #{found}")
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
def verify_hostname_allowed!(configuration, hostname)
|
48
|
+
#TODO: Find out of Resolv looks up all kinds of DNS records and if it can be improved by limiting the DNS record types
|
49
|
+
Resolv.each_address(hostname) do |ip|
|
50
|
+
begin
|
51
|
+
#TODO: Add logging
|
52
|
+
verify_ip_allowed!(configuration, IPAddr.new(ip), hostname)
|
53
|
+
rescue IPAddr::InvalidAddressError
|
54
|
+
#TODO: ADD logging
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
|
59
|
+
end
|
60
|
+
end
|
61
|
+
end
|
data/lib/actionhook.rb
ADDED
@@ -0,0 +1,30 @@
|
|
1
|
+
require 'logger'
|
2
|
+
require "ipaddr"
|
3
|
+
require "actionhook/version"
|
4
|
+
require "actionhook/core/configuration"
|
5
|
+
require "actionhook/security/authentication"
|
6
|
+
require "actionhook/core/request"
|
7
|
+
require "actionhook/core/json_request"
|
8
|
+
require "actionhook/core/net_http_sender"
|
9
|
+
|
10
|
+
module ActionHook
|
11
|
+
class Error < StandardError; end
|
12
|
+
|
13
|
+
DEFAULT_CONFIGURATION = ActionHook::Core::Configuration.new
|
14
|
+
|
15
|
+
def self.logger=(logger)
|
16
|
+
@logger = logger
|
17
|
+
end
|
18
|
+
|
19
|
+
def self.logger
|
20
|
+
@logger ||= Logger.new(STDOUT)
|
21
|
+
end
|
22
|
+
|
23
|
+
def self.configuration=(configuration)
|
24
|
+
@configuration = configuration
|
25
|
+
end
|
26
|
+
|
27
|
+
def self.configuration
|
28
|
+
@configuration || DEFAULT_CONFIGURATION
|
29
|
+
end
|
30
|
+
end
|
metadata
ADDED
@@ -0,0 +1,96 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: actionhook
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 1.0.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- smsohan
|
8
|
+
autorequire:
|
9
|
+
bindir: exe
|
10
|
+
cert_chain: []
|
11
|
+
date: 2020-04-12 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: rspec
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - ">="
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '0'
|
20
|
+
type: :development
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - ">="
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '0'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: webmock
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - ">="
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '0'
|
34
|
+
type: :development
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - ">="
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '0'
|
41
|
+
description: Use this library to send webhooks from your application
|
42
|
+
email:
|
43
|
+
- sohan39@gmail.com
|
44
|
+
executables: []
|
45
|
+
extensions: []
|
46
|
+
extra_rdoc_files: []
|
47
|
+
files:
|
48
|
+
- ".github/workflows/gempush.yml"
|
49
|
+
- ".github/workflows/ruby.yml"
|
50
|
+
- ".gitignore"
|
51
|
+
- ".rspec"
|
52
|
+
- CODE_OF_CONDUCT.md
|
53
|
+
- Gemfile
|
54
|
+
- Gemfile.lock
|
55
|
+
- LICENSE.txt
|
56
|
+
- README.md
|
57
|
+
- Rakefile
|
58
|
+
- actionhook.gemspec
|
59
|
+
- bin/console
|
60
|
+
- bin/setup
|
61
|
+
- lib/actionhook.rb
|
62
|
+
- lib/actionhook/core/configuration.rb
|
63
|
+
- lib/actionhook/core/json_request.rb
|
64
|
+
- lib/actionhook/core/net_http_sender.rb
|
65
|
+
- lib/actionhook/core/request.rb
|
66
|
+
- lib/actionhook/security/authentication.rb
|
67
|
+
- lib/actionhook/security/fingerprinting.rb
|
68
|
+
- lib/actionhook/security/headers.rb
|
69
|
+
- lib/actionhook/security/ip_blocking.rb
|
70
|
+
- lib/actionhook/version.rb
|
71
|
+
homepage: https://github.com/smsohan/actionhook
|
72
|
+
licenses:
|
73
|
+
- MIT
|
74
|
+
metadata:
|
75
|
+
homepage_uri: https://github.com/smsohan/actionhook
|
76
|
+
source_code_uri: https://github.com/smsohan/actionhook
|
77
|
+
post_install_message:
|
78
|
+
rdoc_options: []
|
79
|
+
require_paths:
|
80
|
+
- lib
|
81
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
82
|
+
requirements:
|
83
|
+
- - ">="
|
84
|
+
- !ruby/object:Gem::Version
|
85
|
+
version: 2.3.0
|
86
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
87
|
+
requirements:
|
88
|
+
- - ">="
|
89
|
+
- !ruby/object:Gem::Version
|
90
|
+
version: '0'
|
91
|
+
requirements: []
|
92
|
+
rubygems_version: 3.0.3
|
93
|
+
signing_key:
|
94
|
+
specification_version: 4
|
95
|
+
summary: Drop-in library for sending webhooks
|
96
|
+
test_files: []
|