fluent-plugin-webhook-github 0.0.1 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7e923883115c0db82c6949857520454371405355
-  data.tar.gz: 411b18a816bddd71848bc803735eed69e1d159bc
+  metadata.gz: de9f951a5814c20c8c607c6bee818f7d2c05f199
+  data.tar.gz: 2096cb5f1e9da7bec2661639c3d4a626aa8cd411
 SHA512:
-  metadata.gz: 9660b12470cbf52461c134aaa7ded8d1cc1d52cbdde763befe5552eb97c37e4e31c2c7b94472e518f967f81483cf7ce245d7b4e46254065f6646af99fc5406e8
-  data.tar.gz: 40d9b3f67dff59bc02c888c2a627455c4bc1c634c95eba1e978b708da106fd020e5a28292df8b0559de61873eec93cbfc0ff79dea8429be30d6642d588ccf388
+  metadata.gz: 6b985724b8552de1b4e9ea9d17303b165c5d9579dafcd30002b7005e8c7676928e0af7dc5acddd27d929d9b686103565c76e8859c77c7c4ffe228df9d4d70683
+  data.tar.gz: 44d0fa1289062639b4fe1c69e7b9e50e1a3437eb5ce1fbd4d508f08e6ab540c68a43c740dfa9a4d66740b38f4ba95862333a9ecba72a2c3d68496a650ad2c5fd

data/README.md

@@ -15,10 +15,13 @@ fluentd input plugin for incoming webhook from GitHub.
   type webhook_github
   tag gh
 
+  secret THE_SECRET_STRING_YOU_SET # the hook's secret. optional, but strongly recommended.
+
   # optional (values are default)
   bind 0.0.0.0
   port 8080
   mount /
+  with_payload false
 </source>
 
 <match gh.*>

data/Rakefile

@@ -1,2 +1,9 @@
 require "bundler/gem_tasks"
+require "rake/testtask"
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
 
+task :default => :test

data/VERSION

@@ -1 +1 @@
-0.0.1
+0.1.0

data/fluent-plugin-webhook-github.gemspec

@@ -18,6 +18,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_runtime_dependency "fluentd", "~> 0"
+  spec.add_runtime_dependency "secure_compare", "~> 0"
   spec.add_development_dependency "bundler", "~> 1.6"
   spec.add_development_dependency "rake"
 end

data/lib/fluent/plugin/in_webhook_github.rb

@@ -3,6 +3,8 @@
 require "thread"
 require "json"
 require 'fluent/process'
+require 'openssl'
+require 'secure_compare'
 
 module Fluent
   class WebhookGithubInput < Input
@@ -14,64 +16,85 @@ module Fluent
     config_param :bind, :string, :default => "0.0.0.0"
     config_param :port, :integer, :default => 8080
     config_param :mount, :string, :default => "/"
+    config_param :secret, :string, :default => nil
+    config_param :with_payload, :bool, :default => false
 
     def start
       @thread = Thread.new(&method(:run))
     end
 
     def shutdown
+      @server.shutdown
       Thread.kill(@thread)
     end
 
+    HMAC_DIGEST = OpenSSL::Digest.new('sha1')
+
     def run
-      server = WEBrick::HTTPServer.new(
+      @server = WEBrick::HTTPServer.new(
         :BindAddress => @bind,
         :Port => @port,
       )
       $log.debug "Listen on http://#{@bind}:#{@port}#{@mount}"
-      server.mount_proc(@mount) do |req, res|
+      @server.mount_proc(@mount) do |req, res|
         begin
           $log.debug req.header
-          payload = JSON.parse(req.body || "{}")
-          event = req.header["x-github-event"].first
-          process(event, payload)
-          res.status = 204
+
+          if verify_signature(req)
+            payload = JSON.parse(req.body || "{}")
+            event = req.header["x-github-event"].first
+            process(event, payload)
+            res.status = 204
+          else
+            res.status = 401
+          end
         rescue => e
           $log.error e.inspect
           $log.error e.backtrace.join("\n")
           res.status = 400
         end
       end
-      server.start
+      @server.start
+    end
+
+    def verify_signature(req)
+      return true unless @secret
+      sig = 'sha1='+OpenSSL::HMAC.hexdigest(HMAC_DIGEST, @secret, req.body)
+      SecureCompare.compare(sig, req.header["x-hub-signature"].first)
     end
 
     def process(event, payload)
       content = case event
       when "issue", "issue_comment"
         {
-          :url => payload["issue"]["html_url"],
-          :title => payload["issue"]["title"],
-          :user => payload["issue"]["user"]["login"],
-          :body => payload["comment"]["body"],
+          :url   => payload["issue"] && payload["issue"]["html_url"],
+          :title => payload["issue"] && payload["issue"]["title"],
+          :user  => payload["issue"] && payload["issue"]["user"]["login"],
+          :body  => payload["comment"] && payload["comment"]["body"],
         }
       when "pull_request"
         {
-          :url => payload["pull_request"]["html_url"],
-          :title => payload["pull_request"]["title"],
-          :user => payload["pull_request"]["user"]["login"],
-          :body => payload["pull_request"]["body"],
+          :url   => payload["pull_request"] && payload["pull_request"]["html_url"],
+          :title => payload["pull_request"] && payload["pull_request"]["title"],
+          :user  => payload["pull_request"] && payload["pull_request"]["user"]["login"],
+          :body  => payload["pull_request"] && payload["pull_request"]["body"],
         }
       when "pull_request_review_comment"
         {
-          :url => payload["comment"]["html_url"],
-          :title => payload["pull_request"]["title"],
-          :user => payload["comment"]["user"]["login"],
-          :body => payload["comment"]["body"],
+          :url   => payload["comment"] && payload["comment"]["html_url"],
+          :title => payload["pull_request"] && payload["pull_request"]["title"],
+          :user  => payload["comment"] && payload["comment"]["user"]["login"],
+          :body  => payload["comment"] && payload["comment"]["body"],
         }
+      else
+        {}
       end
+
       if content
         content[:origin] = "github"
-        $log.info "tag: #{@tag.dup}.#{event}, event:#{event}, content:#{content}" 
+        content[:event]  = event
+        content[:payload] = payload if @with_payload
+        $log.info "tag: #{@tag.dup}.#{event}, event:#{event}, content:#{content}"
         Engine.emit("#{@tag.dup}.#{event}", Engine.now, content) if content
       else
         $log.warn "unknown hook received #{event} #{payload.inspect}"

data/test/helper.rb

@@ -0,0 +1,24 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+require 'fluent/test'
+require 'fluent/plugin/in_webhook_github'
+
+def unused_port
+  s = TCPServer.open(0)
+  port = s.addr[1]
+  s.close
+  port
+end
+

data/test/plugin/test_in_webhook_github.rb

@@ -0,0 +1,172 @@
+require 'helper'
+require 'net/http'
+
+class GithubWebhookInputTest < Test::Unit::TestCase
+  def setup
+    Fluent::Test.setup
+  end
+
+  PORT = unused_port
+  CONFIG = %[
+    port #{PORT}
+    tag gwebhook
+  ]
+
+  def create_driver(conf=CONFIG, tag='test')
+    Fluent::Test::OutputTestDriver.new(Fluent::WebhookGithubInput, tag).configure(conf)
+  end
+
+  def test_configure
+    assert_raise(Fluent::ConfigError) {
+      d = create_driver('')
+    }
+    d = create_driver
+    assert_equal 'gwebhook', d.instance.tag
+    assert_equal PORT, d.instance.port
+    assert_equal '/', d.instance.mount
+    assert_equal '0.0.0.0', d.instance.bind
+  end
+
+  def test_basic
+    d = create_driver
+
+    time = Time.parse("2011-01-02 13:14:15 UTC").to_i
+    Fluent::Engine.now = time
+
+    d.expect_emit "gwebhook.issue", time, {
+      :event  => 'issue',
+      :url    => 'http://',
+      :title  => 'tttt',
+      :user   => 'Ore',
+      :body   => 'Karada',
+      :origin => 'github',
+    }
+
+    payload = {
+      'issue' => {
+        'html_url' => 'http://',
+        'title'    => 'tttt',
+        'user'     => {
+          'login' => 'Ore',
+        },
+      },
+      'comment' => {
+        'body' => 'Karada',
+      }
+    }
+
+    d.run do
+      d.expected_emits.each {|tag, time, record|
+        res = post("/", payload.to_json, {
+          'x-github-event' => 'issue',
+        })
+        assert_equal "204", res.code
+      }
+    end
+  end
+
+
+  def test_signature
+    d = create_driver(CONFIG + %[
+      secret secret1234
+    ])
+
+    time = Time.parse("2011-01-02 13:14:15 UTC").to_i
+    Fluent::Engine.now = time
+
+    d.expect_emit "gwebhook.issue", time, {
+      :event  => 'issue',
+      :url    => nil,
+      :title  => nil,
+      :user   => nil,
+      :body   => nil,
+      :origin => 'github',
+    }
+
+    d.run do
+      d.expected_emits.each {|tag, time, record|
+        res = post("/", '{"hoge":"fuga"}', {
+          'x-github-event'  => 'issue',
+          'x-hub-signature' => 'sha1=5ea783ea13c9feef6dbb9c8c805450e2ba1fb0c0',
+        })
+        assert_equal "204", res.code
+      }
+      res = post("/", '{"hoge":"fuga"}', {
+        'x-github-event'  => 'issue',
+        'x-hub-signature' => 'sha1=5ea783ea13c9feef6dbb9c8c805450e2ba1fb0c0-dummy',
+      })
+      assert_equal "401", res.code
+    end
+  end
+
+  def test_with_payload
+    d = create_driver(CONFIG + %[
+      with_payload true
+    ])
+
+    time = Time.parse("2011-01-02 13:14:15 UTC").to_i
+    Fluent::Engine.now = time
+
+    payload = {
+      'issue' => {
+        'html_url' => 'http://',
+        'title'    => 'tttt',
+        'user'     => {
+          'login' => 'Ore',
+        },
+      },
+      'comment' => {
+        'body' => 'Karada',
+      }
+    }
+
+    d.expect_emit "gwebhook.issue", time, {
+      :event   => 'issue',
+      :url     => 'http://',
+      :title   => 'tttt',
+      :user    => 'Ore',
+      :body    => 'Karada',
+      :origin  => 'github',
+      :payload => payload
+    }
+
+    payload_delete = {
+      'ref'         => 'simple-tag',
+      'ref_type'    => 'tag',
+      'pusher_type' => 'user',
+      'repository'  => {},
+      'sender'      => {
+        'login' => 'baxterthehacker',
+        'id'    => 6752317,
+      },
+    }
+
+    d.expect_emit "gwebhook.delete", time, {
+      :event   => 'delete',
+      :origin  => 'github',
+      :payload => payload_delete,
+    }
+
+    d.run do
+      d.expected_emits.each {|tag, time, record|
+        res = post("/", record[:payload].to_json, {
+          'x-github-event' => record[:event],
+        })
+        assert_equal "204", res.code
+      }
+    end
+  end
+
+
+  def post(path, params, header = {})
+    http = Net::HTTP.new("127.0.0.1", PORT)
+    req = Net::HTTP::Post.new(path, header)
+    if params.is_a?(String)
+      req.body = params
+    else
+      req.set_form_data(params)
+    end
+    http.request(req)
+  end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-webhook-github
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - uu59
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-07-06 00:00:00.000000000 Z
+date: 2014-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: secure_compare
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -67,6 +81,8 @@ files:
 - VERSION
 - fluent-plugin-webhook-github.gemspec
 - lib/fluent/plugin/in_webhook_github.rb
+- test/helper.rb
+- test/plugin/test_in_webhook_github.rb
 homepage: ''
 licenses:
 - MIT
@@ -91,4 +107,6 @@ rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: fluentd input plugin for receive GitHub webhook
-test_files: []
+test_files:
+- test/helper.rb
+- test/plugin/test_in_webhook_github.rb