txgh-server 2.4.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f70d20e0073d7671f6010e1dfd962c7e4758482d
-  data.tar.gz: 9d1167e2d2b25fdbde79051bc93c32535d3fec04
+  metadata.gz: 759f65691df917f6705c476c987285b4941b9343
+  data.tar.gz: ba32bd6e35a211fa01757d30609949fb48006f4f
 SHA512:
-  metadata.gz: b3a6abf97a38ed2e92d887ff03e38b5c4327f89816d3c8e87a99ec8f0300326262568f9c5755d08f4451b54fbafe652110dd7685b4c36c4464ffd8c8aa658920
-  data.tar.gz: 25147bc9bd2612a674869236fd13eb78b74aacb58edaf6e5bae058cfa6a97d789d314f21bb62c86ca5fb0840a3ec401153596e4e812058c76918b1cec9d567d5
+  metadata.gz: e5683453efde01a21ed1b3f9410a8ae11509764aeeee0323f320d0c4cb86ffa20526b6cb45b3bd04a9ecbce344fbee910cc4bb69a678bd5606381891e8362ec9
+  data.tar.gz: 07b1d539ddb62965a186b4987e7b4d1e315018e42a4dcd7e0af149877cc7d60df7ae18e7105d4e68629b844038c02b9acaa3178fd5ac451daca1e913cbfd98af

data/lib/txgh-server/github_request_auth.rb

@@ -9,12 +9,12 @@ module TxghServer
     class << self
       def authentic_request?(request, secret)
         request.body.rewind
-        expected_signature = header_value(request.body.read, secret)
+        expected_signature = compute_signature(request.body.read, secret)
         actual_signature = request.env[RACK_HEADER]
         actual_signature == expected_signature
       end
 
-      def header_value(content, secret)
+      def compute_signature(content, secret)
         "sha1=#{digest(content, secret)}"
       end
 

data/lib/txgh-server/transifex_request_auth.rb

@@ -1,22 +1,32 @@
+require 'json'
 require 'openssl'
 require 'base64'
 
 module TxghServer
   class TransifexRequestAuth
-    HMAC_DIGEST = OpenSSL::Digest.new('sha1')
-    RACK_HEADER = 'HTTP_X_TX_SIGNATURE'
-    TRANSIFEX_HEADER = 'X-TX-Signature'
+    HMAC_DIGEST = OpenSSL::Digest.new('sha256')
+    RACK_HEADER = 'HTTP_X_TX_SIGNATURE_V2'
+    TRANSIFEX_HEADER = 'X-TX-Signature-V2'
 
     class << self
       def authentic_request?(request, secret)
         request.body.rewind
-        expected_signature = header_value(request.body.read, secret)
+
+        expected_signature = compute_signature(
+          http_verb: request.request_method,
+          date_str: request.env['HTTP_DATE'],
+          url: request.env['HTTP_X_TX_URL'],
+          content: request.body.read,
+          secret: secret
+        )
+
         actual_signature = signature_from(request)
         actual_signature == expected_signature
       end
 
-      def header_value(content, secret)
-        digest(transform(content), secret)
+      def compute_signature(http_verb: 'POST', url:, date_str:, content:, secret:)
+        data = [http_verb, url, date_str, Digest::MD5.hexdigest(content)]
+        digest(data.join("\n"), secret)
       end
 
       def signature_from(request)
@@ -25,29 +35,6 @@ module TxghServer
 
       private
 
-      # In order to generate a correct HMAC hash, the request body must be
-      # parsed and made to look like a python map. If you're thinking that's
-      # weird, you're correct, but it's apparently expected behavior.
-      def transform(content)
-        params = URI.decode_www_form(content)
-
-        params = params.map do |key, val|
-          key = "'#{key}'"
-          val = interpret_val(val)
-          "#{key}: #{val}"
-        end
-
-        "{#{params.join(', ')}}"
-      end
-
-      def interpret_val(val)
-        if val =~ /\A[\d]+\z/
-          val
-        else
-          "u'#{val}'"
-        end
-      end
-
       def digest(content, secret)
         Base64.encode64(
           OpenSSL::HMAC.digest(HMAC_DIGEST, secret, content)

data/lib/txgh-server/version.rb

@@ -1,3 +1,3 @@
 module TxghServer
-  VERSION = '2.4.0'
+  VERSION = '3.0.0'
 end

data/lib/txgh-server/webhooks/transifex/request_handler.rb

@@ -1,4 +1,4 @@
-require 'uri'
+require 'json'
 
 module TxghServer
   module Webhooks
@@ -20,7 +20,10 @@ module TxghServer
         end
 
         def handle_request
-          publish_event
+          if publish_event
+            # the event handled the request
+            return respond_with(204, '')  # no content
+          end
 
           handle_safely do
             handler = TxghServer::Webhooks::Transifex::HookHandler.new(
@@ -38,13 +41,18 @@ module TxghServer
         private
 
         def publish_event
-          Txgh.events.publish(
-            'transifex.webhook_received', {
-              payload: payload,
-              raw_payload: raw_payload,
-              signature: TransifexRequestAuth.signature_from(request)
-            }
-          )
+          if Txgh.events.channel_hash.include?('transifex.webhook_received')
+            Txgh.events.publish(
+              'transifex.webhook_received', {
+                payload: payload,
+                raw_payload: raw_payload,
+                signature: TransifexRequestAuth.signature_from(request),
+                url: request.env['HTTP_X_TX_URL'],
+                date_str: request.env['HTTP_DATE'],
+                http_verb: request.request_method
+              }
+            )
+          end
         end
 
         def handle_safely
@@ -83,11 +91,9 @@ module TxghServer
         end
 
         def payload
-          @payload ||= begin
-            Txgh::Utils.deep_symbolize_keys(
-              Hash[URI.decode_www_form(raw_payload)]
-            )
-          end
+          @payload ||= Txgh::Utils.deep_symbolize_keys(
+            JSON.parse(raw_payload)
+          )
         end
 
       end

data/spec/application_spec.rb

@@ -109,10 +109,19 @@ describe TxghServer::WebhookEndpoints do
 
   describe '/transifex' do
     def sign_with(body)
+      date_str = Time.now.strftime('%a, %d %b %Y %H:%M:%S GMT')
+
+      header('Date', date_str)
+      header('X-Tx-Url', 'http://example.org/transifex')
+
       header(
         TxghServer::TransifexRequestAuth::TRANSIFEX_HEADER,
-        TxghServer::TransifexRequestAuth.header_value(
-          body, config.transifex_project.webhook_secret
+        TxghServer::TransifexRequestAuth.compute_signature(
+          http_verb: 'POST',
+          url: 'http://example.org/transifex',
+          date_str: date_str,
+          content: body,
+          secret: config.transifex_project.webhook_secret
         )
       )
     end
@@ -128,7 +137,7 @@ describe TxghServer::WebhookEndpoints do
       }
     end
 
-    let(:payload) { URI.encode_www_form(params.to_a) }
+    let(:payload) { params.to_json }
 
     before(:each) do
       allow(TxghServer::Webhooks::Transifex::HookHandler).to(
@@ -145,7 +154,7 @@ describe TxghServer::WebhookEndpoints do
         receive(:execute).and_return(respond_with(200, true))
       )
 
-      payload = URI.encode_www_form(params.to_a)
+      payload = params.to_json
       sign_with payload
       post '/transifex', payload
       expect(last_response).to be_ok
@@ -174,7 +183,7 @@ describe TxghServer::WebhookEndpoints do
     def sign_with(body)
       header(
         TxghServer::GithubRequestAuth::GITHUB_HEADER,
-        TxghServer::GithubRequestAuth.header_value(
+        TxghServer::GithubRequestAuth.compute_signature(
           body, config.github_repo.webhook_secret
         )
       )

data/spec/github_request_auth_spec.rb

@@ -30,9 +30,9 @@ describe GithubRequestAuth do
     end
   end
 
-  describe '.header' do
+  describe '.compute_signature' do
     it 'calculates the signature and formats it as an http header' do
-      value = GithubRequestAuth.header_value(params, secret)
+      value = GithubRequestAuth.compute_signature(params, secret)
       expect(value).to eq("sha1=#{valid_signature}")
     end
   end

data/spec/helpers/test_request.rb

@@ -1,10 +1,11 @@
 class TestRequest
-  attr_reader :body, :params, :headers
+  attr_reader :body, :params, :headers, :request_method
   alias_method :env, :headers
 
-  def initialize(body: , params: {}, headers: {})
+  def initialize(body: , params: {}, headers: {}, request_method: 'POST')
     @body = StringIO.new(body)
     @params = params
     @headers = headers
+    @request_method = request_method
   end
 end

data/spec/integration/hooks_spec.rb

@@ -93,14 +93,27 @@ describe 'hook integration tests', integration: true do
   def sign_github_request(body)
     header(
       GithubRequestAuth::GITHUB_HEADER,
-      GithubRequestAuth.header_value(body, config.github_repo.webhook_secret)
+      GithubRequestAuth.compute_signature(
+        body, config.github_repo.webhook_secret
+      )
     )
   end
 
   def sign_transifex_request(body)
+    date_str = Time.now.strftime('%a, %d %b %Y %H:%M:%S GMT')
+
+    header('Date', date_str)
+    header('X-Tx-Url', 'http://example.org/transifex')
+
     header(
-      TransifexRequestAuth::TRANSIFEX_HEADER,
-      TransifexRequestAuth.header_value(body, config.transifex_project.webhook_secret)
+      TxghServer::TransifexRequestAuth::TRANSIFEX_HEADER,
+      TxghServer::TransifexRequestAuth.compute_signature(
+        http_verb: 'POST',
+        url: 'http://example.org/transifex',
+        date_str: date_str,
+        content: body,
+        secret: config.transifex_project.webhook_secret
+      )
     )
   end
 
@@ -115,7 +128,7 @@ describe 'hook integration tests', integration: true do
         'language' => 'el_GR', 'translated' => 100
       }
 
-      payload = URI.encode_www_form(params.to_a)
+      payload = params.to_json
 
       sign_transifex_request(payload)
       post '/transifex', payload

data/spec/transifex_request_auth_spec.rb

@@ -5,13 +5,24 @@ include TxghServer
 
 describe TransifexRequestAuth do
   let(:secret) { 'abc123' }
-  let(:params) { 'param1=value1&param2=value2&param3=123' }
-  let(:valid_signature) { 'pXucIcivBezpfNgCGTHKYeDve84=' }
+  let(:params) { { param1: 'value1', param2: 'value2', param3: 123 }.to_json }
+  let(:date_str) { Time.now.strftime('%a, %d %b %Y %H:%M:%S GMT') }
+  let(:http_verb) { 'POST' }
+  let(:url) { 'http://example.com/transifex' }
+  let(:valid_signature) do
+    data = [http_verb, url, date_str, Digest::MD5.hexdigest(params)]
+    Base64.encode64(
+      OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, data.join("\n"))
+    ).strip
+  end
 
   describe '.authentic_request?' do
     it 'returns true if the request is signed correctly' do
       request = Rack::Request.new(
         TransifexRequestAuth::RACK_HEADER => valid_signature,
+        'HTTP_DATE' => date_str,
+        'REQUEST_METHOD' => http_verb,
+        'HTTP_X_TX_URL' => url,
         'rack.input' => StringIO.new(params)
       )
 
@@ -30,9 +41,16 @@ describe TransifexRequestAuth do
     end
   end
 
-  describe '.header' do
+  describe '.compute_signature' do
     it 'calculates the signature and formats it as an http header' do
-      value = TransifexRequestAuth.header_value(params, secret)
+      value = TransifexRequestAuth.compute_signature(
+        http_verb: http_verb,
+        date_str: date_str,
+        url: url,
+        content: params,
+        secret: secret
+      )
+
       expect(value).to eq(valid_signature)
     end
   end

data/spec/webhooks/transifex/request_handler_spec.rb

@@ -9,15 +9,17 @@ describe Transifex::RequestHandler do
   include StandardTxghSetup
 
   let(:logger) { NilLogger.new }
-  let(:body) { URI.encode_www_form(payload.to_a) }
+  let(:body) { payload.to_json }
   let(:signature) { 'abc123' }
   let(:headers) { { TxghServer::TransifexRequestAuth::RACK_HEADER => signature } }
-  let(:request) { TestRequest.new(body: body, headers: headers) }
+  let(:request) { TestRequest.new(body: body, headers: headers, request_method: 'POST') }
   let(:handler) { described_class.new(request, logger) }
   let(:payload) { { 'project' => project_name, 'resource' => resource_slug, 'language' => 'pt' } }
 
   describe '#handle_request' do
     it 'publishes an event' do
+      Txgh.events.subscribe('transifex.webhook_received') { false }
+
       expect { handler.handle_request }.to(
         change { Txgh.events.published_in('transifex.webhook_received').size }.by(1)
       )
@@ -26,6 +28,13 @@ describe Transifex::RequestHandler do
       expect(event[:options][:payload]).to eq(Txgh::Utils.deep_symbolize_keys(payload))
       expect(event[:options][:raw_payload]).to eq(body)
       expect(event[:options][:signature]).to eq(signature)
+      expect(event[:options][:http_verb]).to eq('POST')
+    end
+
+    it 'returns a 204 if the event handles the request' do
+      Txgh.events.subscribe('transifex.webhook_received') { true }
+      response = handler.handle_request
+      expect(response.status).to eq(204)
     end
 
     it 'does not execute if unauthorized' do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: txgh-server
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Matthew Jackowski
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-03 00:00:00.000000000 Z
+date: 2018-02-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mime-types