Merge pull request #1497 from DashboardHub/issue-1465-v2

feat(repositories)#1465 secure webhooks

README.md

@@ -49,6 +49,7 @@ Please get in touch via [@DashboardHub](https://twitter.com/DashboardHub) and le
    2. Enter the 2 OAuth private keys from GitHub into the Firebase Authentication
 3. Click **Databases** and create an empty `firestore` database (indexes, security, collections and rules will all be automatically created later on as part of the deployment)
 4. Update `{{ FIREBASE_FUNCTIONS_URL }}` in file `functions/src/environments/environment.ts` with your function subdomain, for example `us-central1-pipelinedashboard-test`
+4. Update `{{ GITHUB_WEBHOOK_SECRET }}` in file `functions/src/environments/environment.ts` with your private secret key (random string), this is used to protect your webhook function, for example `pipelinedashboard-test-123`
 
 #### Angular
 

functions/src/environments/environment.ts

@@ -2,6 +2,9 @@
 export const enviroment: Config = {
   githubWebhook: {
     url: 'https://{{ FIREBASE_FUNCTIONS_URL }}.cloudfunctions.net/responseGitWebhookRepository',
+    secret: '{{ GITHUB_WEBHOOK_SECRET }}',
+    content_type: 'json',
+    insecure_ssl: '0',
     events: [
       // IMPLEMENTED
       'create',
@@ -61,6 +64,9 @@ export const enviroment: Config = {
 interface Config {
   githubWebhook: {
     url: string,
+    secret: string,
+    content_type: 'json' | 'form',
+    insecure_ssl: '0' | '1',
     events: string[],
   }
 }

functions/src/repository/create-git-webhook-repository.ts

@@ -40,8 +40,9 @@ export function createWebhook(repositoryFullName: string, token: string): Promis
     events: enviroment.githubWebhook.events,
     config: {
       url: enviroment.githubWebhook.url,
-      content_type: 'json',
-      insecure_ssl: '0',
+      secret: enviroment.githubWebhook.secret,
+      content_type: enviroment.githubWebhook.content_type,
+      insecure_ssl: enviroment.githubWebhook.insecure_ssl,
     },
   }
   return GitHubClientPost<GitHubRepositoryWebhookResponse>(`/repos/${repositoryFullName}/hooks`, token, body);
@@ -53,7 +54,10 @@ export async function getWebhook(repositoryFullName: string, token: string): Pro
   const exist: GitHubRepositoryWebhookResponse = await findWebhook(repositoryFullName, token);
 
   if (exist) {
-    let isEqual: boolean = exist.events.length === enviroment.githubWebhook.events.length;
+    let isEqual: boolean = exist.events.length === enviroment.githubWebhook.events.length
+      && exist.config.content_type === enviroment.githubWebhook.content_type
+      && exist.config.insecure_ssl === enviroment.githubWebhook.insecure_ssl
+      && ((!exist.config.secret && !enviroment.githubWebhook.secret) || (!!exist.config.secret && !!enviroment.githubWebhook.secret));
 
     if (isEqual) {
 
@@ -65,11 +69,14 @@ export async function getWebhook(repositoryFullName: string, token: string): Pro
       }
 
       if (isEqual) {
+        Logger.info('Webhook is exist');
         return GitHubRepositoryWebhookMapper.import(exist);
       }
     }
+    Logger.info('Webhook is deleting');
     await deleteWebhook(repositoryFullName, exist.id, token);
   }
 
+  Logger.info('Webhook is creating');
   return GitHubRepositoryWebhookMapper.import(await createWebhook(repositoryFullName, token));
 }

functions/src/repository/response-git-webhook-repository.ts

@@ -1,6 +1,11 @@
 // Third party modules
 import * as CORS from 'cors';
+import * as crypto from "crypto";
 import { https, HttpsFunction, Response } from 'firebase-functions';
+
+import { enviroment } from '../environments/environment';
+
+// Dashboard hub firebase functions models/mappers
 import { GitHubClient } from '../client/github';
 import { Logger } from '../client/logger';
 import { GitHubContributorInput, GitHubContributorMapper } from '../mappers/github/index.mapper';
@@ -33,7 +38,12 @@ export interface ResponseGitWebhookRepositoryInput {
 
 export const onResponseGitWebhookRepository: HttpsFunction = https.onRequest((req: https.Request, res: Response) => {
   return cors(req, res, () => {
-    Logger.info(`${req.protocol}://${req.hostname} ; onResponseGitWebhookRepository: success!`);
+    const sig: string = 'sha1=' + crypto.createHmac('sha1', enviroment.githubWebhook.secret).update(req.rawBody).digest('hex');
+
+    if (sig !== req.headers['x-hub-signature']) {
+      res.status(401).send('Error secret token!');
+      return;
+    }
 
     const inputData: any = req.body;
     let result: Promise<any>;

scripts/deployment/dev.sh

@@ -2,6 +2,7 @@
 
 # FUNCTIONS
 (cd functions; npm install)
+(cd functions/src/environments; sed -i 's/{{ GITHUB_WEBHOOK_SECRET }}/'$GITHUB_WEBHOOK_SECRET'/g' environment.ts)
 (cd functions/src/environments; sed -i 's/{{ FIREBASE_FUNCTIONS_URL }}/us-central1-pipelinedashboard-dev/g' environment.ts)
 
 # WEB

scripts/deployment/eddie.sh

@@ -2,6 +2,7 @@
 
 # FUNCTIONS
 (cd functions; npm install)
+(cd functions/src/environments; sed -i 's/{{ GITHUB_WEBHOOK_SECRET }}/'$GITHUB_WEBHOOK_SECRET'/g' environment.ts)
 (cd functions/src/environments; sed -i 's/{{ FIREBASE_FUNCTIONS_URL }}/us-central1-pipelinedashboard-eddie/g' environment.ts)
 
 # WEB

scripts/deployment/khush.sh

@@ -2,6 +2,7 @@
 
 # FUNCTIONS
 (cd functions; npm install)
+(cd functions/src/environments; sed -i 's/{{ GITHUB_WEBHOOK_SECRET }}/'$GITHUB_WEBHOOK_SECRET'/g' environment.ts)
 (cd functions/src/environments; sed -i 's/{{ FIREBASE_FUNCTIONS_URL }}/us-central1-pipelinedashboard-khush/g' environment.ts)
 
 # WEB

scripts/deployment/prod.sh

@@ -2,6 +2,7 @@
 
 # FUNCTIONS
 (cd functions; npm install)
+(cd functions/src/environments; sed -i 's/{{ GITHUB_WEBHOOK_SECRET }}/'$GITHUB_WEBHOOK_SECRET'/g' environment.ts)
 (cd functions/src/environments; sed -i 's/{{ FIREBASE_FUNCTIONS_URL }}/us-central1-pipelinedashboard/g' environment.ts)
 
 # WEB