Add customer support

Signed-off-by: Alex Ellis <[email protected]>

Author: alexellis

.gitignore

@@ -18,3 +18,6 @@ derek
 auth/*.pem
 
 *.pem
+template
+build
+secrets.yml

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.7.5 as build
+FROM golang:1.9.2-alpine as build
 
 RUN mkdir -p /go/src/github.com/alexellis/derek
 WORKDIR /go/src/github.com/alexellis/derek
@@ -9,7 +9,7 @@ FROM alpine:3.5
 
 RUN apk --no-cache add curl ca-certificates \ 
     && echo "Pulling watchdog binary from Github." \
-    && curl -sSL https://github.com/alexellis/faas/releases/download/0.6.5/fwatchdog > /usr/bin/fwatchdog \
+    && curl -sSL https://github.com/alexellis/faas/releases/download/0.6.9/fwatchdog > /usr/bin/fwatchdog \
     && chmod +x /usr/bin/fwatchdog \
     && apk del curl --no-cache
 
@@ -22,6 +22,7 @@ COPY derek.pem	.
 ENV cgi_headers="true"
 ENV validate_hmac="true"
 ENV fprocess="./derek"
+ENV validate_customers="true"
 
 EXPOSE 8080
 CMD ["fwatchdog"]

auth/client_factory.go

@@ -19,12 +19,12 @@ type JwtAuth struct {
 }
 
 // MakeAccessTokenForInstallation makes an access token for an installation / private key
-func MakeAccessTokenForInstallation(appID, installation, privateKeyPath string) (string, error) {
+func MakeAccessTokenForInstallation(appID string, installation int, privateKeyPath string) (string, error) {
 	signed, err := GetSignedJwtToken(appID, privateKeyPath)
 
 	if err == nil {
 		c := http.Client{}
-		req, _ := http.NewRequest(http.MethodPost, fmt.Sprintf("https://api.github.com/installations/%s/access_tokens", installation), nil)
+		req, _ := http.NewRequest(http.MethodPost, fmt.Sprintf("https://api.github.com/installations/%d/access_tokens", installation), nil)
 
 		req.Header.Add("Authorization", "Bearer "+signed)
 		req.Header.Add("Accept", "application/vnd.github.machine-man-preview+json")

auth/customers.go

@@ -0,0 +1,49 @@
+package auth
+
+import (
+	"io/ioutil"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/alexellis/derek/types"
+)
+
+func IsCustomer(repo types.Repository) (bool, error) {
+	validate := os.Getenv("validate_customers")
+	if len(validate) == 0 || (validate == "false" || validate == "0") {
+		return true, nil
+	}
+
+	var err error
+	var found bool
+	c := http.Client{}
+	request, _ := http.NewRequest(http.MethodGet, "https://raw.githubusercontent.com/alexellis/derek/master/.CUSTOMERS", nil)
+	res, doErr := c.Do(request)
+	if err != nil {
+		err = doErr
+		// Not sure how I feel about goto, but seems OK here (Alex Ellis)
+		goto DO_RETURN
+	}
+
+	if res.Body != nil {
+		defer res.Body.Close()
+		body, readErr := ioutil.ReadAll(res.Body)
+		if readErr != nil {
+			err = readErr
+			goto DO_RETURN
+		}
+
+		lines := strings.Split(strings.TrimSpace(string(body)), "\n")
+
+		for _, line := range lines {
+			if line == repo.Owner.Login {
+				found = true
+				break
+			}
+		}
+	}
+
+DO_RETURN:
+	return found, err
+}

commentHandler.go

@@ -19,12 +19,12 @@ const closed = "closed"
 const maintainersFileEnv = "maintainers_file"
 const defaultMaintFile = "MAINTAINERS"
 
-func makeClient() (*github.Client, context.Context) {
+func makeClient(installation int) (*github.Client, context.Context) {
 	ctx := context.Background()
 
 	token := os.Getenv("access_token")
 	if len(token) == 0 {
-		newToken, tokenErr := auth.MakeAccessTokenForInstallation(os.Getenv("application"), os.Getenv("installation"), os.Getenv("private_key"))
+		newToken, tokenErr := auth.MakeAccessTokenForInstallation(os.Getenv("application"), installation, os.Getenv("private_key"))
 		if tokenErr != nil {
 			log.Fatalln(tokenErr.Error())
 		}
@@ -59,7 +59,7 @@ func handleComment(req types.IssueCommentOuter) {
 		}
 
 		if allowed {
-			client, ctx := makeClient()
+			client, ctx := makeClient(req.Installation.ID)
 			_, res, err := client.Issues.AddLabelsToIssue(ctx, req.Repository.Owner.Login, req.Repository.Name, req.Issue.Number, []string{command.Value})
 			if err != nil {
 				log.Fatalf("%s, limit: %d, remaining: %d", err, res.Limit, res.Remaining)
@@ -87,7 +87,7 @@ func handleComment(req types.IssueCommentOuter) {
 		}
 
 		if allowed {
-			client, ctx := makeClient()
+			client, ctx := makeClient(req.Installation.ID)
 			_, err := client.Issues.RemoveLabelForIssue(ctx, req.Repository.Owner.Login, req.Repository.Name, req.Issue.Number, command.Value)
 			if err != nil {
 				log.Fatalln(err)
@@ -101,7 +101,7 @@ func handleComment(req types.IssueCommentOuter) {
 		fmt.Printf("%s wants to %s user %s to issue %d - allowed? %t\n", req.Comment.User.Login, command.Type, command.Value, req.Issue.Number, allowed)
 
 		if allowed {
-			client, ctx := makeClient()
+			client, ctx := makeClient(req.Installation.ID)
 			assignee := command.Value
 			if assignee == "me" {
 				assignee = req.Comment.User.Login
@@ -119,7 +119,7 @@ func handleComment(req types.IssueCommentOuter) {
 		fmt.Printf("%s wants to %s user %s from issue %d - allowed? %t\n", req.Comment.User.Login, command.Type, command.Value, req.Issue.Number, allowed)
 
 		if allowed {
-			client, ctx := makeClient()
+			client, ctx := makeClient(req.Installation.ID)
 			assignee := command.Value
 			if assignee == "me" {
 				assignee = req.Comment.User.Login
@@ -137,7 +137,7 @@ func handleComment(req types.IssueCommentOuter) {
 		fmt.Printf("%s wants to %s issue #%d - allowed? %t\n", req.Comment.User.Login, command.Type, req.Issue.Number, allowed)
 
 		if allowed {
-			client, ctx := makeClient()
+			client, ctx := makeClient(req.Installation.ID)
 
 			var state string
 

derek.yml

@@ -0,0 +1,16 @@
+provider:
+  name: faas
+  # gateway: http://localhost:80  # can be a remote server
+
+functions:
+  the-derek:
+    handler: ./
+    image: derek:2.0
+    lang: Dockerfile
+    environment:
+      private_key: derek.pem
+      validate_hmac: false
+      debug: true
+    environment_file:
+      - secrets.yml
+      # See secrets.example.yml

main.go

@@ -10,12 +10,18 @@ import (
 	"github.com/alexellis/derek/types"
 )
 
+func hmacValidation() bool {
+	val := os.Getenv("validate_hmac")
+	return len(val) > 0 && (val == "1" || val == "true")
+}
+
 func main() {
 	bytesIn, _ := ioutil.ReadAll(os.Stdin)
 
-	xHubSignature := os.Getenv("XHubSignature")
-	if len(xHubSignature) == 0 {
-		xHubSignature = os.Getenv("Http_X_Hub_Signature")
+	xHubSignature := os.Getenv("Http_X_Hub_Signature")
+	if hmacValidation() && len(xHubSignature) == 0 {
+		log.Fatal("must provide X_Hub_Signature")
+		return
 	}
 
 	if len(xHubSignature) > 0 {
@@ -26,24 +32,40 @@ func main() {
 			log.Fatal(err.Error())
 			return
 		}
-	} else if len(os.Getenv("validate_hmac")) > 0 {
-		log.Fatal("must provide X_Hub_Signature")
 	}
 
+	// HMAC Validated or not turned on.
+
 	eventType := os.Getenv("Http_X_Github_Event")
 	switch eventType {
 	case "pull_request":
 		req := types.PullRequestOuter{}
 		if err := json.Unmarshal(bytesIn, &req); err != nil {
 			log.Fatalf("Cannot parse input %s", err.Error())
 		}
+
+		customer, err := auth.IsCustomer(req.Repository)
+		if err != nil {
+			log.Fatalf("Unable to verify customer: %s/%s", req.Repository.Owner.Login, req.Repository.Name)
+		} else if !customer {
+			log.Fatalf("No customer found for: %s/%s", req.Repository.Owner.Login, req.Repository.Name)
+		}
+
 		handlePullRequest(req)
 		break
 	case "issue_comment":
 		req := types.IssueCommentOuter{}
 		if err := json.Unmarshal(bytesIn, &req); err != nil {
 			log.Fatalf("Cannot parse input %s", err.Error())
 		}
+
+		customer, err := auth.IsCustomer(req.Repository)
+		if err != nil {
+			log.Fatalf("Unable to verify customer: %s/%s", req.Repository.Owner.Login, req.Repository.Name)
+		} else if !customer {
+			log.Fatalf("No customer found for: %s/%s", req.Repository.Owner.Login, req.Repository.Name)
+		}
+
 		handleComment(req)
 		break
 	default:

pullRequestHandler.go

@@ -18,7 +18,11 @@ func handlePullRequest(req types.PullRequestOuter) {
 
 	token := os.Getenv("access_token")
 	if len(token) == 0 {
-		newToken, tokenErr := auth.MakeAccessTokenForInstallation(os.Getenv("application"), os.Getenv("installation"), os.Getenv("private_key"))
+		newToken, tokenErr := auth.MakeAccessTokenForInstallation(
+			os.Getenv("application"),
+			req.Installation.ID,
+			os.Getenv("private_key"))
+
 		if tokenErr != nil {
 			log.Fatalln(tokenErr.Error())
 		}