def hook_receiver():
"""
Process incoming GitHub webhook events.
1. Make sure the payload hashes to the proper signature. If not,
reject the request with http status of 403.
2. Send a job to the queue with details of the event.
3. Respond with http status 202.
Returns:
Tuple[str, int]: Message payload and HTTP status code
"""
headers = GithubWebHookRequestHeader(request.headers)
# TODO: Once we adopt payload signature validation for all web hooks,
# add as decorator, or somehow into Blueprint
secret = app.config.get('GITHUB_WEBHOOKS_SECRET')
if not is_valid_payload(secret, headers.signature, request.data):
msg = "Rejecting because signature doesn't match!"
print(msg, file=sys.stderr)
return msg, 403
q.enqueue('openedx_webhooks.github.dispatcher.dispatch',
dict(request.headers), request.get_json())
return 'Thank you', 202
def test_mismatched_payload(secret1, signature):
wrong_payload = json.dumps('x')
assert is_valid_payload(secret1, signature, wrong_payload) is False
def test_bad_secret(secret2, signature, payload):
assert is_valid_payload(secret2, signature, payload) is False
def test_mismatched_signature(secret1, secret2, payload):
wrong_signature = _make_signature(secret2, payload)
assert is_valid_payload(secret1, wrong_signature, payload) is False
def test_everything_matches(secret1, signature, payload):
assert is_valid_payload(secret1, signature, payload) is True
