webhook: Add flask app to validate webhooks

7e2b07aa · Jason Zaman · 1f14989e · 7e2b07aa · 7e2b07aa · 7e2b07aa
Commit 7e2b07aa authored Jan 13, 2020 by Jason Zaman
--- a/.gitignore
+++ b/.gitignore
+.*.swp
+*~
+
+__pycache__
+*.pyo
+*.pyc
+
--- a/webhook/Dockerfile
+++ b/webhook/Dockerfile
+FROM python:3.6-jessie
+
+RUN apt update
+
+WORKDIR /app
+
+ADD requirements.txt /app/requirements.txt
+RUN pip install -r /app/requirements.txt
+
+ADD ./*.py /app
+
+ENV PORT 80
+CMD ["gunicorn", "app:app", "--config=config.py"]
--- a/webhook/app.py
+++ b/webhook/app.py
+import os
+import hashlib
+import hmac
+
+from flask import Flask, request, abort
+
+import config
+
+app = Flask(__name__)
+
+
+def verify_github_signature(req):
+    reqsig = request.headers.get('X-Hub-Signature')
+    data = request.get_data()
+
+    secret = os.environ.get('GITHUB_SECRET', '')
+    if not reqsig.startswith("sha1=") or len(secret) < 1:
+        abort(401, 'Unauthorized')
+
+    reqsig = reqsig[len("sha1="):]
+    secret = secret.encode('utf-8')
+
+    digest = hmac.new(secret, data, hashlib.sha1).hexdigest()
+
+    print("Validate Github Sig: digest:", digest, "request:", reqsig)
+    return hmac.compare_digest(digest, reqsig)
+
+
+@app.route('/', methods=['GET', 'POST'])
+def root():
+    if request.method != 'POST':
+        return 'Hello, TensorFlow SIG-Build!'
+
+    # Fail if the sig does not match
+    if not verify_github_signature(request):
+        abort(401, 'Unauthorized')
+
+    data = request.get_json()
+    if not data:
+        abort(404, 'JSON request not found')
+
+    # Only accept 'push' events for now
+    event = request.headers.get('X-GitHub-Event')
+    if event not in config.ALLOWED_EVENTS:
+        abort(404, 'GitHub Event not found')
+
+    # Only accept known repos
+    if data['repository']['full_name'] not in config.ALLOWED_REPOS:
+        abort(404, 'Invalid repo')
+
+    # return the data back to the Tekton event listener
+    return data
+
+
+if __name__ == '__main__':
+    print("Running flask webhook app")
+    app.run(host="0.0.0.0", port=config.PORT, debug=config.DEBUG_MODE, load_dotenv=False)
+
--- a/webhook/config.py
+++ b/webhook/config.py
+import multiprocessing
+import os
+
+
+PORT = int(os.environ.get("PORT", 5000))
+DEBUG_MODE = int(os.environ.get("DEBUG_MODE", 0))
+
+ALLOWED_EVENTS = [
+    'push',
+]
+
+ALLOWED_REPOS = [
+    'tensorflow/build',
+    'perfinion/build',
+]
+
+# Gunicorn config
+bind = ":" + str(PORT)
+workers = multiprocessing.cpu_count() * 2 + 1
+threads = multiprocessing.cpu_count() * 2
--- a/webhook/requirements.txt
+++ b/webhook/requirements.txt
+Click==7.0
+Flask==1.1.1
+gunicorn==20.0.4
+itsdangerous==1.1.0
+Jinja2==2.10.3
+MarkupSafe==1.1.1
+Werkzeug==0.16.0
+