Mirror
/
go-neb
mirror of https://github.com/matrix-org/go-neb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
573 Commits
120 Branches
3 Tags
12 MiB
Tree: 1e297c50ad
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1e297c50ad'
${ noResults }
go-neb/services/travisci/verify.go

109 lines
3.2 KiB
Raw Normal View History

Verify incoming Travis-CI webhook requests
8 years ago
Begin to add Travis-CI Service tests Currently this verifies the signature logic, but not the templating logic which isn't implemented yet.
8 years ago
Verify incoming Travis-CI webhook requests
8 years ago
Begin to add Travis-CI Service tests Currently this verifies the signature logic, but not the templating logic which isn't implemented yet.
8 years ago
Verify incoming Travis-CI webhook requests
8 years ago
Begin to add Travis-CI Service tests Currently this verifies the signature logic, but not the templating logic which isn't implemented yet.
8 years ago
Verify incoming Travis-CI webhook requests
8 years ago
Begin to add Travis-CI Service tests Currently this verifies the signature logic, but not the templating logic which isn't implemented yet.
8 years ago
Verify incoming Travis-CI webhook requests
8 years ago
Begin to add Travis-CI Service tests Currently this verifies the signature logic, but not the templating logic which isn't implemented yet.
8 years ago
Verify incoming Travis-CI webhook requests
8 years ago
Begin to add Travis-CI Service tests Currently this verifies the signature logic, but not the templating logic which isn't implemented yet.
8 years ago
Verify incoming Travis-CI webhook requests
8 years ago
Begin to add Travis-CI Service tests Currently this verifies the signature logic, but not the templating logic which isn't implemented yet.
8 years ago
Verify incoming Travis-CI webhook requests
8 years ago
Begin to add Travis-CI Service tests Currently this verifies the signature logic, but not the templating logic which isn't implemented yet.
8 years ago
Verify incoming Travis-CI webhook requests
8 years ago
  1. package travisci
  3. import (
  4. "crypto"
  5. "crypto/rsa"
  6. "crypto/sha1"
  7. "crypto/x509"
  8. "encoding/base64"
  9. "encoding/json"
  10. "encoding/pem"
  11. "fmt"
  12. "net/http"
  13. "strings"
  14. )
  16. // Host => Public Key.
  17. // Travis has a .com and .org with different public keys.
  18. // .org is the public one and is one we will try first, then .com
  19. var travisPublicKeyMap = map[string]*rsa.PublicKey{
  20. "api.travis-ci.org": nil,
  21. "api.travis-ci.com": nil,
  22. }
  24. func verifyOrigin(payload []byte, sigHeader string) error {
  25. /*
  26. From: https://docs.travis-ci.com/user/notifications#Verifying-Webhook-requests
  27. 1. Pick up the payload data from the HTTP requests body.
  28. 2. Obtain the Signature header value, and base64-decode it.
  29. 3. Obtain the public key corresponding to the private key that signed the payload.
  30. This is available at the /config endpoints config.notifications.webhook.public_key on
  31. the relevant API server. (e.g., https://api.travis-ci.org/config)
  32. 4. Verify the signature using the public key and SHA1 digest.
  33. */
  34. sig, err := base64.StdEncoding.DecodeString(sigHeader)
  35. if err != nil {
  36. return fmt.Errorf("verifyOrigin: Failed to decode signature as base64: %s", err)
  37. }
  39. if err := loadPublicKeys(); err != nil {
  40. return fmt.Errorf("verifyOrigin: Failed to cache Travis public keys: %s", err)
  41. }
  43. // 4. Verify with SHA1
  44. // NB: We don't know who sent this request (no Referer header or anything) so we need to try
  45. // both public keys at both endpoints. We use the .org one first since it's more popular.
  46. var verifyErr error
  47. for _, host := range []string{"api.travis-ci.org", "api.travis-ci.com"} {
  48. h := sha1.New()
  49. h.Write(payload)
  50. digest := h.Sum(nil)
  51. verifyErr = rsa.VerifyPKCS1v15(travisPublicKeyMap[host], crypto.SHA1, digest, sig)
  52. if verifyErr == nil {
  53. return nil // Valid for this key
  54. }
  55. }
  56. return fmt.Errorf("verifyOrigin: Signature verification failed: %s", verifyErr)
  57. }
  59. func loadPublicKeys() error {
  60. for _, host := range []string{"api.travis-ci.com", "api.travis-ci.org"} {
  61. pubKey := travisPublicKeyMap[host]
  62. if pubKey == nil {
  63. pemPubKey, err := fetchPEMPublicKey("https://" + host + "/config")
  64. if err != nil {
  65. return err
  66. }
  67. block, _ := pem.Decode([]byte(pemPubKey))
  68. if block == nil {
  69. return fmt.Errorf("public_key at %s doesn't have a valid PEM block", host)
  70. }
  72. k, err := x509.ParsePKIXPublicKey(block.Bytes)
  73. if err != nil {
  74. return err
  75. }
  76. pubKey = k.(*rsa.PublicKey)
  77. travisPublicKeyMap[host] = pubKey
  78. }
  79. }
  80. return nil
  81. }
  83. func fetchPEMPublicKey(travisURL string) (key string, err error) {
  84. var res *http.Response
  85. res, err = httpClient.Get(travisURL)
  86. if res != nil {
  87. defer res.Body.Close()
  88. }
  89. if err != nil {
  90. return
  91. }
  92. configStruct := struct {
  93. Config struct {
  94. Notifications struct {
  95. Webhook struct {
  96. PublicKey string `json:"public_key"`
  97. } `json:"webhook"`
  98. } `json:"notifications"`
  99. } `json:"config"`
  100. }{}
  101. if err = json.NewDecoder(res.Body).Decode(&configStruct); err != nil {
  102. return
  103. }
  104. key = configStruct.Config.Notifications.Webhook.PublicKey
  105. if key == "" || !strings.HasPrefix(key, "-----BEGIN PUBLIC KEY-----") {
  106. err = fmt.Errorf("Couldn't fetch Travis-CI public key. Missing or malformed key: %s", key)
  107. }
  108. return
  109. }