feature: add hmac auth and exception handling

Author: TimoKramer

deps.edn

@@ -1,10 +1,11 @@
 {:deps {org.clojure/clojure {:mvn/version "1.10.3"}
         org.clojure/core.match {:mvn/version "1.0.0"}
-        org.clojure/tools.logging {:mvn/version "1.2.4"}
+        com.taoensso/timbre {:mvn/version "5.2.1"}
         cheshire/cheshire {:mvn/version "5.10.2"}
         http-kit/http-kit {:mvn/version "2.5.3"}
         twitter-api/twitter-api {:mvn/version "1.8.0"}
-        jarohen/chime {:mvn/version "0.3.3"}}
+        jarohen/chime {:mvn/version "0.3.3"}
+        failjure/failjure {:mvn/version "2.2.0"}}
  :aliases {:deploy {:extra-deps {slipset/deps-deploy {:mvn/version "0.2.0"}}
                     :main-opts ["-m" "deps-deploy.deps-deploy" "deploy" "replikativ-datahike.jar"]}
 
@@ -25,5 +26,6 @@
                                                         :sha "a83ee8da47d56a80b6380cbb6b4b9274048067bd"}
                           babashka/babashka.curl {:mvn/version "0.1.1"}
                           babashka/fs {:mvn/version "0.1.2"}
+                          com.google.cloud.tools/jib-core {:mvn/version "0.20.0"}
                           cheshire/cheshire {:mvn/version "5.10.2"}}
                    :ns-default build}}}

src/souffleuse/core.clj

@@ -3,14 +3,19 @@
             [org.httpkit.server :as srv]
             [org.httpkit.client :as clnt]
             [clojure.core.match :refer [match]]
-            [clojure.tools.logging :as log]
+            [taoensso.timbre :as log]
             [clojure.string :as str]
             [cheshire.core :as json]
             [twitter.oauth :as oauth]
-            [twitter.api.restful :as r]))
+            [twitter.api.restful :as r]
+            [failjure.core :as f])
+  (:import (javax.crypto Mac)
+           (javax.crypto.spec SecretKeySpec)))
 
 (def port 3000)
 
+(def github-token (System/getenv "GITHUB_TOKEN"))
+
 (def slack-hook-url (System/getenv "SLACK_HOOK_URL"))
 (def slack-channel "#datahike")
 
@@ -28,6 +33,26 @@
   (log/info "Received webhook" d)
   d)
 
+(defn hmac-sha-256
+  "Takes the webhook body as string
+   Takes the secret webhook token as string
+   Computes an HMAC
+   Returns HMAC as string
+   https://stackoverflow.com/a/15444056"
+  [^String body-str ^String key-str]
+  (let [key-spec (SecretKeySpec. (.getBytes key-str) "HmacSHA256")
+        hmac (doto (Mac/getInstance "HmacSHA256") (.init key-spec))
+        result (.doFinal hmac (.getBytes body-str))]
+    (apply str (map #(format "%02x" %) result))))
+
+(defn check-hmac [body-str {:keys [headers]}]
+  (let [hmac (str "sha256=" (hmac-sha-256 body-str github-token))
+        header (get headers "x-hub-signature-256")]
+    (if (not= hmac header)
+      (throw (ex-info "HMAC does not match" {:hmac hmac
+                                             :header header}))
+      body-str)))
+
 (defn trigger-slack-reminder [_]
   (if slack-hook-url
     (let [message "In a quarter hour we will have our weekly open-source meeting
@@ -41,9 +66,10 @@
       (log/debug "Weekly OSS meeting announcement triggered"))
     (log/error "Slack Hook URL not provided")))
 
-(defn trigger-slack-announcement [[release repository :as d]]
+(defn trigger-slack-announcement [body]
   (if slack-hook-url
-    (let [message (format "Version %s of %s was just released. Find the changelog or get in contact with us <%s|over on GitHub.>"
+    (let [[release repository] (juxt body :release :repository)
+          message (format "Version %s of %s was just released. Find the changelog or get in contact with us <%s|over on GitHub.>"
                           (:tag_name release)
                           (:name repository)
                           (:html_url release))
@@ -53,30 +79,36 @@
       (clnt/post slack-hook-url {:headers {"content-type" "application/json"}
                                  :body json}))
     (log/error "Slack Hook URL not provided"))
-  d)
+  body)
 
-(defn trigger-twitter-announcement [[release repository :as d]]
-  (let [message (format "Version %s of %s was just released. Take a look at the changelog over on GitHub: %s"
+(defn trigger-twitter-announcement [body]
+  (let [[release repository] (juxt body :release :repository)
+        message (format "Version %s of %s was just released. Take a look at the changelog over on GitHub: %s"
                         (:tag_name release)
                         (:name repository)
                         (:html_url release))]
     (if (not-any? nil? [twitter-api-key twitter-api-secret twitter-access-token twitter-access-token-secret])
       (r/statuses-update :oauth-creds twitter-creds
                          :params {:status message})
       (log/error "Twitter secrets not provided")))
-  d)
+  body)
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Handlers
 ;;;;;;;;;;;;;;;;;;;;;;;;;;
 
-(defn github-hook [{body :body :as req}]
-  (-> (slurp body)
-      (json/parse-string true)
-      log-request
-      ((juxt :release :repository))
-      trigger-slack-announcement
-      trigger-twitter-announcement))
+(defn github-hook [{:keys [body headers] :as req}]
+  (let [result (f/ok-> (slurp body)
+                       (check-hmac req)
+                       (json/parse-string true)
+                       log-request
+                       trigger-slack-announcement
+                       trigger-twitter-announcement)]
+    (if (f/failed? result)
+      (do (log/error (f/message result) {:delivery (get headers "X-GitHub-Delivery")
+                                         :event (get headers "X-GitHub-Event")})
+          {:status 500 :body (f/message result)})
+      {:status 201})))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Routes
@@ -85,23 +117,22 @@
 (defn routes [{:keys [request-method uri] :as req}]
   (let [path (vec (rest (str/split uri #"/")))]
     (match [request-method path]
-      [:post ["github" "release"]] {:body (github-hook req)}
+      [:post ["github" "release"]] (github-hook req)
       :else {:status 404 :body "Error 404: Page not found"})))
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Server
 ;;;;;;;;;;;;;;;;;;;;;;;;;;
 
 (def server (let [url (str "http://localhost:" port "/")]
-              (srv/run-server #'routes {:port port})
-              (println "serving" url)))
+              (println "serving" url)
+              (srv/run-server #'routes {:port port})))
 
 (def scheduler (s/start-scheduler trigger-slack-reminder))
 
 (comment
   (def payload (json/parse-string (slurp "test/payload.sample.json") true))
 
-  (defonce server (atom nil))
-  (reset! server (srv/run-server #'routes {:port port}))
+  (srv/server-stop! @server)
 
   @(clnt/post "http://localhost:3000/github/release" {:headers {"Content-Type" "application/json"} :body (slurp "test/payload.sample.json")}))