app/blueprints/github/__init__.py

   1 # Content DB
   2 # Copyright (C) 2018  rubenwardy
   3 #
   4 # This program is free software: you can redistribute it and/or modify
   5 # it under the terms of the GNU General Public License as published by
   6 # the Free Software Foundation, either version 3 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU General Public License
  15 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
  16
  17 from flask import Blueprint
  18
  19 bp = Blueprint("github", __name__)
  20
  21 from flask import redirect, url_for, request, flash, abort, render_template, jsonify, current_app
  22 from flask_user import current_user, login_required
  23 from sqlalchemy import func
  24 from flask_github import GitHub
  25 from app import github, csrf
  26 from app.models import db, User, APIToken, Package, Permission
  27 from app.utils import loginUser, randomString, abs_url_for
  28 from app.blueprints.api.support import error, handleCreateRelease
  29 import hmac, requests, json
  30
  31 from flask_wtf import FlaskForm
  32 from wtforms import SelectField, SubmitField
  33
  34 @bp.route("/github/start/")
  35 def start():
  36         return github.authorize("", redirect_uri=abs_url_for("github.callback"))
  37
  38 @bp.route("/github/view/")
  39 def view_permissions():
  40         url = "https://github.com/settings/connections/applications/" + \
  41                         current_app.config["GITHUB_CLIENT_ID"]
  42         return redirect(url)
  43
  44 @bp.route("/github/callback/")
  45 @github.authorized_handler
  46 def callback(oauth_token):
  47         next_url = request.args.get("next")
  48         if oauth_token is None:
  49                 flash("Authorization failed [err=gh-oauth-login-failed]", "danger")
  50                 return redirect(url_for("user.login"))
  51
  52         # Get Github username
  53         url = "https://api.github.com/user"
  54         r = requests.get(url, headers={"Authorization": "token " + oauth_token})
  55         username = r.json()["login"]
  56
  57         # Get user by github username
  58         userByGithub = User.query.filter(func.lower(User.github_username) == func.lower(username)).first()
  59
  60         # If logged in, connect
  61         if current_user and current_user.is_authenticated:
  62                 if userByGithub is None:
  63                         current_user.github_username = username
  64                         db.session.commit()
  65                         flash("Linked github to account", "success")
  66                         return redirect(url_for("homepage.home"))
  67                 else:
  68                         flash("Github account is already associated with another user", "danger")
  69                         return redirect(url_for("homepage.home"))
  70
  71         # If not logged in, log in
  72         else:
  73                 if userByGithub is None:
  74                         flash("Unable to find an account for that Github user", "danger")
  75                         return redirect(url_for("users.claim"))
  76                 elif loginUser(userByGithub):
  77                         if not current_user.hasPassword():
  78                                 return redirect(next_url or url_for("users.set_password", optional=True))
  79                         else:
  80                                 return redirect(next_url or url_for("homepage.home"))
  81                 else:
  82                         flash("Authorization failed [err=gh-login-failed]", "danger")
  83                         return redirect(url_for("user.login"))
  84
  85
  86 @bp.route("/github/webhook/", methods=["POST"])
  87 @csrf.exempt
  88 def webhook():
  89         json = request.json
  90
  91         # Get package
  92         github_url = "github.com/" + json["repository"]["full_name"]
  93         package = Package.query.filter(Package.repo.like("%{}%".format(github_url))).first()
  94         if package is None:
  95                 return error(400, "Unknown package")
  96
  97         # Get all tokens for package
  98         possible_tokens = APIToken.query.filter_by(package=package).all()
  99         actual_token = None
 100
 101         #
 102         # Check signature
 103         #
 104
 105         header_signature = request.headers.get('X-Hub-Signature')
 106         if header_signature is None:
 107                 return error(403, "Expected payload signature")
 108
 109         sha_name, signature = header_signature.split('=')
 110         if sha_name != 'sha1':
 111                 return error(403, "Expected SHA1 payload signature")
 112
 113         for token in possible_tokens:
 114                 mac = hmac.new(token.access_token.encode("utf-8"), msg=request.data, digestmod='sha1')
 115
 116                 if hmac.compare_digest(str(mac.hexdigest()), signature):
 117                         actual_token = token
 118                         break
 119
 120         if actual_token is None:
 121                 return error(403, "Invalid authentication")
 122
 123         if not package.checkPerm(actual_token.owner, Permission.APPROVE_RELEASE):
 124                 return error(403, "Only trusted members can use webhooks")
 125
 126         #
 127         # Check event
 128         #
 129
 130         event = request.headers.get("X-GitHub-Event")
 131         if event == "push":
 132                 ref = json["after"]
 133                 title = json["head_commit"]["message"].partition("\n")[0]
 134         elif event == "create" and json["ref_type"] == "tag":
 135                 ref = json["ref"]
 136                 title = ref
 137         elif event == "ping":
 138                 return jsonify({ "success": True, "message": "Ping successful" })
 139         else:
 140                 return error(400, "Unsupported event. Only 'push', `create:tag`, and 'ping' are supported.")
 141
 142         #
 143         # Perform release
 144         #
 145
 146         return handleCreateRelease(actual_token, package, title, ref)
 147
 148
 149 class SetupWebhookForm(FlaskForm):
 150         event   = SelectField("Event Type", choices=[('create', 'New tag or GitHub release'), ('push', 'Push')])
 151         submit  = SubmitField("Save")
 152
 153
 154 @bp.route("/github/callback/webhook/")
 155 @github.authorized_handler
 156 def callback_webhook(oauth_token=None):
 157         pid = request.args.get("pid")
 158         if pid is None:
 159                 abort(404)
 160
 161         current_user.github_access_token = oauth_token
 162         db.session.commit()
 163
 164         return redirect(url_for("github.setup_webhook", pid=pid))
 165
 166
 167 @bp.route("/github/webhook/new/", methods=["GET", "POST"])
 168 @login_required
 169 def setup_webhook():
 170         pid = request.args.get("pid")
 171         if pid is None:
 172                 abort(404)
 173
 174         package = Package.query.get(pid)
 175         if package is None:
 176                 abort(404)
 177
 178         if not package.checkPerm(current_user, Permission.APPROVE_RELEASE):
 179                 flash("Only trusted members can use webhooks", "danger")
 180                 return redirect(package.getDetailsURL())
 181
 182         gh_user, gh_repo = package.getGitHubFullName()
 183         if gh_user is None or gh_repo is None:
 184                 flash("Unable to get Github full name from repo address", "danger")
 185                 return redirect(package.getDetailsURL())
 186
 187         if current_user.github_access_token is None:
 188                 return github.authorize("write:repo_hook", \
 189                         redirect_uri=abs_url_for("github.callback_webhook", pid=pid))
 190
 191         form = SetupWebhookForm(formdata=request.form)
 192         if request.method == "POST" and form.validate():
 193                 token = APIToken()
 194                 token.name = "GitHub Webhook for " + package.title
 195                 token.owner = current_user
 196                 token.access_token = randomString(32)
 197                 token.package = package
 198
 199                 event = form.event.data
 200                 if event != "push" and event != "create":
 201                         abort(500)
 202
 203                 if handleMakeWebhook(gh_user, gh_repo, package, \
 204                                 current_user.github_access_token, event, token):
 205                         flash("Successfully created webhook", "success")
 206                         return redirect(package.getDetailsURL())
 207                 else:
 208                         return redirect(url_for("github.setup_webhook", pid=package.id))
 209
 210         return render_template("github/setup_webhook.html", \
 211                 form=form, package=package)
 212
 213
 214 def handleMakeWebhook(gh_user, gh_repo, package, oauth, event, token):
 215         url = "https://api.github.com/repos/{}/{}/hooks".format(gh_user, gh_repo)
 216         headers = {
 217                 "Authorization": "token " + oauth
 218         }
 219         data = {
 220                 "name": "web",
 221                 "active": True,
 222                 "events": [event],
 223                 "config": {
 224                         "url": abs_url_for("github.webhook"),
 225                         "content_type": "json",
 226                         "secret": token.access_token
 227                 },
 228         }
 229
 230         # First check that the webhook doesn't already exist
 231         r = requests.get(url, headers=headers)
 232
 233         if r.status_code == 401 or r.status_code == 403:
 234                 current_user.github_access_token = None
 235                 db.session.commit()
 236                 return False
 237
 238         if r.status_code != 200:
 239                 flash("Failed to create webhook, received response from Github " +
 240                         str(r.status_code) + ": " +
 241                         str(r.json().get("message")), "danger")
 242                 return False
 243
 244         for hook in r.json():
 245                 if hook.get("config") and hook["config"].get("url") and \
 246                                 hook["config"]["url"] == data["config"]["url"]:
 247                         flash("Failed to create webhook, as it already exists", "danger")
 248                         return False
 249
 250
 251         # Create it
 252         r = requests.post(url, headers=headers, data=json.dumps(data))
 253
 254         if r.status_code == 201:
 255                 db.session.add(token)
 256                 db.session.commit()
 257
 258                 return True
 259
 260         elif r.status_code == 401 or r.status_code == 403:
 261                 current_user.github_access_token = None
 262                 db.session.commit()
 263
 264                 return False
 265
 266         else:
 267                 flash("Failed to create webhook, received response from Github " +
 268                         str(r.status_code) + ": " +
 269                         str(r.json().get("message")), "danger")
 270                 return False