2019-02-01 17:26:47 +03:00
|
|
|
from flask import Flask, request, jsonify
|
|
|
|
|
import json
|
2019-05-21 01:46:02 +03:00
|
|
|
import hashlib
|
2019-02-01 17:26:47 +03:00
|
|
|
import hmac
|
2020-12-17 20:40:19 +03:00
|
|
|
from datetime import datetime
|
2021-01-20 00:23:56 +03:00
|
|
|
import jiralib
|
2021-01-27 23:22:46 +03:00
|
|
|
import threading
|
2019-02-01 17:26:47 +03:00
|
|
|
|
|
|
|
|
|
2021-02-02 00:17:35 +03:00
|
|
|
sync = None
|
|
|
|
|
repo_sync_interval = None
|
|
|
|
|
app = Flask(__name__)
|
|
|
|
|
sync_lock = threading.Lock()
|
|
|
|
|
last_repo_syncs = {}
|
|
|
|
|
secret = None
|
2019-02-01 17:26:47 +03:00
|
|
|
|
|
|
|
|
|
2021-07-26 20:18:41 +03:00
|
|
|
def run_server(
|
|
|
|
|
sync_object, webhook_secret, repository_sync_interval=60 * 60 * 24, port=5000
|
|
|
|
|
):
|
2021-02-02 00:17:35 +03:00
|
|
|
global sync
|
|
|
|
|
sync = sync_object
|
|
|
|
|
global secret
|
2021-07-26 20:18:41 +03:00
|
|
|
secret = webhook_secret.encode("utf-8")
|
2021-02-02 00:17:35 +03:00
|
|
|
global repo_sync_interval
|
|
|
|
|
repo_sync_interval = repository_sync_interval
|
|
|
|
|
app.run(port=port)
|
2020-12-17 20:40:19 +03:00
|
|
|
|
2021-07-26 20:18:41 +03:00
|
|
|
|
2020-12-12 01:39:39 +03:00
|
|
|
def auth_is_valid(signature, request_body):
|
2019-02-26 13:55:23 +03:00
|
|
|
if app.debug:
|
|
|
|
|
return True
|
|
|
|
|
return hmac.compare_digest(
|
2021-07-26 20:18:41 +03:00
|
|
|
signature.encode("utf-8"),
|
|
|
|
|
("sha256=" + hmac.new(secret, request_body, hashlib.sha256).hexdigest()).encode(
|
|
|
|
|
"utf-8"
|
|
|
|
|
),
|
2019-02-26 13:55:23 +03:00
|
|
|
)
|
2019-02-01 17:26:47 +03:00
|
|
|
|
|
|
|
|
|
2020-12-17 20:40:19 +03:00
|
|
|
@app.route("/jira", methods=["POST"])
|
|
|
|
|
def jira_webhook():
|
|
|
|
|
"""Handle POST requests coming from JIRA, and pass a translated request to GitHub"""
|
|
|
|
|
|
2021-07-26 20:18:41 +03:00
|
|
|
if not hmac.compare_digest(
|
|
|
|
|
request.args.get("secret_token", "").encode("utf-8"), secret
|
|
|
|
|
):
|
2020-12-18 20:00:10 +03:00
|
|
|
return jsonify({"code": 403, "error": "Unauthorized"}), 403
|
|
|
|
|
|
2021-11-03 08:24:36 +03:00
|
|
|
payload = json.loads(request.data.decode("utf-8"))
|
|
|
|
|
event = payload["webhookEvent"]
|
|
|
|
|
desc = payload["issue"]["fields"]["description"]
|
2021-05-10 12:55:20 +03:00
|
|
|
repo_id, _, _, _, _ = jiralib.parse_alert_info(desc)
|
2021-01-11 18:11:33 +03:00
|
|
|
|
2021-01-11 19:23:30 +03:00
|
|
|
app.logger.debug('Received JIRA webhook for event "{event}"'.format(event=event))
|
|
|
|
|
|
2021-01-27 23:22:46 +03:00
|
|
|
if repo_id is None:
|
2021-07-26 20:18:41 +03:00
|
|
|
app.logger.debug(
|
|
|
|
|
"Ignoring JIRA webhook for issue not related to a code scanning alert."
|
|
|
|
|
)
|
2021-01-11 18:11:33 +03:00
|
|
|
return jsonify({}), 200
|
2020-12-18 20:00:10 +03:00
|
|
|
|
2021-01-27 23:22:46 +03:00
|
|
|
with sync_lock:
|
|
|
|
|
# we only care about updates to issues
|
|
|
|
|
if event == jiralib.CREATE_EVENT:
|
|
|
|
|
sync.issue_created(desc)
|
|
|
|
|
elif event == jiralib.DELETE_EVENT:
|
|
|
|
|
sync.issue_deleted(desc)
|
|
|
|
|
elif event == jiralib.UPDATE_EVENT:
|
|
|
|
|
sync.issue_changed(desc)
|
|
|
|
|
else:
|
2021-07-26 20:18:41 +03:00
|
|
|
app.logger.debug(
|
|
|
|
|
'Ignoring JIRA webhook for event "{event}".'.format(event=event)
|
|
|
|
|
)
|
2021-01-27 23:22:46 +03:00
|
|
|
return jsonify({}), 200
|
2020-12-17 20:40:19 +03:00
|
|
|
|
|
|
|
|
return jsonify({}), 200
|
|
|
|
|
|
|
|
|
|
|
2020-12-12 01:39:39 +03:00
|
|
|
@app.route("/github", methods=["POST"])
|
|
|
|
|
def github_webhook():
|
2020-12-17 20:40:19 +03:00
|
|
|
"""
|
|
|
|
|
Handle POST requests coming from GitHub, and pass a translated request to JIRA
|
|
|
|
|
By default, flask runs in single-threaded mode, so we don't need to worry about
|
|
|
|
|
any race conditions.
|
|
|
|
|
"""
|
2019-02-01 17:26:47 +03:00
|
|
|
|
2021-07-26 20:18:41 +03:00
|
|
|
app.logger.debug(
|
|
|
|
|
'Received GITHUB webhook for event "{event}"'.format(
|
|
|
|
|
event=request.headers.get("X-GitHub-Event", "")
|
|
|
|
|
)
|
|
|
|
|
)
|
2021-01-11 19:23:30 +03:00
|
|
|
|
2021-07-26 20:18:41 +03:00
|
|
|
if not auth_is_valid(
|
|
|
|
|
request.headers.get("X-Hub-Signature-256", "not-provided"), request.data
|
|
|
|
|
):
|
2020-12-12 01:39:39 +03:00
|
|
|
return jsonify({"code": 403, "error": "Unauthorized"}), 403
|
2019-02-27 17:35:11 +03:00
|
|
|
|
2020-12-17 20:40:19 +03:00
|
|
|
# When creating a webhook, GitHub will send a 'ping' to check whether the
|
|
|
|
|
# instance is up. If we return a friendly code, the hook will mark as green in the UI.
|
|
|
|
|
if request.headers.get("X-GitHub-Event", "") == "ping":
|
|
|
|
|
return jsonify({}), 200
|
|
|
|
|
|
2021-02-02 00:17:35 +03:00
|
|
|
json_dict = request.get_json()
|
|
|
|
|
repo_id = json_dict.get("repository", {}).get("full_name")
|
|
|
|
|
transition = json_dict.get("action")
|
2021-01-21 13:51:16 +03:00
|
|
|
|
2021-01-20 19:33:27 +03:00
|
|
|
if request.headers.get("X-GitHub-Event", "") == "repository":
|
2021-07-26 20:18:41 +03:00
|
|
|
if transition == "deleted":
|
2021-01-27 23:22:46 +03:00
|
|
|
with sync_lock:
|
|
|
|
|
sync.sync_repo(repo_id)
|
2021-07-26 20:18:41 +03:00
|
|
|
return (
|
|
|
|
|
jsonify(
|
|
|
|
|
{
|
|
|
|
|
"code": 400,
|
|
|
|
|
"error": "Wrong event type: "
|
|
|
|
|
+ request.headers.get("X-GitHub-Event", ""),
|
|
|
|
|
}
|
|
|
|
|
),
|
|
|
|
|
400,
|
|
|
|
|
)
|
2021-01-20 19:33:27 +03:00
|
|
|
|
2020-12-12 01:39:39 +03:00
|
|
|
if request.headers.get("X-GitHub-Event", "") != "code_scanning_alert":
|
2021-07-26 20:18:41 +03:00
|
|
|
return (
|
|
|
|
|
jsonify(
|
|
|
|
|
{
|
|
|
|
|
"code": 400,
|
|
|
|
|
"error": "Wrong event type: "
|
|
|
|
|
+ request.headers.get("X-GitHub-Event", ""),
|
|
|
|
|
}
|
|
|
|
|
),
|
|
|
|
|
400,
|
|
|
|
|
)
|
2019-02-01 17:26:47 +03:00
|
|
|
|
2020-12-17 20:40:19 +03:00
|
|
|
alert = json_dict.get("alert")
|
|
|
|
|
alert_url = alert.get("html_url")
|
|
|
|
|
alert_num = alert.get("number")
|
|
|
|
|
|
|
|
|
|
# TODO: We might want to do the following asynchronously, as it could
|
|
|
|
|
# take time to do a full sync on a repo with many alerts / issues
|
2021-01-20 19:33:27 +03:00
|
|
|
last_sync = last_repo_syncs.get(repo_id, 0)
|
2020-12-17 20:40:19 +03:00
|
|
|
now = datetime.now().timestamp()
|
2021-02-02 00:17:35 +03:00
|
|
|
if now - last_sync >= repo_sync_interval:
|
2021-01-20 19:33:27 +03:00
|
|
|
last_repo_syncs[repo_id] = now
|
2021-01-27 23:22:46 +03:00
|
|
|
with sync_lock:
|
|
|
|
|
sync.sync_repo(repo_id)
|
2020-12-17 20:40:19 +03:00
|
|
|
|
2021-07-26 20:18:41 +03:00
|
|
|
app.logger.debug(
|
|
|
|
|
"Received GITHUB webhook {action} for {alert_url}".format(
|
|
|
|
|
action=transition, alert_url=alert_url
|
|
|
|
|
)
|
|
|
|
|
)
|
2019-02-25 20:52:05 +03:00
|
|
|
|
2020-12-12 01:39:39 +03:00
|
|
|
# we deal with each action type individually, showing the expected
|
|
|
|
|
# behaviour and response codes explicitly
|
2021-01-27 23:22:46 +03:00
|
|
|
with sync_lock:
|
|
|
|
|
if transition == "appeared_in_branch":
|
|
|
|
|
app.logger.debug('Nothing to do for "appeared_in_branch"')
|
|
|
|
|
elif transition == "created":
|
|
|
|
|
sync.alert_created(repo_id, alert_num)
|
|
|
|
|
elif transition in ["closed_by_user", "reopened_by_user", "reopened"]:
|
|
|
|
|
sync.alert_changed(repo_id, alert_num)
|
|
|
|
|
elif transition == "fixed":
|
|
|
|
|
sync.alert_fixed(repo_id, alert_num)
|
2021-01-20 19:33:27 +03:00
|
|
|
else:
|
2021-01-27 23:22:46 +03:00
|
|
|
# when the transition is not recognised, we return a bad request response
|
|
|
|
|
return (
|
2021-07-26 20:18:41 +03:00
|
|
|
jsonify(
|
|
|
|
|
{"code": 400, "error": "unknown transition type - %s" % transition}
|
|
|
|
|
),
|
2021-01-27 23:22:46 +03:00
|
|
|
400,
|
|
|
|
|
)
|
2020-12-17 20:40:19 +03:00
|
|
|
|
2021-01-27 23:22:46 +03:00
|
|
|
return jsonify({}), 200
|
