File Coverage

blib/lib/Dancer2/Plugin/Github/Webhook.pm
Criterion Covered Total %
statement 19 19 100.0
branch 4 4 100.0
condition 2 5 40.0
subroutine 5 5 100.0
pod 1 1 100.0
total 31 34 91.1


line stmt bran cond sub pod time code
1             package Dancer2::Plugin::Github::Webhook;
2              
3 2     2   355846 use strict;
  2         2  
  2         44  
4 2     2   6 use warnings;
  2         2  
  2         36  
5 2     2   968 use Dancer2::Plugin;
  2         62346  
  2         9  
6              
7             our $VERSION = '0.01';
8              
9             has secret => (
10             is => 'ro',
11             from_config => sub { return undef },
12             );
13              
14             plugin_keywords 'require_github_webhook_secret';
15              
16             =head1 NAME
17              
18             Dancer2::Plugin::Github::Webhook - Check Github Webhook secret
19              
20             =head1 DESCRIPTION
21              
22             This plugin can be used to verify if routes that are used as Github webhook payload URL
23             use the correct secret.
24              
25             =head1 SYNOPSIS
26              
27             Set the secret in your app configuration if you want it global:
28              
29             plugins:
30             Github::Webhook:
31             secret: '|8MVY)<[2Zh@!f39=
32              
33             Define that a route has to be correctly signed:
34              
35             post '/githubinfo' => require_github_webhook_secret sub { do_something_with_correctly_signed_payload(); };
36              
37             Define that a route has to be correctly signed with a specific secret.
38              
39             post '/otherwebhook' => require_github_webhook_secret 'KUksrZyREtM32mIPoxcV7Cqx' => sub {
40             do_something_with_correctly_signed_payload();
41             };
42              
43             post '/otherwebhook' => require_github_webhook_secret config->{githubwebhooks}->{otherwebhook} => sub {
44             do_something_with_correctly_signed_payload();
45             };
46              
47             =head1 CONTROLLING ACCESS TO ROUTES
48              
49             =head2 require_github_webhook_secret [ $secret ]
50              
51             post '/reload-app' => require_github_webhook_secret 'mysecret' => sub {
52             ...
53             };
54              
55             Only executes the route's sub if the payload is correctly signed. If no secret is given, we use the one
56             you configured in your config file (see above). If you need different secrets within your app, you can
57             provide it here or use on from the configuration file via C<< config->{anyconfigentry} >>.
58              
59             =cut
60              
61             sub require_github_webhook_secret {
62 4     4 1 10988 my $plugin = shift;
63 4         5 my $coderef = pop;
64 4   33     13 my $secret = shift || $plugin->secret() || $plugin->dsl->log( error => 'No secret given!' );
65              
66             return sub {
67 6 100   6   104801 my $x_hub_signature = $plugin->dsl->request_header('X-Hub-Signature')
68             or return $plugin->dsl->send_error( "No X-Hub-Signature found", 403 );
69              
70 5         541 require Digest::SHA;
71 5   50     13 my $calculated_signature = 'sha1=' . Digest::SHA::hmac_sha1_hex( $plugin->dsl->request->content // '', $secret );
72              
73 5 100       324 return $coderef->($plugin) if $x_hub_signature eq $calculated_signature;
74 2         5 $plugin->dsl->log( info => 'Github Webhook call not signed correctly: '
75             . $x_hub_signature
76             . ' (expected: '
77             . $calculated_signature
78             . ')' );
79 2         1388 $plugin->dsl->send_error( "Not allowed", 403 );
80 4         724 };
81             }
82              
83             =head1 AUTHOR
84              
85             Dominic Sonntag, C<< >>
86              
87             =head1 BUGS
88              
89             Please report any bugs or feature requests to C, or through
90             the web interface at L. I will be notified, and then you'll
91             automatically be notified of progress on your bug as I make changes.
92              
93              
94             =head1 SUPPORT
95              
96             You can find documentation for this module with the perldoc command.
97              
98             perldoc Dancer2::Plugin::Github::Webhook
99              
100              
101             If you want to contribute to this module, write me an email or create a
102             Pull request on Github: L
103              
104              
105             =head1 ACKNOWLEDGEMENTS
106              
107              
108             =head1 LICENSE AND COPYRIGHT
109              
110             Copyright 2016 Dominic Sonntag.
111              
112             This program is free software; you can redistribute it and/or modify it
113             under the terms of the the Artistic License (2.0). You may obtain a
114             copy of the full license at:
115              
116             L
117              
118             Any use, modification, and distribution of the Standard or Modified
119             Versions is governed by this Artistic License. By using, modifying or
120             distributing the Package, you accept this license. Do not use, modify,
121             or distribute the Package, if you do not accept this license.
122              
123             If your Modified Version has been derived from a Modified Version made
124             by someone other than you, you are nevertheless required to ensure that
125             your Modified Version complies with the requirements of this license.
126              
127             This license does not grant you the right to use any trademark, service
128             mark, tradename, or logo of the Copyright Holder.
129              
130             This license includes the non-exclusive, worldwide, free-of-charge
131             patent license to make, have made, use, offer to sell, sell, import and
132             otherwise transfer the Package with respect to any patent claims
133             licensable by the Copyright Holder that are necessarily infringed by the
134             Package. If you institute patent litigation (including a cross-claim or
135             counterclaim) against any party alleging that the Package constitutes
136             direct or contributory patent infringement, then this Artistic License
137             to you shall terminate on the date that such litigation is filed.
138              
139             Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER
140             AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
141             THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
142             PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY
143             YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR
144             CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR
145             CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE,
146             EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
147              
148              
149             =cut
150              
151             1; # End of Dancer2::Plugin::Github::Webhook