Feature/webhook secret (#79)

* fix: Do not run triggers by default
* fix: Rename output file for Lambda deployment
* fix: Do not return stack on error
* feature: Add debug mode
* fix: Normalize lambda event headers
* feat: Add support for webhook secret
* fix: Update path variable name for Lambda
* fix: Update package lock file
* fix: Point tests to proper lambda handler file
* refactor: Failing early on the signature check

Author: radekk

config/main.json

@@ -34,9 +34,10 @@
     "lambdaEventObjectNotFound": "Invalid request, event not found",
     "githubTokenNotProvided": "GITHUB_TOKEN is not set",
     "jwtTokenNotProvided": "JWT_SECRET is not set",
-    "invalidReportID": "Report not found, invalid ID"
+    "invalidReportID": "Report not found, invalid ID",
+    "invalidWebhookSecret": "Webhook secret is not valid"
   },
-  "runTriggers": true,
+  "runTriggers": false,
   "triggerTextFormat": "mrkdwn",
   "triggerMessages": {
     "falsePositiveReported": ":warning: False positive reported (%s): %s",

config/webpack.js

@@ -60,7 +60,7 @@ const cliConfigLight = Object.assign({}, config, {
 
 const lambdaConfigFull = Object.assign({}, config, {
   entry: {
-    './awslambda': './src/index.js'
+    './index': './src/index.js'
   },
   output: {
     filename: '[name].js',
@@ -71,7 +71,7 @@ const lambdaConfigFull = Object.assign({}, config, {
 
 const lambdaConfigLight = Object.assign({}, config, {
   entry: {
-    './awslambda.light': './src/index.js'
+    './index.light': './src/index.js'
   },
   output: {
     filename: '[name].js',

package-lock.json

@@ -7,7 +7,7 @@
     "build": "rm ./dist/* 2> /dev/null; webpack --config config/webpack.js && npm run package",
     "cli": "node dist/cli.js",
     "lint": "eslint src/ config/ --quiet",
-    "package": "zip -j ./dist/awslambda.zip ./dist/awslambda.js",
+    "package": "zip -j ./dist/awslambda.zip ./dist/index.js",
     "test": "npm run lint && mocha",
     "validate": "npm run lint && npm outdated --depth 0",
     "watch": "./bin/webpack --config config/webpack.js --watch --bail --display-error-details"
@@ -28,6 +28,7 @@
   },
   "dependencies": {
     "@octokit/rest": "^16.43.2",
+    "@octokit/webhooks-methods": "^2.0.0",
     "acorn": "^5.7.3",
     "an-array-of-english-words": "^1.3.1",
     "handlebars": "^4.7.7",

package.json

@@ -67,12 +67,12 @@ module.exports = async (payload, event, github, viewer, res, isFalsePositiveRepo
     return Promise.resolve(res(SUCCESS_MESSAGE));
   } catch (e) {
     const httpCode = Number.isSafeInteger(e.status) ? e.status : http.STATUS_CODE.ERROR;
-    if (httpCode === 401) return res(e.stack, httpCode);
+    if (httpCode === 401) return res(e.message, httpCode);
 
     if (updateCIStatus) {
       status.setFailure(e.message);
     }
 
-    return res(e.stack, httpCode);
+    return res(e.message, httpCode);
   }
 };

src/dispatcher/index.js

@@ -6,9 +6,9 @@ module.exports = {
     if (!event.headers) return null;
 
     return url.format({
-      protocol: event.headers['X-Forwarded-Proto'],
-      host: event.headers.Host,
-      pathname: event.path
+      protocol: event.headers['x-forwarded-proto'],
+      host: event.headers.host,
+      pathname: event.rawPath
     }).replace(/\/+$/g, '');
   },
   getRepoURL: (owner, repo) => `${config.githubUrl}/${owner}/${repo}`,

src/helpers/url.js

@@ -10,17 +10,37 @@ const token = require('./helpers/jwt');
 
 const GITHUB_TOKEN = process.env.GITHUB_TOKEN;
 const JWT_SECRET = process.env.JWT_SECRET;
+const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;
+const DEBUG = process.env.DEBUG;
 
 const returnErrorResponse = message => Promise.resolve(http.response(message, http.STATUS_CODE.ERROR));
 
 async function lambda(event) {
+  if (DEBUG) console.log(event);
+
   if (!GITHUB_TOKEN) { return returnErrorResponse(config.responseMessages.githubTokenNotProvided); }
   if (!JWT_SECRET) { return returnErrorResponse(config.responseMessages.jwtTokenNotProvided); }
   if (!event) { return returnErrorResponse(config.responseMessages.lambdaEventObjectNotFound); }
 
   let requestBody;
   let requestParams = {};
 
+  /**
+   * It seems like there are two types of Event object headers naming conventions.
+   *
+   * REST Private API: Camel-Case
+   * REST Public API: lower-case
+   */
+  if (event.headers) {
+    const normalizedHeaders = {};
+
+    Object.keys(event.headers).forEach((id) => {
+      normalizedHeaders[id.toLowerCase()] = event.headers[id];
+    });
+
+    event.headers = normalizedHeaders;
+  }
+
   if (event.queryStringParameters) {
     requestParams = {
       isFalsePositiveReport: !!([1, '1', 'true', true].indexOf(event.queryStringParameters.false_positive) > -1),
@@ -81,6 +101,13 @@ async function lambda(event) {
   }
 
   if (config.pullRequests.allowedActions.indexOf(requestBody.action) > -1) {
+    if (WEBHOOK_SECRET && event.headers[service.HTTP_SIGNATURE_HEADER]) {
+      const signature = event.headers[service.HTTP_SIGNATURE_HEADER];
+      const isSigValid = await service.webhooks.verify(WEBHOOK_SECRET, event.body, signature);
+
+      if (!isSigValid) return returnErrorResponse(config.responseMessages.invalidWebhookSecret);
+    }
+
     return dispatcher(requestBody, event, service, view, http.response);
   }
 

src/index.js

@@ -1,4 +1,5 @@
 const Octokit = require('@octokit/rest').Octokit;
+const Webhook = require('@octokit/webhooks-methods');
 
 module.exports = (apiToken) => {
   const client = new Octokit({
@@ -9,5 +10,8 @@ module.exports = (apiToken) => {
     }
   });
 
+  client.webhooks = Webhook;
+  client.HTTP_SIGNATURE_HEADER = 'x-hub-signature-256';
+
   return client;
 };

src/lib/github/index.js

@@ -1,7 +1,7 @@
 /* eslint-disable object-shorthand */
 /* eslint-disable max-len */
 /* eslint-disable no-unused-expressions */
-const lambdaModule = './../../../dist/awslambda.light';
+const lambdaModule = './../../../dist/index.light';
 const handler = require(lambdaModule).handler;
 const config = require('./../../../config/main.json');
 const http = require('./../../../src/helpers/http');