feat: implement x-hub/websub webhook validation (#15064) #15065
Fixes #15064
Motivation
This PR enhances webhook signature verification by implementing WebSub content distribution signature validation. This allows for an easy integration of platforms which implement it, such as Forgejo, Facebook, Shopify, and a lot more which are not supported by the webhooks library we currently use for validating GitHub/GitLab/Bitbucket webhooks.
A flag allows for validating base64-encoded signatures instead of hex-encoded ones, which is non-compliant with WebSub but seems to be widely used.
Modifications
A new validator x-hub has been implemented, which can accept configuration parameters detailed in webhooks.md, and some example configurations have been added to sample argo-workflows-webhook-clients. No current functionality has been affected, and some new tests have been written to verify the new functionality.
Verification
I've written tests covering the new features.
Documentation
docs/webhooks.md now explains how to use this feature, which should be clear to whoever needs it via docs and example secret.
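
An added example, not code from this PR or from Argo Workflows: a minimal Go check of a WebSub-style `X-Hub-Signature` value of the form `method=signature`, with the hex/base64 flag the description mentions. `VerifyXHub`, `Sign`, the `methods` table and the sample body and secret are hypothetical names and constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

// Digest methods WebSub allows in the signature header; anything else is rejected.
var methods = map[string]func() hash.Hash{
	"sha1": sha1.New, "sha256": sha256.New, "sha384": sha512.New384, "sha512": sha512.New,
}

// Sign builds "method=signature" for body (hypothetical helper for the sample below).
func Sign(method string, body, secret []byte, useBase64 bool) string {
	mac := hmac.New(methods[method], secret)
	mac.Write(body)
	if useBase64 {
		return method + "=" + base64.StdEncoding.EncodeToString(mac.Sum(nil))
	}
	return method + "=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifyXHub reports whether header is a valid HMAC over the raw, unparsed request body.
func VerifyXHub(header string, body, secret []byte, useBase64 bool) bool {
	method, sig, found := strings.Cut(header, "=")
	newHash, known := methods[method]
	decode := hex.DecodeString
	if useBase64 {
		decode = base64.StdEncoding.DecodeString
	}
	got, err := decode(sig)
	if !found || !known || err != nil {
		return false // no method prefix, unlisted digest, or undecodable signature
	}
	mac := hmac.New(newHash, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil)) // constant-time comparison
}

func main() {
	body, secret := []byte(`{"event":"push"}`), []byte("constructed-secret")
	fmt.Println(VerifyXHub(Sign("sha256", body, secret, false), body, secret, false))
}
```

The HMAC must be computed over the body bytes exactly as received, before any JSON decoding or re-serialisation, or valid deliveries will fail verification.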