using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using rubberduckvba.Server.Api.Admin;
using rubberduckvba.Server.Services;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
namespace rubberduckvba.Server;
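public class GitHubAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    /// <summary>Request header carrying the GitHub access token. Treat its value as a credential: never log it.</summary>
    private const string TokenHeader = "X-ACCESS-TOKEN";

    private readonly IGitHubClientService _github;

    public GitHubAuthenticationHandler(IGitHubClientService github,
        IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger, UrlEncoder encoder)
        : base(options, logger, encoder)
    {
        _github = github;
    }

    /// <summary>
    /// Authenticates a request that presents a GitHub access token in the <c>X-ACCESS-TOKEN</c> header
    /// by delegating validation to <see cref="IGitHubClientService.ValidateTokenAsync"/>.
    /// </summary>
    /// <returns>
    /// <see cref="AuthenticateResult.Success"/> with the validated principal under the <c>github</c> scheme,
    /// or <see cref="AuthenticateResult.NoResult"/> when the header is absent, blank, repeated, or the
    /// token does not validate (so other schemes in the pipeline may still run).
    /// </returns>
    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var values = Context.Request.Headers[TokenHeader];

        // Require exactly one header value. A repeated header must not throw (as SingleOrDefault would)
        // and surface as a 500 to the caller; it is simply not a usable credential.
        var token = values.Count == 1 ? values[0] : null;
        if (string.IsNullOrWhiteSpace(token))
        {
            return AuthenticateResult.NoResult();
        }

        var principal = await _github.ValidateTokenAsync(token);
        if (principal is not ClaimsPrincipal authenticated)
        {
            // Validation outcome is reported by the service; anything that is not a principal is unauthenticated.
            return AuthenticateResult.NoResult();
        }

        return AuthenticateResult.Success(new AuthenticationTicket(authenticated, "github"));
    }
}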
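public class WebhookAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    /// <summary>Prefix GitHub puts in front of the hex HMAC digest in <c>X-Hub-Signature-256</c>.</summary>
    private const string SignaturePrefix = "sha256=";

    private readonly ConfigurationOptions _configuration;

    public WebhookAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger, UrlEncoder encoder,
        ConfigurationOptions configuration)
        : base(options, logger, encoder)
    {
        _configuration = configuration;
    }

    /// <summary>
    /// Authenticates a GitHub webhook delivery. Only <c>push</c> events are considered; the delivery id must
    /// be a GUID, and the <c>X-Hub-Signature-256</c> header must carry the HMAC-SHA256 of the raw request
    /// body keyed with the configured webhook secret.
    /// </summary>
    /// <returns>
    /// <see cref="AuthenticateResult.Success"/> with a fixed <c>rubberduck-vba-releasebot</c> identity under the
    /// <c>webhook-signature</c> scheme, or <see cref="AuthenticateResult.NoResult"/> for anything that does not
    /// fully verify (the handler never throws for malformed or hostile input).
    /// </returns>
    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Only push events are authenticated by this scheme.
        if (!TryGetSingleHeader("X-GitHub-Event", out var eventName)
            || !string.Equals(eventName, "push", StringComparison.Ordinal))
        {
            return AuthenticateResult.NoResult();
        }

        // GitHub delivery ids are GUIDs; the parsed form is also safe to log, unlike a raw header.
        if (!TryGetSingleHeader("X-GitHub-Delivery", out var deliveryHeader)
            || !Guid.TryParse(deliveryHeader, out var deliveryId))
        {
            return AuthenticateResult.NoResult();
        }

        // Exactly one SHA-256 signature is required. The legacy SHA-1 X-Hub-Signature header is ignored.
        if (!TryGetSingleHeader("X-Hub-Signature-256", out var signature))
        {
            return AuthenticateResult.NoResult();
        }

        // The signature covers the raw body bytes, so read them as bytes rather than decoding to a string
        // (a lossy UTF-8 round-trip would break verification of otherwise valid payloads). Reading is async
        // because Kestrel rejects synchronous body reads by default, and the stream is buffered and rewound
        // so that the endpoint behind this handler can presumably still read the payload.
        var request = Context.Request;
        request.EnableBuffering();

        byte[] payload;
        using (var buffer = new MemoryStream())
        {
            await request.Body.CopyToAsync(buffer, Context.RequestAborted);
            payload = buffer.ToArray();
        }
        request.Body.Position = 0;

        var secret = _configuration.GitHubOptions.Value.WebhookToken;
        if (!IsValidSignature(signature, secret, payload))
        {
            // Worth a trace for detection: a well-formed push delivery whose signature does not verify
            // is either a misconfigured secret or a forged call.
            Logger.LogWarning("Webhook delivery {DeliveryId} rejected: X-Hub-Signature-256 did not verify.", deliveryId);
            return AuthenticateResult.NoResult();
        }

        var identity = new ClaimsIdentity("webhook", ClaimTypes.Name, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.Name, "rubberduck-vba-releasebot"));
        identity.AddClaim(new Claim(ClaimTypes.Role, "rubberduck-webhook"));
        identity.AddClaim(new Claim(ClaimTypes.Authentication, "webhook-signature"));

        var principal = new ClaimsPrincipal(identity);
        return AuthenticateResult.Success(new AuthenticationTicket(principal, "webhook-signature"));
    }

    /// <summary>
    /// Reads a request header that must be present exactly once. A missing or repeated header yields
    /// <c>false</c> instead of throwing, so hostile duplicates cannot turn into a 500.
    /// </summary>
    private bool TryGetSingleHeader(string name, out string value)
    {
        var values = Context.Request.Headers[name];
        if (values.Count == 1 && values[0] is { } single)
        {
            value = single;
            return true;
        }

        value = string.Empty;
        return false;
    }

    /// <summary>
    /// Verifies a GitHub <c>X-Hub-Signature-256</c> value: <c>sha256=</c> followed by the hex-encoded
    /// HMAC-SHA256 of <paramref name="payload"/> keyed with <paramref name="secret"/>.
    /// </summary>
    /// <param name="signature">Raw header value as sent by GitHub.</param>
    /// <param name="secret">Configured webhook secret; an empty or missing secret fails closed.</param>
    /// <param name="payload">Raw request body bytes.</param>
    /// <returns><c>true</c> only when the digest matches in constant time; any malformed input yields <c>false</c>.</returns>
    private static bool IsValidSignature(string? signature, string? secret, byte[] payload)
    {
        // No secret configured means nothing can be trusted: refuse rather than accept unsigned traffic.
        if (string.IsNullOrWhiteSpace(signature) || string.IsNullOrEmpty(secret))
        {
            return false;
        }

        if (!signature.StartsWith(SignaturePrefix, StringComparison.Ordinal))
        {
            return false;
        }

        byte[] provided;
        try
        {
            // Decoding the header (rather than hex-encoding our digest) avoids case-sensitivity pitfalls.
            provided = Convert.FromHexString(signature.AsSpan(SignaturePrefix.Length));
        }
        catch (FormatException)
        {
            return false;
        }

        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        var expected = hmac.ComputeHash(payload);

        // Constant-time comparison; also returns false on a length mismatch.
        return CryptographicOperations.FixedTimeEquals(provided, expected);
    }
}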