2020-07-12 17:34:25 +02:00
|
|
|
# ContentDB
|
2021-01-30 17:59:42 +01:00
|
|
|
# Copyright (C) 2018-21 rubenwardy
|
2018-05-17 16:18:20 +02:00
|
|
|
#
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
2021-01-30 17:59:42 +01:00
|
|
|
# it under the terms of the GNU Affero General Public License as published by
|
2018-05-17 16:18:20 +02:00
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
2021-01-30 17:59:42 +01:00
|
|
|
# GNU Affero General Public License for more details.
|
2018-05-17 16:18:20 +02:00
|
|
|
#
|
2021-01-30 17:59:42 +01:00
|
|
|
# You should have received a copy of the GNU Affero General Public License
|
2018-05-17 16:18:20 +02:00
|
|
|
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
|
2024-03-06 00:59:30 +01:00
|
|
|
import datetime
|
|
|
|
|
2023-10-31 19:45:24 +01:00
|
|
|
from flask import Blueprint, abort
|
2022-01-07 22:46:16 +01:00
|
|
|
from flask_babel import gettext
|
2018-05-17 16:18:20 +02:00
|
|
|
|
2020-01-24 19:15:09 +01:00
|
|
|
bp = Blueprint("github", __name__)
|
|
|
|
|
2021-01-26 17:22:13 +01:00
|
|
|
from flask import redirect, url_for, request, flash, jsonify, current_app
|
|
|
|
from flask_login import current_user
|
2024-03-30 17:52:17 +01:00
|
|
|
from sqlalchemy import or_, and_
|
2020-01-24 22:39:35 +01:00
|
|
|
from app import github, csrf
|
2023-03-18 15:22:39 +01:00
|
|
|
from app.models import db, User, APIToken, Package, Permission, AuditSeverity, PackageState
|
2023-10-31 19:45:24 +01:00
|
|
|
from app.utils import abs_url_for, add_audit_log, login_user_set_active, is_safe_url
|
2021-02-02 01:07:41 +01:00
|
|
|
from app.blueprints.api.support import error, api_create_vcs_release
|
2021-01-26 17:22:13 +01:00
|
|
|
import hmac, requests
|
2018-03-18 19:05:53 +01:00
|
|
|
|
2023-10-31 19:45:24 +01:00
|
|
|
|
2020-01-24 19:15:09 +01:00
|
|
|
@bp.route("/github/start/")
|
|
|
|
def start():
|
2023-10-31 19:45:24 +01:00
|
|
|
next = request.args.get("next")
|
|
|
|
if next and not is_safe_url(next):
|
|
|
|
abort(400)
|
|
|
|
|
|
|
|
return github.authorize("", redirect_uri=abs_url_for("github.callback", next=next))
|
|
|
|
|
2018-03-18 19:05:53 +01:00
|
|
|
|
2020-01-30 22:39:51 +01:00
|
|
|
@bp.route("/github/view/")
|
|
|
|
def view_permissions():
|
|
|
|
url = "https://github.com/settings/connections/applications/" + \
|
|
|
|
current_app.config["GITHUB_CLIENT_ID"]
|
|
|
|
return redirect(url)
|
|
|
|
|
2023-06-18 23:21:37 +02:00
|
|
|
|
2020-01-24 22:39:35 +01:00
|
|
|
@bp.route("/github/callback/")
|
2018-03-18 19:05:53 +01:00
|
|
|
@github.authorized_handler
|
2020-01-24 19:15:09 +01:00
|
|
|
def callback(oauth_token):
|
2018-03-18 19:05:53 +01:00
|
|
|
if oauth_token is None:
|
2022-01-07 22:46:16 +01:00
|
|
|
flash(gettext("Authorization failed [err=gh-oauth-login-failed]"), "danger")
|
2020-12-04 23:05:10 +01:00
|
|
|
return redirect(url_for("users.login"))
|
2018-03-18 19:05:53 +01:00
|
|
|
|
2023-10-31 19:45:24 +01:00
|
|
|
next = request.args.get("next")
|
|
|
|
if next and not is_safe_url(next):
|
|
|
|
abort(400)
|
|
|
|
|
|
|
|
redirect_to = next
|
|
|
|
if redirect_to is None:
|
|
|
|
redirect_to = url_for("homepage.home")
|
|
|
|
|
2023-06-18 23:07:46 +02:00
|
|
|
# Get GitGub username
|
2018-03-18 19:05:53 +01:00
|
|
|
url = "https://api.github.com/user"
|
|
|
|
r = requests.get(url, headers={"Authorization": "token " + oauth_token})
|
2024-03-30 17:52:17 +01:00
|
|
|
json = r.json()
|
|
|
|
user_id = json["id"]
|
|
|
|
username = json["login"]
|
2024-03-30 18:06:32 +01:00
|
|
|
if type(user_id) is not int:
|
|
|
|
abort(400)
|
2018-03-18 19:05:53 +01:00
|
|
|
|
2024-03-30 17:52:17 +01:00
|
|
|
# Get user by GitHub user ID
|
2024-03-30 18:06:32 +01:00
|
|
|
userByGithub = User.query.filter(User.github_user_id == user_id).one_or_none()
|
2018-03-18 19:05:53 +01:00
|
|
|
|
|
|
|
# If logged in, connect
|
|
|
|
if current_user and current_user.is_authenticated:
|
|
|
|
if userByGithub is None:
|
|
|
|
current_user.github_username = username
|
2024-03-30 17:52:17 +01:00
|
|
|
current_user.github_user_id = user_id
|
2018-03-18 19:05:53 +01:00
|
|
|
db.session.commit()
|
2022-01-20 02:28:50 +01:00
|
|
|
flash(gettext("Linked GitHub to account"), "success")
|
2023-10-31 19:45:24 +01:00
|
|
|
return redirect(redirect_to)
|
2024-03-30 17:52:17 +01:00
|
|
|
elif userByGithub == current_user:
|
|
|
|
return redirect(redirect_to)
|
2018-03-18 19:05:53 +01:00
|
|
|
else:
|
2024-04-08 00:17:34 +02:00
|
|
|
flash(gettext("GitHub account is already associated with another user: %(username)s",
|
|
|
|
username=userByGithub.username), "danger")
|
2023-10-31 19:45:24 +01:00
|
|
|
return redirect(redirect_to)
|
2018-03-18 19:05:53 +01:00
|
|
|
|
|
|
|
# If not logged in, log in
|
|
|
|
else:
|
|
|
|
if userByGithub is None:
|
2022-01-20 02:28:50 +01:00
|
|
|
flash(gettext("Unable to find an account for that GitHub user"), "danger")
|
2020-12-22 11:58:43 +01:00
|
|
|
return redirect(url_for("users.claim_forums"))
|
2020-12-09 21:38:36 +01:00
|
|
|
|
2023-10-31 19:45:24 +01:00
|
|
|
ret = login_user_set_active(userByGithub, next, remember=True)
|
2021-07-20 00:04:40 +02:00
|
|
|
if ret is None:
|
2022-01-07 22:46:16 +01:00
|
|
|
flash(gettext("Authorization failed [err=gh-login-failed]"), "danger")
|
2020-12-04 23:05:10 +01:00
|
|
|
return redirect(url_for("users.login"))
|
2020-01-24 22:39:35 +01:00
|
|
|
|
2023-06-19 22:27:49 +02:00
|
|
|
add_audit_log(AuditSeverity.USER, userByGithub, "Logged in using GitHub OAuth",
|
2023-10-31 19:45:24 +01:00
|
|
|
url_for("users.profile", username=userByGithub.username))
|
2021-07-20 00:04:40 +02:00
|
|
|
db.session.commit()
|
|
|
|
return ret
|
|
|
|
|
2020-01-24 22:39:35 +01:00
|
|
|
|
|
|
|
@bp.route("/github/webhook/", methods=["POST"])
|
|
|
|
@csrf.exempt
|
|
|
|
def webhook():
|
|
|
|
json = request.json
|
|
|
|
|
|
|
|
# Get package
|
|
|
|
github_url = "github.com/" + json["repository"]["full_name"]
|
2023-03-18 15:22:39 +01:00
|
|
|
package = Package.query.filter(
|
|
|
|
Package.repo.ilike("%{}%".format(github_url)), Package.state != PackageState.DELETED).first()
|
2020-01-24 22:39:35 +01:00
|
|
|
if package is None:
|
2020-06-03 17:32:39 +02:00
|
|
|
return error(400, "Could not find package, did you set the VCS repo in CDB correctly? Expected {}".format(github_url))
|
2020-01-24 22:39:35 +01:00
|
|
|
|
|
|
|
# Get all tokens for package
|
2020-04-11 16:24:44 +02:00
|
|
|
tokens_query = APIToken.query.filter(or_(APIToken.package==package,
|
2023-03-29 11:58:09 +02:00
|
|
|
and_(APIToken.package==None, APIToken.owner==package.author)))
|
2020-04-11 16:24:44 +02:00
|
|
|
|
|
|
|
possible_tokens = tokens_query.all()
|
2020-01-24 22:39:35 +01:00
|
|
|
actual_token = None
|
|
|
|
|
|
|
|
#
|
|
|
|
# Check signature
|
|
|
|
#
|
|
|
|
|
|
|
|
header_signature = request.headers.get('X-Hub-Signature')
|
|
|
|
if header_signature is None:
|
|
|
|
return error(403, "Expected payload signature")
|
|
|
|
|
|
|
|
sha_name, signature = header_signature.split('=')
|
|
|
|
if sha_name != 'sha1':
|
|
|
|
return error(403, "Expected SHA1 payload signature")
|
|
|
|
|
|
|
|
for token in possible_tokens:
|
|
|
|
mac = hmac.new(token.access_token.encode("utf-8"), msg=request.data, digestmod='sha1')
|
|
|
|
|
|
|
|
if hmac.compare_digest(str(mac.hexdigest()), signature):
|
|
|
|
actual_token = token
|
|
|
|
break
|
|
|
|
|
|
|
|
if actual_token is None:
|
2020-04-11 16:24:44 +02:00
|
|
|
return error(403, "Invalid authentication, couldn't validate API token")
|
2020-01-24 22:39:35 +01:00
|
|
|
|
2023-06-18 22:56:19 +02:00
|
|
|
if not package.check_perm(actual_token.owner, Permission.APPROVE_RELEASE):
|
2020-04-21 20:27:34 +02:00
|
|
|
return error(403, "You do not have the permission to approve releases")
|
2020-01-25 01:04:56 +01:00
|
|
|
|
2020-01-24 22:39:35 +01:00
|
|
|
#
|
|
|
|
# Check event
|
|
|
|
#
|
|
|
|
|
|
|
|
event = request.headers.get("X-GitHub-Event")
|
|
|
|
if event == "push":
|
|
|
|
ref = json["after"]
|
2024-03-06 00:59:30 +01:00
|
|
|
title = datetime.datetime.utcnow().strftime("%Y-%m-%d") + " " + ref[:5]
|
2021-03-07 15:47:27 +01:00
|
|
|
branch = json["ref"].replace("refs/heads/", "")
|
|
|
|
if branch not in [ "master", "main" ]:
|
|
|
|
return jsonify({ "success": False, "message": "Webhook ignored, as it's not on the master/main branch" })
|
|
|
|
|
2021-12-12 18:20:23 +01:00
|
|
|
elif event == "create":
|
|
|
|
ref_type = json.get("ref_type")
|
|
|
|
if ref_type != "tag":
|
|
|
|
return jsonify({
|
|
|
|
"success": False,
|
|
|
|
"message": "Webhook ignored, as it's a non-tag create event. ref_type='{}'.".format(ref_type)
|
|
|
|
})
|
|
|
|
|
2020-01-25 02:14:01 +01:00
|
|
|
ref = json["ref"]
|
|
|
|
title = ref
|
2021-12-12 18:20:23 +01:00
|
|
|
|
2020-01-25 00:19:06 +01:00
|
|
|
elif event == "ping":
|
|
|
|
return jsonify({ "success": True, "message": "Ping successful" })
|
2021-12-12 18:20:23 +01:00
|
|
|
|
2020-01-24 22:39:35 +01:00
|
|
|
else:
|
2021-12-12 18:20:23 +01:00
|
|
|
return error(400, "Unsupported event: '{}'. Only 'push', 'create:tag', and 'ping' are supported."
|
|
|
|
.format(event or "null"))
|
2020-01-24 22:39:35 +01:00
|
|
|
|
|
|
|
#
|
|
|
|
# Perform release
|
|
|
|
#
|
|
|
|
|
2021-02-04 20:54:26 +01:00
|
|
|
if package.releases.filter_by(commit_hash=ref).count() > 0:
|
|
|
|
return
|
|
|
|
|
2021-02-02 01:07:41 +01:00
|
|
|
return api_create_vcs_release(actual_token, package, title, ref, reason="Webhook")
|