2018-05-17 16:18:20 +02:00
|
|
|
# Content DB
|
|
|
|
# Copyright (C) 2018 rubenwardy
|
|
|
|
#
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
|
2020-01-24 19:15:09 +01:00
|
|
|
from flask import Blueprint
|
2018-05-17 16:18:20 +02:00
|
|
|
|
2020-01-24 19:15:09 +01:00
|
|
|
bp = Blueprint("github", __name__)
|
|
|
|
|
2020-01-24 22:39:35 +01:00
|
|
|
from flask import redirect, url_for, request, flash, abort
|
2020-01-24 19:15:09 +01:00
|
|
|
from flask_user import current_user
|
2018-05-23 19:22:41 +02:00
|
|
|
from sqlalchemy import func
|
2018-03-18 19:05:53 +01:00
|
|
|
from flask_github import GitHub
|
2020-01-24 22:39:35 +01:00
|
|
|
from app import github, csrf
|
|
|
|
from app.models import db, User, APIToken, Package
|
2018-05-15 20:35:59 +02:00
|
|
|
from app.utils import loginUser
|
2020-01-24 22:39:35 +01:00
|
|
|
from app.blueprints.api.support import error, handleCreateRelease
|
|
|
|
import hmac
|
2018-03-18 19:05:53 +01:00
|
|
|
|
2020-01-24 19:15:09 +01:00
|
|
|
@bp.route("/github/start/")
|
|
|
|
def start():
|
2018-03-21 23:05:32 +01:00
|
|
|
return github.authorize("")
|
2018-03-18 19:05:53 +01:00
|
|
|
|
2020-01-24 22:39:35 +01:00
|
|
|
@bp.route("/github/callback/")
|
2018-03-18 19:05:53 +01:00
|
|
|
@github.authorized_handler
|
2020-01-24 19:15:09 +01:00
|
|
|
def callback(oauth_token):
|
2018-03-21 23:03:37 +01:00
|
|
|
next_url = request.args.get("next")
|
2018-03-18 19:05:53 +01:00
|
|
|
if oauth_token is None:
|
|
|
|
flash("Authorization failed [err=gh-oauth-login-failed]", "danger")
|
|
|
|
return redirect(url_for("user.login"))
|
|
|
|
|
|
|
|
import requests
|
|
|
|
|
|
|
|
# Get Github username
|
|
|
|
url = "https://api.github.com/user"
|
|
|
|
r = requests.get(url, headers={"Authorization": "token " + oauth_token})
|
|
|
|
username = r.json()["login"]
|
|
|
|
|
|
|
|
# Get user by github username
|
2018-05-23 19:22:41 +02:00
|
|
|
userByGithub = User.query.filter(func.lower(User.github_username) == func.lower(username)).first()
|
2018-03-18 19:05:53 +01:00
|
|
|
|
|
|
|
# If logged in, connect
|
|
|
|
if current_user and current_user.is_authenticated:
|
|
|
|
if userByGithub is None:
|
|
|
|
current_user.github_username = username
|
|
|
|
db.session.commit()
|
2018-07-30 01:42:11 +02:00
|
|
|
flash("Linked github to account", "success")
|
2019-11-21 20:38:26 +01:00
|
|
|
return redirect(url_for("homepage.home"))
|
2018-03-18 19:05:53 +01:00
|
|
|
else:
|
|
|
|
flash("Github account is already associated with another user", "danger")
|
2019-11-21 20:38:26 +01:00
|
|
|
return redirect(url_for("homepage.home"))
|
2018-03-18 19:05:53 +01:00
|
|
|
|
|
|
|
# If not logged in, log in
|
|
|
|
else:
|
|
|
|
if userByGithub is None:
|
2020-01-24 19:15:09 +01:00
|
|
|
flash("Unable to find an account for that Github user", "danger")
|
2019-11-16 00:51:42 +01:00
|
|
|
return redirect(url_for("users.claim"))
|
2018-05-13 16:28:27 +02:00
|
|
|
elif loginUser(userByGithub):
|
2020-01-19 20:48:41 +01:00
|
|
|
if not current_user.hasPassword():
|
2019-11-16 00:51:42 +01:00
|
|
|
return redirect(next_url or url_for("users.set_password", optional=True))
|
2018-06-04 19:49:42 +02:00
|
|
|
else:
|
2019-11-21 20:38:26 +01:00
|
|
|
return redirect(next_url or url_for("homepage.home"))
|
2018-03-18 19:05:53 +01:00
|
|
|
else:
|
|
|
|
flash("Authorization failed [err=gh-login-failed]", "danger")
|
|
|
|
return redirect(url_for("user.login"))
|
2020-01-24 22:39:35 +01:00
|
|
|
|
|
|
|
|
|
|
|
@bp.route("/github/webhook/", methods=["POST"])
|
|
|
|
@csrf.exempt
|
|
|
|
def webhook():
|
|
|
|
json = request.json
|
|
|
|
|
|
|
|
# Get package
|
|
|
|
github_url = "github.com/" + json["repository"]["full_name"]
|
|
|
|
package = Package.query.filter(Package.repo.like("%{}%".format(github_url))).first()
|
|
|
|
if package is None:
|
|
|
|
return error(400, "Unknown package")
|
|
|
|
|
|
|
|
# Get all tokens for package
|
|
|
|
possible_tokens = APIToken.query.filter_by(package=package).all()
|
|
|
|
actual_token = None
|
|
|
|
|
|
|
|
#
|
|
|
|
# Check signature
|
|
|
|
#
|
|
|
|
|
|
|
|
header_signature = request.headers.get('X-Hub-Signature')
|
|
|
|
if header_signature is None:
|
|
|
|
return error(403, "Expected payload signature")
|
|
|
|
|
|
|
|
sha_name, signature = header_signature.split('=')
|
|
|
|
if sha_name != 'sha1':
|
|
|
|
return error(403, "Expected SHA1 payload signature")
|
|
|
|
|
|
|
|
for token in possible_tokens:
|
|
|
|
mac = hmac.new(token.access_token.encode("utf-8"), msg=request.data, digestmod='sha1')
|
|
|
|
|
|
|
|
if hmac.compare_digest(str(mac.hexdigest()), signature):
|
|
|
|
actual_token = token
|
|
|
|
break
|
|
|
|
|
|
|
|
if actual_token is None:
|
|
|
|
return error(403, "Invalid authentication")
|
|
|
|
|
|
|
|
#
|
|
|
|
# Check event
|
|
|
|
#
|
|
|
|
|
|
|
|
event = request.headers.get("X-GitHub-Event")
|
|
|
|
if event == "push":
|
|
|
|
title = json["head_commit"]["message"].partition("\n")[0]
|
|
|
|
ref = json["after"]
|
|
|
|
else:
|
|
|
|
return error(400, "Unknown event, expected 'push'")
|
|
|
|
|
|
|
|
#
|
|
|
|
# Perform release
|
|
|
|
#
|
|
|
|
|
|
|
|
return handleCreateRelease(actual_token, package, title, ref)
|