Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace hook IP address validation with signature check #204

Merged
merged 1 commit into from
Jul 30, 2019
Merged

Replace hook IP address validation with signature check #204

merged 1 commit into from
Jul 30, 2019

Conversation

HebaruSan
Copy link
Contributor

@HebaruSan HebaruSan commented Jul 30, 2019
edited
Loading

Background

We are trying to set up a comfortable environment for development and testing, overall notes here:

https://github.com/KSP-SpaceDock/SpaceDock/wiki/Migration-notes-and-tasks

We already have branches and servers set up for alpha and beta. The last remaining piece is the automatic redeployment.

Problem

SpaceDock inherited a mechanism to restart itself via a web hook from KerbalStuff:

SpaceDock/KerbalStuff/app.py

Lines 126 to 149 in e537e22

@app.route('/hook', methods=['POST'])
def hook_publish():
allow = False
for ip in _cfg("hook_ips").split(","):
parts = ip.split("/")
range = 32
if len(parts) != 1:
range = int(parts[1])
addr = networkMask(parts[0], range)
if addressInNetwork(dottedQuadToNum(request.remote_addr), addr):
allow = True
if not allow:
return "unauthorized", 403
# Pull and restart site
event = json.loads(request.data.decode("utf-8"))
if not _cfg("hook_repository") == "%s/%s" % (event["repository"]["owner"]["name"], event["repository"]["name"]):
return "ignored"
if any("[noupdate]" in c["message"] for c in event["commits"]):
return "ignored"
if "refs/heads/" + _cfg("hook_branch") == event["ref"]:
subprocess.call(["git", "pull", "origin", "master"])
subprocess.Popen(_cfg("restart_command").split())
return "thanks"
return "ignored"

We have done our best to set this up. #203 and #195 were merged for testing and the hook fired:

10.150.1.9 - - [29/Jul/2019:23:04:53 +0000] "POST /hook/ HTTP/1.1" 404 195094 "-" "GitHub-Hookshot/20c7c42"

However, no pull or restart was done.

Cause

I believe this is because 10.150.1.9 (presumably the reverse proxy) does not match the IP addresses that are considered to be trusted GitHub addresses:

# Configure these to determine who can send GitHub-style hook notifications to the site
# to configure an automatic redeployment. Defaults to trusting GitHub and localhost.
hook_ips = 185.199.108.0/22,140.82.112.0/20,192.30.252.0/22,127.0.0.1

Since everything goes through the reverse proxy, adding it to that setting would enable everyone to trigger the hook whenever they liked, so that won't work. We need a better way of authenticating the web hook.

Changes

If you set a secret string in your web hook, GitHub will use it to sign outgoing messages in the X-Hub-Signature header:

Now SpaceDock supports this via a hook_secret setting in config.ini. The IP address setting is removed (it was just a bad approach).

After this is merged and pulled to the alpha server, the same secret string should be set in the web hook configuration on GitHub and in the config.ini file on the alpha server. Then we will need to merge a PR to test it.

@HebaruSan HebaruSan requested a review from V1TA5 July 30, 2019 00:50
@V1TA5 V1TA5 merged commit 684cac3 into KSP-SpaceDock:alpha Jul 30, 2019
@HebaruSan HebaruSan mentioned this pull request Aug 8, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@V1TA5 V1TA5 Awaiting requested review from V1TA5

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@HebaruSan @V1TA5