rjz
diff --git a/‎CONTRIBUTING.md
Lines changed: 16 additions & 0 deletions b/‎CONTRIBUTING.md
Lines changed: 16 additions & 0 deletions
diff --git a/‎LICENSE
Lines changed: 21 additions & 0 deletions b/‎LICENSE
Lines changed: 21 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 21 additions & 0 deletions b/‎README.md
Lines changed: 21 additions & 0 deletions
diff --git a/‎webhook.go
Lines changed: 69 additions & 0 deletions b/‎webhook.go
Lines changed: 69 additions & 0 deletions
diff --git a/‎webhook_test.go
Lines changed: 72 additions & 0 deletions b/‎webhook_test.go
Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,16 @@
+Contributing
+===============================================================================
+
+Have something to add? Feature requests, bug reports, and contributions are
+enormously welcome!
+
+  1. Fork this repo
+  2. Update the tests and implement the change
+  3. Submit a [pull request][github-pull-request]
+
+(hint: following the conventions in the [the code review
+checklist][code-review-checklist] will expedite review and merge)
+
+[github-pull-request]: help.github.com/pull-requests/
+[code-review-checklist]: https://github.com/rjz/code-review-checklist
+
@@ -0,0 +1,21 @@
+// MIT License
+
+Copyright (C) RJ Zaworski <rj@rjzaworski.com>
+
+Permission is hereby
8000
 granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
@@ -0,0 +1,21 @@
+githubhook
+===============================================
+
+Golang parser for [github webhooks][gh-webhook]. Not a server, though it could
+be integrated with one.
+
+Installation
+-----------------------------------------------
+
+    $ go get github.com/rjz/githubhook
+
+Usage
+-----------------------------------------------
+
+Given an incoming `*http.Request` representing a webhook signed with a `secret`,
+use `githubhook` to validate and parse its content:
+
+    secret := []byte("don't tell!")
+    hook, err := githubhook.Parse(secret, req)
+
+[gh-webhook]: https://developer.github.com/webhooks/
@@ -0,0 +1,69 @@
+package webhook
+
+import (
+	"crypto/hmac"
+	"crypto/sha1"
+	"encoding/hex"
+	"errors"
+	"io/ioutil"
+	"net/http"
+	"strings"
+)
+
+type Hook struct {
+	Signature string
+	Event     string
+	Id        string
+	Payload   []byte
+}
+
+func signBody(secret, body []byte) []byte {
+	computed := hmac.New(sha1.New, secret)
+	computed.Write(body)
+	return []byte(computed.Sum(nil))
+}
+
+func verifySignature(secret []byte, signature string, body []byte) bool {
+
+	const signaturePrefix = "sha1="
+	const signatureLength = 45 // len(SignaturePrefix) + len(hex(sha1))
+
+	if len(signature) != signatureLength || !strings.HasPrefix(signature, signaturePrefix) {
+		return false
+	}
+
+	actual := make([]byte, 20)
+	hex.Decode(actual, []byte(signature[5:]))
+
+	return hmac.Equal(signBody(secret, body), actual)
+}
+
+func Parse(secret []byte, req *http.Request) (*Hook, error) {
+	hook := Hook{}
+
+	if hook.Signature = req.Header.Get("x-hub-signature"); len(hook.Signature) == 0 {
+		return nil, errors.New("No signature!")
+	}
+
+	if hook.Event = req.Header.Get("x-github-event"); len(hook.Event) == 0 {
+		return nil, errors.New("No event!")
+	}
+
+	if hook.Id = req.Header.Get("x-github-delivery"); len(hook.Id) == 0 {
+		return nil, errors.New("No event Id!")
+	}
+
+	body, err := ioutil.ReadAll(req.Body)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if !verifySignature(secret, hook.Signature, body) {
+		return nil, errors.New("Invalid signature")
+	}
+
+	hook.Payload = body
+
+	return &hook, nil
+}
@@ -0,0 +1,72 @@
+package webhook
+
+import (
+	"crypto/hmac"
+	"crypto/sha1"
+	"encoding/hex"
+	"fmt"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+const testSecret = "foobar"
+
+func expectErrorMessage(t *testing.T, msg string, err error) {
+	if err == nil || err.Error() != msg {
+		t.Error(fmt.Sprintf("Expected '%s', got %s", msg, err))
+	}
+}
+
+func expectParseError(t *testing.T, msg string, r *http.Request) {
+	_, err := Parse([]byte(testSecret), r)
+	expectErrorMessage(t, msg, err)
+}
+
+func signature(body string) string {
+	dst := make([]byte, 40)
+	computed := hmac.New(sha1.New, []byte(testSecret))
+	computed.Write([]byte(body))
+	hex.Encode(dst, computed.Sum(nil))
+	return "sha1=" + string(dst)
+}
+
+func TestMissingSignature(t *testing.T) {
+	r, _ := http.NewRequest("GET", "/path", nil)
+	expectParseError(t, "No signature!", r)
+}
+
+func TestMissingEvent(t *testing.T) {
+	r, _ := http.NewRequest("GET", "/path", nil)
+	r.Header.Add("x-hub-signature", "bogus signature")
+	expectParseError(t, "No event!", r)
+}
+
+func TestMissingEventId(t *testing.T) {
+	r, _ := http.NewRequest("GET", "/path", nil)
+	r.Header.Add("x-hub-signature", "bogus signature")
+	r.Header.Add("x-github-event", "bogus event")
+	expectParseError(t, "No event Id!", r)
+}
+
+func TestInvalidSignature(t *testing.T) {
+	r, _ := http.NewRequest("GET", "/path", strings.NewReader("..."))
+	r.Header.Add("x-hub-signature", "bogus signature")
+	r.Header.Add("x-github-event", "bogus event")
+	r.Header.Add("x-github-delivery", "bogus id")
+	expectParseError(t, "Invalid signature", r)
+}
+
+func TestValidSignature(t *testing.T) {
+
+	body := "{}"
+
+	r, _ := http.NewRequest("GET", "/path", strings.NewReader(body))
+	r.Header.Add("x-hub-signature", signature(body))
+	r.Header.Add("x-github-event", "bogus event")
+	r.Header.Add("x-github-delivery", "bogus id")
+
+	if _, err := Parse([]byte(testSecret), r); err != nil {
+		t.Error(fmt.Sprintf("Unexpected error '%s'", err))
+	}
+}