refactor: move valitation into another crate

Author: SergioRibera

Cargo.lock

@@ -15,7 +15,7 @@ license = "MIT OR Apache-2.0"
 repository = "https://github.com/RustLangES/grhooks"
 
 [workspace]
-members = ["crates/core", "crates/config"]
+members = ["crates/core", "crates/config", "crates/origin"]
 
 [workspace.dependencies]
 serde_json = "1"
@@ -30,15 +30,10 @@ axum = { version = "0.8.3", default-features = false, features = [
     "tokio",
     "matched-path",
 ] }
-constant_time_eq = "0.4.2"
 grhooks-config = { version = "0.1.0", path = "crates/config" }
 grhooks-core = { version = "0.1.0", path = "crates/core" }
-hex = "0.4.3"
-hmac = "0.12.1"
 notify = "8.0.0"
 serde_json.workspace = true
-sha1 = "0.10.6"
-sha2 = "0.10.8"
 tokio = { version = "1.44.1", default-features = false, features = ["full"] }
 tracing.workspace = true
 tracing-subscriber = "0.3.19"

Cargo.toml

@@ -9,6 +9,7 @@ repository.workspace = true
 
 [dependencies]
 clap = { version = "4.5", features = ["env"] }
+grhooks-origin = { version = "0.1.0", path = "../origin" }
 serde = { version = "1", features = ["derive"] }
 serde_json.workspace = true
 serde_yaml = "0.9"

crates/config/Cargo.toml

@@ -2,11 +2,16 @@ use std::collections::HashSet;
 use std::path::PathBuf;
 
 use clap::{Arg, Command};
+use grhooks_origin::Origin;
 use serde::Deserialize;
 
+pub use grhooks_origin;
+
 #[derive(Clone, Debug, Deserialize)]
 pub struct WebhookConfig {
     pub path: String,
+    #[serde(default = "Origin::default")]
+    pub origin: Origin,
     pub secret: Option<String>,
     pub events: HashSet<String>,
     pub shell: Option<Vec<String>>,
@@ -16,12 +21,17 @@ pub struct WebhookConfig {
 
 #[derive(Clone, Debug, Deserialize)]
 pub struct Config {
+    #[serde(default = "default_port")]
     pub port: u16,
     #[serde(skip)]
     pub verbose: String,
     pub webhooks: Vec<WebhookConfig>,
 }
 
+const fn default_port() -> u16 {
+    8080
+}
+
 impl Default for Config {
     fn default() -> Self {
         Self {

crates/config/src/lib.rs

@@ -0,0 +1,17 @@
+[package]
+name = "grhooks-origin"
+version = "0.1.0"
+edition.workspace = true
+authors.workspace = true
+description.workspace = true
+license.workspace = true
+repository.workspace = true
+
+[dependencies]
+axum = { version = "0.8.3", default-features = false }
+serde = { version = "1", default-features = false, features = ["derive"] }
+constant_time_eq = "0.4"
+hex = "0.4"
+hmac = "0.12"
+sha1 = "0.10"
+sha2 = "0.10"

crates/origin/Cargo.toml

@@ -0,0 +1,43 @@
+use std::fmt::Debug;
+
+use axum::http::StatusCode;
+use axum::response::IntoResponse;
+
+pub enum Error {
+    MissingHeader(&'static str),
+    InvalidSignature,
+    InvalidUserAgent,
+    UnsupportedEvent,
+}
+
+impl Debug for Error {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Error::MissingHeader(header) => write!(f, "Missing required header: {}", header),
+            Error::InvalidSignature => write!(f, "Invalid signature"),
+            Error::InvalidUserAgent => write!(f, "Invalid user agent"),
+            Error::UnsupportedEvent => write!(f, "Unsupported event type"),
+        }
+    }
+}
+
+impl IntoResponse for Error {
+    fn into_response(self) -> axum::response::Response {
+        match self {
+            Error::MissingHeader(header) => (
+                StatusCode::BAD_REQUEST,
+                format!("Missing required header: {}", header),
+            )
+                .into_response(),
+            Error::InvalidSignature => {
+                (StatusCode::BAD_REQUEST, "Invalid signature").into_response()
+            }
+            Error::InvalidUserAgent => {
+                (StatusCode::BAD_REQUEST, "Invalid user agent").into_response()
+            }
+            Error::UnsupportedEvent => {
+                (StatusCode::BAD_REQUEST, "Unsupported event type").into_response()
+            }
+        }
+    }
+}

crates/origin/src/errors.rs

@@ -0,0 +1,84 @@
+use axum::http::HeaderMap;
+use hmac::{Hmac, Mac};
+use sha1::Sha1;
+use sha2::Sha256;
+
+use crate::{Error, WebhookOrigin};
+
+pub struct GitHubValidator;
+
+impl WebhookOrigin for GitHubValidator {
+    fn validate_headers(&self, headers: &HeaderMap) -> Result<(), Error> {
+        const REQUIRED_HEADERS: [&str; 4] = [
+            "X-GitHub-Hook-ID",
+            "X-GitHub-Event",
+            "X-GitHub-Delivery",
+            "User-Agent",
+        ];
+
+        for header in REQUIRED_HEADERS {
+            if !headers.contains_key(header) {
+                return Err(Error::MissingHeader(header));
+            }
+        }
+
+        let user_agent = headers
+            .get("User-Agent")
+            .and_then(|v| v.to_str().ok())
+            .ok_or(Error::MissingHeader("User-Agent"))?;
+
+        if !user_agent.starts_with("GitHub-Hookshot/") {
+            return Err(Error::InvalidUserAgent);
+        }
+
+        Ok(())
+    }
+
+    fn extract_event_type(&self, headers: &HeaderMap) -> Result<String, Error> {
+        headers
+            .get("X-GitHub-Event")
+            .and_then(|v| v.to_str().ok())
+            .map(|s| s.to_string())
+            .ok_or(Error::MissingHeader("X-GitHub-Event"))
+    }
+
+    fn validate_signature(
+        &self,
+        headers: &HeaderMap,
+        secret: &str,
+        body: &[u8],
+    ) -> Result<(), Error> {
+        let (expected_signature, signature) = match headers
+            .get("X-Hub-Signature-256")
+            .and_then(|v| v.to_str().ok())
+        {
+            Some(signature) => {
+                let signature = signature.trim_start_matches("sha256=");
+                let mut mac = Hmac::<Sha256>::new_from_slice(secret.as_bytes())
+                    .map_err(|_| Error::InvalidSignature)?;
+                mac.update(body);
+                let expected_signature = hex::encode(mac.finalize().into_bytes());
+                (expected_signature, signature)
+            }
+            None => {
+                let signature = headers
+                    .get("X-Hub-Signature")
+                    .and_then(|v| v.to_str().ok())
+                    .ok_or(Error::MissingHeader("X-Hub-Signature"))?;
+                let signature = signature.trim_start_matches("sha1=");
+                let mut mac = Hmac::<Sha1>::new_from_slice(secret.as_bytes())
+                    .map_err(|_| Error::InvalidSignature)?;
+                mac.update(body);
+                let expected_signature = hex::encode(mac.finalize().into_bytes());
+                (expected_signature, signature)
+            }
+        };
+
+        if !constant_time_eq::constant_time_eq(signature.as_bytes(), expected_signature.as_bytes())
+        {
+            return Err(Error::InvalidSignature);
+        }
+
+        Ok(())
+    }
+}

crates/origin/src/github.rs

@@ -0,0 +1,50 @@
+mod errors;
+mod github;
+
+use axum::http::HeaderMap;
+use serde::Deserialize;
+
+pub use crate::errors::Error;
+
+#[derive(Clone, Copy, Debug, Default, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum Origin {
+    #[default]
+    GitHub,
+}
+
+pub trait WebhookOrigin {
+    fn validate_headers(&self, headers: &HeaderMap) -> Result<(), Error>;
+    fn extract_event_type(&self, headers: &HeaderMap) -> Result<String, Error>;
+    fn validate_signature(
+        &self,
+        headers: &HeaderMap,
+        secret: &str,
+        body: &[u8],
+    ) -> Result<(), Error>;
+}
+
+impl WebhookOrigin for Origin {
+    fn validate_headers(&self, headers: &HeaderMap) -> Result<(), Error> {
+        match self {
+            Origin::GitHub => github::GitHubValidator.validate_headers(headers),
+        }
+    }
+
+    fn extract_event_type(&self, headers: &HeaderMap) -> Result<String, Error> {
+        match self {
+            Origin::GitHub => github::GitHubValidator.extract_event_type(headers),
+        }
+    }
+
+    fn validate_signature(
+        &self,
+        headers: &HeaderMap,
+        secret: &str,
+        body: &[u8],
+    ) -> Result<(), Error> {
+        match self {
+            Origin::GitHub => github::GitHubValidator.validate_signature(headers, secret, body),
+        }
+    }
+}

crates/origin/src/lib.rs

@@ -1,33 +1,29 @@
 use axum::http::StatusCode;
 use axum::response::{IntoResponse, Response};
+use grhooks_config::grhooks_origin;
 
 #[derive(Debug)]
 pub enum HeaderValidationError {
-    MissingHeader(&'static str),
-    InvalidSignature,
-    InvalidUserAgent,
     WebhookNotFound,
+    OriginValidation(grhooks_origin::Error),
     AxumError(axum::Error),
 }
 
 impl IntoResponse for HeaderValidationError {
     fn into_response(self) -> Response {
         let (status, message) = match self {
-            HeaderValidationError::MissingHeader(header) => (
-                StatusCode::BAD_REQUEST,
-                format!("Missing required header: {header}"),
-            ),
-            HeaderValidationError::InvalidSignature => {
-                (StatusCode::UNAUTHORIZED, "Invalid signature".to_string())
-            }
-            HeaderValidationError::InvalidUserAgent => {
-                (StatusCode::BAD_REQUEST, "Invalid User-Agent".to_string())
-            }
             HeaderValidationError::WebhookNotFound => {
                 (StatusCode::NOT_FOUND, "Webhook not configured".to_string())
             }
             HeaderValidationError::AxumError(error) => (StatusCode::BAD_REQUEST, error.to_string()),
+            HeaderValidationError::OriginValidation(error) => return error.into_response(),
         };
         (status, message).into_response()
     }
 }
+
+impl From<grhooks_origin::Error> for HeaderValidationError {
+    fn from(error: grhooks_origin::Error) -> Self {
+        HeaderValidationError::OriginValidation(error)
+    }
+}