Merge pull request signalapp#18 from fxkr/require-http-basic-auth

Require HTTP basic auth for github webhook

Author: moxie0

config/sample.yml

@@ -3,6 +3,8 @@ github:
   token: # Your BitHub instance's GitHub auth token.
   repositories:
     - # A list of repository URLs to support payouts for.
+  webhook:
+    password: # HTTP basic auth. The username defaults to "bithub".
 
 coinbase:
   apiKey: # Your Coinbase API key.

src/main/java/org/whispersystems/bithub/BithubServerConfiguration.java

@@ -22,6 +22,7 @@
 import org.whispersystems.bithub.config.BithubConfiguration;
 import org.whispersystems.bithub.config.CoinbaseConfiguration;
 import org.whispersystems.bithub.config.GithubConfiguration;
+import org.whispersystems.bithub.config.WebhookConfiguration;
 
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;

src/main/java/org/whispersystems/bithub/BithubService.java

@@ -18,9 +18,11 @@
 package org.whispersystems.bithub;
 
 import com.yammer.dropwizard.Service;
+import com.yammer.dropwizard.auth.basic.BasicAuthProvider;
 import com.yammer.dropwizard.config.Bootstrap;
 import com.yammer.dropwizard.config.Environment;
 import com.yammer.dropwizard.views.ViewBundle;
+import org.whispersystems.bithub.auth.GithubWebhookAuthenticator;
 import org.whispersystems.bithub.client.CoinbaseClient;
 import org.whispersystems.bithub.client.GithubClient;
 import org.whispersystems.bithub.controllers.GithubController;
@@ -51,6 +53,8 @@ public void run(BithubServerConfiguration config, Environment environment)
   {
     String         githubUser         = config.getGithubConfiguration().getUser();
     String         githubToken        = config.getGithubConfiguration().getToken();
+    String         githubWebhookUser  = config.getGithubConfiguration().getWebhookConfiguration().getUsername();
+    String         githubWebhookPwd   = config.getGithubConfiguration().getWebhookConfiguration().getPassword();
     List<String>   githubRepositories = config.getGithubConfiguration().getRepositories();
     BigDecimal     payoutRate         = config.getBithubConfiguration().getPayoutRate();
     GithubClient   githubClient       = new GithubClient(githubUser, githubToken);
@@ -61,6 +65,8 @@ public void run(BithubServerConfiguration config, Environment environment)
     environment.addResource(new StatusController(coinbaseClient, payoutRate));
     environment.addProvider(new IOExceptionMapper());
     environment.addProvider(new UnauthorizedHookExceptionMapper());
+    environment.addProvider(new BasicAuthProvider<>(
+      new GithubWebhookAuthenticator(githubWebhookUser, githubWebhookPwd), GithubWebhookAuthenticator.REALM));
   }
 
   public static void main(String[] args) throws Exception {

src/main/java/org/whispersystems/bithub/auth/GithubWebhookAuthenticator.java

@@ -0,0 +1,34 @@
+package org.whispersystems.bithub.auth;
+
+import com.google.common.base.Optional;
+import com.yammer.dropwizard.auth.Authenticator;
+import com.yammer.dropwizard.auth.basic.BasicCredentials;
+
+/**
+ * Accepts only one fixed username/password combination.
+ */
+public class GithubWebhookAuthenticator implements Authenticator<BasicCredentials, GithubWebhookAuthenticator.Authentication> {
+
+  /**
+   * Represents a successful basic HTTP authentication.
+   */
+  public static class Authentication {
+  }
+
+  public static final String REALM = "bithub";
+
+  private final BasicCredentials correctCredentials;
+
+  public GithubWebhookAuthenticator(String username, String password) {
+    this.correctCredentials = new BasicCredentials(username, password);
+  }
+
+  @Override
+  public Optional<Authentication> authenticate(BasicCredentials clientCredentials) {
+    if (correctCredentials.equals(clientCredentials)) {
+      return Optional.of(new Authentication());
+    } else {
+      return Optional.absent();
+    }
+  }
+}

src/main/java/org/whispersystems/bithub/config/GithubConfiguration.java

@@ -24,6 +24,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
 import java.io.IOException;
 import java.util.LinkedList;
 import java.util.List;
@@ -46,6 +48,11 @@ public class GithubConfiguration {
   @JsonProperty
   private String repositories_heroku;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private WebhookConfiguration webhook;
+
   public String getUser() {
     return user;
   }
@@ -70,4 +77,8 @@ public List<String> getRepositories() {
 
     return new LinkedList<>();
   }
+
+  public WebhookConfiguration getWebhookConfiguration() {
+    return webhook;
+  }
 }

src/main/java/org/whispersystems/bithub/config/WebhookConfiguration.java

@@ -0,0 +1,19 @@
+package org.whispersystems.bithub.config;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.hibernate.validator.constraints.NotEmpty;
+
+public class WebhookConfiguration {
+
+  @JsonProperty
+  @NotEmpty
+  private String username = "bithub";
+
+  @JsonProperty
+  @NotEmpty
+  private String password;
+
+  public String getUsername() { return username; }
+
+  public String getPassword() { return password; }
+}

src/main/java/org/whispersystems/bithub/controllers/GithubController.java

@@ -18,11 +18,13 @@
 package org.whispersystems.bithub.controllers;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.yammer.dropwizard.auth.Auth;
 import com.yammer.metrics.annotation.Timed;
 import org.apache.commons.net.util.SubnetUtils;
 import org.apache.commons.net.util.SubnetUtils.SubnetInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.whispersystems.bithub.auth.GithubWebhookAuthenticator.Authentication;
 import org.whispersystems.bithub.client.CoinbaseClient;
 import org.whispersystems.bithub.client.GithubClient;
 import org.whispersystems.bithub.client.TransferFailedException;
@@ -85,8 +87,9 @@ public GithubController(List<String> repositories,
   @POST
   @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
   @Path("/commits/")
-  public void handleCommits(@HeaderParam("X-Forwarded-For") String clientIp,
-                            @FormParam("payload")           String eventString)
+  public void handleCommits(@Auth Authentication auth,
+                            @HeaderParam("X-Forwarded-For") String clientIp,
+                            @FormParam("payload") String eventString)
       throws IOException, UnauthorizedHookException
   {
     authenticate(clientIp);

src/test/java/org/whispersystems/bithub/tests/controllers/GithubControllerTest.java

@@ -19,8 +19,11 @@
 
 import com.sun.jersey.api.client.ClientResponse;
 import com.sun.jersey.core.util.MultivaluedMapImpl;
+import com.yammer.dropwizard.auth.basic.BasicAuthProvider;
 import com.yammer.dropwizard.testing.ResourceTest;
+import org.apache.commons.codec.binary.Base64;
 import org.junit.Test;
+import org.whispersystems.bithub.auth.GithubWebhookAuthenticator;
 import org.whispersystems.bithub.client.CoinbaseClient;
 import org.whispersystems.bithub.client.GithubClient;
 import org.whispersystems.bithub.client.TransferFailedException;
@@ -47,6 +50,14 @@ public class GithubControllerTest extends ResourceTest {
   private final CoinbaseClient coinbaseClient = mock(CoinbaseClient.class);
   private final GithubClient   githubClient   = mock(GithubClient.class);
 
+  // HTTP Basic Authentication data
+  private final String authUsername = "TestUser";
+  private final String authPassword = "TestPassword";
+  private final String authRealm = GithubWebhookAuthenticator.REALM;
+  private final String authString = "Basic " + Base64.encodeBase64String((authUsername + ":" + authPassword).getBytes());
+  private final String invalidUserAuthString = "Basic " + Base64.encodeBase64(("wrong:" + authPassword).getBytes());
+  private final String invalidPasswordAuthString = "Basic " + Base64.encodeBase64((authUsername + ":wrong").getBytes());
+
   private final List<String> repositories = new LinkedList<String>() {{
     add("https://github.com/moxie0/test");
   }};
@@ -57,6 +68,7 @@ protected void setUpResources() throws Exception {
     when(coinbaseClient.getExchangeRate()).thenReturn(EXCHANGE_RATE);
     addResource(new GithubController(repositories, githubClient, coinbaseClient, new BigDecimal(0.02)));
     addProvider(new UnauthorizedHookExceptionMapper());
+    addProvider(new BasicAuthProvider<>(new GithubWebhookAuthenticator(authUsername, authPassword), authRealm));
   }
 
   protected String payload(String path) {
@@ -72,6 +84,7 @@ public void testInvalidRepository() throws Exception {
     post.add("payload", payloadValue);
     ClientResponse response = client().resource("/v1/github/commits/")
         .header("X-Forwarded-For", "192.30.252.1")
+        .header("Authorization", authString)
         .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
         .post(ClientResponse.class, post);
 
@@ -85,19 +98,62 @@ public void testInvalidOrigin() throws Exception {
     post.add("payload", payloadValue);
     ClientResponse response = client().resource("/v1/github/commits/")
         .header("X-Forwarded-For", "192.30.242.1")
+        .header("Authorization", authString)
         .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
         .post(ClientResponse.class, post);
 
     assertThat(response.getStatus()).isEqualTo(401);
   }
 
+  @Test
+  public void testMissingAuth() throws Exception, TransferFailedException {
+      String payloadValue = payload("/payloads/valid_commit.json");
+      MultivaluedMapImpl post = new MultivaluedMapImpl();
+      post.add("payload", payloadValue);
+      ClientResponse response = client().resource("/v1/github/commits/")
+              .header("X-Forwarded-For", "192.30.252.1")
+              .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
+              .post(ClientResponse.class, post);
+
+    assertThat(response.getStatus()).isEqualTo(401);
+  }
+
+  @Test
+  public void testInvalidAuthUser() throws Exception, TransferFailedException {
+      String payloadValue = payload("/payloads/valid_commit.json");
+      MultivaluedMapImpl post = new MultivaluedMapImpl();
+      post.add("payload", payloadValue);
+      ClientResponse response = client().resource("/v1/github/commits/")
+              .header("X-Forwarded-For", "192.30.252.1")
+              .header("Authorization", invalidUserAuthString)
+              .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
+              .post(ClientResponse.class, post);
+
+    assertThat(response.getStatus()).isEqualTo(401);
+  }
+
+  @Test
+  public void testInvalidAuthPassword() throws Exception, TransferFailedException {
+      String payloadValue = payload("/payloads/valid_commit.json");
+      MultivaluedMapImpl post = new MultivaluedMapImpl();
+      post.add("payload", payloadValue);
+      ClientResponse response = client().resource("/v1/github/commits/")
+              .header("X-Forwarded-For", "192.30.252.1")
+              .header("Authorization", invalidPasswordAuthString)
+              .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
+              .post(ClientResponse.class, post);
+
+    assertThat(response.getStatus()).isEqualTo(401);
+  }
+
   @Test
   public void testOptOutCommit() throws Exception, TransferFailedException {
     String payloadValue = payload("/payloads/opt_out_commit.json");
     MultivaluedMapImpl post = new MultivaluedMapImpl();
     post.add("payload", payloadValue);
     ClientResponse response = client().resource("/v1/github/commits/")
         .header("X-Forwarded-For", "192.30.252.1")
+        .header("Authorization", authString)
         .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
         .post(ClientResponse.class, post);
 
@@ -113,6 +169,7 @@ public void testValidCommit() throws Exception, TransferFailedException {
     post.add("payload", payloadValue);
     ClientResponse response = client().resource("/v1/github/commits/")
         .header("X-Forwarded-For", "192.30.252.1")
+        .header("Authorization", authString)
         .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
         .post(ClientResponse.class, post);
 
@@ -126,8 +183,11 @@ public void testValidMultipleCommitsMultipleAuthors() throws Exception, Transfer
     String payloadValue = payload("/payloads/multiple_commits_authors.json");
     MultivaluedMapImpl post = new MultivaluedMapImpl();
     post.add("payload", payloadValue);
-    ClientResponse response = client().resource("/v1/github/commits/").header("X-Forwarded-For", "192.30.252.1")
-        .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE).post(ClientResponse.class, post);
+    ClientResponse response = client().resource("/v1/github/commits/")
+        .header("X-Forwarded-For", "192.30.252.1")
+        .header("Authorization", authString)
+        .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
+        .post(ClientResponse.class, post);
 
     verify(coinbaseClient, times(1)).sendPayment(any(Author.class), eq(BALANCE.multiply(new BigDecimal(0.02))),
         anyString());