diff --git a/.travis.yml b/.travis.yml
index 350c4eb..a50fc73 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,2 @@
-sudo: false
-language: ruby
-cache: bundler
-rvm:
- - jruby-1.7.23
-script:
- - bundle exec rspec spec
+import:
+- logstash-plugins/.ci:travis/travis.yml@1.x
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a17f38d..08ab890 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,43 @@ -# 2.0.5 - - Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash -# 2.0.4 - - New dependency requirements for logstash-core for the 5.0 release +## 3.0.11 + - Change `secret_token` config type to `password` for better protection from leaks in debug logs [#23](https://github.com/logstash-plugins/logstash-input-github/pull/23) + +## 3.0.10 + - Changed the transitive dependency `http_parser.rb` (ftw) version to `~-> 0.6.0` as newer versions are published without the java support. + - Fixed crashing when the request body payload is not a JSON object. [#24](https://github.com/logstash-plugins/logstash-input-github/pull/24) + +## 3.0.9 + - Bump ftw dependency to 0.0.49, for compatibility with Logstash 7.x + +## 3.0.8 + - Require x-hub-signature header if secret_token defined + +## 3.0.7 + - Docs: Set the default_codec doc attribute. + +## 3.0.6 + - Improve malformed-input handling by using updated FTW + - Improve webserver crash recovery + - Properly support plugin stopping & reloading + +## 3.0.5 + - Update gemspec summary + +## 3.0.4 + - Fix some documentation issues + +## 3.0.1 + - Relax constraint on logstash-core-plugin-api to >= 1.60 <= 2.99 + +## 3.0.0 + - breaking: Updated plugin to use new Java Event APIs + +## 2.0.5 + - Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash + +## 2.0.4 + - New dependency requirements for logstash-core for the 5.0 release + ## 2.0.0 - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully, instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895 - Dependency on logstash-core update to 2.0 - diff --git a/Gemfile b/Gemfile index d926697..32cc6fb 100644 --- a/Gemfile +++ b/Gemfile 
@@ -1,2 +1,11 @@
 source 'https://rubygems.org/'
-gemspec
\ No newline at end of file
+
+gemspec
+
+logstash_path = ENV["LOGSTASH_PATH"] || "../../logstash"
+use_logstash_source = ENV["LOGSTASH_SOURCE"] && ENV["LOGSTASH_SOURCE"].to_s == "1"
+
+if Dir.exist?(logstash_path) && use_logstash_source
+ gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
+ gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
+end
diff --git a/LICENSE b/LICENSE
index 43976b7..a80a3fd 100644
--- a/LICENSE
+++ b/LICENSE
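Review bot: The `use_logstash_source` line can be simplified: ENV values are already strings and `nil == "1"` is false, so `use_logstash_source = ENV["LOGSTASH_SOURCE"] == "1"` expresses the same condition without the `&&` guard and the `.to_s`. The `:path =>` overrides below it are only reached when that flag is set and the directory exists, so the source checkout stays opt-in. This is a point of style only; behaviour is unchanged.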
@@ -1,13 +1,202 @@ -Copyright (c) 2012–2016 Elasticsearch -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ - http://www.apache.org/licenses/LICENSE-2.0 + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. 
+ + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." 
+ + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright 2020 Elastic and contributors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index 86a1c11..62c9cb2 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Logstash Plugin -[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-input-github.svg)](https://travis-ci.org/logstash-plugins/logstash-input-github) +[![Travis Build Status](https://travis-ci.com/logstash-plugins/logstash-input-github.svg)](https://travis-ci.com/logstash-plugins/logstash-input-github) This is a plugin for [Logstash](https://github.com/elastic/logstash). diff --git a/docs/index.asciidoc b/docs/index.asciidoc new file mode 100644 index 0000000..eb333e9 --- /dev/null +++ b/docs/index.asciidoc 
@@ -0,0 +1,84 @@ +:plugin: github +:type: input +:default_codec: plain + +/////////////////////////////////////////// +START - GENERATED VARIABLES, DO NOT EDIT! +/////////////////////////////////////////// +:version: %VERSION% +:release_date: %RELEASE_DATE% +:changelog_url: %CHANGELOG_URL% +:include_path: ../../../../logstash/docs/include +/////////////////////////////////////////// +END - GENERATED VARIABLES, DO NOT EDIT! +/////////////////////////////////////////// + +[id="plugins-{type}s-{plugin}"] + +=== Github input plugin + +include::{include_path}/plugin_header.asciidoc[] + +==== Description + +Read events from github webhooks + +[id="plugins-{type}s-{plugin}-options"] +==== Github Input Configuration Options + +This plugin supports the following configuration options plus the <> described later. + +[cols="<,<,<",options="header",] +|======================================================================= +|Setting |Input type|Required +| <> |<>|No +| <> |<>|No +| <> |<>|Yes +| <> |<>|No +|======================================================================= + +Also see <> for a list of options supported by all +input plugins. + +  + +[id="plugins-{type}s-{plugin}-drop_invalid"] +===== `drop_invalid` + + * Value type is <> + * Default value is `false` + +If Secret is defined, we drop the events that don't match. +Otherwise, we'll just add an invalid tag + +[id="plugins-{type}s-{plugin}-ip"] +===== `ip` + + * Value type is <> + * Default value is `"0.0.0.0"` + +The ip to listen on + +[id="plugins-{type}s-{plugin}-port"] +===== `port` + + * This is a required setting. + * Value type is <> + * There is no default value for this setting. + +The port to listen on + +[id="plugins-{type}s-{plugin}-secret_token"] +===== `secret_token` + + * Value type is <> + * There is no default value for this setting. 
+
+Your GitHub Secret Token for the webhook
+
+
+[id="plugins-{type}s-{plugin}-common-options"]
+include::{include_path}/{type}.asciidoc[]
+
+:default_codec!:
\ No newline at end of file
diff --git a/lib/logstash/inputs/github.rb b/lib/logstash/inputs/github.rb
index 4902926..c337d42 100644
--- a/lib/logstash/inputs/github.rb
+++ b/lib/logstash/inputs/github.rb
@@ -3,6 +3,7 @@
 require "logstash/namespace"
 require "socket"
 require "json"
+require "rack"
 
 # Read events from github webhooks
 class LogStash::Inputs::GitHub < LogStash::Inputs::Base
@@ -15,11 +16,11 @@ class LogStash::Inputs::GitHub < LogStash::Inputs::Base
 config :port, :validate => :number, :required => true
 
 # Your GitHub Secret Token for the webhook
- config :secret_token, :validate => :string, :required => false
+ config :secret_token, :validate => :password, :required => false
 
- # If Secret is defined, we drop the events that don't match.
- # Otherwise, we'll just add a invalid tag
- config :drop_invalid, :validate => :boolean
+ # If Secret is defined, we drop the events that don't match.
+ # Otherwise, we'll just add an invalid tag
+ config :drop_invalid, :validate => :boolean, :default => false
 
 def register
 require "ftw"
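Review bot: The new `require "rack"` makes `Rack::Utils.secure_compare` a hard load-time dependency, but the gemspec hunk `@@ -20,12 +20,12 @@` that rewrites the runtime dependencies does not declare `rack`; the plugin presumably loads today only because Logstash core pulls Rack in transitively, which a later core release may stop doing. Either add `s.add_runtime_dependency 'rack'` next to the other runtime dependencies, or drop the Rack dependency by using `OpenSSL.secure_compare` where the bundled openssl gem provides it. Relatedly, `OpenSSL::HMAC` is used in the `verify_signature` hunk below while no `require "openssl"` is visible in this hunk; it may be loaded inside `register` (whose body is cut off here), worth confirming.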
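Review bot: The rewritten `drop_invalid` comment still reads as if tagging is the fallback when no secret is configured, but in `verify_signature` (later in this file) the check is skipped entirely, and nothing is tagged, when `secret_token` is unset; the tag-versus-drop choice only applies when a secret is configured and the `x-hub-signature` check fails. Since the docs page is generated from this comment, suggest: `# When secret_token is set and the x-hub-signature check fails: drop the event if true, otherwise keep it tagged _Invalid_Github_Message.`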
@@ -29,36 +30,64 @@ def register
 def run(output_queue)
 @server = FTW::WebServer.new(@ip, @port) do |request, response|
 body = request.read_body
- begin
- event = LogStash::Event.new(JSON.parse(body))
- rescue JSON::ParserError => e
- @logger.info("JSON parse failure. Falling back to plain-text", :error => e, :data => body)
- event = LogStash::Event.new("message" => body, "tags" => "_invalidjson")
- end
- event['headers'] = request.headers.to_hash
- if defined? @secret_token and event['headers']['x-hub-signature']
- event['hash'] = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), @secret_token, body)
- if not Rack::Utils.secure_compare(event['hash'], event['headers']['x-hub-signature'])
- if not @drop_invalid
- event['tags'] = "_Invalid_Github_Message"
- else
- @logger.info("Dropping invalid Github message")
- drop = true
- end
- end
- end
- if not drop
- decorate(event)
- output_queue << event
+ event = build_event_from_request(body, request.headers.to_hash)
+ valid_event = verify_signature(event,body)
+ if !valid_event && @drop_invalid
+ @logger.info("Dropping invalid Github message")
+ else
+ decorate(event)
+ output_queue << event
 end
 response.status = 200
 response.body = "Accepted!"
 end
 @server.run
+rescue Exception => original_exception
+ # If our server crashes, it may not have cleaned up after itself;
+ # since `FTW::WebServer#stop` is idempotent, make one last attempt
+ # before propagating the original exception.
+ @server && @server.stop rescue logger.error("Error while stopping FTW::WebServer", exception: $!.message, backtrace: $!.backtrace)
+
+ raise original_exception
 end # def run
 
- def close
- @server.stop
- end # def close
+ def build_event_from_request(body, headers)
+ begin
+ data = JSON.parse(body)
+ # The JSON specification defines single values as valid JSONs, it can be a string in double quotes,
+ # a number, true or false or null. When the body is parsed, those values are transformed into its
+ # corresponding types. 
When those types aren't a Hash (aka object), it breaks the LogStash::Event
+ # contract and crashes.
+ if data.is_a?(::Hash)
+ event = LogStash::Event.new(data)
+ else
+ event = LogStash::Event.new("message" => body, "tags" => "_invalidjsonobject")
+ end
+ rescue JSON::ParserError => e
+ @logger.info("JSON parse failure. Falling back to plain-text", :error => e, :data => body)
+ event = LogStash::Event.new("message" => body, "tags" => "_invalidjson")
+ end
+ event.set('headers', headers)
+ return event
+ end
+
+ def verify_signature(event,body)
+ # skip validation if we have no secret token
+ return true unless @secret_token
+
+ sign_header = event.get("[headers][x-hub-signature]")
+ if sign_header
+ hash = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), @secret_token.value, body)
+ event.set("hash", hash)
+ return true if Rack::Utils.secure_compare(hash, sign_header)
+ end
+
+ event.tag("_Invalid_Github_Message")
+ return false
+ end
+
+ def stop
+ @server && @server.stop
+ end # def stop
 end # class LogStash::Inputs::Github
diff --git a/logstash-input-github.gemspec b/logstash-input-github.gemspec
index f53fe47..e3dec90 100644
--- a/logstash-input-github.gemspec
+++ b/logstash-input-github.gemspec
@@ -1,9 +1,9 @@
 Gem::Specification.new do |s|
 s.name = 'logstash-input-github'
- s.version = '2.0.5'
+ s.version = '3.0.11'
 s.licenses = ['Apache License (2.0)']
- s.summary = "Accept events from github webhooks."
+ s.summary = "Reads events from a GitHub webhook"
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
 s.authors = ["Elastic"]
 s.email = 'jason.kendall@elastic.co'
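Review bot: In `verify_signature`, `event.set("hash", hash)` runs before the `secure_compare`, so an event whose signature does not match is still emitted (whenever `drop_invalid` is false) carrying the correct HMAC-SHA1 of that exact body under `secret_token`; anyone who can read the pipeline output then holds a valid signature for that body, and on the success path the field merely duplicates the header. Drop the assignment and keep only `return true if Rack::Utils.secure_compare(hash, sign_header)` (or set the field after a successful comparison if downstream consumers rely on it); the spec hunk currently pins `event.get("hash")` on the rejected case and would need the matching change. A smaller point in `run`: the body is parsed into a `LogStash::Event` by `build_event_from_request` before `verify_signature` looks at the raw body and header, so with `drop_invalid` set the JSON parser still runs on unauthenticated input that is about to be discarded; checking the signature first and building the event only when it will be kept avoids that. The new `rescue` branch also logs through `logger.error` while the rest of the hunk uses `@logger`; pick one for consistency.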
@@ -11,7 +11,7 @@ Gem::Specification.new do |s|
 s.require_paths = ["lib"]
 
 # Files
- s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+ s.files = Dir["lib/**/*","spec/**/*","*.gemspec","*.md","CONTRIBUTORS","Gemfile","LICENSE","NOTICE.TXT", "vendor/jar-dependencies/**/*.jar", "vendor/jar-dependencies/**/*.rb", "VERSION", "docs/**/*"]
 
 # Tests
 s.test_files = s.files.grep(%r{^(test|spec|features)/})
@@ -20,12 +20,12 @@ Gem::Specification.new do |s|
 s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
 
 # Gem dependencies
- s.add_runtime_dependency "logstash-core-plugin-api", "~> 1.0"
+ s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
 s.add_runtime_dependency 'addressable'
 s.add_runtime_dependency 'logstash-codec-plain'
- s.add_runtime_dependency 'ftw', '~> 0.0.42'
+ s.add_runtime_dependency 'http_parser.rb', '~> 0.6.0'
+ s.add_runtime_dependency 'ftw', '~> 0.0.49'
 
- s.add_development_dependency 'logstash-devutils', '~> 0'
+ s.add_development_dependency 'logstash-devutils'
 end
-
diff --git a/spec/fixtures/event_create.json b/spec/fixtures/event_create.json
new file mode 100644
index 0000000..2d48b54
--- /dev/null
+++ b/spec/fixtures/event_create.json
@@ -0,0 +1,113 @@ +{ + "ref": "0.0.1", + "ref_type": "tag", + "master_branch": "master", + "description": "", + "pusher_type": "user", + "repository": { + "id": 35129377, + "name": "public-repo", + "full_name": "baxterthehacker/public-repo", + "owner": { + "login": "baxterthehacker", + "id": 6752317, + "avatar_url": "https://avatars.githubusercontent.com/u/6752317?v=3", + "gravatar_id": "", + "url": "https://api.github.com/users/baxterthehacker", + "html_url": "https://github.com/baxterthehacker", + "followers_url": "https://api.github.com/users/baxterthehacker/followers", + "following_url": "https://api.github.com/users/baxterthehacker/following%7B/other_user%7D", + "gists_url": "https://api.github.com/users/baxterthehacker/gists%7B/gist_id%7D", + "starred_url": "https://api.github.com/users/baxterthehacker/starred%7B/owner%7D%7B/repo%7D", + "subscriptions_url": "https://api.github.com/users/baxterthehacker/subscriptions", + "organizations_url": "https://api.github.com/users/baxterthehacker/orgs", + "repos_url": "https://api.github.com/users/baxterthehacker/repos", + "events_url": "https://api.github.com/users/baxterthehacker/events%7B/privacy%7D", + "received_events_url": "https://api.github.com/users/baxterthehacker/received_events", + "type": "User", + "site_admin": false + }, + "private": false, + "html_url": "https://github.com/baxterthehacker/public-repo", + "description": "", + "fork": false, + "url": "https://api.github.com/repos/baxterthehacker/public-repo", + "forks_url": "https://api.github.com/repos/baxterthehacker/public-repo/forks", + "keys_url": "https://api.github.com/repos/baxterthehacker/public-repo/keys%7B/key_id%7D", + "collaborators_url": "https://api.github.com/repos/baxterthehacker/public-repo/collaborators%7B/collaborator%7D", + "teams_url": 
"https://api.github.com/repos/baxterthehacker/public-repo/teams", + "hooks_url": "https://api.github.com/repos/baxterthehacker/public-repo/hooks", + "issue_events_url": "https://api.github.com/repos/baxterthehacker/public-repo/issues/events%7B/number%7D", + "events_url": "https://api.github.com/repos/baxterthehacker/public-repo/events", + "assignees_url": "https://api.github.com/repos/baxterthehacker/public-repo/assignees%7B/user%7D", + "branches_url": "https://api.github.com/repos/baxterthehacker/public-repo/branches%7B/branch%7D", + "tags_url": "https://api.github.com/repos/baxterthehacker/public-repo/tags", + "blobs_url": "https://api.github.com/repos/baxterthehacker/public-repo/git/blobs%7B/sha%7D", + "git_tags_url": "https://api.github.com/repos/baxterthehacker/public-repo/git/tags%7B/sha%7D", + "git_refs_url": "https://api.github.com/repos/baxterthehacker/public-repo/git/refs%7B/sha%7D", + "trees_url": "https://api.github.com/repos/baxterthehacker/public-repo/git/trees%7B/sha%7D", + "statuses_url": "https://api.github.com/repos/baxterthehacker/public-repo/statuses/%7Bsha%7D", + "languages_url": "https://api.github.com/repos/baxterthehacker/public-repo/languages", + "stargazers_url": "https://api.github.com/repos/baxterthehacker/public-repo/stargazers", + "contributors_url": "https://api.github.com/repos/baxterthehacker/public-repo/contributors", + "subscribers_url": "https://api.github.com/repos/baxterthehacker/public-repo/subscribers", + "subscription_url": "https://api.github.com/repos/baxterthehacker/public-repo/subscription", + "commits_url": "https://api.github.com/repos/baxterthehacker/public-repo/commits%7B/sha%7D", + "git_commits_url": "https://api.github.com/repos/baxterthehacker/public-repo/git/commits%7B/sha%7D", + "comments_url": 
"https://api.github.com/repos/baxterthehacker/public-repo/comments%7B/number%7D", + "issue_comment_url": "https://api.github.com/repos/baxterthehacker/public-repo/issues/comments%7B/number%7D", + "contents_url": "https://api.github.com/repos/baxterthehacker/public-repo/contents/%7B+path%7D", + "compare_url": "https://api.github.com/repos/baxterthehacker/public-repo/compare/%7Bbase%7D...%7Bhead%7D", + "merges_url": "https://api.github.com/repos/baxterthehacker/public-repo/merges", + "archive_url": "https://api.github.com/repos/baxterthehacker/public-repo/%7Barchive_format%7D%7B/ref%7D", + "downloads_url": "https://api.github.com/repos/baxterthehacker/public-repo/downloads", + "issues_url": "https://api.github.com/repos/baxterthehacker/public-repo/issues%7B/number%7D", + "pulls_url": "https://api.github.com/repos/baxterthehacker/public-repo/pulls%7B/number%7D", + "milestones_url": "https://api.github.com/repos/baxterthehacker/public-repo/milestones%7B/number%7D", + "notifications_url": "https://api.github.com/repos/baxterthehacker/public-repo/notifications%7B?since,all,participating}", + "labels_url": "https://api.github.com/repos/baxterthehacker/public-repo/labels%7B/name%7D", + "releases_url": "https://api.github.com/repos/baxterthehacker/public-repo/releases%7B/id%7D", + "created_at": "2015-05-05T23:40:12Z", + "updated_at": "2015-05-05T23:40:30Z", + "pushed_at": "2015-05-05T23:40:38Z", + "git_url": "git://github.com/baxterthehacker/public-repo.git", + "ssh_url": "git@github.com:baxterthehacker/public-repo.git", + "clone_url": "https://github.com/baxterthehacker/public-repo.git", + "svn_url": "https://github.com/baxterthehacker/public-repo", + "homepage": null, + "size": 0, + "stargazers_count": 0, + "watchers_count": 0, + "language": null, + "has_issues": true, + "has_downloads": true, + "has_wiki": true, + "has_pages": true, + 
"forks_count": 0, + "mirror_url": null, + "open_issues_count": 2, + "forks": 0, + "open_issues": 2, + "watchers": 0, + "default_branch": "master" + }, + "sender": { + "login": "baxterthehacker", + "id": 6752317, + "avatar_url": "https://avatars.githubusercontent.com/u/6752317?v=3", + "gravatar_id": "", + "url": "https://api.github.com/users/baxterthehacker", + "html_url": "https://github.com/baxterthehacker", + "followers_url": "https://api.github.com/users/baxterthehacker/followers", + "following_url": "https://api.github.com/users/baxterthehacker/following%7B/other_user%7D", + "gists_url": "https://api.github.com/users/baxterthehacker/gists%7B/gist_id%7D", + "starred_url": "https://api.github.com/users/baxterthehacker/starred%7B/owner%7D%7B/repo%7D", + "subscriptions_url": "https://api.github.com/users/baxterthehacker/subscriptions", + "organizations_url": "https://api.github.com/users/baxterthehacker/orgs", + "repos_url": "https://api.github.com/users/baxterthehacker/repos", + "events_url": "https://api.github.com/users/baxterthehacker/events%7B/privacy%7D", + "received_events_url": "https://api.github.com/users/baxterthehacker/received_events", + "type": "User", + "site_admin": false + } +} \ No newline at end of file diff --git a/spec/inputs/github_spec.rb b/spec/inputs/github_spec.rb index 34392f1..11ad53d 100644 --- a/spec/inputs/github_spec.rb +++ b/spec/inputs/github_spec.rb 
@@ -9,4 +9,159 @@ it "register without errors" do expect { plugin.register }.to_not raise_error end + + describe "building Logstash event from webhook" do + let(:body) {IO.read("spec/fixtures/event_create.json")} + let(:headers) { {"fake_header" => "fake_value"} } + let(:event) {plugin.build_event_from_request(body,headers)} + + it "initialize event from webhook body" do + JSON.parse(body).each do |k,v| + expect(event.get(k)).to eq(v) + end + end + + it "copy webhook http headers to event[headers]" do + expect(event.get('headers')).to eq (headers) + end + end + + describe "verify webhook signature if token provided" do + let(:plugin) { LogStash::Plugin.lookup("input", "github").new( {"port" => 9999, "secret_token" => ::LogStash::Util::Password.new("my_secret")} ) } + let(:body) {IO.read("spec/fixtures/event_create.json")} + let(:headers) { {"x-hub-signature" => "hash"} } + let(:event) {plugin.build_event_from_request(body,headers)} + let(:hash) { "sha1=43b113fc453c47f1cd4d5b4ded2985581c00a715" } + + it "reject event without signature" do + event.set('headers',{}) + expect(plugin.verify_signature(event,body)).to eq(false) + expect(event.get("hash")).to be_nil + expect(event.get("tags")).to eq(["_Invalid_Github_Message"]) + end + + it "reject event with invalid signature" do + event.set('headers',{"x-hub-signature" => "invalid"}) + expect(plugin.verify_signature(event,body)).to eq(false) + expect(event.get("hash")).to eq(hash) + expect(event.get("tags")).to eq(["_Invalid_Github_Message"]) + end + + it "accept event with valid signature" do + event.set('headers', {"x-hub-signature" => hash}) + expect(plugin.verify_signature(event,body)).to eq(true) + expect(event.get("hash")).to eq(hash) + expect(event.get("tags")).to be_nil + end + + end + + describe "don't validate webhook if token missing" do + let(:plugin) { LogStash::Plugin.lookup("input", "github").new( {"port" => 9999} ) } + let(:body) {IO.read("spec/fixtures/event_create.json")} + let(:headers) { 
{"x-hub-signature" => "hash"} } + let(:event) {plugin.build_event_from_request(body,headers)} + let(:hash) { "sha1=43b113fc453c47f1cd4d5b4ded2985581c00a715" } + + it "accept event without signature" do + event.set('headers',{}) + expect(plugin.verify_signature(event,body)).to eq(true) + expect(event.get("hash")).to be_nil + expect(event.get("tags")).to be_nil + end + + it "accept event with invalid signature" do + event.set('headers',{"x-hub-signature" => "invalid"}) + expect(plugin.verify_signature(event,body)).to eq(true) + expect(event.get("hash")).to be_nil + expect(event.get("tags")).to be_nil + end + + it "accept event with valid signature" do + event.set('headers', {"x-hub-signature" => hash}) + expect(plugin.verify_signature(event,body)).to eq(true) + expect(event.get("hash")).to be_nil + expect(event.get("tags")).to be_nil + end + + end + + describe "verify event builder" do + let(:plugin) { LogStash::Plugin.lookup("input", "github").new( {"port" => 9999} ) } + let(:body) {"{}"} + let(:event) {plugin.build_event_from_request(body, {})} + + context 'when request body is a minimal JSON value' do + let(:body) {"123"} + it 'should add the body string into the message field and tag' do + expect(event.get("message")).to eq("123") + expect(event.get("tags")).to eq("_invalidjsonobject") + end + end + + context 'when request body is a JSON object' do + let(:body) {'{"action": "create"}'} + it 'should parse the body' do + expect(event.get("action")).to eq("create") + end + end + end + + describe 'graceful shutdown' do + context 'when underlying webserver crashes' do + + # Stubbing out our FTW::WebServer allows us to force it to raise an exception when we try to run it. 
+ let(:mock_webserver_class) { double('FTW::WebServer::class').as_null_object } + let(:mock_webserver) { double('FTW::WebServer').as_null_object } + before(:each) do + stub_const('FTW::WebServer', mock_webserver_class) + allow(mock_webserver_class).to receive(:new).and_return(mock_webserver) + expect(mock_webserver).to receive(:run).and_raise('testing: intentional uncaught exception') + end + + it 'makes an attempt to stop the webserver' do + expect(mock_webserver).to receive(:stop) + + plugin.run([]) rescue nil + end + + it 'propagates the original exception' do + expect do + plugin.run([]) + end.to raise_exception('testing: intentional uncaught exception') + end + + context 'and an attempt to stop the webserver also crashes' do + let(:mock_logger) { double('Logger').as_null_object } + before(:each) do + allow(plugin).to receive(:logger).and_return(mock_logger) + allow(mock_webserver).to receive(:stop).and_raise('yo dawg') + end + + it 'logs helpfully' do + expect(mock_logger).to receive(:error).with("Error while stopping FTW::WebServer", + exception: 'yo dawg', backtrace: instance_of(Array)) + + plugin.run([]) rescue nil + end + + it 'propagates the original exception' do + expect do + plugin.run([]) + end.to raise_exception('testing: intentional uncaught exception') + end + end + end + end + + describe "debugging `secret_token`" do + let(:plugin) { LogStash::Plugin.lookup("input", "github").new( {"port" => 9999, "secret_token" => ::LogStash::Util::Password.new("my_secret")} ) } + + it "should not show origin value" do + expect(plugin.logger).to receive(:debug).with('') + + plugin.register + plugin.logger.send(:debug, plugin.secret_token.to_s) + end + end end
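Review bot: The `debugging `secret_token`` example only checks the string that the test itself passes to `logger.debug`; no plugin code path that could log the token is exercised, so it would keep passing even if `register` or `run` logged `@secret_token.value` directly. A test that stubs `plugin.logger` and asserts that no logged argument contains `"my_secret"` after `plugin.register` would check the 3.0.11 change itself; whether `Password#to_s` really yields `''` rather than a masked placeholder I cannot confirm from this page. In "copy webhook http headers to event[headers]", `expect(event.get('headers')).to eq (headers)` has a space before the argument parentheses, which Ruby parses as `eq((headers))`; write `eq(headers)`. Note also that "reject event with invalid signature" pins `event.get("hash")` to the correct HMAC on a rejected event, which locks in behaviour worth reconsidering in the plugin hunk.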