Skip to content

secrets are now looked up in order of: system environment, plug param… #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bbalser wants to merge 1 commit into
base: master
Choose a base branch
from
Open

secrets are now looked up in order of: system environment, plug param… #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions lib/gh_webhook_plug.ex
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,10 +35,18 @@ defmodule GhWebhookPlug do
Plug.Crypto.secure_compare(signature, signature_in_header)
end


defp get_config(options, :secret) do
System.get_env(get_env_name(:secret)) || options[:secret] || get_config(:secret)
end
defp get_config(options, key) do
options[key] || get_config(key)
end

defp get_env_name(key) do
"GH_WEBHOOK_" <> to_string(key) |> String.upcase
end

defp get_config(key) do
case Application.get_env(:gh_webhook_plug, key) do
nil ->
Expand Down
30 changes: 28 additions & 2 deletions test/gh_webhook_plug_test.exs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@ defmodule GhWebhookPlugTest do
end
end

setup do
on_exit fn -> System.delete_env("GH_WEBHOOK_SECRET") end
end

test "when verification fails, returns a 403" do
conn = conn(:get, "/gh-webhook", "hello world") |> put_req_header("x-hub-signature", "sha1=wrong_hexdigest")
Expand Down Expand Up @@ -50,7 +53,7 @@ defmodule GhWebhookPlugTest do

test "when secret set in param, it takes presedence over application setting" do
# Demo plug where secret is in ENV var
defmodule DemoPlugParamPresendence do
defmodule DemoPlugParamPrecedence do
use Plug.Builder

plug GhWebhookPlug, secret: "secret",path: "/gh-webhook", action: {__MODULE__, :'gh_webhook'}
Expand All @@ -63,7 +66,7 @@ defmodule GhWebhookPlugTest do
Application.put_env(:gh_webhook_plug, :secret, "wrong")
hexdigest = "sha1=" <> (:crypto.hmac(:sha, "secret", "hello world") |> Base.encode16(case: :lower))
conn = conn(:get, "/gh-webhook", "hello world") |> put_req_header("x-hub-signature", hexdigest)
|> DemoPlugParamPresendence.call([])
|> DemoPlugParamPrecedence.call([])

assert conn.status == 200
assert Process.get(:payload) == "hello world"
Expand Down Expand Up @@ -110,4 +113,27 @@ defmodule GhWebhookPlugTest do
assert conn.status == 200
assert Process.get(:payload) == "hello world"
end

test "when secret set in system environment, it takes presedence over application setting and plug param" do
# Demo plug where secret is in ENV var
defmodule DemoPlugSystemEnvPrecedence do
use Plug.Builder

plug GhWebhookPlug, secret: "wrong",path: "/gh-webhook", action: {__MODULE__, :'gh_webhook'}

def gh_webhook(_conn, payload) do
Process.put(:payload, payload)
end
end

System.put_env("GH_WEBHOOK_SECRET", "secret")
Application.put_env(:gh_webhook_plug, :secret, "wrong")
hexdigest = "sha1=" <> (:crypto.hmac(:sha, "secret", "hello world") |> Base.encode16(case: :lower))
conn = conn(:get, "/gh-webhook", "hello world") |> put_req_header("x-hub-signature", hexdigest)
|> DemoPlugSystemEnvPrecedence.call([])

assert conn.status == 200
assert Process.get(:payload) == "hello world"
end

end