[FEATURE] Gérer le déploiement des review app sur scalingo

build/controllers/github.js

@@ -0,0 +1,38 @@
+const ScalingoClient = require('../../common/services/scalingo-client');
+
+const repositoryToScalingoAppsReview = {
+  pix: ['pix-front-review', 'pix-api-review'],
+  'pix-editor': ['pix-lcms-review'],
+  'pix-db-replication': ['pix-datawarehouse-integration'],
+  'pix-db-stats': ['pix-db-stats-review'],
+  'pix-site': ['pix-site-review'],
+  'pix-bot': ['pix-bot-review']
+};
+
+module.exports = {
+  async processWebhook(request) {
+    const eventName = request.headers['x-github-event'];
+    if (eventName === 'pull_request') {
+      const payload = request.payload;
+      const repository = payload.pull_request.head.repo.name;
+      const prId = payload.number;
+      const reviewApps = repositoryToScalingoAppsReview[repository];
+      if (payload.pull_request.head.repo.fork) {
+        return 'No RA for a fork';
+      }
+      if (payload.action !== 'opened') {
+        return `Ignoring ${payload.action} action`;
+      }
+      if (!reviewApps) {
+        return 'No RA configured for this repository';
+      }
+      const client = await ScalingoClient.getInstance('reviewApps');
+      for (const appName of reviewApps) {
+        await client.deployReviewApp(appName, prId);
+      }
+      return `Created RA on app ${reviewApps.join(', ')} with pr ${prId}`;
+    } else {
+      return `Ignoring ${eventName} event`;
+    }
+  }
+};

build/routes/github.js

@@ -0,0 +1,11 @@
+const { githubConfig } = require('../../common/config');
+const githubController = require('../../build/controllers/github');
+
+module.exports = [
+  {
+    method: 'POST',
+    path: '/github/webhook',
+    handler: githubController.processWebhook,
+    config: githubConfig
+  },
+];

common/config.js

@@ -1,4 +1,5 @@
-const { verifySignatureAndParseBody } = require('./services/slack/security');
+const { verifySignatureAndParseBody: verifySlackSignatureAndParseBody } = require('./services/slack/security');
+const { verifyWebhookSignature: verifyGithubSignature } = require('./services/github');
 
 module.exports = {
   slackConfig: {
@@ -7,7 +8,16 @@ module.exports = {
       parse: false
     },
     pre: [
-      {method: verifySignatureAndParseBody, assign: 'payload'}
+      { method: verifySlackSignatureAndParseBody, assign: 'payload' }
     ]
   },
+
+  githubConfig: {
+    payload: {
+      allow: ['application/json'],
+    },
+    pre: [
+      { method: verifyGithubSignature }
+    ]
+  }
 };

common/services/github.js

@@ -1,6 +1,9 @@
 const { Octokit } = require('@octokit/rest');
-const settings = require('../../config');
 const { zipWith, countBy, entries, noop } = require('lodash');
+const crypto = require('crypto');
+const tsscmp = require('tsscmp');
+const Boom = require('@hapi/boom');
+const settings = require('../../config');
 
 const color = {
   'team-evaluation': '#FDEEC1',
@@ -209,6 +212,19 @@ async function _getCommitsWhereConfigFileHasChangedSinceDate(repoOwner, repoName
   return data;
 }
 
+function _verifyRequestSignature(webhookSecret, body, signature) {
+  if (!signature) {
+    throw Boom.unauthorized('Github signature is empty.');
+  }
+  const [, hash] = signature.split('=');
+  const hmac = crypto.createHmac('sha256', webhookSecret);
+  hmac.update(body);
+
+  if (!tsscmp(hash, hmac.digest('hex'))) {
+    throw Boom.unauthorized('Github signature verification failed. Signature mismatch.');
+  }
+}
+
 module.exports = {
 
   async getPullRequests(label) {
@@ -271,6 +287,20 @@ module.exports = {
     const latestReleaseDate = await _getLatestReleaseDate(repoOwner, repoName);
     const commits = await _getCommitsWhereConfigFileHasChangedSinceDate(repoOwner, repoName, latestReleaseDate);
     return commits.length > 0;
-  }
+  },
 
+  verifyWebhookSignature(request) {
+    const { headers, payload } = request;
+
+    const webhookSecret = settings.github.webhookSecret;
+    const signature = headers['x-hub-signature-256'];
+    const stringBody = payload ? JSON.stringify(payload) : '';
+
+    try {
+      _verifyRequestSignature(webhookSecret, stringBody, signature);
+    } catch (error) {
+      return error;
+    }
+    return true;
+  }
 };

common/services/scalingo-client.js

@@ -47,6 +47,10 @@ class ScalingoClient {
     return [await this._getSingleAppInfo(target)];
   }
 
+  deployReviewApp(appName, prId) {
+    return this.client.SCMRepoLinks.manualReviewApp(appName, prId);
+  }
+
   async _getAllAppsInfo(environment) {
     const apps = ['api', 'app', 'orga', 'certif', 'admin'];
     const promises = apps.map(appName => this._getSingleAppInfo(appName, environment));

config.js

@@ -64,6 +64,7 @@ module.exports = (function() {
       token: process.env.GITHUB_PERSONAL_ACCESS_TOKEN,
       owner: process.env.GITHUB_OWNER,
       repository: process.env.GITHUB_REPOSITORY,
+      webhookSecret: process.env.GITHUB_WEBHOOK_SECRET,
     },
 
     googleSheet: {
@@ -110,6 +111,7 @@ module.exports = (function() {
 
     config.github.owner = 'github-owner';
     config.github.repository = 'github-repository';
+    config.github.webhookSecret = 'github-webhook-secret';
 
     config.slack.requestSigningSecret = 'slack-super-signing-secret';
 

test/acceptance/build/github_test.js

@@ -0,0 +1,126 @@
+const { expect } = require('chai');
+const { createGithubWebhookSignatureHeader, nock } = require('../../test-helper');
+const server = require('../../../server');
+
+describe('Acceptance | Build | Github', function() {
+  describe('POST /github/webhook', function() {
+    let body;
+
+    beforeEach(() => {
+      body = {
+        action: 'opened',
+        number: 2,
+        pull_request: {
+          head: {
+            repo: {
+              name: 'pix',
+              fork: false
+            }
+          }
+        }
+      };
+    });
+
+    it('responds with 200 and create the RA on scalingo', async () => {
+      const scalingoAuth = nock('https://auth.scalingo.com')
+        .post('/v1/tokens/exchange')
+        .reply(201);
+      const scalingoDeploy1 = nock('https://api.osc-fr1.scalingo.com')
+        .post('/v1/apps/pix-front-review/scm_repo_link/manual_review_app', {pull_request_id: 2})
+        .reply(201);
+      const scalingoDeploy2 = nock('https://api.osc-fr1.scalingo.com')
+        .post('/v1/apps/pix-api-review/scm_repo_link/manual_review_app', {pull_request_id: 2})
+        .reply(201);
+
+      const res = await server.inject({
+        method: 'POST',
+        url: '/github/webhook',
+        headers: {
+          ...createGithubWebhookSignatureHeader(JSON.stringify(body)),
+          'x-github-event': 'pull_request'
+        },
+        payload: body,
+      });
+      expect(res.statusCode).to.equal(200);
+      expect(res.result).to.eql('Created RA on app pix-front-review, pix-api-review with pr 2');
+      expect(scalingoAuth.isDone()).to.be.true;
+      expect(scalingoDeploy1.isDone()).to.be.true;
+      expect(scalingoDeploy2.isDone()).to.be.true;
+    });
+
+    it('responds with 200 and doesn\'t create the RA on scalingo when the PR is from a fork', async () => {
+      body.pull_request.head.repo.fork = true;
+
+      const res = await server.inject({
+        method: 'POST',
+        url: '/github/webhook',
+        headers: {
+          ...createGithubWebhookSignatureHeader(JSON.stringify(body)),
+          'x-github-event': 'pull_request'
+        },
+        payload: body,
+      });
+      expect(res.statusCode).to.equal(200);
+      expect(res.result).to.eql('No RA for a fork');
+    });
+
+    it('responds with 200 and doesn\'t create the RA on scalingo when the PR is not from a configured repo', async () => {
+      body.pull_request.head.repo.name = 'pix-repository-that-dont-exist';
+
+      const res = await server.inject({
+        method: 'POST',
+        url: '/github/webhook',
+        headers: {
+          ...createGithubWebhookSignatureHeader(JSON.stringify(body)),
+          'x-github-event': 'pull_request'
+        },
+        payload: body,
+      });
+      expect(res.statusCode).to.equal(200);
+      expect(res.result).to.eql('No RA configured for this repository');
+    });
+
+    it('responds with 200 and do nothing for other action on pull request', async () => {
+      body.action = 'edited';
+
+      const res = await server.inject({
+        method: 'POST',
+        url: '/github/webhook',
+        headers: {
+          ...createGithubWebhookSignatureHeader(JSON.stringify(body)),
+          'x-github-event': 'pull_request'
+        },
+        payload: body,
+      });
+      expect(res.statusCode).to.equal(200);
+      expect(res.result).to.eql('Ignoring edited action');
+    });
+
+    it('responds with 200 and do nothing for other event', async () => {
+      const res = await server.inject({
+        method: 'POST',
+        url: '/github/webhook',
+        headers: {
+          ...createGithubWebhookSignatureHeader(JSON.stringify(body)),
+          'x-github-event': 'deployment'
+        },
+        payload: body,
+      });
+      expect(res.statusCode).to.equal(200);
+      expect(res.result).to.eql('Ignoring deployment event');
+    });
+
+    it('responds with 401', async () => {
+      const res = await server.inject({
+        method: 'POST',
+        url: '/github/webhook',
+        headers: {
+          'x-hub-signature-256': 'sha256=test',
+          'x-github-event': 'pull_request'
+        },
+        payload: body,
+      });
+      expect(res.statusCode).to.equal(401);
+    });
+  });
+});

test/test-helper.js

@@ -2,6 +2,8 @@ const chai = require('chai');
 const { expect } = chai;
 const sinon = require('sinon');
 const nock = require('nock');
+const crypto = require('crypto');
+const config = require('../config');
 
 chai.use(require('sinon-chai'));
 
@@ -11,6 +13,7 @@ beforeEach(() => {
 
 afterEach(function () {
   sinon.restore();
+  nock.cleanAll();
 });
 
 function catchErr(promiseFn, ctx) {
@@ -24,9 +27,19 @@ function catchErr(promiseFn, ctx) {
   };
 }
 
+function createGithubWebhookSignatureHeader(body) {
+  const hmac = crypto.createHmac('sha256', config.github.webhookSecret);
+  hmac.update(body);
+
+  return {
+    'x-hub-signature-256': 'sha256='+ hmac.digest('hex'),
+  };
+}
+
 module.exports = {
   catchErr,
   expect,
   nock,
   sinon,
+  createGithubWebhookSignatureHeader,
 };