Mise à jour : migration vers ForgeJo
This commit is contained in:
parent
d8ef20ba8c
commit
c2bcd5a2f2
2 changed files with 124 additions and 74 deletions
|
|
@ -5,6 +5,8 @@ os.environ.pop("SSL_CERT_FILE", None)
|
|||
|
||||
from flask import Flask, request, abort
|
||||
from datetime import datetime, timezone
|
||||
import hmac
|
||||
import hashlib
|
||||
|
||||
app = Flask(__name__)
|
||||
|
||||
|
|
@ -89,11 +91,22 @@ def run_mep_logic(author, commit_msg, branch="main"):
|
|||
|
||||
@app.route('/deploy', methods=['POST'])
|
||||
def deploy():
|
||||
# ⚡ MODIFICATION : Forgejo envoie son token secret dans 'X-Gitea-Token'
|
||||
if request.headers.get('X-Gitea-Token') != WEBHOOK_SECRET:
|
||||
# 1. Vérification de la signature HMAC
|
||||
signature_recue = request.headers.get('X-Hub-Signature-256')
|
||||
if not signature_recue:
|
||||
abort(403)
|
||||
|
||||
# Extraction des infos (La structure des commits est identique à GitLab)
|
||||
payload_brut = request.get_data()
|
||||
signature_attendue = "sha256=" + hmac.new(
|
||||
WEBHOOK_SECRET.encode('utf-8'),
|
||||
payload_brut,
|
||||
hashlib.sha256
|
||||
).hexdigest()
|
||||
|
||||
if not hmac.compare_digest(signature_attendue, signature_recue):
|
||||
abort(403)
|
||||
|
||||
# 2. Logique de déploiement si la signature est valide
|
||||
data = request.json
|
||||
author = "Inconnu"
|
||||
commit_msg = "Pas de message"
|
||||
|
|
@ -102,11 +115,9 @@ def deploy():
|
|||
author = data['commits'][0].get('author', {}).get('name', 'Inconnu')
|
||||
commit_msg = data['commits'][0].get('message', 'Pas de message')
|
||||
|
||||
# Extraction de la branche
|
||||
ref = data.get('ref', 'refs/heads/main')
|
||||
branch = ref.split('/')[-1] if ref else 'main'
|
||||
|
||||
# Threading inchangé pour répondre instantanément à Forgejo
|
||||
threading.Thread(target=run_mep_logic, args=(author, commit_msg, branch)).start()
|
||||
|
||||
return {"status": "accepted"}, 202
|
||||
|
|
@ -115,23 +126,43 @@ def deploy():
|
|||
@app.route('/forgejo_webhook', methods=['POST'])
|
||||
@app.route('/gitlab_webhook', methods=['POST'])
|
||||
def forgejo_webhook():
|
||||
# ⚡ MODIFICATION : Sécurité via l'en-tête Forgejo
|
||||
received_token = request.headers.get('X-Gitea-Token')
|
||||
|
||||
print(f"[DEBUG] Webhook d'événements reçu. Token reçu: '{received_token}'")
|
||||
# 1. On récupère la signature envoyée par Forgejo/Gitea
|
||||
signature_recue = None
|
||||
for header_name in ('X-Hub-Signature-256', 'X-Gitea-Signature', 'X-Gogs-Signature'):
|
||||
signature_recue = request.headers.get(header_name)
|
||||
if signature_recue:
|
||||
break
|
||||
|
||||
if received_token != WEBHOOK_SECRET:
|
||||
abort(403)
|
||||
# 2. On lit les données brutes envoyées par Forgejo
|
||||
payload_brut = request.get_data()
|
||||
|
||||
# Relai direct de la payload de l'événement (tickets, commentaires) vers ton bot local au port 5001
|
||||
# 3. Vérification de signature (compatible GitHub/Gitea/Gogs)
|
||||
if signature_recue:
|
||||
signature_attendue = "sha256=" + hmac.new(
|
||||
WEBHOOK_SECRET.encode('utf-8'),
|
||||
payload_brut,
|
||||
hashlib.sha256
|
||||
).hexdigest()
|
||||
|
||||
if not hmac.compare_digest(signature_attendue, signature_recue):
|
||||
print("[!] Signature invalide ! Hacking intercepté 🛡️", flush=True)
|
||||
abort(403)
|
||||
else:
|
||||
# Fallback pratique pour les environnements locaux / tests où Forgejo n'envoie pas d'en-tête de signature.
|
||||
print("[WARN] Aucune signature détectée, relayage du webhook sans vérification de signature.", flush=True)
|
||||
|
||||
print("[DEBUG] Signature validée avec succès !", flush=True)
|
||||
|
||||
# 4. Si tout est bon, on transmet au bot sur le port 5001
|
||||
payload = request.json
|
||||
try:
|
||||
requests.post(BOT_LOCAL_URL, json=payload, timeout=5)
|
||||
except Exception as e:
|
||||
print(f"[!] Erreur de relais vers le bot Discord : {e}")
|
||||
print(f"[!] Erreur de relais vers le bot Discord : {e}", flush=True)
|
||||
|
||||
return {"status": "received"}, 200
|
||||
|
||||
if __name__ == '__main__':
|
||||
print(f"[*] Webhook Forgejo opérationnel sur le port 5000. Prêt pour les MEP !")
|
||||
app.run(host='0.0.0.0', port=5000)
|
||||
app.run(host='0.0.0.0', port=5000)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue