Initial commit

Author: ddevault

.gitignore

@@ -0,0 +1,13 @@
+*.pyc
+bin/
+config.ini
+include/
+local/
+lib/
+*.swp
+*.rdb
+.idea/
+nbproject/
+MANIFEST
+dist/
+build/

LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2015 Drew DeVault
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,57 @@
+# Hooks
+
+This is a simple web server that enables you to execute commands when you
+receive web hooks from Github. This lets you, for example, redeploy things when
+you push a commit.
+
+## Installation
+
+`pip install ghhooks` will do the trick, or just `sudo python ./setup.py
+install`. Hooks depends on Flask.
+
+## Deployment
+
+### Stupid way
+
+Just run `ghhooks` and it'll work well enough.
+
+### Smart way
+
+Install gunicorn and run `gunicorn hooks:app`, then set up a web server like
+nginx to proxy to it (see [nginx](#nginx)). Use an init script from the init
+directory, or write your own and send a pull request adding it.
+
+## Configuration
+
+It looks for `config.ini` in the CWD or uses `/etc/hooks.conf` if that doesn't
+exist. An example is given in this repository as "config.ini":
+
+    [example-hook]
+    repository=SirCmpwn/hook
+    branch=master
+    command=echo Hello world!
+    valid_ips=204.232.175.64/27,192.30.252.0/22,127.0.0.1
+    # Note: these IP blocks are Github's hook servers, plus localhost
+
+You may add as many hooks as you like, named by the `[example-hook]` line.
+
+Hooks will pass Github's JSON payload into your hook command.
+
+### Github configuration
+
+1. Go to https://github.com/OWNER/REPOSITORY/settings/hooks/new (modify this
+   URL as appropriate)
+2. Set your payload URL to "http://your-server/hook"
+3. Set the content type to `application/json`
+4. Do not include a secret
+5. "Just the `push` event"
+6. Click "Add webhook" and you're good to go!
+
+## Nginx
+
+I suggest you run this behind nginx. The location configuration might look
+something like this:
+
+    location /hook {
+        proxy_pass http://localhost:8000;
+    }

ghhooks

@@ -0,0 +1,5 @@
+#!/usr/bin/env python3
+from hooks import app
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=8000, debug=True)

hooks.py

@@ -0,0 +1,86 @@
+from flask import Flask, request, abort
+from configparser import ConfigParser
+
+import sys
+import os
+from subprocess import Popen, PIPE, STDOUT
+import urllib
+import json
+import logging
+
+config_paths = ["./config.ini", "/etc/hooks.conf"]
+config = ConfigParser()
+for p in config_paths:
+    try:
+        config.readfp(open(p))
+        break
+    except:
+        pass
+
+app = Flask(__name__)
+
+class Hook():
+    def __init__(self, name, config):
+        self.name = name
+        self.repository = config.get(name, "repository")
+        self.branch = config.get(name, "branch")
+        self.command = config.get(name, "command")
+        self.valid_ips = config.get(name, "valid_ips")
+
+hooks = list()
+
+for key in config:
+    if key == 'DEFAULT':
+        continue
+    hooks.append(Hook(key, config))
+
+print("Loaded {} hooks".format(len(hooks)))
+
+def makeMask(n):
+    return (2 << n - 1) - 1
+
+def dottedQuadToNum(ip):
+    parts = ip.split(".")
+    return int(parts[0]) | (int(parts[1]) << 8) | (int(parts[2]) << 16) | (int(parts[3]) << 24)
+
+def networkMask(ip, bits):
+    return dottedQuadToNum(ip) & makeMask(bits)
+
+def addressInNetwork(ip, net):
+    return ip & net == net
+
+@app.route('/hook', methods=['POST'])
+def hook_publish():
+    raw = request.data.decode("utf-8")
+    try:
+        event = json.loads(raw)
+    except:
+        return "Hook rejected: invalid JSON", 400
+    repository = "{}/{}".format(event["repository"]["owner"]["name"], event["repository"]["name"])
+    matches = [h for h in hooks if h.repository == repository]
+    if len(matches) == 0:
+        return "Hook rejected: unknown repository {}".format(repository)
+    hook = matches[0]
+
+    allow = False
+    for ip in hook.valid_ips.split(","):
+        parts = ip.split("/")
+        range = 32
+        if len(parts) != 1:
+            range = int(parts[1])
+        addr = networkMask(parts[0], range)
+        if addressInNetwork(dottedQuadToNum(request.remote_addr), addr):
+            allow = True
+    if not allow:
+        return "Hook rejected: unauthorized IP", 403
+
+    if any("[noupdate]" in c["message"] for c in event["commits"]):
+        return "Hook ignored: commit specifies [noupdate]"
+
+    if "refs/heads/" + hook.branch == event["ref"]:
+        print("Executing hook for " + hook.name)
+        p=Popen(hook.command.split(), stdin=PIPE)
+        p.communicate(input=raw.encode())
+        return "Hook accepted"
+
+    return "Hook ignored: wrong branch"

init/hooks.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Github hook service
+Wants=network.target
+Before=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/gunicorn hooks:app
+ExecStop=/usr/bin/pkill gunicorn
+
+[Install]
+WantedBy=multi-user.target

requirements.txt

@@ -0,0 +1 @@
+Flask==0.10.1

setup.py

@@ -0,0 +1,11 @@
+from distutils.core import setup
+setup(name="ghhooks",
+        author="Drew DeVault",
+        author_email="[email protected]",
+        url="https://github.com/SirCmpwn/hooks",
+        description="Executes commands based on Github hooks",
+        license="MIT",
+        version="1.0",
+        scripts=["ghhooks"],
+        py_modules=["hooks"],
+        install_requires=["Flask"])