/// <summary>
/// Instantiates a new <see cref="Enumerator"/> instance for <paramref name="tokenizer"/>.
/// </summary>
/// <param name="tokenizer">The containing <see cref="TrimmingTokenizer"/>.</param>
public Enumerator(TrimmingTokenizer tokenizer)
{
_tokenizer = tokenizer;
_count = 0;
_enumerator = tokenizer._tokenizer.GetEnumerator();
_remainder = StringSegment.Empty;
}
/// <inheritdoc />
public async Task OnResourceExecutionAsync(ResourceExecutingContext context, ResourceExecutionDelegate next)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (next == null)
{
throw new ArgumentNullException(nameof(next));
}
var request = context.HttpContext.Request;
if (HttpMethods.IsPost(request.Method))
{
// 1. Confirm a secure connection.
var errorResult = EnsureSecureConnection(ReceiverName, context.HttpContext.Request);
if (errorResult != null)
{
context.Result = errorResult;
return;
}
// 2. Get the expected hash from the signature header.
var header = GetRequestHeader(request, GitHubConstants.SignatureHeaderName, out errorResult);
if (errorResult != null)
{
context.Result = errorResult;
return;
}
var values = new TrimmingTokenizer(header, PairSeparators);
var enumerator = values.GetEnumerator();
enumerator.MoveNext();
var headerKey = enumerator.Current;
if (values.Count != 2 ||
!StringSegment.Equals(
headerKey,
GitHubConstants.SignatureHeaderKey,
StringComparison.OrdinalIgnoreCase))
{
Logger.LogWarning(
0,
$"Invalid '{GitHubConstants.SignatureHeaderName}' header value. Expecting a value of " +
$"'{GitHubConstants.SignatureHeaderKey}=<value>'.");
var message = string.Format(
CultureInfo.CurrentCulture,
GitHubConstants.SignatureHeaderName,
GitHubConstants.SignatureHeaderKey,
"<value>");
errorResult = new BadRequestObjectResult(message);
context.Result = errorResult;
return;
}
enumerator.MoveNext();
var headerValue = enumerator.Current.Value;
var expectedHash = FromHex(headerValue, GitHubConstants.SignatureHeaderName);
if (expectedHash == null)
{
context.Result = CreateBadHexEncodingResult(GitHubConstants.SignatureHeaderKey);
return;
}
// 3. Get the configured secret key.
var secretKey = Env.GetString("GITHUB_WEBHOOKS_SECRETKEY_DEFAULT");
if (secretKey == null)
{
context.Result = new NotFoundResult();
return;
}
var secret = Encoding.UTF8.GetBytes(secretKey);
// 4. Get the actual hash of the request body.
var actualHash = await ComputeRequestBodySha1HashAsync(request, secret);
// 5. Verify that the actual hash matches the expected hash.
if (!SecretEqual(expectedHash, actualHash))
{
// Log about the issue and short-circuit remainder of the pipeline.
errorResult = CreateBadSignatureResult(GitHubConstants.SignatureHeaderName);
context.Result = errorResult;
return;
}
}
await next();
}