Adding in webhook function

ryantiffany · ryantiffany · commit f44f406ddb29 · 2024-05-12T05:21:50.000-05:00
diff --git a/diagrams/ce-fn-webhook.drawio b/diagrams/ce-fn-webhook.drawio
diff --git a/functions/github-webhook-app-update/README.md b/functions/github-webhook-app-update/README.md
@@ -0,0 +1,3 @@
+# Github webhook function
+
+![Workflow diagram](../../images/ce-fn-webhook.png)
diff --git a/functions/github-webhook-app-update/__main__.py b/functions/github-webhook-app-update/__main__.py
@@ -0,0 +1,80 @@
+"""main entry point to webhook function"""
+import logging
+import os
+import json
+import httpx
+from helpers import verify_payload, verify_signature, get_iam_token
+
+HEADERS = {"Content-Type": "text/plain;charset=utf-8"}
+
+logger = logging.getLogger()
+
+
+def main(params):
+    ibmcloud_api_key = os.environ.get('IBMCLOUD_API_KEY')
+    if not ibmcloud_api_key:
+        raise ValueError("IBMCLOUD_API_KEY environment variable not found")
+
+    secret_token = os.environ.get("WEBHOOK_SECRET")
+    if not secret_token:
+        raise ValueError("WEBHOOK_SECRET environment variable not found")
+
+    payload_body = params
+    headers = payload_body["__ce_headers"]
+    signature_header = headers.get("X-Hub-Signature-256", None)
+    image_tag = payload_body.get('workflow_run', {}).get('head_sha', None)
+    if not image_tag:
+        return {
+            "headers": {"Content-Type": "application/json"},
+            "statusCode": 400,
+            "body": "Missing image tag"
+        }
+    verify_payload(payload_body)
+    verify_signature(payload_body, secret_token, signature_header)
+
+    iam_token = get_iam_token(ibmcloud_api_key)
+    if not iam_token:
+        return {
+            "headers": HEADERS,
+            "statusCode": 500,
+            "body": "Failed to get IAM token",
+        }
+
+    code_engine_app = os.environ.get('CE_APP')
+    code_engine_region = os.environ.get('CE_REGION')
+    project_id = os.environ.get('CE_PROJECT_ID')
+    app_endpoint = f"https://api.{code_engine_region}.codeengine.cloud.ibm.com/v2/projects/{project_id}/apps/{code_engine_app}"
+
+    try:
+
+        app_get = httpx.get(app_endpoint, headers = { "Authorization" : iam_token })
+        results = app_get.json()
+        etag = results['entity_tag']
+        short_tag = image_tag[:8]
+        update_headers = { "Authorization" : iam_token, "Content-Type" : "application/merge-patch+json", "If-Match" : etag }
+        app_patch_model = { "image_reference": "private.us.icr.io/rtiffany/dts-ce-py-app:" + short_tag }
+        app_update = httpx.patch(app_endpoint, headers = update_headers, json = app_patch_model)
+        app_update.raise_for_status()
+        app_json_payload = app_update.json()
+        latest_ready_revision = app_json_payload.get('latest_ready_revision', None)
+
+        data = {
+            "headers": {"Content-Type": "application/json"},
+            "statusCode": 200,
+            "latest_ready_revision": latest_ready_revision,
+            "body": "App updated successfully"
+        }
+ 
+        return {
+                "headers": {"Content-Type": "application/json"},
+                "statusCode": 200,
+                "body": json.dumps(data)
+                }
+    except httpx.HTTPError as e:
+        # Define results here to avoid the error
+        results = {"error": str(e)}
+        return {
+                "headers": {"Content-Type": "application/json"},
+                "statusCode": 500,
+                "body": json.dumps(results)
+        }
diff --git a/functions/github-webhook-app-update/helpers.py b/functions/github-webhook-app-update/helpers.py
@@ -0,0 +1,63 @@
+import json
+import hashlib
+import hmac
+import httpx
+
+HEADERS = {"Content-Type": "text/plain;charset=utf-8"}
+
+
+def verify_payload(params):
+    """Verify X-Hub-Signature-256, commits, & head_commit.id exist."""
+    if (
+        "__ce_headers" not in params
+        or "X-Hub-Signature-256" not in params["__ce_headers"]
+    ):
+        return {
+            "headers": HEADERS,
+            "body": "Missing params.headers.X-Hub-Signature-256",
+        }
+
+    if "workflow_run" not in params:
+        return {
+            "headers": HEADERS,
+            "body": "Missing params.workflow_run",
+        }
+
+    return None
+
+def verify_signature(payload_body, secret_token, signature_header):
+    """Verify that the payload was sent from GitHub by validating SHA256.
+
+    Raise and return 403 if not authorized.
+
+    Args:
+        payload_body: original request body to verify (request.body())
+        secret_token: GitHub app webhook token (WEBHOOK_SECRET)
+        signature_header: header received from GitHub (x-hub-signature-256)
+    """
+    for value in payload_body:
+        value: str
+        if value.startswith("__"):
+            del value
+    payload_body_bytes = json.dumps(payload_body).encode('utf-8')
+
+    hash_object = hmac.new(secret_token.encode('utf-8'), msg=payload_body_bytes, digestmod=hashlib.sha256)
+    expected_signature = "sha256=" + hash_object.hexdigest()
+
+    if not hmac.compare_digest(expected_signature, signature_header):
+        return {
+            "statusCode": 403,
+            "headers": HEADERS,
+            "body": "Request signatures didn't match!",
+        }
+
+    return None
+
+def get_iam_token(ibmcloud_api_key):
+    """Get IAM token from IBM Cloud using API key."""
+    hdrs = { "Accept" : "application/json", "Content-Type" : "application/x-www-form-urlencoded" }
+    iam_params = { "grant_type" : "urn:ibm:params:oauth:grant-type:apikey", "apikey" : ibmcloud_api_key }
+    resp = httpx.post('https://iam.cloud.ibm.com/identity/token', data = iam_params, headers = hdrs)
+    resp.raise_for_status() 
+    return resp.json().get('access_token', None)
+
diff --git a/functions/github-webhook-app-update/requirements.txt b/functions/github-webhook-app-update/requirements.txt
@@ -0,0 +1,35 @@
+annotated-types==0.6.0
+anyio==4.3.0
+certifi==2024.2.2
+click==8.1.7
+dnspython==2.6.1
+email_validator==2.1.1
+fastapi==0.111.0
+fastapi-cli==0.0.3
+h11==0.14.0
+httpcore==1.0.5
+httptools==0.6.1
+httpx==0.27.0
+idna==3.7
+Jinja2==3.1.4
+markdown-it-py==3.0.0
+MarkupSafe==2.1.5
+mdurl==0.1.2
+orjson==3.10.3
+pydantic==2.7.1
+pydantic_core==2.18.2
+Pygments==2.18.0
+python-dotenv==1.0.1
+python-multipart==0.0.9
+PyYAML==6.0.1
+rich==13.7.1
+shellingham==1.5.4
+sniffio==1.3.1
+starlette==0.37.2
+typer==0.12.3
+typing_extensions==4.11.0
+ujson==5.9.0
+uvicorn==0.29.0
+uvloop==0.19.0
+watchfiles==0.21.0
+websockets==12.0
diff --git a/images/ce-fn-webhook.png b/images/ce-fn-webhook.png

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Github webhook function`
	`2`	`+`
	`3`	`+![Workflow diagram](../../images/ce-fn-webhook.png)`