From 6f57651f92477c9a723465fc81535ed1da6672c1 Mon Sep 17 00:00:00 2001
From: Greg
Date: Tue, 1 Jul 2025 12:03:23 -0700
Subject: [PATCH] fix: Update webhook handler to skip Docker commands and map environment names
- Remove Docker pull step (Knative handles image pulling)
- Add environment name mapping (development -> dev, production -> prod)
- Add test files to .gitignore to exclude PII
- Webhook signature validation now working correctly
---
 .gitignore | 4 ++++
 scripts/webhook-handler.py | 49 +++++++++++++++++++++++++++++++-------
 2 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/.gitignore b/.gitignore
index d308d05..8169fe6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,10 @@ Thumbs.db
 .env.production
 webhook_secret.txt
+# Test files with PII
+test-signature.py
+test-webhook.sh
+
 # Personal deployment files
 manifests/personal/
 config/personal/
diff --git a/scripts/webhook-handler.py b/scripts/webhook-handler.py
index 6721119..4879979 100644
--- a/scripts/webhook-handler.py
+++ b/scripts/webhook-handler.py
@@ -53,8 +53,16 @@ def pull_image(image):
 def apply_manifests(environment):
 """Apply Kubernetes manifests for environment"""
- manifest_dir = f"{MANIFESTS_PATH}/{environment}"
- logger.info(f"Applying manifests from: {manifest_dir}")
+ # Map environment names to manifest directories
+ env_mapping = {
+ 'development': 'dev',
+ 'staging': 'staging',
+ 'production': 'prod'
+ }
+
+ manifest_env = env_mapping.get(environment, environment)
+ manifest_dir = f"{MANIFESTS_PATH}/{manifest_env}"
+ logger.info(f"Applying manifests from: {manifest_dir} (environment: {environment})")
 if not os.path.exists(manifest_dir):
 raise FileNotFoundError(f"Manifest directory not found: {manifest_dir}")
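Review bot: The new `.gitignore` entries for `test-signature.py` and `test-webhook.sh` only keep untracked copies out of future commits; they do nothing for a copy that is already tracked or present in history. If either file was ever committed (not visible from this patch), it still needs `git rm --cached`, and any webhook secret or personal data it contained should be treated as exposed and rotated or purged. A comment such as `# Never commit: contain real payloads and signing material` above the two entries would make the reason clearer than "Test files with PII".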
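Review bot: `env_mapping.get(environment, environment)` in `apply_manifests` falls back to the caller's raw value, so any name outside the three keys is interpolated unchanged into `manifest_dir`. If `environment` originates from the webhook body (its source is not visible in this hunk), a value containing path separators or `..` would resolve outside `MANIFESTS_PATH`, and the only remaining gate is `os.path.exists`. Treat the mapping as an allow-list instead: `manifest_env = env_mapping.get(environment)` followed by `if manifest_env is None: raise ValueError(f"Unknown environment: {environment!r}")`, adding `'dev'` and `'prod'` as keys if existing callers already send the short names. The function body continues past the end of this hunk.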
@@ -165,12 +173,35 @@ def implement_blue_green_deployment(service_name, namespace, traffic_split):
 def deploy():
 """Main webhook endpoint for deployments"""
 try:
- # Verify signature (temporarily disabled for testing)
+ # Verify signature
 signature = request.headers.get('X-Signature-SHA256')
- # if not verify_signature(request.data, signature):
- # logger.warning("Invalid webhook signature")
- # return jsonify({"error": "Invalid signature"}), 401
- logger.info(f"Webhook called with signature: {signature}")
+ payload = request.data
+
+ logger.info(f"Received webhook request")
+ logger.info(f"Signature header: {signature}")
+ logger.info(f"Payload length: {len(payload)} bytes")
+ logger.info(f"Payload: {payload.decode('utf-8')[:200]}...")
+
+ # Test signature verification with debug
+ if signature:
+ expected = hmac.new(
+ WEBHOOK_SECRET.encode('utf-8'),
+ payload,
+ hashlib.sha256
+ ).hexdigest()
+ expected_full = f"sha256={expected}"
+ logger.info(f"Expected signature: {expected_full}")
+ logger.info(f"Received signature: {signature}")
+ logger.info(f"Signatures match: {hmac.compare_digest(expected_full, signature)}")
+
+ if not verify_signature(payload, signature):
+ logger.warning("Invalid webhook signature")
+ return jsonify({"error": "Invalid signature"}), 401
+ else:
+ logger.warning("No signature header found")
+ return jsonify({"error": "No signature provided"}), 401
+
+ logger.info(f"Signature verification passed")
 # Parse payload
 data = request.json
@@ -199,8 +230,8 @@ def deploy():
 logger.info(f"Service: {service_name}")
 logger.info(f"Strategy: {deployment_strategy}")
- # Step 1: Pull the Docker image
- pull_image(image)
+ # Step 1: Skip Docker pull for Knative (Knative handles image pulling)
+ logger.info("Skipping Docker pull step (Knative handles image pulling)")
 # Step 2: Apply manifests
 apply_manifests(environment)
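Review bot: The debug block in `deploy()` writes `logger.info(f"Expected signature: {expected_full}")` before the request is authenticated, so the log ends up holding a valid HMAC for whatever body an unauthenticated sender supplied. Log read access then becomes equivalent to holding `WEBHOOK_SECRET` for that body. The whole `# Test signature verification with debug` block, from `expected = hmac.new(` through the `Signatures match` line, should be removed, since `verify_signature(payload, signature)` already makes the decision. The `Payload:` line should go as well: it logs up to 200 characters of unverified body, which the commit message itself says can carry PII, and `payload.decode('utf-8')` can raise on non-UTF-8 bytes before the signature check runs. Keeping `logger.info(f"Payload length: {len(payload)} bytes")` and the two 401 branches is enough for troubleshooting.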