forked from oscar-system/oscar-website
-
Notifications
You must be signed in to change notification settings - Fork 0
/
webhook.php
97 lines (82 loc) · 3.41 KB
/
webhook.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
<?php
/*
GitHub webhook handler template based on code by Miloslav Hůla (https://github.com/milo)
and extended for the oscar-website by Max Horn.
Here is how it works:
Any push to the oscar-website repository triggers this PHP script as a
webhook; this can be configured at
<https://github.com/oscar-system/oscar-website/settings/hooks>.
The crucial bit is at the end of this .php file, where an empty file
`/tmp/oscar-website.trigger` is created. This is detected by a systemd unit
/etc/systemd/system/oscar-website.path (a copy of this file is in the
/etc/ directory of the oscar-website repo).
This then triggers /etc/systemd/system/oscar-website.service
(a copy of this file is in the etc/ directory of the oscar-website repo).
This finally executes etc/update.sh, which runs jekyll.
*/
/*
We set a secret token in /etc/apache2/sites-enabled/oscar.conf
via this line: SetEnv GITHUB_WEBHOOK_SECRET "MY_SECRET"
with the actual secret key taking the place of MY_SECRET.
The same value must be entered in the GitHub settings at
<https://github.com/oscar-system/oscar-website/settings/hooks>.
*/
$hookSecret = getenv('GITHUB_WEBHOOK_SECRET');
set_error_handler(function($severity, $message, $file, $line) {
throw new \ErrorException($message, 0, $severity, $file, $line);
});
set_exception_handler(function($e) {
header('HTTP/1.1 500 Internal Server Error');
echo "Error on line {$e->getLine()}: " . htmlSpecialChars($e->getMessage());
die();
});
$rawPost = NULL;
if ($hookSecret !== NULL) {
if (!isset($_SERVER['HTTP_X_HUB_SIGNATURE'])) {
throw new \Exception("HTTP header 'X-Hub-Signature' is missing.");
} elseif (!extension_loaded('hash')) {
throw new \Exception("Missing 'hash' extension to check the secret code validity.");
}
list($algo, $hash) = explode('=', $_SERVER['HTTP_X_HUB_SIGNATURE'], 2) + array('', '');
if (!in_array($algo, hash_algos(), TRUE)) {
throw new \Exception("Hash algorithm '$algo' is not supported.");
}
$rawPost = file_get_contents('php://input');
if (!hash_equals($hash, hash_hmac($algo, $rawPost, $hookSecret))) {
throw new \Exception('Hook secret does not match.');
}
};
if (!isset($_SERVER['CONTENT_TYPE'])) {
throw new \Exception("Missing HTTP 'Content-Type' header.");
} elseif (!isset($_SERVER['HTTP_X_GITHUB_EVENT'])) {
throw new \Exception("Missing HTTP 'X-Github-Event' header.");
}
switch ($_SERVER['CONTENT_TYPE']) {
case 'application/json':
$json = $rawPost ?: file_get_contents('php://input');
break;
case 'application/x-www-form-urlencoded':
$json = $_POST['payload'];
break;
default:
throw new \Exception("Unsupported content type: $_SERVER[CONTENT_TYPE]");
}
# Payload structure depends on triggered event
# https://developer.github.com/v3/activity/events/types/
$payload = json_decode($json);
switch (strtolower($_SERVER['HTTP_X_GITHUB_EVENT'])) {
case 'ping':
echo 'pong';
break;
case 'push':
// create file to trigger systemd unit which regenerates the website
exec("echo 'Running oscar-website webhook' | logger");
touch("/tmp/oscar-website.trigger");
echo 'touched /tmp/oscar-website.trigger';
break;
default:
header('HTTP/1.0 404 Not Found');
echo "Event:$_SERVER[HTTP_X_GITHUB_EVENT] Payload:\n";
print_r($payload); # For debug only. Can be found in GitHub hook log.
die();
}