using_webhooks.rst 3.0 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980
  1. Using web-hooks
  2. ===============
  3. Web-hooks are a notification system that could be compared to a callback.
  4. Basically, pagure will make a HTTP POST request to one or more third party
  5. server/application with information about what is or just happened.
  6. Activating web-hooks notifications
  7. ----------------------------------
  8. To set-up a web-hook, simply go to the settings page of your project and
  9. enter the URL to the server/endpoint that will receive the notifications.
  10. If you wish to enter multiple URLs, enter one per line.
  11. To stop all notifications, clear out that field.
  12. Pagure will send a notification to this/these URL(s) for every action made
  13. on this project: new issue, new pull-request, new comments, new commits...
  14. .. note:: The notifications sent via web-hooks have the same payload as the
  15. notifications sent via `fedmsg <http://www.fedmsg.com/en/latest/>`_.
  16. Therefore, the list of pagure topics as well as example messages can be
  17. found in the `fedmsg documentation about pagure
  18. <https://fedora-fedmsg.readthedocs.io/en/latest/topics.html#id550>`_
  19. Authenticating the notifications
  20. --------------------------------
  21. There is, in the settings page, a web-hook key which is used by the
  22. server (here pagure) to sign the message sent and which you can use to
  23. ensure the notifications received are coming from the right source.
  24. Each POST request made contains some specific headers:
  25. ::
  26. X-Pagure
  27. X-Pagure-Project
  28. X-Pagure-Signature
  29. X-Pagure-Signature-256
  30. X-Pagure-Topic
  31. ``X-Pagure`` contains URL of the pagure instance sending this notification.
  32. ``X-Pagure-Project`` contains the name of the project on that pagure instance.
  33. ``X-Pagure-Signature`` contains the signature of the message allowing to
  34. check that the message comes from pagure.
  35. ``X-Pagure-Signature-256`` contains the SHA-256 signature of the message
  36. allowing to check that the message comes from pagure.
  37. .. note:: These headers are present to allow you to verify that the webhook
  38. was actually sent by the correct Pagure instance. These are not
  39. included in the signed data.
  40. ``X-Pagure-Topic`` is a global header giving a clue about the type of action
  41. that just occurred. For example ``issue.edit``.
  42. .. warning:: The headers ``X-Pagure``, ``X-Pagure-Project`` and ``X-Pagure-Topic``
  43. are present for convenience only, they are not signed and therefore
  44. should not be trusted. Rely on the payload after checking the
  45. signature to make any decision.
  46. Pagure relies on ``hmac`` to sign the content of its messages. If you want
  47. to validate the message, in python, you can do something like the following:
  48. ::
  49. import hmac
  50. import hashlib
  51. payload = # content you received in the POST request
  52. headers = # headers of the POST request
  53. project_web_hook_key = # private web-hook key of the project
  54. hashhex = hmac.new(
  55. str(project_web_hook_key), payload, hashlib.sha1).hexdigest()
  56. if hashhex != headers.get('X-Pagure-Signature'):
  57. raise Exception('Message received with an invalid signature')