Well, add the program sources

Author: Fingercomp

.gitignore

@@ -8,3 +8,6 @@ Cargo.lock
 
 # These are backup files generated by rustfmt
 **/*.rs.bk
+
+/target
+**/*.rs.bk

Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "gh-hook-command"
+version = "0.1.0"
+authors = ["Fingercomp <[email protected]>"]
+license = "Apache 2.0"
+
+[dependencies]
+actix-web = "0.6"
+futures = "0.1"
+
+rust-crypto = "0.2"
+
+serde = "1.0"
+toml = "0.4"
+serde_json = "1.0"
+serde_derive = "1.0"

config.toml

@@ -0,0 +1,5 @@
+secret = "this is a secret secret you should not know about"
+bind = "0.0.0.0:8000"
+
+[commands]
+push = 'cat /dev/stdin && echo ""'

src/app.rs

@@ -0,0 +1,8 @@
+use std::sync::Arc;
+
+use ::config::Config;
+
+#[derive(Clone)]
+pub struct State {
+    pub config: Arc<Config>,
+}

src/config.rs

@@ -0,0 +1,38 @@
+use std::collections::HashMap;
+use std::fs::{self, File};
+use std::io::Write;
+use std::net::SocketAddr;
+use std::path::Path;
+
+use toml;
+
+const DEFAULT_CONFIG: &'static str = {
+r#"secret = "this is a secret secret you should not know about"
+bind = "0.0.0.0:8000"
+
+[commands]
+push = 'cat /dev/stdin && echo ""'
+"#
+};
+
+#[derive(Debug, Clone, Deserialize)]
+pub struct Config {
+    pub commands: HashMap<String, String>,
+    pub secret: String,
+    pub bind: SocketAddr,
+}
+
+impl Config {
+    pub fn load(path: impl AsRef<Path>) -> Config {
+        if !path.as_ref().exists() {
+            File::create(&path).expect("Failed to create a new config file")
+                .write_all(DEFAULT_CONFIG.as_bytes())
+                .expect("Failed to write to a new config file");
+        }
+
+        toml::from_str(
+            &fs::read_to_string(path)
+                .expect("Failed to read the config file"))
+            .expect("Failed to parse the config file as a TOML file")
+    }
+}

src/main.rs

@@ -0,0 +1,156 @@
+extern crate actix_web;
+extern crate crypto;
+extern crate futures;
+extern crate serde;
+#[macro_use] extern crate serde_derive;
+extern crate toml;
+
+mod app;
+mod config;
+
+use std::sync::Arc;
+use std::env;
+use std::io::Write;
+use std::process::{Command, Stdio};
+
+use actix_web::{
+    server,
+    AsyncResponder,
+    App,
+    HttpMessage,
+    HttpRequest,
+    HttpResponse,
+    Responder
+};
+use actix_web::dev::AsyncResult;
+use actix_web::http::Method;
+use crypto::mac::{Mac, MacResult};
+use crypto::hmac::Hmac;
+use crypto::sha1::Sha1;
+use futures::Future;
+
+use ::config::Config;
+use ::app::State;
+
+fn from_hex(bytes: &[u8]) -> Option<Vec<u8>> {
+    if bytes.len() % 2 == 1 {
+        return None;
+    }
+
+    if !bytes.iter().all(|x| x.is_ascii_hexdigit()) {
+        return None;
+    }
+
+    let nibbles: Vec<u8> = bytes.iter().map(|&x| {
+        char::from(x).to_digit(16).unwrap() as u8
+    }).collect();
+
+    Some(nibbles.as_slice()
+         .chunks(2)
+         .map(|x| {
+             let (n1, n2) = (x[0], x[1]);
+             (n1 << 4 | n2) as u8
+         })
+         .collect())
+}
+
+fn run_command(command: &str, input: &[u8]) {
+    match Command::new("sh")
+        .arg("-c")
+        .arg(command)
+        .stdin(Stdio::piped())
+        .spawn()
+    {
+        Ok(mut child) => {
+            match child.stdin.as_mut() {
+                Some(stdin) => {
+                    if let Err(e) = stdin.write_all(input) {
+                        println!("Failed to write to stdin for {}: {}",
+                                 command, e);
+                    }
+                }
+                None => {
+                    println!("Failed to open stdin for {}", command);
+                }
+            }
+
+            if let Err(e) = child.wait() {
+                println!("Failed to run {}: {}", command, e);
+            }
+        }
+        Err(e) => {
+            println!("Failed to run command {}: {}", command, e);
+        }
+    }
+}
+
+fn verify_signature<'a>(body: &'a [u8], secret: &'a [u8], signature: &'a [u8])
+-> bool
+{
+    let mut hmac = Hmac::new(Sha1::new(), secret);
+    hmac.input(body);
+    hmac.result() == MacResult::new(signature)
+}
+
+fn hook(request: HttpRequest<State>) -> impl Responder
+{
+    let config = Arc::clone(&request.state().config);
+
+    let (event, signature) = {
+        let headers = request.headers();
+        (headers.get("X-GitHub-Event").cloned(),
+         headers.get("X-Hub-Signature").cloned())
+    };
+
+    if let (Some(event), Some(signature_value)) = (event, signature) {
+        let event = String::from_utf8_lossy(event.as_bytes()).into_owned();
+
+        let signature = if signature_value.as_bytes().starts_with(b"sha1=") {
+            if let Some(slice) = signature_value.as_bytes().get(5..) {
+                from_hex(slice)
+            } else {
+                from_hex(signature_value.as_bytes())
+            }
+        } else {
+            from_hex(signature_value.as_bytes())
+        };
+
+        if let Some(signature) = signature {
+            let secret = config.secret.clone();
+
+            if let Some(command) = config.commands.get(&event).cloned() {
+                return request.body().and_then(move |bytes| {
+
+                    if verify_signature(&bytes,
+                                        &secret.as_bytes(),
+                                        &signature) {
+                        run_command(&command, &bytes);
+                    }
+                    Ok(HttpResponse::NoContent())
+                })
+                .responder();
+            }
+        }
+    }
+
+    AsyncResult::ok(HttpResponse::NoContent()).responder()
+}
+
+fn main() {
+    let config_path = env::var("GH_HOOK_CONFIG")
+        .unwrap_or("./config.toml".to_string());
+
+    let config = Config::load(config_path);
+    let bind_addr = config.bind.clone();
+
+    let state = State {
+        config: Arc::new(config),
+    };
+
+    server::new(move || {
+            App::with_state(state.clone())
+                .resource("/hook", |r| r.method(Method::POST).f(::hook))
+        })
+        .bind(bind_addr).unwrap()
+        .run();
+}