🩹 [Patch]: Enhance Test-GitHubWebhookSignature to support a full request object + Context bump (#482)

## Description

This pull request introduces several updates across multiple files,
focusing on enhancing functionality, improving documentation, and
updating dependencies. The most significant changes include updates to
the `Test-GitHubWebhookSignature` function for better flexibility and
security and the upgrade of required module versions.

### Functional Updates

* `Test-GitHubWebhookSignature`:
- Added support for validating webhook requests using the entire
`Request` object, enabling automatic extraction of body and headers.
- Updated descriptions to clarify the use of SHA-256 and added examples
demonstrating validation with the `Request` object.

### Dependency Updates

- Updated `#Requires` statements across multiple files to require
version `8.1.1` of the `Context` module. The update fixes an issue where
the GitHub module attempted to save a context with null values would
throw a null-pointer exception.

### Test Enhancements

- Expanded test coverage for `Test-GitHubWebhookSignature`, including
scenarios for valid signatures, invalid signatures, and missing headers
in the `Request` object.

## Type of change

<!-- Use the check-boxes [x] on the options that are relevant. -->

- [ ] 📖 [Docs]
- [ ] 🪲 [Fix]
- [x] 🩹 [Patch]
- [ ] ⚠️ [Security fix]
- [ ] 🚀 [Feature]
- [ ] 🌟 [Breaking change]

## Checklist

<!-- Use the check-boxes [x] on the options that are relevant. -->

- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas

Author: MariusStorhaug

.github/PSModule.yml

@@ -1,3 +1,17 @@
 Test:
   CodeCoverage:
     PercentTarget: 50
+#   TestResults:
+#     Skip: true
+#   SourceCode:
+#     Skip: true
+#   PSModule:
+#     Skip: true
+#   Module:
+#     Windows:
+#       Skip: true
+#     MacOS:
+#       Skip: true
+# Build:
+#   Docs:
+#     Skip: true

src/functions/private/Auth/Context/Remove-GitHubContext.ps1

@@ -42,4 +42,4 @@
         Write-Debug "[$stackPath] - End"
     }
 }
-#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.0' }
+#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.1' }

src/functions/private/Auth/Context/Set-GitHubContext.ps1

@@ -168,4 +168,4 @@
         Write-Debug "[$stackPath] - End"
     }
 }
-#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.0' }
+#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.1' }

src/functions/private/Config/Initialize-GitHubConfig.ps1

@@ -75,4 +75,4 @@
         Write-Debug "[$stackPath] - End"
     }
 }
-#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.0' }
+#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.1' }

src/functions/public/Auth/Context/Get-GitHubContext.ps1

@@ -92,4 +92,4 @@
         Write-Debug "[$stackPath] - End"
     }
 }
-#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.0' }
+#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.1' }

src/functions/public/Config/Get-GitHubConfig.ps1

@@ -47,4 +47,4 @@
         Write-Debug "[$stackPath] - End"
     }
 }
-#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.0' }
+#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.1' }

src/functions/public/Config/Remove-GitHubConfig.ps1

@@ -44,4 +44,4 @@
         Write-Debug "[$stackPath] - End"
     }
 }
-#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.0' }
+#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.1' }

src/functions/public/Config/Set-GitHubConfig.ps1

@@ -54,4 +54,4 @@
         Write-Debug "[$stackPath] - End"
     }
 }
-#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.0' }
+#Requires -Modules @{ ModuleName = 'Context'; RequiredVersion = '8.1.1' }

src/functions/public/Webhooks/Test-GitHubWebhookSignature.ps1

@@ -5,9 +5,9 @@
 
         .DESCRIPTION
         This function validates the integrity and authenticity of a GitHub webhook request by comparing
-        the received HMAC SHA-256 signature against a computed hash of the payload using a shared secret.
-        It uses a constant-time comparison to mitigate timing attacks and returns a boolean indicating
-        whether the signature is valid.
+        the received HMAC signature against a computed hash of the payload using a shared secret.
+        It uses the SHA-256 algorithm and employs a constant-time comparison to mitigate
+        timing attacks. The function returns a boolean indicating whether the signature is valid.
 
         .EXAMPLE
         Test-GitHubWebhookSignature -Secret $env:WEBHOOK_SECRET -Body $Request.RawBody -Signature $Request.Headers['X-Hub-Signature-256']
@@ -19,6 +19,16 @@
 
         Validates the provided webhook payload against the HMAC SHA-256 signature using the given secret.
 
+        .EXAMPLE
+        Test-GitHubWebhookSignature -Secret $env:WEBHOOK_SECRET -Request $Request
+
+        Output:
+        ```powershell
+        True
+        ```
+
+        Validates the webhook request using the entire request object, automatically extracting the body and signature.
+
         .OUTPUTS
         bool
 
@@ -29,11 +39,12 @@
         .LINK
         https://psmodule.io/GitHub/Functions/Webhooks/Test-GitHubWebhookSignature
 
-        .LINK
-        https://docs.github.com/webhooks/using-webhooks/validating-webhook-deliveries
+        .NOTES
+        [Validating Webhook Deliveries | GitHub Docs](https://docs.github.com/webhooks/using-webhooks/validating-webhook-deliveries)
+        [Webhook events and payloads | GitHub Docs](https://docs.github.com/en/webhooks/webhook-events-and-payloads)
     #>
     [OutputType([bool])]
-    [CmdletBinding()]
+    [CmdletBinding(DefaultParameterSetName = 'ByBody')]
     param (
         # The secret key used to compute the HMAC hash.
         # Example: 'mysecret'
@@ -43,25 +54,59 @@
         # The JSON body of the GitHub webhook request.
         # This must be the compressed JSON payload received from GitHub.
         # Example: '{"action":"opened"}'
-        [Parameter(Mandatory)]
+        [Parameter(Mandatory, ParameterSetName = 'ByBody')]
         [string] $Body,
 
         # The signature received from GitHub to compare against.
         # Example: 'sha256=abc123...'
-        [Parameter(Mandatory)]
-        [string] $Signature
+        [Parameter(Mandatory, ParameterSetName = 'ByBody')]
+        [string] $Signature,
+
+        # The entire request object containing RawBody and Headers.
+        # Used in Azure Function Apps or similar environments.
+        [Parameter(Mandatory, ParameterSetName = 'ByRequest')]
+        [PSObject] $Request
     )
 
-    $keyBytes = [Text.Encoding]::UTF8.GetBytes($Secret)
-    $payloadBytes = [Text.Encoding]::UTF8.GetBytes($Body)
+    begin {
+        $stackPath = Get-PSCallStackPath
+        Write-Debug "[$stackPath] - Start"
+    }
 
-    $hmac = [System.Security.Cryptography.HMACSHA256]::new()
-    $hmac.Key = $keyBytes
-    $hashBytes = $hmac.ComputeHash($payloadBytes)
-    $computedSignature = 'sha256=' + (($hashBytes | ForEach-Object { $_.ToString('x2') }) -join '')
+    process {
+        # Handle parameter sets
+        if ($PSCmdlet.ParameterSetName -eq 'ByRequest') {
+            $Body = $Request.RawBody
+            $Signature = $Request.Headers['X-Hub-Signature-256']
 
-    [System.Security.Cryptography.CryptographicOperations]::FixedTimeEquals(
-        [Text.Encoding]::UTF8.GetBytes($computedSignature),
-        [Text.Encoding]::UTF8.GetBytes($Signature)
-    )
+            # If signature not found, throw an error
+            if (-not $Signature) {
+                throw "No webhook signature found in request headers. Expected 'X-Hub-Signature-256' for SHA256 algorithm."
+            }
+        }
+
+        $keyBytes = [Text.Encoding]::UTF8.GetBytes($Secret)
+        $payloadBytes = [Text.Encoding]::UTF8.GetBytes($Body)
+
+        # Create HMAC SHA256 object
+        $hmac = [System.Security.Cryptography.HMACSHA256]::new()
+        $algorithmPrefix = 'sha256='
+
+        $hmac.Key = $keyBytes
+        $hashBytes = $hmac.ComputeHash($payloadBytes)
+        $computedSignature = $algorithmPrefix + (($hashBytes | ForEach-Object { $_.ToString('x2') }) -join '')
+
+        # Dispose of the HMAC object
+        $hmac.Dispose()
+
+        [System.Security.Cryptography.CryptographicOperations]::FixedTimeEquals(
+            [Text.Encoding]::UTF8.GetBytes($computedSignature),
+            [Text.Encoding]::UTF8.GetBytes($Signature)
+        )
+    }
+
+    end {
+        Write-Debug "[$stackPath] - End"
+    }
 }
+

tests/GitHub.Tests.ps1

@@ -179,6 +179,37 @@ Describe 'Auth' {
     }
 }
 
+Describe 'Anonymous - Functions that can run anonymously' {
+    It 'Get-GithubRateLimit - Using -Anonymous' {
+        $rateLimit = Get-GitHubRateLimit -Anonymous
+        LogGroup 'Rate Limit' {
+            Write-Host ($rateLimit | Format-Table | Out-String)
+        }
+        $rateLimit | Should -Not -BeNullOrEmpty
+    }
+    It 'Invoke-GitHubAPI - Using -Anonymous' {
+        $rateLimit = Invoke-GitHubAPI -ApiEndpoint '/rate_limit' -Anonymous | Select-Object -ExpandProperty Response
+        LogGroup 'Rate Limit' {
+            Write-Host ($rateLimit | Format-Table | Out-String)
+        }
+        $rateLimit | Should -Not -BeNullOrEmpty
+    }
+    It 'Get-GithubRateLimit - Using -Context Anonymous' {
+        $rateLimit = Get-GitHubRateLimit -Context Anonymous
+        LogGroup 'Rate Limit' {
+            Write-Host ($rateLimit | Format-List | Out-String)
+        }
+        $rateLimit | Should -Not -BeNullOrEmpty
+    }
+    It 'Invoke-GitHubAPI - Using -Context Anonymous' {
+        $rateLimit = Invoke-GitHubAPI -ApiEndpoint '/rate_limit' -Context Anonymous | Select-Object -ExpandProperty Response
+        LogGroup 'Rate Limit' {
+            Write-Host ($rateLimit | Format-Table | Out-String)
+        }
+        $rateLimit | Should -Not -BeNullOrEmpty
+    }
+}
+
 Describe 'GitHub' {
     Context 'Config' {
         It 'Get-GitHubConfig - Gets the module configuration' {
@@ -780,42 +811,40 @@ Describe 'Emojis' {
 }
 
 Describe 'Webhooks' {
-    It 'Test-GitHubWebhookSignature - Validates the webhook payload using known correct signature' {
+    BeforeAll {
         $secret = "It's a Secret to Everybody"
         $payload = 'Hello, World!'
         $signature = 'sha256=757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17'
+    }
+
+    It 'Test-GitHubWebhookSignature - Validates the webhook payload using known correct signature (SHA256)' {
         $result = Test-GitHubWebhookSignature -Secret $secret -Body $payload -Signature $signature
         $result | Should -Be $true
     }
-}
 
-Describe 'Anonymous - Functions that can run anonymously' {
-    It 'Get-GithubRateLimit - Using -Anonymous' {
-        $rateLimit = Get-GitHubRateLimit -Anonymous
-        LogGroup 'Rate Limit' {
-            Write-Host ($rateLimit | Format-Table | Out-String)
-        }
-        $rateLimit | Should -Not -BeNullOrEmpty
-    }
-    It 'Invoke-GitHubAPI - Using -Anonymous' {
-        $rateLimit = Invoke-GitHubAPI -ApiEndpoint '/rate_limit' -Anonymous | Select-Object -ExpandProperty Response
-        LogGroup 'Rate Limit' {
-            Write-Host ($rateLimit | Format-Table | Out-String)
+    It 'Test-GitHubWebhookSignature - Validates the webhook using Request object' {
+        $mockRequest = [PSCustomObject]@{
+            RawBody = $payload
+            Headers = @{
+                'X-Hub-Signature-256' = $signature
+            }
         }
-        $rateLimit | Should -Not -BeNullOrEmpty
+        $result = Test-GitHubWebhookSignature -Secret $secret -Request $mockRequest
+        $result | Should -Be $true
     }
-    It 'Get-GithubRateLimit - Using -Context Anonymous' {
-        $rateLimit = Get-GitHubRateLimit -Context Anonymous
-        LogGroup 'Rate Limit' {
-            Write-Host ($rateLimit | Format-List | Out-String)
-        }
-        $rateLimit | Should -Not -BeNullOrEmpty
+
+    It 'Test-GitHubWebhookSignature - Should fail with invalid signature' {
+        $invalidSignature = 'sha256=invalid'
+        $result = Test-GitHubWebhookSignature -Secret $secret -Body $payload -Signature $invalidSignature
+        $result | Should -Be $false
     }
-    It 'Invoke-GitHubAPI - Using -Context Anonymous' {
-        $rateLimit = Invoke-GitHubAPI -ApiEndpoint '/rate_limit' -Context Anonymous | Select-Object -ExpandProperty Response
-        LogGroup 'Rate Limit' {
-            Write-Host ($rateLimit | Format-Table | Out-String)
+
+    It 'Test-GitHubWebhookSignature - Should throw when signature header is missing from request' {
+        $mockRequest = [PSCustomObject]@{
+            RawBody = $payload
+            Headers = @{}
         }
-        $rateLimit | Should -Not -BeNullOrEmpty
+
+        { Test-GitHubWebhookSignature -Secret $secret -Request $mockRequest } | Should -Throw
     }
 }