github: move webhook signature checking logic out of parse_exn

With repo-specific secrets, we'll need the repo name in order
to obtain the webhook token used for signature validation. So
parsing the request body for a GH payload needs to happen before,
not after, the signature check.

Author: yasunariw

lib/action.ml

@@ -211,11 +211,18 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
     | _ -> Lwt.return @@ Ok ()
 
   let process_github_notification (ctx : Context.t) headers body =
+    let validate_signature secrets =
+      let signing_key = secrets.gh_hook_token in
+      Github.validate_signature ?signing_key ~headers body
+    in
     try%lwt
       let secrets = Context.get_secrets_exn ctx in
-      match Github.parse_exn ~secret:secrets.gh_hook_token headers body with
+      match Github.parse_exn headers body with
       | exception exn -> Exn_lwt.fail ~exn "failed to parse payload"
       | payload ->
+      match validate_signature secrets with
+      | Error e -> action_error e
+      | Ok () ->
         ( match%lwt refresh_repo_config ctx payload with
         | Error e -> action_error e
         | Ok () ->

lib/github.ml

@@ -64,16 +64,16 @@ let is_valid_signature ~secret headers_sig body =
   let (`Hex request_hash) = Hex.of_string request_hash in
   String.equal headers_sig (sprintf "sha1=%s" request_hash)
 
+let validate_signature ?signing_key ~headers body =
+  match signing_key with
+  | None -> Ok ()
+  | Some secret ->
+  match List.Assoc.find headers "x-hub-signature" ~equal:String.equal with
+  | None -> Error "unable to find header x-hub-signature"
+  | Some signature -> if is_valid_signature ~secret signature body then Ok () else Error "signatures don't match"
+
 (* Parse a payload. The type of the payload is detected from the headers. *)
-let parse_exn ~secret headers body =
-  begin
-    match secret with
-    | None -> ()
-    | Some secret ->
-    match List.Assoc.find headers "x-hub-signature" ~equal:String.equal with
-    | None -> Exn.fail "unable to find header x-hub-signature"
-    | Some req_sig -> if not @@ is_valid_signature ~secret req_sig body then failwith "request signature invalid"
-  end;
+let parse_exn headers body =
   match List.Assoc.find_exn headers "x-github-event" ~equal:String.equal with
   | exception exn -> Exn.fail ~exn "unable to read x-github-event"
   | "push" -> Push (commit_pushed_notification_of_string body)