From 4650c7e1ee19cd5e72a5e1ae05c55a0fd97159d6 Mon Sep 17 00:00:00 2001
From: Yoann Gini <yoann.gini@gmail.com>
Date: Wed, 23 Aug 2017 11:03:04 +0200
Subject: [PATCH 1/5] Improved config example

---
 README.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.rst b/README.rst
index 54bfe66..b908a01 100644
--- a/README.rst
+++ b/README.rst
@@ -34,7 +34,7 @@ You can configure what the application does by copying the sample config file
         "github_ips_only": true,
         "enforce_secret": "",
         "return_scripts_info": true
-        "hooks_path": "/.../hooks/"
+        "hooks_path": "/absolute/path/to/your/hooks/"
     }
 
 :github_ips_only: Restrict application to be called only by GitHub IPs. IPs

From fe0f337205ec23aa8b67b266e49dbd32a949c2a6 Mon Sep 17 00:00:00 2001
From: Yoann Gini <yoann.gini@gmail.com>
Date: Wed, 23 Aug 2017 11:16:55 +0200
Subject: [PATCH 2/5] Log messages added

---
 webhooks.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/webhooks.py b/webhooks.py
index ef9d70c..7755bb6 100644
--- a/webhooks.py
+++ b/webhooks.py
@@ -45,6 +45,7 @@ def index():
 
     # Only POST is implemented
     if request.method != 'POST':
+        logging.warning("We got a $s request, this isn't supported", request.method)
         abort(501)
 
     # Load config
@@ -53,6 +54,8 @@ def index():
 
     hooks = config.get('hooks_path', join(path, 'hooks'))
 
+    logging.info("Config loaded, handling request")
+
     # Allow Github IPs only
     if config.get('github_ips_only', True):
         src_ip = ip_address(
@@ -64,6 +67,7 @@ def index():
             if src_ip in ip_network(valid_ip):
                 break
         else:
+            logging.warning("We got a request from unauthorized IP: %s", src_ip)
             abort(403)
 
     # Enforce secret
@@ -72,10 +76,12 @@ def index():
         # Only SHA1 is supported
         header_signature = request.headers.get('X-Hub-Signature')
         if header_signature is None:
+            logging.warning("No signature found when expecting one")
             abort(403)
 
         sha_name, signature = header_signature.split('=')
         if sha_name != 'sha1':
+            logging.warning("Unsupported signature mech: %s", sha_name)
             abort(501)
 
         # HMAC requires the key to be bytes, but data is string
@@ -84,24 +90,27 @@ def index():
         # Python prior to 2.7.7 does not have hmac.compare_digest
         if hexversion >= 0x020707F0:
             if not hmac.compare_digest(str(mac.hexdigest()), str(signature)):
+                logging.warning("Invalid digest comparaison")
                 abort(403)
         else:
             # What compare_digest provides is protection against timing
             # attacks; we can live without this protection for a web-based
             # application
             if not str(mac.hexdigest()) == str(signature):
+                logging.warning("Hex digest aren't equals")
                 abort(403)
 
     # Implement ping
     event = request.headers.get('X-GitHub-Event', 'ping')
     if event == 'ping':
+        logging.warning("Ping Pong")
         return dumps({'msg': 'pong'})
 
     # Gather data
     try:
         payload = request.get_json()
     except Exception:
-        logging.warning('Request parsing failed')
+        logging.warning('Request parsing failed with exception %s', Exception)
         abort(400)
 
     # Determining the branch is tricky, as it only appears for certain event

From 179023733aee4ed4f1600b4a70ba0b4f9b15d9dc Mon Sep 17 00:00:00 2001
From: Yoann Gini <yoann.gini@gmail.com>
Date: Wed, 23 Aug 2017 11:17:23 +0200
Subject: [PATCH 3/5] Fixing digestmod selection

---
 webhooks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webhooks.py b/webhooks.py
index 7755bb6..95be1c3 100644
--- a/webhooks.py
+++ b/webhooks.py
@@ -85,7 +85,7 @@ def index():
             abort(501)
 
         # HMAC requires the key to be bytes, but data is string
-        mac = hmac.new(str(secret), msg=request.data, digestmod='sha1')
+        mac = hmac.new(str(secret), msg=request.data, digestmod=sha1)
 
         # Python prior to 2.7.7 does not have hmac.compare_digest
         if hexversion >= 0x020707F0:

From 12e92d021621c73a1e9b8fc6c0f66dae32d18c75 Mon Sep 17 00:00:00 2001
From: Yoann Gini <yoann.gini@gmail.com>
Date: Wed, 23 Aug 2017 11:30:00 +0200
Subject: [PATCH 4/5] Add line to enable log to file when needed.

---
 webhooks.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/webhooks.py b/webhooks.py
index 95be1c3..5fd4bae 100644
--- a/webhooks.py
+++ b/webhooks.py
@@ -18,6 +18,8 @@
 import logging
 from sys import stderr, hexversion
 logging.basicConfig(stream=stderr)
+# If you need troubleshooting logs, comment the previous line and uncomment the next one
+#logging.basicConfig(filename=/your/writable/path/for/hooks.log, level=10)
 
 import hmac
 from hashlib import sha1

From 275573304542b85dc0e0dd3994e97bd8df556114 Mon Sep 17 00:00:00 2001
From: Yoann Gini <yoann.gini@gmail.com>
Date: Wed, 23 Aug 2017 11:37:24 +0200
Subject: [PATCH 5/5] trailing slash is mandatory in github settings

---
 README.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.rst b/README.rst
index b908a01..3e5afa5 100644
--- a/README.rst
+++ b/README.rst
@@ -140,7 +140,7 @@ of your WSGI script:
 
 ::
 
-   http://my.site.com/webhooks
+   http://my.site.com/webhooks/
 
 Docker
 ------