From: Ralf Jung Date: Sun, 29 Jan 2017 10:50:38 +0000 (+0100) Subject: make configuring the hmac secret optional if no webhook is involved X-Git-Url: https://git.ralfj.de/git-mirror.git/commitdiff_plain/91149b3b918cfe8d95e261ad8ce7607606e98ba3?ds=inline;hp=a653fb0a12320a4f300023c5dd5e5af422a19a82 make configuring the hmac secret optional if no webhook is involved --- diff --git a/README.md b/README.md index 21285ee..4c0f358 100644 --- a/README.md +++ b/README.md @@ -98,7 +98,8 @@ The next step is to add this as a webhook to the GitHub repository you want to sync with, to create a fresh SSH key and configure it as deployment key for the repository, and to configure git-mirror accordingly. For additional security, one should also configure a shared HMAC secret, such that the webhook can verify -that the data indeed comes from GitHub. +that the data indeed comes from GitHub. On the git-mirror side, the HMAC secret +is configured with the `hmac-secret` repository option. To make your job easier, there is a script `github-add-hooks.py` that can do all this for you. It assumes that the repository exists on the GitHub side, but diff --git a/git_mirror.py b/git_mirror.py index 859b376..23f6545 100644 --- a/git_mirror.py +++ b/git_mirror.py @@ -84,7 +84,7 @@ class Repo: self.name = name self.local = conf['local'] self.owner = conf['owner'] # email address to notify in case of problems - self.hmac_secret = conf['hmac-secret'].encode('utf-8') + self.hmac_secret = conf['hmac-secret'].encode('utf-8') if 'hmac-secret' in conf else None self.deploy_key = conf['deploy-key'] # the SSH ky used for authenticating against remote hosts self.mirrors = {} # maps mirrors to their URLs mirror_prefix = 'mirror-' @@ -97,6 +97,7 @@ class Repo: send_mail("git-mirror {}".format(self.name), msg, recipients = [self.owner], sender = mail_sender) def compute_hmac(self, data): + assert self.hmac_secret is not None h = hmac.new(self.hmac_secret, digestmod = hashlib.sha1) h.update(data) return h.hexdigest()