github-pr-webhook-lambda/main.py at master · PolicyStat/github-pr-webhook-lambda · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
import hmac
import json
import logging
import re
import sys
import traceback
from datetime import datetime
from operator import itemgetter

import boto3
import github3
import gspread
import requests
from environs import Env
from flask import Flask, request, abort
from oauth2client import crypt
from oauth2client.client import HttpAccessTokenRefreshError
from oauth2client.service_account import ServiceAccountCredentials


logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
logger.setLevel(logging.DEBUG)

app = Flask(__name__)

env = Env()
env.read_env()

@env.parser_for('pgp')
def pgp_parser(value):
    if value:
        return value.replace('\\n', '\n')


SNS_TOPIC_ARN = env('SNS_TOPIC_ARN')
SLACK_API_ENDPOINT = env('SLACK_API_ENDPOINT')

with env.prefixed('DEV_DASHBOARD_'):
    DEV_DASHBOARD_CLIENT_EMAIL = env('CLIENT_EMAIL')
    DEV_DASHBOARD_PRIVATE_KEY = env.pgp('PRIVATE_KEY')
    DEV_DASHBOARD_WORKBOOK = env('WORKBOOK')
    DEV_DASHBOARD_SHEET_NAME = env('SHEET_NAME')
    DEV_DASHBOARD_GH_LOGIN_LOOKUP_SHEET_NAME = env('GH_LOGIN_LOOKUP_SHEET_NAME')

with env.prefixed('GITHUB_'):
    GITHUB_SECRET_TOKEN = env('SECRET_TOKEN')
    GITHUB_API_TOKEN = env('API_TOKEN')
    GITHUB_API_USER = env('API_USER')


@app.route('/', methods=['GET', 'POST'])
def handle_incoming_github_event():
    if request.method != 'POST':
        return 'no'

    event_type = request.headers.get('X-GitHub-Event', None)
    if event_type == 'ping':
        return json.dumps({'msg': 'pong'})

    if event_type != 'pull_request':
        return 'no'

    verify_signature(request)

    # Gather data
    try:
        event = request.get_json()
    except Exception:
        logger.error('Request parsing failed')
        abort(400)

    if not event:
        logger.error('No event to process. Content-type must be json')
        abort(400)

    message = create_pr_action_message(event)
    logger.info(f'Created message: {message}')
    if message:
        logger.info('Posting to Slack')
        post_slack_message(message)

    if gh_event_is_merged_pr(event):
        update_spreadsheet(event)

    return 'ok'


def verify_signature(request):
    if not GITHUB_SECRET_TOKEN:
        logger.warning('Security token not specified. This is very insecure!')
        return

    hash_signature = request.headers.get('X-Hub-Signature', None)
    if not hash_signature:
        logger.error('Header X-Hub-Signature was missing and it is required')
        abort(400)
    if not hash_signature.startswith('sha1='):
        logger.error('Header X-Hub-Signature is not formatted correctly')
        abort(400)
    expected_digest = hash_signature[len('sha1='):]
    actual_digest = hmac.new(GITHUB_SECRET_TOKEN.encode(), request.data, digestmod='sha1')
    if not hmac.compare_digest(actual_digest.hexdigest(), expected_digest):
        logger.error(
            'Actual digest does not match signature. '
            'Make sure you are using the correct token.'
        )
        abort(400)


def gh_event_is_merged_pr(event):
    if event['action'] != 'closed':
        return False
    return event['pull_request']['merged']


def get_contributors(repo_owner, repo_name, pr_num):
    gh = github_auth()
    pr = gh.pull_request(repo_owner, repo_name, pr_num)
    contributors = set()
    commits = list(pr.commits())
    for c in commits:
        if c.message.startswith('Merged branch'):
            # skip merges
            continue
        author = c.commit.author['name']
        committer = c.commit.committer['name']
        if author != committer:
            # Skip cherry-picks unless the committer is Github
            if committer != 'GitHub':
                continue
        contributors.add(author)
    return contributors


def get_workbook():
    scopes = [
        'https://spreadsheets.google.com/feeds',
        'https://www.googleapis.com/auth/drive',
    ]

    signer = crypt.Signer.from_string(DEV_DASHBOARD_PRIVATE_KEY)
    credentials = ServiceAccountCredentials(
        service_account_email=DEV_DASHBOARD_CLIENT_EMAIL,
        signer=signer,
        scopes=scopes,
    )

    try:
        gc = gspread.authorize(credentials)
    except HttpAccessTokenRefreshError:
        logger.error('Invalid credentials')
        return

    try:
        book = gc.open(DEV_DASHBOARD_WORKBOOK)
    except gspread.exceptions.SpreadsheetNotFound:
        logger.error(f'Could not find workbook named {DEV_DASHBOARD_WORKBOOK}')
        return
    return book


def update_spreadsheet(event):
    book = get_workbook()
    if not book:
        return
    pr = event['pull_request']

    merged_at = pr['merged_at'].replace('T', ' ').rstrip('Z')
    pr_url = pr['html_url']
    merged_by = pr['merged_by']['login']

    if not all([merged_at, pr_url, merged_by]):
        logger.error(f'Some meta data is missing')
        return

    contributors = get_contributors(
        repo_owner=event['repository']['owner']['login'],
        repo_name=event['repository']['name'],
        pr_num=pr['number'],
    )

    display_name = get_gh_login_display_name_mapping(book, merged_by)
    new_row = [
        merged_at,
        pr_url,
        display_name,
        '', '',
        '; '.join(sorted(contributors)),
    ]

    sheet = book.worksheet(DEV_DASHBOARD_SHEET_NAME)
    sheet.insert_row(new_row, index=2, value_input_option='USER_ENTERED')


def get_gh_login_display_name_mapping(book, gh_login):
    sheet = book.worksheet(DEV_DASHBOARD_GH_LOGIN_LOOKUP_SHEET_NAME)
    mapping = dict(zip(sheet.col_values(1), sheet.col_values(2)))
    return mapping.get(gh_login, gh_login)


def create_pr_action_message(event):
    action = event['action']
    if action not in ['opened', 'closed', 'reopened']:
        return

    if event['pull_request']['merged']:
        action = 'merged'

    sender_name = event['sender']['login']
    sender_url = event['sender']['html_url']
    repo_name = event['repository']['full_name']
    repo_url = event['repository']['html_url']
    pr_num = event['pull_request']['number']
    pr_url = event['pull_request']['html_url']
    pr_title = event['pull_request']['title']

    message = (
        f'<{sender_url}|{sender_name}> '
        f'{action} #<{pr_url}|{pr_num}> on '
        f'<{repo_url}|{repo_name}>: {pr_title}'
    )
    return message


def github_auth():
    return github3.login(GITHUB_API_USER, GITHUB_API_TOKEN)


def test_message():
    post_slack_message('<http://google.com|Bar>')


def post_slack_message(message):
    requests.post(SLACK_API_ENDPOINT, timeout=5, json=dict(text=message))


def send_sns_message(subject, message, subject_prefix='[AWS GH PR Webhook]'):
    # remove any characters that aren't allowed
    subject = re.sub('[^a-zA-Z0-9-]+', ' ', subject)

    full_subject = f'{subject_prefix} {subject}'
    logger.info(f'send_sns_message: {full_subject}\n{message}')
    topic_arn = SNS_TOPIC_ARN
    if not topic_arn:
        logger.warning('Unable to send message because SNS_TOPIC_ARN is not set')
        return

    # subject must be < 100 characters
    limited_subject = full_subject[:99].strip()

    sns = boto3.client('sns')
    sns.publish(TopicArn=topic_arn, Message=message, Subject=limited_subject)


def get_current_exception_info():
    exc_type, exc_value, exc_traceback = sys.exc_info()

    exc_name_and_value = traceback.format_exception_only(exc_type, exc_value)
    exc_stacktrace = traceback.format_exception(exc_type, exc_value, exc_traceback)

    exc_name_and_value = ''.join(exc_name_and_value).strip()
    exc_stacktrace = ''.join(exc_stacktrace).strip()

    return exc_name_and_value, exc_stacktrace


def unhandled_exceptions(exception, event, context):
    logger = logging.getLogger(__name__)
    exc_name_and_value, exc_stacktrace = get_current_exception_info()

    # Some exception messages are across multiple lines
    # If this is the case, only use the first line
    exc_lines = exc_name_and_value.split('\n', 1)
    exception_subject = exc_lines[0].strip()

    subject = f'Unhandled exception: {exception_subject}'
    message = f'''
{exc_stacktrace}
Event:
{event}
Function: {context.function_name} {context.function_version}
AWS Request ID: {context.aws_request_id}
'''
    send_sns_message(subject=subject, message=message)
    logger.warning(f'{subject}\n{message}')
    return True  # Prevent invocation retry


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=80)