From ac3f34e05443dd113f63ea75965948f601299e3d Mon Sep 17 00:00:00 2001
From: Yannik Schmidt
Date: Sun, 6 Oct 2019 11:50:08 +0200
Subject: [PATCH] add request matching checks/errors
---
 webhook-listener.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/webhook-listener.py b/webhook-listener.py
index 7b36016..9c2d40c 100755
--- a/webhook-listener.py
+++ b/webhook-listener.py
@@ -4,6 +4,9 @@ import argparse
 import json
 app = flask.Flask("webhook-listener")
+SECRET_TOKEN_HEADER = "X-Gitlab-Token"
+PROJECT_IDENTIFIER = "web_url"
+config = {}
 ##### FRONTEND PATHS ########
 @app.route('/', methods=["GET","POST"])
@@ -11,6 +14,16 @@ def rootPage():
 if flask.request.method == "GET":
 return "Webhook Listener ist running"
 else:
+ data = flask.request.json
+
+ # check request against configuration #
+ if data[PROJECT_IDENTIFIER] not in config:
+ return ("Rejected: project not identified in config", 400)
+ if SECRET_TOKEN_HEADER not in flask.request.headers:
+ return ("Rejected: secret token not found in request", 403)
+ if config[data[PROJECT_IDENTIFIER]] != flask.request.headers[SECRET_TOKEN_HEADER]:
+ return ("Rejected: secret token found but is mismatch", 403)
+
 print(json.dumps(flask.request.json))
 def readExecutionConfig():
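Review bot: The token check in the POST branch of rootPage compares with `!=`, which is not constant-time, and it runs only after the project lookup, so an unauthenticated caller can tell configured project URLs from unknown ones by the 400 versus 403 answers. `data[PROJECT_IDENTIFIER]` also raises when the body is not a JSON object or lacks the key, so a malformed request becomes a 500 instead of a rejection. I would read the body with `get_json(silent=True)`, compare with `hmac.compare_digest` (needs `import hmac` at the top of the file), refuse an empty configured token, and return one uniform 403 for every failure, as sketched below. rootPage starts above this hunk, and its POST branch still appears to end without returning a response after the `print`, which is worth checking separately.

```python
    else:
        data = flask.request.get_json(silent=True)
        project = data.get(PROJECT_IDENTIFIER) if isinstance(data, dict) else None
        expected = config.get(project) if isinstance(project, str) else None
        supplied = flask.request.headers.get(SECRET_TOKEN_HEADER, "")

        # one uniform answer for unknown project, missing token and wrong token
        token_ok = (
            isinstance(expected, str)
            and expected != ""
            and hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))
        )
        if not token_ok:
            return ("Rejected", 403)

        # … unchanged: print(json.dumps(flask.request.json)) …
```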