use std::sync::Arc; use axum::body::Bytes; use axum::extract::Extension; use axum::http::{HeaderMap, StatusCode}; use hmac::{Hmac, Mac}; use secrecy::ExposeSecret; use sha2::Sha256; use compliance_core::models::ScanTrigger; use crate::agent::ComplianceAgent; type HmacSha256 = Hmac; pub async fn handle_github_webhook( Extension(agent): Extension>, headers: HeaderMap, body: Bytes, ) -> StatusCode { // Verify HMAC signature if let Some(secret) = &agent.config.github_webhook_secret { let signature = headers .get("x-hub-signature-256") .and_then(|v| v.to_str().ok()) .unwrap_or(""); if !verify_signature(secret.expose_secret(), &body, signature) { tracing::warn!("GitHub webhook: invalid signature"); return StatusCode::UNAUTHORIZED; } } let event = headers .get("x-github-event") .and_then(|v| v.to_str().ok()) .unwrap_or(""); let payload: serde_json::Value = match serde_json::from_slice(&body) { Ok(v) => v, Err(e) => { tracing::warn!("GitHub webhook: invalid JSON: {e}"); return StatusCode::BAD_REQUEST; } }; match event { "push" => handle_push(agent, &payload).await, "pull_request" => handle_pull_request(agent, &payload).await, _ => { tracing::debug!("GitHub webhook: ignoring event '{event}'"); StatusCode::OK } } } async fn handle_push(agent: Arc, payload: &serde_json::Value) -> StatusCode { let repo_url = payload["repository"]["clone_url"] .as_str() .or_else(|| payload["repository"]["html_url"].as_str()) .unwrap_or(""); if repo_url.is_empty() { return StatusCode::BAD_REQUEST; } // Find matching tracked repository let repo = agent .db .repositories() .find_one(mongodb::bson::doc! { "git_url": repo_url }) .await .ok() .flatten(); if let Some(repo) = repo { let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default(); let agent_clone = (*agent).clone(); tokio::spawn(async move { tracing::info!("GitHub push webhook: triggering scan for {repo_id}"); if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await { tracing::error!("Webhook-triggered scan failed: {e}"); } }); } else { tracing::debug!("GitHub push webhook: no tracked repo for {repo_url}"); } StatusCode::OK } async fn handle_pull_request( agent: Arc, payload: &serde_json::Value, ) -> StatusCode { let action = payload["action"].as_str().unwrap_or(""); if action != "opened" && action != "synchronize" { return StatusCode::OK; } let repo_url = payload["repository"]["clone_url"].as_str().unwrap_or(""); let pr_number = payload["pull_request"]["number"].as_u64().unwrap_or(0); let head_sha = payload["pull_request"]["head"]["sha"] .as_str() .unwrap_or(""); let base_sha = payload["pull_request"]["base"]["sha"] .as_str() .unwrap_or(""); if repo_url.is_empty() || pr_number == 0 || head_sha.is_empty() || base_sha.is_empty() { return StatusCode::BAD_REQUEST; } let repo = agent .db .repositories() .find_one(mongodb::bson::doc! { "git_url": repo_url }) .await .ok() .flatten(); if let Some(repo) = repo { let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default(); let head_sha = head_sha.to_string(); let base_sha = base_sha.to_string(); let agent_clone = (*agent).clone(); tokio::spawn(async move { tracing::info!("GitHub PR webhook: reviewing PR #{pr_number} on {repo_id}"); if let Err(e) = agent_clone .run_pr_review(&repo_id, pr_number, &base_sha, &head_sha) .await { tracing::error!("PR review failed for #{pr_number}: {e}"); } }); } else { tracing::debug!("GitHub PR webhook: no tracked repo for {repo_url}"); } StatusCode::OK } fn verify_signature(secret: &str, body: &[u8], signature: &str) -> bool { let sig = signature.strip_prefix("sha256=").unwrap_or(signature); let sig_bytes = match hex::decode(sig) { Ok(b) => b, Err(_) => return false, }; let mut mac = match HmacSha256::new_from_slice(secret.as_bytes()) { Ok(m) => m, Err(_) => return false, }; mac.update(body); mac.verify_slice(&sig_bytes).is_ok() }