cf1b74275daa81f2b25020d91d81ee535d633d09 - github/openstack-infra/zuul

commit	cf1b74275daa81f2b25020d91d81ee535d633d09	[log] [tgz]
author	Clint Byrum <clint@fewbar.com>	Thu Jul 27 17:12:00 2017 -0700
committer	Clint Byrum <clint@fewbar.com>	Thu Jul 27 17:26:52 2017 -0700
tree	733d581549e4b1b71300fe410376d9c0a4d9b4ab
parent	ad2f6773a68e625ab9d389ef4edc632741c7a904 [diff]

Github - Require webhook_token

It's quite unsafe to run without webhook_token, and quite easy for us to
run our tests with a terribly predictable one. This will ensure that
nobody accidentally runs a Zuul vulnerable to MITM proxy attacks.

Per the link right under the doc we just changed, we also use
hmac.compare_digest to prevent timing analysis by malicious attackers
which would help them discover the secret.

Change-Id: Ie8aa83b81b8e4ef1bb755a664bf416a8663930fa

doc/source/admin/drivers/github.rst[diff]
tests/base.py[diff]
tests/fixtures/zuul-connections-gerrit-and-github.conf[diff]
tests/fixtures/zuul-github-driver.conf[diff]
tests/fixtures/zuul-push-reqs.conf[diff]
zuul/driver/github/githubconnection.py[diff]

6 files changed

tree: 733d581549e4b1b71300fe410376d9c0a4d9b4ab

.gitignore
.gitreview
.mailmap
.testr.conf
.zuul.yaml
LICENSE
MANIFEST.in
NEWS.rst
README.rst
TESTING.rst
bindep.txt
doc/
etc/
requirements.txt
setup.cfg
setup.py
test-requirements.txt
tests/
tools/
tox.ini
zuul/