signature.py
"""
Helper to check the signature of a GitHub event request.
"""
import hmac
def compute_signature(payload: bytes, secret: bytes, algo: str = 'sha256') -> str:
    """
    Returns the HMAC of *payload* keyed with *secret*, formatted as `<algo>=<hexdigest>`.

    # Parameters
    payload: The bytes to authenticate. The MAC covers exactly these bytes.
    secret: The shared secret used as the HMAC key.
    algo: The hash algorithm to use, must be `sha1` or `sha256`.

    # Raises
    ValueError: If *algo* is neither `sha1` nor `sha256`.
    """

    # NOTE(review): an empty *secret* is accepted here and yields a signature anyone can
    # recompute; confirm that callers refuse to run with an unset secret.
    supported = ('sha1', 'sha256')
    if algo in supported:
        mac = hmac.new(secret, msg=payload, digestmod=algo)
        return f'{algo}=' + mac.hexdigest()
    raise ValueError(f'algo must be {{sha1, sha256}}, got {algo!r}')
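def check_signature(sig: str, payload: bytes, secret: bytes, algo: str = 'sha256') -> None:
    """
    Compares the provided signature *sig* with the computed signature of the *payload* and
    raises a #SignatureMismatchException if they do not match. This function uses constant-time
    string comparison to prevent timing analysis.

    # Parameters
    sig: The signature received with the request, in the form `<algo>=<hexdigest>`.
    payload: The request body exactly as received. Re-serialised JSON will not reproduce
      the same bytes and therefore will not verify.
    secret: The shared secret used as the HMAC key.
    algo: The hash algorithm to use, must be `sha1` or `sha256`.

    # Raises
    SignatureMismatchException: If *sig* does not equal the computed signature.
    ValueError: If *algo* is not supported (raised by #compute_signature()).
    TypeError: If *sig* is not a string.
    """

    computed = compute_signature(payload, secret, algo)
    try:
        matches = hmac.compare_digest(sig, computed)
    except TypeError:
        # compare_digest() rejects a str that contains non-ASCII characters. *sig* is supplied
        # by the sender, so such a value must count as a failed verification instead of
        # escaping as an unrelated error that callers do not handle as a rejection.
        if not isinstance(sig, str):
            raise
        matches = False
    if not matches:
        raise SignatureMismatchException(sig, computed)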
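class SignatureMismatchException(Exception):
    """
    Raised if a signature can not be verified with #check_signature().

    Both signatures are kept as attributes for debugging. The string form only shows the
    provided one: the computed value is the valid signature for the rejected payload, and an
    exception message can end up in a log or an error response.
    """

    _MSG = 'The provided signature does not match the computed signature of the payload.'

    def __init__(self, provided: str, computed: str) -> None:
        # The signature that came with the request (sender-controlled).
        self.provided = provided
        # The signature computed locally with the secret. Treat it as sensitive.
        self.computed = computed

    def __str__(self) -> str:
        # repr() escapes control characters in the sender-controlled value, and the computed
        # signature is deliberately left out of the message.
        return f'{self._MSG}\n provided: {self.provided!r}'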