From 538f64eb675ef99027a91712ed5378a0471d6259 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 10 Feb 2021 07:44:14 -0600
Subject: [PATCH] Send webhooks without credentials

We can now send webhook data to an SQS queue at AWS without signing the request with credentials. This allows us to trigger Schutzbot from forks and from branches on the main repository.

Signed-off-by: Major Hayden
---
 .github/workflows/tests.yml | 4 +---
 schutzbot/send_webhook.py | 12 ++++++++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index db53bb6a7..8feba71ab 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -59,11 +59,9 @@ jobs:
 WEBHOOK_PAYLOAD: ${{ toJSON(github.event) }}
 SQS_REGION: us-east-1
 SQS_QUEUE_URL: "https://sqs.us-east-1.amazonaws.com/933752197999/schutzbot_webhook_sqs-staging"
- AWS_ACCESS_KEY_ID: ${{ secrets.WEBHOOK_AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.WEBHOOK_AWS_SECRET_ACCESS_KEY }}
 run: |
 #!/bin/bash
- pip3 install boto3
+ pip3 install boto3 botocore
 schutzbot/send_webhook.py
 
 shellcheck:
diff --git a/schutzbot/send_webhook.py b/schutzbot/send_webhook.py
index abb76ff67..b4e8c3891 100755
--- a/schutzbot/send_webhook.py
+++ b/schutzbot/send_webhook.py
@@ -4,13 +4,21 @@ import json
 import os
 
 import boto3
+from botocore import UNSIGNED
+from botocore.client import Config
 
 WEBHOOK_PAYLOAD = os.environ.get("WEBHOOK_PAYLOAD")
 EVENT_NAME = os.environ.get("EVENT_NAME")
-SQS_REGION = os.environ.get("SQS_REGION")
 SQS_QUEUE_URL = os.environ.get("SQS_QUEUE_URL")
+SQS_REGION = os.environ.get("SQS_REGION")
 
-sqs = boto3.client('sqs', region_name=SQS_REGION)
+sqs = boto3.client(
+ 'sqs',
+ region_name=SQS_REGION,
+ config=Config(
+ signature_version=UNSIGNED
+ )
+)
 
 payload = json.loads(WEBHOOK_PAYLOAD)
 message = {
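Review bot: `pip3 install boto3 botocore` in the `run:` step resolves to whatever is newest on PyPI at run time, and per the commit message this job is now meant to run for forks as well. botocore is already pulled in as a boto3 dependency, so naming it explicitly only adds value if it carries a version. Consider `pip3 install 'boto3==<PINNED_VERSION>' 'botocore==<PINNED_VERSION>'` or a hash-checked requirements file. The job definition starts above the hunk, so its triggers and permissions are not visible here.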
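Review bot: Nothing in the message now proves it came from this workflow, because `signature_version=UNSIGNED` on the `boto3.client(...)` call only works if the queue accepts anonymous requests, and the queue URL is public in tests.yml. The queue policy and the consumer are not part of this change; presumably the policy should grant anonymous callers `sqs:SendMessage` only, and the consumer should treat `payload` and `EVENT_NAME` as untrusted and confirm the event against the GitHub API before starting a run. I would record that contract above the client, e.g. `# Unsigned on purpose: fork runs have no secrets. The queue allows anonymous SendMessage only; the consumer must verify every event before acting on it.` The script continues past the hunk (`message = {` is left open), so what is actually sent is not visible here.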