From 50a54c9214613519485d31aa52d694a0ed6e5441 Mon Sep 17 00:00:00 2001
From: Jeff Bradberry
Date: Wed, 7 Aug 2019 14:49:39 -0400
Subject: [PATCH] Forbid access to the webhook receiver views if webhook_key is not set
---
 awx/api/views/webhooks.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/awx/api/views/webhooks.py b/awx/api/views/webhooks.py
index 2728e4ac3b..a88131e274 100644
--- a/awx/api/views/webhooks.py
+++ b/awx/api/views/webhooks.py
@@ -44,6 +44,9 @@ class WebhookReceiverBase(APIView):
         raise NotImplementedError
 
     def check_signature(self, obj):
+        if not obj.webhook_key:
+            raise PermissionDenied
+
         mac = hmac.new(force_bytes(obj.webhook_key), msg=force_bytes(self.request.body), digestmod=sha1)
         if not hmac.compare_digest(force_bytes(mac.hexdigest()), self.get_signature()):
             raise PermissionDenied
@@ -86,9 +89,12 @@ class GitlabWebhookReceiver(WebhookReceiverBase):
         return self.request.META.get('HTTP_X_GITLAB_TOKEN')
 
     def check_signature(self, obj):
-        # Gitlab only returns the secret token, not an hmac hash
+        if not obj.webhook_key:
+            raise PermissionDenied
 
-        # Use the hmac `compare_digest` helper function to prevent timing analysis by attackers.
+        # Gitlab only returns the secret token, not an hmac hash. Use
+        # the hmac `compare_digest` helper function to prevent timing
+        # analysis by attackers.
         if not hmac.compare_digest(force_bytes(obj.webhook_key), self.get_signature()):
             raise PermissionDenied
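Review bot: The new guard in WebhookReceiverBase.check_signature rejects an empty webhook_key but still hands self.get_signature() straight to hmac.compare_digest, and for GitlabWebhookReceiver that value is self.request.META.get('HTTP_X_GITLAB_TOKEN'), so a request with no token header yields None and compare_digest raises TypeError — a server error instead of PermissionDenied. The second hunk, in GitlabWebhookReceiver.check_signature, has the same gap. I would resolve the header once and fold it into the new guard: `signature = self.get_signature()` / `if not obj.webhook_key or not signature:` / `    raise PermissionDenied`, then compare against `signature`. In the Gitlab branch the key is passed as bytes while the header, as returned on the visible context line, is a str, which compare_digest also rejects with TypeError on Python 3 unless get_signature is normalized elsewhere, so `force_bytes(signature)` in the comparison would settle both cases; whether the GitHub subclass's get_signature can return None is not visible in this diff.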