Merge pull request #947 from taigaio/gogs-new-signature

Adding new gogs signature method
2017-03-06 16:54:26 +01:00 · 2017-03-06 16:54:26 +01:00 · 40577d7675
parent 08424b97fe eb38517977
commit 40577d7675
2 changed files with 13 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -27,6 +27,7 @@
    - Contacts API allow full text search (by the username, full name or email).
    - Filter milestones, user stories and tasks by estimated_start and estimated_finish dates.
    - Add project_extra_info to epics, tasks, milestones, issues and wiki pages endpoints.
+- Gogs integration: Adding new Gogs signature method.
 - Lots of small and not so small bugfixes.


--- a/taiga/hooks/gogs/api.py
+++ b/taiga/hooks/gogs/api.py
@ -19,6 +19,9 @@ from taiga.hooks.api import BaseWebhookApiViewSet

 from . import event_hooks

+import hmac
+import hashlib
+

 class GogsViewSet(BaseWebhookApiViewSet):
    event_hook_classes = {
@ -26,8 +29,6 @@ class GogsViewSet(BaseWebhookApiViewSet):
    }

    def _validate_signature(self, project, request):
-        payload = self._get_payload(request)
-
        if not hasattr(project, "modules_config"):
            return False

@ -38,7 +39,15 @@ class GogsViewSet(BaseWebhookApiViewSet):
        if secret is None:
            return False

+        signature = request.META.get("HTTP_X_GOGS_SIGNATURE", None)
+        if not signature:  # Old format signature support (before 0.11 version)
+            payload = self._get_payload(request)
            return payload.get('secret', None) == secret

+        secret = project.modules_config.config.get("gogs", {}).get("secret", "")
+        secret = bytes(secret.encode("utf-8"))
+        mac = hmac.new(secret, msg=request.body, digestmod=hashlib.sha256)
+        return hmac.compare_digest(mac.hexdigest(), signature)
+
    def _get_event_name(self, request):
        return "push"