Adding new gogs signature method

CHANGELOG.md

@@ -27,6 +27,7 @@
     - Contacts API allow full text search (by the username, full name or email).
     - Filter milestones, user stories and tasks by estimated_start and estimated_finish dates.
     - Add project_extra_info to epics, tasks, milestones, issues and wiki pages endpoints.
+- Gogs integration: Adding new Gogs signature method.
 - Lots of small and not so small bugfixes.
 
 

taiga/hooks/gogs/api.py

@@ -19,6 +19,9 @@ from taiga.hooks.api import BaseWebhookApiViewSet
 
 from . import event_hooks
 
+import hmac
+import hashlib
+
 
 class GogsViewSet(BaseWebhookApiViewSet):
     event_hook_classes = {
@@ -26,8 +29,6 @@ class GogsViewSet(BaseWebhookApiViewSet):
     }
 
     def _validate_signature(self, project, request):
-        payload = self._get_payload(request)
-
         if not hasattr(project, "modules_config"):
             return False
 
@@ -38,7 +39,15 @@ class GogsViewSet(BaseWebhookApiViewSet):
         if secret is None:
             return False
 
+        signature = request.META.get("HTTP_X_GOGS_SIGNATURE", None)
+        if not signature:  # Old format signature support (before 0.11 version)
+            payload = self._get_payload(request)
             return payload.get('secret', None) == secret
 
+        secret = project.modules_config.config.get("gogs", {}).get("secret", "")
+        secret = bytes(secret.encode("utf-8"))
+        mac = hmac.new(secret, msg=request.body, digestmod=hashlib.sha256)
+        return hmac.compare_digest(mac.hexdigest(), signature)
+
     def _get_event_name(self, request):
         return "push"