Add config option SignaturePrefix

Akbar Rahman 2021-08-04 21:43:37 +01:00
parent 8677f5bfdd
commit 6cacc65013
4 changed files with 9 additions and 3 deletions


@ -7,7 +7,8 @@
"AppendPayload": true "AppendPayload": true
}, },
"Secret": "THISISVERYSECRET", "Secret": "THISISVERYSECRET",
"SignatureHeader": "X-Gitea-Signature", "SignatureHeader": "X-Hub-Signature",
"SignaturePrefix": "sha256=",
"Tests": [ "Tests": [
{ {
"Program": "echo", "Program": "echo",
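Review bot: The example now pairs `X-Hub-Signature` with the `sha256=` prefix, but GitHub sends its HMAC-SHA256 digest in `X-Hub-Signature-256`; the older `X-Hub-Signature` header carries a SHA-1 digest prefixed `sha1=`. With this sample a GitHub delivery would fail verification, which tends to push operators toward the documented switch that disables signature checking. The header line should read `"SignatureHeader": "X-Hub-Signature-256",`. The README example further down repeats the same pair and needs the same change.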


@ -10,6 +10,7 @@ type Config struct {
Services map[string]struct { Services map[string]struct {
Script Command Script Command
Secret string Secret string
SignaturePrefix string
SignatureHeader string SignatureHeader string
Tests []Command Tests []Command
} }
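Review bot: The new `SignaturePrefix` field has no comment, and nothing in the struct says that it is matched as a literal prefix of the header value. A one-line comment would help, e.g. `// SignaturePrefix is prepended to the computed HMAC before it is compared with the header value; leave empty if the sender transmits the bare digest.` The struct begins before this hunk, so any documentation on the neighbouring fields is not visible here.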


@ -63,7 +63,7 @@ func webhookHandler(w http.ResponseWriter, r *http.Request) {
// Verify that signature provided matches signature calculated using secretsss // Verify that signature provided matches signature calculated using secretsss
signature := r.Header.Get(service.SignatureHeader) signature := r.Header.Get(service.SignatureHeader)
calculatedSignature := getSha256HMACSignature([]byte(service.Secret), payload) calculatedSignature := fmt.Sprintf("%v%v", service.SignaturePrefix, getSha256HMACSignature([]byte(service.Secret), payload))
fmt.Printf("signature = %v\n", signature) fmt.Printf("signature = %v\n", signature)
fmt.Printf("calcuatedSignature = %v\n", signature) fmt.Printf("calcuatedSignature = %v\n", signature)
if signature != calculatedSignature && checkSignature { if signature != calculatedSignature && checkSignature {
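Review bot: The check `signature != calculatedSignature` at the end of the hunk compares the client-supplied header with the expected MAC using ordinary string inequality, which is not constant-time; `if checkSignature && !hmac.Equal([]byte(signature), []byte(calculatedSignature)) {` avoids the timing side channel (it needs `crypto/hmac` in the file's imports, which are not visible here). The second debug line prints `signature` under the label `calcuatedSignature`, so the log never shows the computed value; if that is corrected it would write a valid MAC for the payload to stdout, so both `Printf` calls are better removed or gated behind a debug setting. webhookHandler starts and ends outside the hunk.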


@ -22,6 +22,9 @@ You **must** set which HTTP header gohookr will receive a signature from using t
key for each service. key for each service.
You should also specify a shared secret in the `Secret` key. You should also specify a shared secret in the `Secret` key.
You may also need to specify a `SignaturePrefix`.
For GitHub it would be `sha256=`.
### Disable Signature Verification ### Disable Signature Verification
You can disable signature verification altogether by setting environment variable You can disable signature verification altogether by setting environment variable
@ -61,7 +64,8 @@ An example config file can be found [here](./config.json) but also below:
"AppendPayload": true "AppendPayload": true
}, },
"Secret": "THISISVERYSECRET", "Secret": "THISISVERYSECRET",
"SignatureHeader": "X-Gitea-Signature", "SignatureHeader": "X-Hub-Signature",
"SignaturePrefix": "sha256=",
"Tests": [ "Tests": [
{ {
"Program": "echo", "Program": "echo",