NEW: (suer#9) Added secret_key to webhooks . Post now includes HMAC v…

…erification signature. Currently this is hard-coded to use sha1, this should be made configurable on a global or project basis. (Or perhaps even per hook?). Direct link to upstream issue: suer#9
ricekab · Oct 23, 2022 · 8c3fb0c · 8c3fb0c
1 parent 5bc9a84
commit 8c3fb0c
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 0 deletions.
diff --git a/app/controllers/webhook_settings_controller.rb b/app/controllers/webhook_settings_controller.rb
@@ -9,6 +9,7 @@ def index
   def create
     webhook = Webhook.new(:project_id => @project.id)
     webhook.url = params[:url]
+    webhook.secret_key = params[:secret_key]
     if webhook.save
       flash[:notice] = l(:notice_successful_create_webhook)
     else
@@ -20,6 +21,7 @@ def update
     id = params[:webhook_id]
     webhook = Webhook.where(:project_id => @project.id).where(:id => id).first
     webhook.url = params[:url]
+    webhook.secret_key = params[:secret_key]
     if webhook.url.blank? ? webhook.destroy : webhook.save
       flash[:notice] = l(:notice_successful_update_webhook)
     else

diff --git a/app/views/webhook_settings/_show.html.erb b/app/views/webhook_settings/_show.html.erb
@@ -5,6 +5,8 @@
 <span>
   <span><strong>URL</strong></span>
   <%= text_field_tag :url, webhook.url, :size => 80 %>
+  <span><strong>Secret key</strong></span>
+  <%= password_field_tag :secret_key, webhook.secret_key, :size => 40 %>
   <%= submit_tag l(:button_update) %>
 </span>
 <% end %>
@@ -19,6 +21,8 @@
 <span>
   <span><strong>URL</strong></span>
   <%= text_field_tag :url, '', :size => 80 %>
+  <span><strong>Secret key</strong></span>
+  <%= password_field_tag :secret_key, '', :size => 40 %>
   <%= submit_tag l(:button_add) %>
 </span>
 </div>

diff --git a/db/migrate/20221023_add_webhook_secret_key.rb b/db/migrate/20221023_add_webhook_secret_key.rb
@@ -0,0 +1,5 @@
+class AddWebhookSecretKey < ActiveRecord::Migration[4.2]
+    def change
+      add_column :webhooks, :secret_key, :text
+    end
+  end
diff --git a/lib/redmine_webhook/webhook_listener.rb b/lib/redmine_webhook/webhook_listener.rb
@@ -78,9 +78,16 @@ def post(webhooks, request_body)
       Thread.start do
         webhooks.each do |webhook|
           begin
+            # Sign payload
+            key = webhook.secret_key
+            # TODO: Allow configuration of algorithm in redmine configuration
+            hmac_alg = "sha1"
+            mac = OpenSSL::HMAC.hexdigest(hmac_alg, key, request_body)
             Faraday.post do |req|
               req.url webhook.url
               req.headers['Content-Type'] = 'application/json'
+              req.headers['X-RedmineWebhook-HMAC-Alg'] = hmac_alg
+              req.headers['X-RedmineWebhook-HMAC-Signature'] = mac
               req.body = request_body
             end
           rescue => e