From 89fffedc02136d413f3d27a123450ee0c818a843 Mon Sep 17 00:00:00 2001
From: Matti Ranta
Date: Mon, 25 Mar 2019 17:02:33 -0400
Subject: [PATCH 1/3] Add signatures to webhooks
---
models/webhook.go | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/models/webhook.go b/models/webhook.go
index 1c6fc45ae3303..8840169186137 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -6,7 +6,10 @@ package models
import (
+ "crypto/hmac"
+ "crypto/sha256"
"crypto/tls"
+ "encoding/hex"
"encoding/json"
"fmt"
"io/ioutil"
@@ -101,6 +104,7 @@ type Webhook struct {
RepoID int64 `xorm:"INDEX"`
OrgID int64 `xorm:"INDEX"`
URL string `xorm:"url TEXT"`
+ Signature string `xorm:"TEXT"`
ContentType HookContentType
Secret string `xorm:"TEXT"`
Events string `xorm:"TEXT"`
@@ -529,6 +533,7 @@ type HookTask struct {
UUID string
Type HookTaskType
URL string `xorm:"TEXT"`
+ Signature string `xorm:"TEXT"`
api.Payloader `xorm:"-"`
PayloadContent string `xorm:"TEXT"`
ContentType HookContentType
@@ -653,15 +658,27 @@ func prepareWebhook(e Engine, w *Webhook, repo *Repository, event HookEventType,
return fmt.Errorf("GetDingtalkPayload: %v", err)
}
default:
- p.SetSecret(w.Secret)
+ //p.SetSecret(w.Secret)
payloader = p
}
+ var signature string
+ if len(w.Secret) > 0 {
+ data, err := payloader.JSONPayload()
+ if err != nil {
+ log.Error(2, "prepareWebhooks.JSONPayload: %v", err)
+ }
+ sig := hmac.New(sha256.New, []byte(w.Secret))
+ sig.Write(data)
+ signature = hex.EncodeToString(sig.Sum(nil))
+ }
+
if err = createHookTask(e, &HookTask{
RepoID: repo.ID,
HookID: w.ID,
Type: w.HookTaskType,
URL: w.URL,
+ Signature: signature,
Payloader: payloader,
ContentType: w.ContentType,
EventType: event,
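Review bot: The `Signature` field added to the `Webhook` struct (tagged as an xorm TEXT column) is never written or read anywhere in this series; the value actually used is the one on `HookTask` in the next hunk, computed per delivery in `prepareWebhook`, so a per-webhook signature column has no meaning. If the models are synced to the database schema this presumably adds a dead TEXT column to every webhook row. Drop the field from `Webhook`, or document what is intended to populate it. The `Webhook` definition continues outside the hunk.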
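Review bot: When `payloader.JSONPayload()` fails, the new block only logs and falls through, so `data` is nil and `signature` becomes an HMAC over an empty body — a deterministic but meaningless value is attached to the task instead of the error being surfaced. Replace the log call with `return fmt.Errorf("JSONPayload: %v", err)`, matching the `GetDingtalkPayload` branch just above; the `:=` also shadows the outer `err`, which an early `return` makes harmless. The signature is only useful if it covers exactly the bytes later sent in the request; `createHookTask` (outside this hunk) presumably serializes `Payloader` into `PayloadContent`, so confirm that serialization is byte-identical to this `JSONPayload()` output, otherwise receivers cannot verify it. The return values of `sig.Write` are ignored; `hash.Hash` documents that Write never returns an error, so a short comment saying so would keep vet/lint quiet. `prepareWebhook` begins before this hunk.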
@@ -712,6 +729,7 @@ func (t *HookTask) deliver() {
req := httplib.Post(t.URL).SetTimeout(timeout, timeout).
Header("X-Gitea-Delivery", t.UUID).
Header("X-Gitea-Event", string(t.EventType)).
+ Header("X-Gitea-Signature", t.Signature).
Header("X-Gogs-Delivery", t.UUID).
Header("X-Gogs-Event", string(t.EventType)).
HeaderWithSensitiveCase("X-GitHub-Delivery", t.UUID).
From 7946e1821591f0e37f762c93faaede80915d49bb Mon Sep 17 00:00:00 2001
From: Matti Ranta
Date: Mon, 25 Mar 2019 17:03:30 -0400
Subject: [PATCH 2/3] uncomment
---
models/webhook.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/models/webhook.go b/models/webhook.go
index 8840169186137..c4f85ee54f2d4 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -658,7 +658,7 @@ func prepareWebhook(e Engine, w *Webhook, repo *Repository, event HookEventType,
return fmt.Errorf("GetDingtalkPayload: %v", err)
}
default:
- //p.SetSecret(w.Secret)
+ p.SetSecret(w.Secret)
payloader = p
}
From f3de0749a4851e8669ce5b9c19c9eb25bca21c3e Mon Sep 17 00:00:00 2001
From: Matti Ranta
Date: Mon, 25 Mar 2019 17:06:23 -0400
Subject: [PATCH 3/3] add gogs signature
---
models/webhook.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/models/webhook.go b/models/webhook.go
index c4f85ee54f2d4..cb5b5c7c972a9 100644
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -732,6 +732,7 @@ func (t *HookTask) deliver() {
Header("X-Gitea-Signature", t.Signature).
Header("X-Gogs-Delivery", t.UUID).
Header("X-Gogs-Event", string(t.EventType)).
+ Header("X-Gogs-Signature", t.Signature).
HeaderWithSensitiveCase("X-GitHub-Delivery", t.UUID).
HeaderWithSensitiveCase("X-GitHub-Event", string(t.EventType)).
SetTLSClientConfig(&tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify})
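Review bot: `Header("X-Gitea-Signature", t.Signature)` is added unconditionally, so deliveries for hooks with no secret configured (where `signature` stays empty in `prepareWebhook`) presumably go out with an empty signature header; the same applies to the `X-Gogs-Signature` line in the third patch's hunk. A receiver that treats the header's presence as "this payload is signed" would then try to verify an empty value rather than noticing the hook is unsigned. Consider setting both headers only when a signature exists, e.g. after the chain: `if t.Signature != "" { req.Header("X-Gitea-Signature", t.Signature); req.Header("X-Gogs-Signature", t.Signature) }` — assuming `req` keeps the chainable request type, which the hunk does not show. A comment next to the header naming the scheme (hex-encoded HMAC-SHA256 of the payload body, keyed with the hook secret) would also help integrators verify it. `deliver` continues outside the hunk.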