gitea/vendor/github.com/google/go-github/v24/github/messages.go

// Copyright 2016 The go-github AUTHORS. All rights reserved.
//
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// This file provides functions for validating payloads from GitHub Webhooks.
// GitHub API docs: https://developer.github.com/webhooks/securing/#validating-payloads-from-github

package github

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"hash"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"
)

const (
	// sha1Prefix is the prefix used by GitHub before the HMAC hexdigest.
	sha1Prefix = "sha1"
	// sha256Prefix and sha512Prefix are provided for future compatibility.
	sha256Prefix = "sha256"
	sha512Prefix = "sha512"
	// signatureHeader is the GitHub header key used to pass the HMAC hexdigest.
	signatureHeader = "X-Hub-Signature"
	// eventTypeHeader is the GitHub header key used to pass the event type.
	eventTypeHeader = "X-Github-Event"
	// deliveryIDHeader is the GitHub header key used to pass the unique ID for the webhook event.
	deliveryIDHeader = "X-Github-Delivery"
)

var (
	// eventTypeMapping maps webhooks types to their corresponding go-github struct types.
	eventTypeMapping = map[string]string{
		"check_run":                      "CheckRunEvent",
		"check_suite":                    "CheckSuiteEvent",
		"commit_comment":                 "CommitCommentEvent",
		"create":                         "CreateEvent",
		"delete":                         "DeleteEvent",
		"deployment":                     "DeploymentEvent",
		"deployment_status":              "DeploymentStatusEvent",
		"fork":                           "ForkEvent",
		"gollum":                         "GollumEvent",
		"installation":                   "InstallationEvent",
		"installation_repositories":      "InstallationRepositoriesEvent",
		"issue_comment":                  "IssueCommentEvent",
		"issues":                         "IssuesEvent",
		"label":                          "LabelEvent",
		"marketplace_purchase":           "MarketplacePurchaseEvent",
		"member":                         "MemberEvent",
		"membership":                     "MembershipEvent",
		"milestone":                      "MilestoneEvent",
		"organization":                   "OrganizationEvent",
		"org_block":                      "OrgBlockEvent",
		"page_build":                     "PageBuildEvent",
		"ping":                           "PingEvent",
		"project":                        "ProjectEvent",
		"project_card":                   "ProjectCardEvent",
		"project_column":                 "ProjectColumnEvent",
		"public":                         "PublicEvent",
		"pull_request_review":            "PullRequestReviewEvent",
		"pull_request_review_comment":    "PullRequestReviewCommentEvent",
		"pull_request":                   "PullRequestEvent",
		"push":                           "PushEvent",
		"repository":                     "RepositoryEvent",
		"repository_vulnerability_alert": "RepositoryVulnerabilityAlertEvent",
		"release":                        "ReleaseEvent",
		"status":                         "StatusEvent",
		"team":                           "TeamEvent",
		"team_add":                       "TeamAddEvent",
		"watch":                          "WatchEvent",
	}
)

// genMAC generates the HMAC signature for a message provided the secret key
// and hashFunc.
func genMAC(message, key []byte, hashFunc func() hash.Hash) []byte {
	mac := hmac.New(hashFunc, key)
	mac.Write(message)
	return mac.Sum(nil)
}

// checkMAC reports whether messageMAC is a valid HMAC tag for message.
func checkMAC(message, messageMAC, key []byte, hashFunc func() hash.Hash) bool {
	expectedMAC := genMAC(message, key, hashFunc)
	return hmac.Equal(messageMAC, expectedMAC)
}

// messageMAC returns the hex-decoded HMAC tag from the signature and its
// corresponding hash function.
func messageMAC(signature string) ([]byte, func() hash.Hash, error) {
	if signature == "" {
		return nil, nil, errors.New("missing signature")
	}
	sigParts := strings.SplitN(signature, "=", 2)
	if len(sigParts) != 2 {
		return nil, nil, fmt.Errorf("error parsing signature %q", signature)
	}

	var hashFunc func() hash.Hash
	switch sigParts[0] {
	case sha1Prefix:
		hashFunc = sha1.New
	case sha256Prefix:
		hashFunc = sha256.New
	case sha512Prefix:
		hashFunc = sha512.New
	default:
		return nil, nil, fmt.Errorf("unknown hash type prefix: %q", sigParts[0])
	}

	buf, err := hex.DecodeString(sigParts[1])
	if err != nil {
		return nil, nil, fmt.Errorf("error decoding signature %q: %v", signature, err)
	}
	return buf, hashFunc, nil
}

// ValidatePayload validates an incoming GitHub Webhook event request
// and returns the (JSON) payload.
// The Content-Type header of the payload can be "application/json" or "application/x-www-form-urlencoded".
// If the Content-Type is neither then an error is returned.
// secretKey is the GitHub Webhook secret message.
//
// Example usage:
//
//     func (s *GitHubEventMonitor) ServeHTTP(w http.ResponseWriter, r *http.Request) {
//       payload, err := github.ValidatePayload(r, s.webhookSecretKey)
//       if err != nil { ... }
//       // Process payload...
//     }
//
func ValidatePayload(r *http.Request, secretKey []byte) (payload []byte, err error) {
	var body []byte // Raw body that GitHub uses to calculate the signature.

	switch ct := r.Header.Get("Content-Type"); ct {
	case "application/json":
		var err error
		if body, err = ioutil.ReadAll(r.Body); err != nil {
			return nil, err
		}

		// If the content type is application/json,
		// the JSON payload is just the original body.
		payload = body

	case "application/x-www-form-urlencoded":
		// payloadFormParam is the name of the form parameter that the JSON payload
		// will be in if a webhook has its content type set to application/x-www-form-urlencoded.
		const payloadFormParam = "payload"

		var err error
		if body, err = ioutil.ReadAll(r.Body); err != nil {
			return nil, err
		}

		// If the content type is application/x-www-form-urlencoded,
		// the JSON payload will be under the "payload" form param.
		form, err := url.ParseQuery(string(body))
		if err != nil {
			return nil, err
		}
		payload = []byte(form.Get(payloadFormParam))

	default:
		return nil, fmt.Errorf("Webhook request has unsupported Content-Type %q", ct)
	}

	sig := r.Header.Get(signatureHeader)
	if err := ValidateSignature(sig, body, secretKey); err != nil {
		return nil, err
	}
	return payload, nil
}

// ValidateSignature validates the signature for the given payload.
// signature is the GitHub hash signature delivered in the X-Hub-Signature header.
// payload is the JSON payload sent by GitHub Webhooks.
// secretKey is the GitHub Webhook secret message.
//
// GitHub API docs: https://developer.github.com/webhooks/securing/#validating-payloads-from-github
func ValidateSignature(signature string, payload, secretKey []byte) error {
	messageMAC, hashFunc, err := messageMAC(signature)
	if err != nil {
		return err
	}
	if !checkMAC(payload, messageMAC, secretKey, hashFunc) {
		return errors.New("payload signature check failed")
	}
	return nil
}

// WebHookType returns the event type of webhook request r.
//
// GitHub API docs: https://developer.github.com/v3/repos/hooks/#webhook-headers
func WebHookType(r *http.Request) string {
	return r.Header.Get(eventTypeHeader)
}

// DeliveryID returns the unique delivery ID of webhook request r.
//
// GitHub API docs: https://developer.github.com/v3/repos/hooks/#webhook-headers
func DeliveryID(r *http.Request) string {
	return r.Header.Get(deliveryIDHeader)
}

// ParseWebHook parses the event payload. For recognized event types, a
// value of the corresponding struct type will be returned (as returned
// by Event.ParsePayload()). An error will be returned for unrecognized event
// types.
//
// Example usage:
//
//     func (s *GitHubEventMonitor) ServeHTTP(w http.ResponseWriter, r *http.Request) {
//       payload, err := github.ValidatePayload(r, s.webhookSecretKey)
//       if err != nil { ... }
//       event, err := github.ParseWebHook(github.WebHookType(r), payload)
//       if err != nil { ... }
//       switch event := event.(type) {
//       case *github.CommitCommentEvent:
//           processCommitCommentEvent(event)
//       case *github.CreateEvent:
//           processCreateEvent(event)
//       ...
//       }
//     }
//
func ParseWebHook(messageType string, payload []byte) (interface{}, error) {
	eventType, ok := eventTypeMapping[messageType]
	if !ok {
		return nil, fmt.Errorf("unknown X-Github-Event in message: %v", messageType)
	}

	event := Event{
		Type:       &eventType,
		RawPayload: (*json.RawMessage)(&payload),
	}
	return event.ParsePayload()
}
Improve migrations to support migrating milestones/labels/issues/comments/pullrequests (#6290) * add migrations * fix package dependency * fix lints * implements migrations except pull requests * add releases * migrating releases * fix bug * fix lint * fix migrate releases * fix tests * add rollback * pull request migtations * fix import * fix go module vendor * add tests for upload to gitea * more migrate options * fix swagger-check * fix misspell * add options on migration UI * fix log error * improve UI options on migrating * add support for username password when migrating from github * fix tests * remove comments and fix migrate limitation * improve error handles * migrate API will also support migrate milestones/labels/issues/pulls/releases * fix tests and remove unused codes * add DownloaderFactory and docs about how to create a new Downloader * fix misspell * fix migration docs * Add hints about migrate options on migration page * fix tests 2019-05-06 21:12:51 -04:00			`// Copyright 2016 The go-github AUTHORS. All rights reserved.`
			`//`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`// This file provides functions for validating payloads from GitHub Webhooks.`
			`// GitHub API docs: https://developer.github.com/webhooks/securing/#validating-payloads-from-github`

			`package github`

			`import (`
			`"crypto/hmac"`
			`"crypto/sha1"`
			`"crypto/sha256"`
			`"crypto/sha512"`
			`"encoding/hex"`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
			`"hash"`
			`"io/ioutil"`
			`"net/http"`
			`"net/url"`
			`"strings"`
			`)`

			`const (`
			`// sha1Prefix is the prefix used by GitHub before the HMAC hexdigest.`
			`sha1Prefix = "sha1"`
			`// sha256Prefix and sha512Prefix are provided for future compatibility.`
			`sha256Prefix = "sha256"`
			`sha512Prefix = "sha512"`
			`// signatureHeader is the GitHub header key used to pass the HMAC hexdigest.`
			`signatureHeader = "X-Hub-Signature"`
			`// eventTypeHeader is the GitHub header key used to pass the event type.`
			`eventTypeHeader = "X-Github-Event"`
			`// deliveryIDHeader is the GitHub header key used to pass the unique ID for the webhook event.`
			`deliveryIDHeader = "X-Github-Delivery"`
			`)`

			`var (`
			`// eventTypeMapping maps webhooks types to their corresponding go-github struct types.`
			`eventTypeMapping = map[string]string{`
			`"check_run": "CheckRunEvent",`
			`"check_suite": "CheckSuiteEvent",`
			`"commit_comment": "CommitCommentEvent",`
			`"create": "CreateEvent",`
			`"delete": "DeleteEvent",`
			`"deployment": "DeploymentEvent",`
			`"deployment_status": "DeploymentStatusEvent",`
			`"fork": "ForkEvent",`
			`"gollum": "GollumEvent",`
			`"installation": "InstallationEvent",`
			`"installation_repositories": "InstallationRepositoriesEvent",`
			`"issue_comment": "IssueCommentEvent",`
			`"issues": "IssuesEvent",`
			`"label": "LabelEvent",`
			`"marketplace_purchase": "MarketplacePurchaseEvent",`
			`"member": "MemberEvent",`
			`"membership": "MembershipEvent",`
			`"milestone": "MilestoneEvent",`
			`"organization": "OrganizationEvent",`
			`"org_block": "OrgBlockEvent",`
			`"page_build": "PageBuildEvent",`
			`"ping": "PingEvent",`
			`"project": "ProjectEvent",`
			`"project_card": "ProjectCardEvent",`
			`"project_column": "ProjectColumnEvent",`
			`"public": "PublicEvent",`
			`"pull_request_review": "PullRequestReviewEvent",`
			`"pull_request_review_comment": "PullRequestReviewCommentEvent",`
			`"pull_request": "PullRequestEvent",`
			`"push": "PushEvent",`
			`"repository": "RepositoryEvent",`
			`"repository_vulnerability_alert": "RepositoryVulnerabilityAlertEvent",`
			`"release": "ReleaseEvent",`
			`"status": "StatusEvent",`
			`"team": "TeamEvent",`
			`"team_add": "TeamAddEvent",`
			`"watch": "WatchEvent",`
			`}`
			`)`

			`// genMAC generates the HMAC signature for a message provided the secret key`
			`// and hashFunc.`
			`func genMAC(message, key []byte, hashFunc func() hash.Hash) []byte {`
			`mac := hmac.New(hashFunc, key)`
			`mac.Write(message)`
			`return mac.Sum(nil)`
			`}`

			`// checkMAC reports whether messageMAC is a valid HMAC tag for message.`
			`func checkMAC(message, messageMAC, key []byte, hashFunc func() hash.Hash) bool {`
			`expectedMAC := genMAC(message, key, hashFunc)`
			`return hmac.Equal(messageMAC, expectedMAC)`
			`}`

			`// messageMAC returns the hex-decoded HMAC tag from the signature and its`
			`// corresponding hash function.`
			`func messageMAC(signature string) ([]byte, func() hash.Hash, error) {`
			`if signature == "" {`
			`return nil, nil, errors.New("missing signature")`
			`}`
			`sigParts := strings.SplitN(signature, "=", 2)`
			`if len(sigParts) != 2 {`
			`return nil, nil, fmt.Errorf("error parsing signature %q", signature)`
			`}`

			`var hashFunc func() hash.Hash`
			`switch sigParts[0] {`
			`case sha1Prefix:`
			`hashFunc = sha1.New`
			`case sha256Prefix:`
			`hashFunc = sha256.New`
			`case sha512Prefix:`
			`hashFunc = sha512.New`
			`default:`
			`return nil, nil, fmt.Errorf("unknown hash type prefix: %q", sigParts[0])`
			`}`

			`buf, err := hex.DecodeString(sigParts[1])`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("error decoding signature %q: %v", signature, err)`
			`}`
			`return buf, hashFunc, nil`
			`}`

			`// ValidatePayload validates an incoming GitHub Webhook event request`
			`// and returns the (JSON) payload.`
			`// The Content-Type header of the payload can be "application/json" or "application/x-www-form-urlencoded".`
			`// If the Content-Type is neither then an error is returned.`
			`// secretKey is the GitHub Webhook secret message.`
			`//`
			`// Example usage:`
			`//`
			`// func (s GitHubEventMonitor) ServeHTTP(w http.ResponseWriter, r http.Request) {`
			`// payload, err := github.ValidatePayload(r, s.webhookSecretKey)`
			`// if err != nil { ... }`
			`// // Process payload...`
			`// }`
			`//`
			`func ValidatePayload(r *http.Request, secretKey []byte) (payload []byte, err error) {`
			`var body []byte // Raw body that GitHub uses to calculate the signature.`

			`switch ct := r.Header.Get("Content-Type"); ct {`
			`case "application/json":`
			`var err error`
			`if body, err = ioutil.ReadAll(r.Body); err != nil {`
			`return nil, err`
			`}`

			`// If the content type is application/json,`
			`// the JSON payload is just the original body.`
			`payload = body`

			`case "application/x-www-form-urlencoded":`
			`// payloadFormParam is the name of the form parameter that the JSON payload`
			`// will be in if a webhook has its content type set to application/x-www-form-urlencoded.`
			`const payloadFormParam = "payload"`

			`var err error`
			`if body, err = ioutil.ReadAll(r.Body); err != nil {`
			`return nil, err`
			`}`

			`// If the content type is application/x-www-form-urlencoded,`
			`// the JSON payload will be under the "payload" form param.`
			`form, err := url.ParseQuery(string(body))`
			`if err != nil {`
			`return nil, err`
			`}`
			`payload = []byte(form.Get(payloadFormParam))`

			`default:`
			`return nil, fmt.Errorf("Webhook request has unsupported Content-Type %q", ct)`
			`}`

			`sig := r.Header.Get(signatureHeader)`
			`if err := ValidateSignature(sig, body, secretKey); err != nil {`
			`return nil, err`
			`}`
			`return payload, nil`
			`}`

			`// ValidateSignature validates the signature for the given payload.`
			`// signature is the GitHub hash signature delivered in the X-Hub-Signature header.`
			`// payload is the JSON payload sent by GitHub Webhooks.`
			`// secretKey is the GitHub Webhook secret message.`
			`//`
			`// GitHub API docs: https://developer.github.com/webhooks/securing/#validating-payloads-from-github`
			`func ValidateSignature(signature string, payload, secretKey []byte) error {`
			`messageMAC, hashFunc, err := messageMAC(signature)`
			`if err != nil {`
			`return err`
			`}`
			`if !checkMAC(payload, messageMAC, secretKey, hashFunc) {`
			`return errors.New("payload signature check failed")`
			`}`
			`return nil`
			`}`

			`// WebHookType returns the event type of webhook request r.`
			`//`
			`// GitHub API docs: https://developer.github.com/v3/repos/hooks/#webhook-headers`
			`func WebHookType(r *http.Request) string {`
			`return r.Header.Get(eventTypeHeader)`
			`}`

			`// DeliveryID returns the unique delivery ID of webhook request r.`
			`//`
			`// GitHub API docs: https://developer.github.com/v3/repos/hooks/#webhook-headers`
			`func DeliveryID(r *http.Request) string {`
			`return r.Header.Get(deliveryIDHeader)`
			`}`

			`// ParseWebHook parses the event payload. For recognized event types, a`
			`// value of the corresponding struct type will be returned (as returned`
			`// by Event.ParsePayload()). An error will be returned for unrecognized event`
			`// types.`
			`//`
			`// Example usage:`
			`//`
			`// func (s GitHubEventMonitor) ServeHTTP(w http.ResponseWriter, r http.Request) {`
			`// payload, err := github.ValidatePayload(r, s.webhookSecretKey)`
			`// if err != nil { ... }`
			`// event, err := github.ParseWebHook(github.WebHookType(r), payload)`
			`// if err != nil { ... }`
			`// switch event := event.(type) {`
			`// case *github.CommitCommentEvent:`
			`// processCommitCommentEvent(event)`
			`// case *github.CreateEvent:`
			`// processCreateEvent(event)`
			`// ...`
			`// }`
			`// }`
			`//`
			`func ParseWebHook(messageType string, payload []byte) (interface{}, error) {`
			`eventType, ok := eventTypeMapping[messageType]`
			`if !ok {`
			`return nil, fmt.Errorf("unknown X-Github-Event in message: %v", messageType)`
			`}`

			`event := Event{`
			`Type: &eventType,`
			`RawPayload: (*json.RawMessage)(&payload),`
			`}`
			`return event.ParsePayload()`
			`}`