209 lines
5.9 KiB
PHP
209 lines
5.9 KiB
PHP
<?php
|
|
|
|
function error($message, $code = 500) {
|
|
http_response_code($code);
|
|
// Echo to STDOUT, not STDERR as some servers will hide STDERR for security reasons
|
|
echo($message);
|
|
exit();
|
|
}
|
|
|
|
// extract_payload()
|
|
// Find the JSON payload from the POST request
|
|
function extract_payload() {
|
|
// check for POST request
|
|
if ($_SERVER['REQUEST_METHOD'] != 'POST') {
|
|
error('FAILED - not POST - '. $_SERVER['REQUEST_METHOD']);
|
|
}
|
|
// get content type
|
|
$content_type = isset($_SERVER['CONTENT_TYPE']) ? strtolower(trim($_SERVER['CONTENT_TYPE'])) : '';
|
|
if ($content_type != 'application/json') {
|
|
error('FAILED - not application/json - '. $content_type);
|
|
}
|
|
// get payload
|
|
$payload = file_get_contents("php://input");
|
|
if (empty($payload)) {
|
|
error('FAILED - no payload');
|
|
}
|
|
return $payload;
|
|
|
|
}
|
|
|
|
// json_to_array(payload)
|
|
// payload: JSON string
|
|
function json_to_array($payload) {
|
|
// convert json to array
|
|
$json = json_decode($payload, true);
|
|
// check for json decode errors
|
|
if (json_last_error() !== JSON_ERROR_NONE) {
|
|
error('FAILED - json decode - '. json_last_error());
|
|
}
|
|
return $json;
|
|
}
|
|
|
|
// Find header value or die
|
|
function extract_header($header) {
|
|
// PHP embedded server prepends HTTP_ to the header name. WTF?
|
|
$value = isset($_SERVER[$header]) ? $_SERVER[$header]
|
|
: (isset($_SERVER['HTTP_'.$header]) ? $_SERVER['HTTP_'.$header]
|
|
: '');
|
|
|
|
if (empty($value)) {
|
|
error('FAILED - header signature '.$header.' missing');
|
|
}
|
|
|
|
return $value;
|
|
}
|
|
|
|
function verify_signature($payload, $secret, $claimed_signature) {
|
|
$payload_signature = hash_hmac('sha256', $payload, $secret, false);
|
|
|
|
// check payload signature against header signature
|
|
if ($claimed_signature != $payload_signature) {
|
|
error('FAILED - payload signature mismatch', 403);
|
|
}
|
|
|
|
}
|
|
|
|
function verify_token($secret, $claimed_secret) {
|
|
if ($secret !== $claimed_secret) {
|
|
error('FAILED - secret token mismatch', 403);
|
|
}
|
|
}
|
|
|
|
// find_secret($repo_url)
|
|
// Find the secret corresponding to the repo_url, if any. Returns empty string otherwise
|
|
function find_secret($repo_url) {
|
|
$forgehook = isset($_ENV['FORGEHOOK']) ? $_ENV['FORGEHOOK'] // from $ENV
|
|
: (file_exists('forgehook') ? './forgehook' // from current directory
|
|
: 'forgehook'); // from $PATH
|
|
|
|
$repo = escapeshellarg($repo_url);
|
|
|
|
$lines = [];
|
|
$status = NULL;
|
|
$secret = exec($forgehook." secret ".$repo, $lines, $status);
|
|
|
|
if (($secret == NULL) or ($status != 0)) {
|
|
error("Secret not found for \"".$repo."\"");
|
|
}
|
|
|
|
if (empty($secret)) {
|
|
error("Secret empty for ".$repo);
|
|
}
|
|
return $secret;
|
|
}
|
|
|
|
class GiteaWebhook {
|
|
function __construct($payload) {
|
|
$this->data = json_to_array($payload);
|
|
}
|
|
|
|
function repo_url() {
|
|
$repo_url = isset($this->data["repository"]["html_url"]) ?
|
|
$this->data["repository"]["html_url"] : "";
|
|
if (empty($repo_url)) {
|
|
error('Could not find Gitea repository URL');
|
|
}
|
|
return $repo_url;
|
|
}
|
|
|
|
function secret() {
|
|
return extract_header("HTTP_X_GITEA_SIGNATURE");
|
|
}
|
|
}
|
|
|
|
class GitlabWebhook {
|
|
function __construct($payload) {
|
|
$this->data = json_to_array($payload);
|
|
}
|
|
|
|
function repo_url() {
|
|
$repo_url = isset($this->data["project"]["git_http_url"]) ?
|
|
$this->data["project"]["git_http_url"] : "";
|
|
if (empty($repo_url)) {
|
|
error('Could not find Gitlab repository URL');
|
|
}
|
|
return $repo_url;
|
|
}
|
|
|
|
function secret() {
|
|
return extract_header("HTTP_X_GITLAB_TOKEN");
|
|
}
|
|
}
|
|
|
|
class GithubWebhook {
|
|
function __construct($payload) {
|
|
$this->data = json_to_array($payload);
|
|
}
|
|
|
|
function repo_url() {
|
|
$repo_url = isset($this->data["repository"]["html_url"]) ?
|
|
$this->data["repository"]["html_url"] : "";
|
|
if (empty($repo_url)) {
|
|
error('Could not find Github repository URL');
|
|
}
|
|
return $repo_url;
|
|
}
|
|
|
|
function secret() {
|
|
return extract_header("HTTP_X_HUB_SIGNATURE");
|
|
}
|
|
}
|
|
|
|
function notify($repo) {
|
|
//$notify = getenv('FORGEHOOKNOTIFY') ? : 'forgehook-notify';
|
|
$notify = isset($_ENV['FORGEHOOKNOTIFY']) ? $_ENV['FORGEHOOKNOTIFY'] // from $ENV
|
|
: (file_exists('forgehook-notify') ? './forgehook-notify' // from current directory
|
|
: 'forgehook-notify'); // from $PATH
|
|
|
|
$lines = [];
|
|
$status = NULL;
|
|
exec($notify." ".$repo, $lines, $status);
|
|
|
|
if ($status != 0) {
|
|
error("Notify failed (".$notify.") with:\n".print_r($lines));
|
|
}
|
|
}
|
|
|
|
function action() {
|
|
if (!isset($_GET['action'])) {
|
|
error("You need to specify an action (gitea, gitlab) like this: ?action=gitea", 404);
|
|
}
|
|
|
|
$payload = extract_payload();
|
|
|
|
switch($_GET['action']) {
|
|
case 'github':
|
|
$webhook = new GithubWebhook($payload);
|
|
$claimed_secret = $webhook->secret();
|
|
$repo_url = $webhook->repo_url();
|
|
$secret = find_secret($repo_url);
|
|
verify_signature($payload, $secret, $claimed_secret);
|
|
notify($repo_url);
|
|
break;
|
|
case 'gitea':
|
|
$webhook = new GiteaWebhook($payload);
|
|
$claimed_secret = $webhook->secret();
|
|
$repo_url = $webhook->repo_url();
|
|
$secret = find_secret($repo_url);
|
|
verify_signature($payload, $secret, $claimed_secret);
|
|
notify($repo_url);
|
|
break;
|
|
case 'gitlab':
|
|
$webhook = new GitlabWebhook($payload);
|
|
$claimed_secret = $webhook->secret();
|
|
$repo_url = $webhook->repo_url();
|
|
$secret = find_secret($repo_url);
|
|
verify_token($secret, $claimed_secret);
|
|
notify($repo_url);
|
|
break;
|
|
default:
|
|
error("Unrecognized action: ".$_GET['action'], 400);
|
|
}
|
|
}
|
|
|
|
action();
|
|
echo("OK");
|
|
|
|
?>
|