Add signature verification middleware.

src/webhook.rs

@@ -1,17 +1,29 @@
+use std::future::Future;
+
 use axum::async_trait;
+use axum::body::Body;
+use axum::body::Bytes;
 use axum::extract::FromRequest;
 use axum::extract::Request;
 use axum::http::HeaderMap;
 use axum::http::StatusCode;
+use axum::middleware::Next;
 use axum::response::IntoResponse;
 use axum::response::Response;
 use axum::Json;
 use axum::RequestExt;
+use base64::{engine::general_purpose, Engine as _};
+use hmac::Hmac;
+use hmac::Mac;
+use http_body_util::BodyExt;
 use serde::Serialize;
+use sha2::Sha256;
 use tracing::debug;
 
 use crate::hook_push::HookPush;
 
+type HmacSha256 = Hmac<Sha256>;
+
 pub(crate) async fn hook(
     _headers: HeaderMap,
     payload: HookRequest,
@@ -72,3 +84,68 @@ pub(crate) struct HookResponse {
     ok: bool,
     message: Option<String>,
 }
+
+pub(crate) async fn verify_signature(
+    request: Request,
+    next: Next,
+) -> Result<impl IntoResponse, Response> {
+    let signature = request
+        .headers()
+        .get("X-Gitea-Signature")
+        .ok_or(StatusCode::BAD_REQUEST.into_response())?;
+    let signature = signature
+        .to_str()
+        .map_err(|_| StatusCode::BAD_REQUEST.into_response())?;
+    let signature = hex_to_bytes(signature).ok_or(StatusCode::BAD_REQUEST.into_response())?;
+    let secret = std::env::var("WEBHOOK_BRIDGE_HMAC_SECRET")
+        .map_err(|err| (StatusCode::INTERNAL_SERVER_ERROR, err.to_string()).into_response())?;
+
+    let request =
+        inspect_request_body(request, move |body| check_hash(body, secret, signature)).await?;
+
+    Ok(next.run(request).await)
+}
+
+async fn inspect_request_body<F, Fut>(request: Request, inspector: F) -> Result<Request, Response>
+where
+    F: FnOnce(Bytes) -> Fut,
+    Fut: Future<Output = Result<Bytes, Response>>,
+{
+    let (parts, body) = request.into_parts();
+
+    let bytes = body
+        .collect()
+        .await
+        .map_err(|err| (StatusCode::INTERNAL_SERVER_ERROR, err.to_string()).into_response())?
+        .to_bytes();
+
+    let bytes = inspector(bytes).await?;
+
+    Ok(Request::from_parts(parts, Body::from(bytes)))
+}
+
+async fn check_hash(body: Bytes, secret: String, signature: Vec<u8>) -> Result<Bytes, Response> {
+    tracing::info!("Checking signature {:02x?}", signature.as_slice());
+    tracing::info!("Using secret {:?}", secret);
+    tracing::info!("and body {}", general_purpose::STANDARD.encode(&body));
+    let mut mac = HmacSha256::new_from_slice(secret.as_bytes())
+        .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response())?;
+    mac.update(&body);
+    mac.verify_slice(&signature)
+        .map_err(|e| (StatusCode::UNAUTHORIZED, e.to_string()).into_response())?;
+    Ok(body)
+}
+
+fn hex_to_bytes(s: &str) -> Option<Vec<u8>> {
+    if s.len() % 2 == 0 {
+        (0..s.len())
+            .step_by(2)
+            .map(|i| {
+                s.get(i..i + 2)
+                    .and_then(|sub| u8::from_str_radix(sub, 16).ok())
+            })
+            .collect()
+    } else {
+        None
+    }
+}