diff --git a/NEWS.mdtext b/NEWS.mdtext index 3078b76..fa1dd18 100644 --- a/NEWS.mdtext +++ b/NEWS.mdtext @@ -6,6 +6,15 @@ from Scilab ! ATTENTION: You need Pluf [324ae60b](http://projects.ceondo.com/p/pluf/source/commit/324ae60b) or newer to properly run this version of Indefero! +## Changes + +- Indefero's post-commit web hook now by default issues HTTP PUT instead of + HTTP POST requests and carries the authentication digest in the new + `Web-Hook-Hmac` header. The old behaviour can be re-enabled by setting the + `$cfg['webhook_processing']` flag to "compat", we urge you to change the + implementations of this web hook as this setting is likely to be removed + in future versions of Indefero. + ## New Features - Indefero's issue tracker can now bi-directionally link issues with variable, configurable diff --git a/src/IDF/Commit.php b/src/IDF/Commit.php index a00563c..a0d7c2a 100644 --- a/src/IDF/Commit.php +++ b/src/IDF/Commit.php @@ -287,6 +287,12 @@ class IDF_Commit extends Pluf_Model $url = str_replace(array('%p', '%r'), array($project->shortname, $this->scm_id), $conf->getVal('webhook_url', '')); + + // trigger a POST instead of the standard PUT if we're asked for + $method = 'PUT'; + if (Pluf::f('webhook_processing', '') === 'compat') { + $method = 'POST'; + } $payload = array('to_send' => array( 'project' => $project->shortname, 'rev' => $this->scm_id, @@ -299,7 +305,7 @@ class IDF_Commit extends Pluf_Model 'project_id' => $project->id, 'authkey' => $project->getWebHookKey(), 'url' => $url, - 'method' => 'POST', + 'method' => $method, ); $item = new IDF_Queue(); $item->type = 'new_commit'; diff --git a/src/IDF/Views/Project.php b/src/IDF/Views/Project.php index 54c52ee..5ed03e2 100644 --- a/src/IDF/Views/Project.php +++ b/src/IDF/Views/Project.php @@ -594,6 +594,10 @@ class IDF_Views_Project 'mtn' => __('monotone'), ); $repository_type = $options[$scm]; + $hook_request_method = 'PUT'; + if (Pluf::f('webhook_processing','') === 'compat') { + $hook_request_method = 'POST'; + } return Pluf_Shortcuts_RenderToResponse('idf/admin/source.html', array( 'remote_svn' => $remote_svn, @@ -603,6 +607,7 @@ class IDF_Views_Project 'page_title' => $title, 'form' => $form, 'hookkey' => $prj->getWebHookKey(), + 'hook_request_method' => $hook_request_method, ), $request); } diff --git a/src/IDF/Webhook.php b/src/IDF/Webhook.php index 7cf2a91..9d33d09 100644 --- a/src/IDF/Webhook.php +++ b/src/IDF/Webhook.php @@ -39,14 +39,20 @@ class IDF_Webhook public static function processNotification($payload) { $data = json_encode($payload['to_send']); + $sign_header = 'Web-Hook-Hmac'; + // use the old signature header if we're asked for + if (Pluf::f('webhook_processing', '') === 'compat') { + $sign_header = 'Post-Commit-Hook-Hmac'; + } $sign = hash_hmac('md5', $data, $payload['authkey']); $params = array('http' => array( + // fall-back to POST for old queue items 'method' => empty($payload['method']) ? 'POST' : $payload['method'], 'content' => $data, 'user_agent' => 'Indefero Hook Sender (http://www.indefero.net)', 'max_redirects' => 0, 'timeout' => 15, - 'header'=> 'Post-Commit-Hook-Hmac: '.$sign."\r\n" + 'header'=> $sign_header.': '.$sign."\r\n" .'Content-Type: application/json'."\r\n", ) ); diff --git a/src/IDF/conf/idf.php-dist b/src/IDF/conf/idf.php-dist index 6660d1b..62fe1ce 100644 --- a/src/IDF/conf/idf.php-dist +++ b/src/IDF/conf/idf.php-dist @@ -495,5 +495,20 @@ $cfg['idf_strong_key_check'] = false; # always have precedence. # $cfg['max_upload_size'] = 2097152; // Size in bytes +# Older versions of Indefero submitted a POST request to a configured +# post-commit web hook when new revisions arrived, whereas a PUT request +# would have been more appropriate. Also, the payload's HMAC digest was +# submitted as value of the HTTP header 'Post-Commit-Hook-Hmac' during +# such a request. Since newer versions of Indefero use the same authentication +# mechanism (based on the same secret key) for other web hooks of the same +# project as well, the name of this HTTP header was no longer appropriate +# and as such changed to simply 'Web-Hook-Hmac'. +# +# Setting the following configuration option to 'compat' now restores the +# old behaviour in both cases. Please notice however that this compatibility +# option is likely to go away in the next major version of Indefero, so you +# should really change the other end of your web hooks! +$cfg['webhook_processing'] = 'compat'; + return $cfg; diff --git a/src/IDF/templates/idf/admin/source.html b/src/IDF/templates/idf/admin/source.html index 69f3e88..85fca2a 100644 --- a/src/IDF/templates/idf/admin/source.html +++ b/src/IDF/templates/idf/admin/source.html @@ -67,9 +67,9 @@
-{blocktrans}

The webhook URL setting specifies an URL to which a HTTP POST -request is sent after each repository commit. If this field is empty, -notifications are disabled.

+{blocktrans}

The webhook URL setting specifies an URL to which a HTTP +{$hook_request_method} request is sent after each repository +commit. If this field is empty, notifications are disabled.

Only properly-escaped HTTP URLs are supported, for example: