Change post-commit webhooks to issue PUTs instead of POST requests

and generalize the HTTP header name for the auth digest; introduce
an option to restore the old behaviour and document that; place a
big warning in NEWS.mdtext about this change.

This change has been sponsored by Scilab.

NEWS.mdtext

@@ -6,6 +6,15 @@ from Scilab <http://www.scilab.org/>!
 ATTENTION: You need Pluf [324ae60b](http://projects.ceondo.com/p/pluf/source/commit/324ae60b)
 or newer to properly run this version of Indefero!
 
+## Changes
+
+- Indefero's post-commit web hook now by default issues HTTP PUT instead of
+  HTTP POST requests and carries the authentication digest in the new
+  `Web-Hook-Hmac` header.  The old behaviour can be re-enabled by setting the
+  `$cfg['webhook_processing']` flag to "compat", we urge you to change the
+  implementations of this web hook as this setting is likely to be removed
+  in future versions of Indefero.
+ 
 ## New Features
 
 - Indefero's issue tracker can now bi-directionally link issues with variable, configurable

src/IDF/Commit.php

@@ -287,6 +287,12 @@ class IDF_Commit extends Pluf_Model
         $url = str_replace(array('%p', '%r'),
                            array($project->shortname, $this->scm_id),
                            $conf->getVal('webhook_url', ''));
+
+        // trigger a POST instead of the standard PUT if we're asked for
+        $method = 'PUT';
+        if (Pluf::f('webhook_processing', '') === 'compat') {
+            $method = 'POST';
+        }
         $payload = array('to_send' => array(
                                             'project' => $project->shortname,
                                             'rev' => $this->scm_id,
@@ -299,7 +305,7 @@ class IDF_Commit extends Pluf_Model
                          'project_id' => $project->id,
                          'authkey' => $project->getWebHookKey(),
                          'url' => $url,
-                         'method' => 'POST',
+                         'method' => $method,
                          );
         $item = new IDF_Queue();
         $item->type = 'new_commit';

src/IDF/Views/Project.php

@@ -594,6 +594,10 @@ class IDF_Views_Project
                          'mtn' => __('monotone'),
                          );
         $repository_type = $options[$scm];
+        $hook_request_method = 'PUT';
+        if (Pluf::f('webhook_processing','') === 'compat') {
+            $hook_request_method = 'POST';
+        }
         return Pluf_Shortcuts_RenderToResponse('idf/admin/source.html',
                                                array(
                                                      'remote_svn' => $remote_svn,
@@ -603,6 +607,7 @@ class IDF_Views_Project
                                                      'page_title' => $title,
                                                      'form' => $form,
                                                      'hookkey' => $prj->getWebHookKey(),
+                                                     'hook_request_method' => $hook_request_method,
                                                      ),
                                                $request);
     }

src/IDF/Webhook.php

@@ -39,14 +39,20 @@ class IDF_Webhook
     public static function processNotification($payload)
     {
         $data = json_encode($payload['to_send']);
+        $sign_header = 'Web-Hook-Hmac';
+        // use the old signature header if we're asked for
+        if (Pluf::f('webhook_processing', '') === 'compat') {
+            $sign_header = 'Post-Commit-Hook-Hmac';
+        }
         $sign = hash_hmac('md5', $data, $payload['authkey']);
         $params = array('http' => array(
+                      // fall-back to POST for old queue items
                       'method' => empty($payload['method']) ? 'POST' : $payload['method'],
                       'content' => $data,
                       'user_agent' => 'Indefero Hook Sender (http://www.indefero.net)',
                       'max_redirects' => 0,
                       'timeout' => 15,
-                      'header'=> 'Post-Commit-Hook-Hmac: '.$sign."\r\n"
+                      'header'=> $sign_header.': '.$sign."\r\n"
                                 .'Content-Type: application/json'."\r\n",
                                         )
                         );

src/IDF/conf/idf.php-dist

@@ -495,5 +495,20 @@ $cfg['idf_strong_key_check'] = false;
 # always have precedence.
 # $cfg['max_upload_size'] = 2097152; // Size in bytes
 
+# Older versions of Indefero submitted a POST request to a configured
+# post-commit web hook when new revisions arrived, whereas a PUT request
+# would have been more appropriate.  Also, the payload's HMAC digest was
+# submitted as value of the HTTP header 'Post-Commit-Hook-Hmac' during
+# such a request.  Since newer versions of Indefero use the same authentication
+# mechanism (based on the same secret key) for other web hooks of the same
+# project as well, the name of this HTTP header was no longer appropriate 
+# and as such changed to simply 'Web-Hook-Hmac'.
+#
+# Setting the following configuration option to 'compat' now restores the
+# old behaviour in both cases. Please notice however that this compatibility
+# option is likely to go away in the next major version of Indefero, so you
+# should really change the other end of your web hooks!
+$cfg['webhook_processing'] = 'compat';
+
 return $cfg;
 

src/IDF/templates/idf/admin/source.html

@@ -67,9 +67,9 @@
 <br>
 <div class="issue-submit-info">
 
-{blocktrans}<p>The webhook URL setting specifies an URL to which a HTTP POST
+{blocktrans}<p>The webhook URL setting specifies an URL to which a HTTP 
-request is sent after each repository commit. If this field is empty,
+<strong>{$hook_request_method}</strong> request is sent after each repository
-notifications are disabled.</p>
+commit. If this field is empty, notifications are disabled.</p>
 
 <p>Only properly-escaped <strong>HTTP</strong> URLs are supported, for example:</p>