This implemented the feature requested in #9.
Changes
NEW: Webhook view & controller modified to include secret_key text field (tagged as password field in the view).
NEW: Webhook posts contain two new headers.
X-RedmineWebhook-HMAC-Alg: The algorithm used for the HMAC signature. Currently hard-coded as sha1.
X-RedmineWebhook-HMAC-Signature: The HMAC signature.
Testing
The changes were tested against the latest docker redmine container (5.0.3 at the time of this PR). A small Python Flask server was written to perform the HMAC validation that clients are expected to do (can be found in this gist).
I've tested with three configurations: (1) an incorrect key, (2) a correct key, and (3) no key.
Potential issues / improvements
The algorithm used for the digest is hard-coded to use SHA1. This should be configurable to some extent.
This is potentially a breaking change with existing webhook setups. I'm not sure how database migrations work with existing entries. If the secret_key is not a proper text entry (i.e. null), I expect this code could break.
Additional notes
I followed the naming convention (somewhat) for db migrations from the main redmine project, prepending the date at the front in YYYYMMDD format.
I do not have much experience with Ruby development; verification from a maintainer regarding code quality would be much appreciated.
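As an added example (not the PR's code, not the plugin's, and not the gist mentioned above), here is the receiver-side check a webhook consumer would run against the two new headers, covering the three configurations the PR was tested with. It assumes the signature is a hex-encoded HMAC over the raw request body and that the algorithm header carries a hashlib digest name; neither detail is stated in the PR, so both are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Assumed: the plugin emits a hex HMAC over the raw body, named by a hashlib
# digest name. sha1 is what this PR hard-codes; sha256 anticipates the
# "should be configurable" improvement listed under potential issues.
ALLOWED_ALGS = {"sha1", "sha256"}
ALG_HEADER = "X-RedmineWebhook-HMAC-Alg"
SIG_HEADER = "X-RedmineWebhook-HMAC-Signature"


def compute_signature(secret: str, body: bytes, alg: str = "sha1") -> str:
    """Hex HMAC of the raw body; mirrors what the sender is assumed to do."""
    return hmac.new(secret.encode("utf-8"), body, getattr(hashlib, alg)).hexdigest()


def verify_webhook(headers: Dict[str, str], body: bytes,
                   secret: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one delivery.

    Configuration (3) from the PR, no key configured, is reported as
    unverifiable rather than silently accepted; the caller decides whether
    unauthenticated deliveries are tolerated at all.
    """
    if not secret:
        return False, "no secret configured; signature cannot be verified"
    alg = headers.get(ALG_HEADER, "").lower()
    sig = headers.get(SIG_HEADER, "")
    # The sender must not get to choose an arbitrary digest: only accept the
    # algorithms this receiver was configured to expect.
    if alg not in ALLOWED_ALGS:
        return False, f"unsupported algorithm {alg!r}"
    if not sig:
        return False, "missing signature header"
    expected = compute_signature(secret, body, alg)
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(expected, sig.lower()):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery, not real Redmine output.
    body = b'{"payload":{"action":"opened","issue":{"id":1}}}'
    hdrs = {ALG_HEADER: "sha1", SIG_HEADER: compute_signature("s3cret", body)}
    for label, key in (("correct key", "s3cret"), ("incorrect key", "wrong"), ("no key", None)):
        print(label, verify_webhook(hdrs, body, key))
```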