gitea-sdk-rs 0.1.0

Rust SDK for the Gitea API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

// Copyright 2026 infinitete. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

//! Authentication mechanisms for the Gitea API client.

pub(crate) mod httpsig;
pub(crate) mod pageant;
pub(crate) mod ssh_agent;
pub(crate) mod ssh_sign;

use hmac::{Hmac, Mac};
use sha2::Sha256;
use subtle::ConstantTimeEq;

type HmacSha256 = Hmac<Sha256>;

/// Verify a Gitea webhook HMAC-SHA256 signature.
///
/// Returns `Ok(true)` if the signature matches, `Ok(false)` if it doesn't,
/// or `Err` if the expected signature is not valid hex.
///
/// Uses constant-time comparison to prevent timing attacks.
pub fn verify_webhook_signature(
    secret: &str,
    expected: &str,
    payload: &[u8],
) -> crate::Result<bool> {
    let expected_bytes = hex::decode(expected)
        .map_err(|_| crate::Error::Validation("invalid hex signature".into()))?;

    let mut mac = HmacSha256::new_from_slice(secret.as_bytes())
        .map_err(|_| crate::Error::Validation("HMAC key error".into()))?;
    mac.update(payload);
    let computed = mac.finalize().into_bytes();

    Ok(computed.ct_eq(&expected_bytes).into())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_webhook_valid() {
        let secret = "my-secret";
        let payload = b"test-payload";
        let mut mac = HmacSha256::new_from_slice(secret.as_bytes()).unwrap();
        mac.update(payload);
        let expected_hex = hex::encode(mac.finalize().into_bytes());

        assert!(verify_webhook_signature(secret, &expected_hex, payload).unwrap());
    }

    #[test]
    fn test_webhook_invalid() {
        let secret = "my-secret";
        let payload = b"test-payload";
        let wrong_sig = "0000000000000000000000000000000000000000000000000000000000000000";

        assert!(!verify_webhook_signature(secret, wrong_sig, payload).unwrap());
    }

    #[test]
    fn test_webhook_bad_hex() {
        let result = verify_webhook_signature("secret", "not-hex-at-all!", b"payload");
        assert!(result.is_err());
    }

    #[test]
    fn test_webhook_wrong_length() {
        let secret = "secret";
        let payload = b"payload";
        let wrong_sig = "abcd";
        assert!(!verify_webhook_signature(secret, wrong_sig, payload).unwrap());
    }

    #[test]
    fn test_webhook_empty_secret() {
        let secret = "";
        let payload = b"test";
        let mut mac = HmacSha256::new_from_slice(secret.as_bytes()).unwrap();
        mac.update(payload);
        let expected_hex = hex::encode(mac.finalize().into_bytes());

        assert!(verify_webhook_signature("", &expected_hex, payload).unwrap());
    }
}