sloc_git/
webhook.rs

1// SPDX-License-Identifier: AGPL-3.0-or-later
2// Copyright (C) 2026 Nima Shafie <nimzshafie@gmail.com>
3
4use anyhow::Result;
5use serde::{Deserialize, Serialize};
6
7// ── types ─────────────────────────────────────────────────────────────────────
8
9#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
10#[serde(rename_all = "snake_case")]
11pub enum WebhookProvider {
12    GitHub,
13    GitLab,
14    Bitbucket,
15}
16
17#[derive(Debug, Clone, Serialize, Deserialize)]
18pub struct WebhookEvent {
19    pub provider: WebhookProvider,
20    pub repo_url: String,
21    pub branch: String,
22    pub commit_sha: String,
23    pub pusher: Option<String>,
24}
25
26// ── HMAC-SHA256 verification ──────────────────────────────────────────────────
27
28/// Verify a GitHub-style `sha256=<hex>` HMAC-SHA256 signature.
29/// Returns `false` for any malformed input rather than erroring.
30#[must_use]
31pub fn verify_github_sig(body: &[u8], sig_header: &str, secret: &str) -> bool {
32    use ring::hmac;
33
34    let Some(hex_sig) = sig_header.strip_prefix("sha256=") else {
35        return false;
36    };
37    let key = hmac::Key::new(hmac::HMAC_SHA256, secret.as_bytes());
38    let computed = hmac::sign(&key, body);
39    let expected_hex = bytes_to_hex(computed.as_ref());
40    constant_eq_str(&expected_hex, hex_sig)
41}
42
43/// Bitbucket uses the same HMAC-SHA256 scheme as GitHub.
44#[must_use]
45pub fn verify_bitbucket_sig(body: &[u8], sig_header: &str, secret: &str) -> bool {
46    verify_github_sig(body, sig_header, secret)
47}
48
49fn bytes_to_hex(bytes: &[u8]) -> String {
50    use std::fmt::Write as _;
51    bytes
52        .iter()
53        .fold(String::with_capacity(bytes.len() * 2), |mut s, b| {
54            write!(s, "{b:02x}").expect("write to String is infallible");
55            s
56        })
57}
58
59fn constant_eq_str(a: &str, b: &str) -> bool {
60    use subtle::ConstantTimeEq;
61    a.as_bytes().ct_eq(b.as_bytes()).into()
62}
63
64// ── payload parsers ───────────────────────────────────────────────────────────
65
66/// Parse a GitHub `push` webhook payload.
67///
68/// # Errors
69/// Returns an error if the body is not valid JSON or required fields are missing.
70pub fn parse_github_push(body: &[u8]) -> Result<WebhookEvent> {
71    let v: serde_json::Value = serde_json::from_slice(body)?;
72    let repo_url = require_str(&v, &["repository", "clone_url"], "repository.clone_url")?;
73    let ref_str = v["ref"]
74        .as_str()
75        .ok_or_else(|| anyhow::anyhow!("missing field: ref"))?;
76    let branch = strip_refs_heads(ref_str);
77    let commit_sha = v["after"]
78        .as_str()
79        .filter(|s| !s.is_empty())
80        .ok_or_else(|| anyhow::anyhow!("missing field: after"))?
81        .to_owned();
82    let pusher = v["pusher"]["name"].as_str().map(str::to_owned);
83    Ok(WebhookEvent {
84        provider: WebhookProvider::GitHub,
85        repo_url,
86        branch,
87        commit_sha,
88        pusher,
89    })
90}
91
92/// Parse a GitLab `push` webhook payload.
93///
94/// # Errors
95/// Returns an error if the body is not valid JSON or required fields are missing.
96pub fn parse_gitlab_push(body: &[u8]) -> Result<WebhookEvent> {
97    let v: serde_json::Value = serde_json::from_slice(body)?;
98    let repo_url = require_str(&v, &["project", "git_http_url"], "project.git_http_url")?;
99    let ref_str = v["ref"]
100        .as_str()
101        .ok_or_else(|| anyhow::anyhow!("missing field: ref"))?;
102    let branch = strip_refs_heads(ref_str);
103    let commit_sha = v["checkout_sha"]
104        .as_str()
105        .filter(|s| !s.is_empty())
106        .ok_or_else(|| anyhow::anyhow!("missing field: checkout_sha"))?
107        .to_owned();
108    let pusher = v["user_username"].as_str().map(str::to_owned);
109    Ok(WebhookEvent {
110        provider: WebhookProvider::GitLab,
111        repo_url,
112        branch,
113        commit_sha,
114        pusher,
115    })
116}
117
118/// Parse a Bitbucket Server / Cloud `push` webhook payload.
119///
120/// # Errors
121/// Returns an error if the body is not valid JSON or required fields are missing.
122pub fn parse_bitbucket_push(body: &[u8]) -> Result<WebhookEvent> {
123    let v: serde_json::Value = serde_json::from_slice(body)?;
124    let repo_url = extract_bitbucket_clone_url(&v)
125        .ok_or_else(|| anyhow::anyhow!("missing field: repository.links.clone[https].href"))?;
126    let push = &v["push"]["changes"][0]["new"];
127    let branch = push["name"]
128        .as_str()
129        .filter(|s| !s.is_empty())
130        .ok_or_else(|| anyhow::anyhow!("missing field: push.changes[0].new.name"))?
131        .to_owned();
132    let commit_sha = push["target"]["hash"]
133        .as_str()
134        .filter(|s| !s.is_empty())
135        .ok_or_else(|| anyhow::anyhow!("missing field: push.changes[0].new.target.hash"))?
136        .to_owned();
137    let pusher = v["actor"]["display_name"].as_str().map(str::to_owned);
138    Ok(WebhookEvent {
139        provider: WebhookProvider::Bitbucket,
140        repo_url,
141        branch,
142        commit_sha,
143        pusher,
144    })
145}
146
147// ── helpers ───────────────────────────────────────────────────────────────────
148
149fn require_str(v: &serde_json::Value, path: &[&str], field: &str) -> Result<String> {
150    let s = path
151        .iter()
152        .fold(v, |cur, key| &cur[key])
153        .as_str()
154        .filter(|s| !s.is_empty())
155        .ok_or_else(|| anyhow::anyhow!("missing field: {field}"))?;
156    Ok(s.to_owned())
157}
158
159fn strip_refs_heads(r: &str) -> String {
160    r.strip_prefix("refs/heads/").unwrap_or(r).to_owned()
161}
162
163fn extract_bitbucket_clone_url(v: &serde_json::Value) -> Option<String> {
164    v["repository"]["links"]["clone"]
165        .as_array()
166        .and_then(|arr| arr.iter().find(|e| e["name"] == "https"))
167        .and_then(|e| e["href"].as_str())
168        .filter(|s| !s.is_empty())
169        .map(str::to_owned)
170}
sloc_git/webhook.rs

sloc_git/
webhook.rs
