From 83e91a1fd8f45279ad5f260d6a7a1b8e8ad12a4c Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Fri, 9 Oct 2020 08:57:01 +0000 Subject: [PATCH] bugfix gitea deploy and bash script --- examples/deploy.sh | 6 ++++-- .../git.example.com/org/project/deploy.sh | 3 +++ internal/webhooks/gitea/gitea.go | 19 +++++++++++++++---- 3 files changed, 22 insertions(+), 6 deletions(-) create mode 100644 examples/git.example.com/org/project/deploy.sh diff --git a/examples/deploy.sh b/examples/deploy.sh index 0852fe3..1626f5e 100644 --- a/examples/deploy.sh +++ b/examples/deploy.sh @@ -8,11 +8,13 @@ GIT_REPO_OWNER GIT_REPO_NAME GIT_CLONE_URL' +# The directory of this bash script base_dir="$(dirname "$(readlink -f "$0")")" -if [[ -f "scripts/${GIT_REPO_ID}/deploy.sh" ]] + +if [[ -f "${base_dir}/${GIT_REPO_ID}/deploy.sh" ]] then echo "Running deplay script for ${GIT_REPO_ID}" - bash "scripts/${GIT_REPO_ID}/deploy.sh" + bash "${base_dir}/${GIT_REPO_ID}/deploy.sh" else echo "Nothing to do for ${GIT_REPO_ID}" for x in $my_envs; do diff --git a/examples/git.example.com/org/project/deploy.sh b/examples/git.example.com/org/project/deploy.sh new file mode 100644 index 0000000..9c443ef --- /dev/null +++ b/examples/git.example.com/org/project/deploy.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +echo 'Hello World' diff --git a/internal/webhooks/gitea/gitea.go b/internal/webhooks/gitea/gitea.go index 067b614..cbd3ad5 100644 --- a/internal/webhooks/gitea/gitea.go +++ b/internal/webhooks/gitea/gitea.go @@ -1,6 +1,9 @@ package gitea import ( + "crypto/hmac" + "crypto/sha256" + "encoding/hex" "encoding/json" "fmt" "io/ioutil" @@ -13,7 +16,6 @@ import ( "git.ryanburnette.com/ryanburnette/git-deploy/internal/webhooks" "github.com/go-chi/chi" - "github.com/google/go-github/v32/github" ) func init() { 
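Review bot: `GIT_REPO_ID` reaches the path handed to `bash` unvalidated, both in the new `-f "${base_dir}/${GIT_REPO_ID}/deploy.sh"` test and in the `bash "${base_dir}/${GIT_REPO_ID}/deploy.sh"` line. The value presumably originates from the webhook payload (its source is outside this hunk), so a `..` segment would resolve to a script outside `base_dir`. Reject such values before the test, for example `case "${GIT_REPO_ID}" in *..*|/*|'') echo "refusing repo id" >&2; exit 1 ;; esac`. The `if` block continues past the end of the hunk.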
@@ -50,9 +52,10 @@ func InitWebhook(providername string, secret *string, envname string) func() { return } - sig := "sha256=" + r.Header.Get("X_GITEA_SIGNATURE") - if err := github.ValidateSignature(sig, payload, secretB); nil != err { - log.Printf("invalid gitea signature: error: %s\n", err) + sig := r.Header.Get("X-Gitea-Signature") + sigB, err := hex.DecodeString(sig) + if !ValidMAC(payload, sigB, secretB) { + log.Printf("invalid gitea signature: %q\n", sig) http.Error(w, "invalid gitea signature", http.StatusBadRequest) return } @@ -98,3 +101,11 @@ func InitWebhook(providername string, secret *string, envname string) func() { }) } } + +// ValidMAC reports whether messageMAC is a valid HMAC tag for message. +func ValidMAC(message, messageMAC, key []byte) bool { + mac := hmac.New(sha256.New, key) + mac.Write(message) + expectedMAC := mac.Sum(nil) + return hmac.Equal(messageMAC, expectedMAC) +}
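Review bot: The error from `hex.DecodeString(sig)` is assigned to `err` and never checked before `ValidMAC` runs. `DecodeString` returns the bytes it managed to decode before the error, so for a malformed header the decision rests on comparing a partial buffer. The log line also cannot tell bad hex from a wrong tag. Make the rejection explicit with `if err != nil || !ValidMAC(payload, sigB, secretB) {`. InitWebhook's body starts before and continues after this hunk.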
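Review bot: `ValidMAC` accepts an empty `key`, and `hmac.New(sha256.New, key)` still produces a tag for it, one that any sender can reproduce. Whether InitWebhook already refuses an empty secret is not visible in this patch, so a guard at the top of the function, `if len(key) == 0 { return false }`, would keep an unset secret from validating requests. The doc comment could also state that the tag is HMAC-SHA256, that `messageMAC` is the raw (hex-decoded) bytes, and that the comparison is constant-time.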