jenkinsci / generic-webhook-trigger-plugin

Can receive any HTTP request, extract any values from JSON or XML and trigger a job with those values available as variables. Works with GitHub, GitLab, Bitbucket, Jira and many more.
https://plugins.jenkins.io/generic-webhook-trigger

HMAC verify 500 error with Teams #187

Closed izenk closed 3 years ago

izenk commented 3 years ago

I think I found the problem: here

MS Teams generates an HMAC token during webhook registration, and this token always contains '=' at the end of the string. This block of code (to handle X-Hub-Signature: sha256=87e3e7...) `if (value.contains("=")) { return value.split("=")[1]; }` tries to split on '=' and take the right part, which leads to an ArrayIndexOutOfBoundsException because '=' is the last symbol in the string.

tomasbjerre commented 3 years ago

Problem seems to be that Teams is sending the HMAC value as Base64 encoded.

If the plugin tries to decode any value as Base64, and falls back on the current implementation, it would succeed with decoding things that are not really Base64 encoded, like 87e3e7b7e4567f528342a75b6d88c619f272c68a4d0d565c68d596a830213164.

So I think the fix here needs to be an option in the plugin to decode the header, as it cannot be auto detected.

tomasbjerre commented 3 years ago

On second thought, I can just Base64 encode the calculated HMAC and also compare that. Fixed and released in 1.72.
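The failure and the fix discussed above, as an added example that is not part of the thread and is not the plugin's own code: it shows why `split("=")[1]` throws on a Base64 value with trailing padding, and verifies a header against both the hex and the Base64 form of the calculated HMAC. The class name, helper names, secret and body are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacHeaderCheck {
  // Hypothetical helper: drop a "sha256="-style prefix, leave Base64 padding alone.
  static String signaturePart(String headerValue) {
    String v = headerValue.trim();
    int eq = v.indexOf('=');
    boolean hasPrefix = eq > 0 && eq < v.length() - 1
        && v.substring(0, eq).matches("(?i)sha(1|256|512)");
    return hasPrefix ? v.substring(eq + 1) : v;
  }

  static byte[] hmacSha256(String secret, String body) throws Exception {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
    return mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
  }
  static String hex(byte[] bytes) {
    StringBuilder sb = new StringBuilder();
    for (byte b : bytes) sb.append(String.format("%02x", b));
    return sb.toString();
  }

  // Accept the header if it equals the calculated HMAC in hex or in Base64.
  static boolean matches(String headerValue, String secret, String body) throws Exception {
    byte[] mac = hmacSha256(secret, body);
    byte[] given = signaturePart(headerValue).getBytes(StandardCharsets.UTF_8);
    // Constant-time comparisons; the non-short-circuit '|' always runs both.
    return MessageDigest.isEqual(given, hex(mac).getBytes(StandardCharsets.UTF_8))
        | MessageDigest.isEqual(given, Base64.getEncoder().encode(mac));
  }

  public static void main(String[] args) throws Exception {
    String secret = "constructed-secret", body = "{\"text\":\"build\"}"; // constructed
    byte[] mac = hmacSha256(secret, body);
    String b64 = Base64.getEncoder().encodeToString(mac); // 32-byte MAC: ends in '='
    try {
      System.out.println(b64.split("=")[1]); // expression quoted in the issue
    } catch (ArrayIndexOutOfBoundsException e) {
      System.out.println("split(\"=\")[1] threw on trailing '='");
    }
    System.out.println("hex header ok: " + matches("sha256=" + hex(mac), secret, body));
    System.out.println("base64 header ok: " + matches(b64, secret, body));
    System.out.println("tampered body ok: " + matches(b64, secret, body + "x"));
  }
}
```

Java's `String.split` discards trailing empty strings, so a value whose only `=` is the final character yields a one-element array and index 1 is out of bounds.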

izenk commented 3 years ago

@tomasbjerre thanks! The plugin was updated and the error is gone. Any ways to debug plugin issues? Maybe a logger? The error is gone, but now Jenkins just returns 403 on HMAC from MS Teams.

tomasbjerre commented 3 years ago

There is also response content along with that 403 error.

The best way to troubleshoot, in my opinion, is with curl, as explained in the readme.