jenkinsci / generic-webhook-trigger-plugin

Can receive any HTTP request, extract any values from JSON or XML and trigger a job with those values available as variables. Works with GitHub, GitLab, Bitbucket, Jira and many more.
https://plugins.jenkins.io/generic-webhook-trigger

Base64 encoded HMAC is not generated correctly. #216

Closed uday4923 closed 3 years ago

uday4923 commented 3 years ago

Plugin version used: 1.75
Jenkins version used: 2.289.3

I am trying to configure job triggering from Microsoft Teams. Teams sends the authentication as a base64 encoded HMAC and I am unable to trigger the job; I tried with curl and was getting 403 as the HMAC was not generated correctly.

I am trying with the following values:

```java
final String algorithm = WhitelistItem.HMAC_SHA256;
headers = new HashMap<>();
headers.put("X-Hub-Signature", Arrays.asList("sha256=h+Pnt+RWf1KDQqdbbYjGGfJyxopNDVZcaNWWqDAhMWQ="));
```

and the base64 encoded HMAC generated via this line:

```java
final String calculateHmacBase64 = new String(Base64.getEncoder().encode(calculateHmac.getBytes(UTF_8)), UTF_8);
```

is:

```
ODdFM0U3QjdFNDU2N0Y1MjgzNDJBNzVCNkQ4OEM2MTlGMjcyQzY4QTREMEQ1NjVDNjhENTk2QTgzMDIxMzE2NA==
```

but if I use this line in the code:

```java
Base64.getEncoder().encodeToString(sha512_HMAC.doFinal(postContent.getBytes("UTF-8")));
```

it returns the correct value.


tomasbjerre commented 3 years ago

What is the value of postContent and calculateHmac in your code?

Are you not comparing SHA256 and SHA512?

Can you repeat the problem with a test? https://github.com/jenkinsci/generic-webhook-trigger-plugin/blob/master/src/test/java/org/jenkinsci/plugins/gwt/whitelist/HMACVerifierTest.java

uday4923 commented 3 years ago

Hi @tomasbjerre, I am already using the test provided in HMACVerifierTest:

```java
@Test
public void testThatHmacCanBeVerifiedAndValid() throws Exception {
    final Map<String, List<String>> headers;
    final String postContent =
        new String(
            Files.readAllBytes(
                Paths.get(this.getClass().getResource("/hmac/hmac-bitbucket-server-payload.json").toURI())),
            UTF_8);
    final String hmacHeader = "X-Hub-Signature";
    final String hmacSecret = "this is secret";
    final String algorithm = WhitelistItem.HMAC_SHA256;
    headers = new HashMap<>();
    headers.put("X-Hub-Signature", Arrays.asList("h+Pnt+RWf1KDQqdbbYjGGfJyxopNDVZcaNWWqDAhMWQ="));

    final boolean actual = this.testHmacVerify(headers, postContent, hmacHeader, hmacSecret, algorithm);
    assertThat(actual).isTrue();
}
```

The value of calculatedHmac is: `87E3E7B7E4567F528342A75B6D88C619F272C68A4D0D565C68D596A830213164`

and the postContent is the same as provided in the test.

tomasbjerre commented 3 years ago

Are you saying that bytesToHex should not be done here? https://github.com/jenkinsci/generic-webhook-trigger-plugin/blob/cc4c3246b9f5a00b45f9c8d634b598046a980c0f/src/main/java/org/jenkinsci/plugins/gwt/whitelist/HMACVerifier.java#L49

tomasbjerre commented 3 years ago

I think this should fix the issue: https://github.com/jenkinsci/generic-webhook-trigger-plugin/pull/217

What do you think?

uday4923 commented 3 years ago

Yes @tomasbjerre, it should fix the issue, thanks. One more thing: currently Teams sends the authorization as

```
authorization: 'HMAC w2g2swwmrsvRLZ5W68LfjaLrSR4fN0ErKGyfTPbLrBs=',
```

so should we also do:

```java
if (value.contains("HMAC")) {
    // To handle Teams signature: authorization: 'HMAC w2g2swwmrsvRLZ5W68LfjaLrSR4fN0ErKGyfTPbLrBs='
    return value.split("HMAC")[1].trim();
}
return value;
```

Should I raise another ticket for this? If yes, please let me know.
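To make the two points in this thread concrete (base64 must wrap the raw MAC bytes, not the `bytesToHex` string, and a `HMAC ` or `sha256=` prefix has to be stripped before decoding), here is a small stand-alone Java program. It is an added illustration, not the plugin's code: the class and method names, the secret and the body are made up.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacBase64Demo {
  static final String SECRET = "this is secret";      // constructed sample, not a real secret
  static final String BODY = "{\"event\":\"push\"}"; // constructed sample webhook body

  static byte[] hmacSha256(String secret, String body) throws Exception {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
    return mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
  }

  static String bytesToHex(byte[] bytes) {
    StringBuilder sb = new StringBuilder();
    for (byte b : bytes) sb.append(String.format("%02X", b));
    return sb.toString();
  }

  // Wrong: base64 of the 64-char hex *string* (64 ASCII bytes), which is what encoding
  // calculateHmac.getBytes(UTF_8) does; yields 88 chars and never matches the sender's value.
  static String base64OfHexString(byte[] mac) {
    return Base64.getEncoder().encodeToString(bytesToHex(mac).getBytes(StandardCharsets.UTF_8));
  }

  // Right: base64 of the 32 raw MAC bytes (44 chars), which is what senders put in the header.
  static String base64OfRawBytes(byte[] mac) {
    return Base64.getEncoder().encodeToString(mac);
  }

  // Receiver side: strip a "sha256=" (GitHub style) or "HMAC " (Teams style) prefix, decode
  // the base64 and compare against the recomputed MAC in constant time.
  static boolean verify(String headerValue, byte[] expectedMac) {
    String b64 = headerValue.replaceFirst("^(sha256=|HMAC\\s+)", "");
    try {
      return MessageDigest.isEqual(Base64.getDecoder().decode(b64), expectedMac);
    } catch (IllegalArgumentException e) { // header is not valid base64
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    byte[] mac = hmacSha256(SECRET, BODY);
    System.out.println("base64(hex string) = " + base64OfHexString(mac));
    System.out.println("base64(raw bytes)  = " + base64OfRawBytes(mac));
    System.out.println("verify(hex form)   = " + verify(base64OfHexString(mac), mac));
    System.out.println("verify(Teams form) = " + verify("HMAC " + base64OfRawBytes(mac), mac));
  }
}
```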

tomasbjerre commented 3 years ago

I released 1.76. Open issue again if not working.