fix: signature header

pupilcc · Sep 23, 2023 · c99fa64 · c99fa64
1 parent b666a14
commit c99fa64
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 17 deletions.
diff --git a/src/main/java/com/pupilcc/pushbot/controller/WebhookController.java b/src/main/java/com/pupilcc/pushbot/controller/WebhookController.java
@@ -49,9 +49,9 @@ public void docker(@RequestBody DockerWebHookDTO dto, @PathVariable String chatT
      * @param chatToken 用户Token
      */
     @PostMapping("/workflow/{chatToken}")
-    public void workflow(@RequestHeader("x-hub-signature-256") String signature,
+    public void workflow(@RequestHeader("x-hub-signature-256") String signatureHeader,
                          @RequestBody WorkflowDTO dto,
                          @PathVariable String chatToken) {
-        webhookService.workflow(signature, dto, chatToken);
+        webhookService.workflow(signatureHeader, dto, chatToken);
     }
 }
diff --git a/src/main/java/com/pupilcc/pushbot/entity/WorkflowDTO.java b/src/main/java/com/pupilcc/pushbot/entity/WorkflowDTO.java
@@ -1,6 +1,5 @@
 package com.pupilcc.pushbot.entity;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
 import lombok.Data;
 
 import java.util.Map;
@@ -25,8 +24,7 @@ public class WorkflowDTO {
 
     private String workflow;
 
-    @JsonProperty("requestID")
-    private String requestId;
+    private String requestID;
 
     private Map<String, String> data;
 }
diff --git a/src/main/java/com/pupilcc/pushbot/service/WebhookService.java b/src/main/java/com/pupilcc/pushbot/service/WebhookService.java
@@ -1,5 +1,6 @@
 package com.pupilcc.pushbot.service;
 
+import cn.hutool.json.JSONUtil;
 import com.pengrad.telegrambot.model.request.ParseMode;
 import com.pupilcc.pushbot.config.BotProperties;
 import com.pupilcc.pushbot.entity.DockerWebHookDTO;
@@ -75,24 +76,24 @@ public void docker(DockerWebHookDTO dto, String chatToken) {
     /**
      * Workflow Webhook Action
      *
-     * @param signature
+     * @param signatureHeader
      * @param dto
      * @param chatToken
      */
-    public void workflow(String signature, WorkflowDTO dto, String chatToken) {
-        // 验证发送端
-        log.info("Workflow 验证签名:{}", signature);
-        log.info("Workflow 验证内容:{}", dto.toString());
-        boolean isValid = WorkflowUtils.verifySignature(chatToken, signature, dto.toString());
-        log.info("Workflow 验证结果:{}", isValid);
+    public void workflow(String signatureHeader, WorkflowDTO dto, String chatToken) {
+        // TODO Ensure that the Webhook request is from GitHub, so compare the Signature
+        boolean isValid = WorkflowUtils.verifySignature(chatToken, signatureHeader, JSONUtil.toJsonStr(dto));
+//        if (!isValid) {
+//            return;
+//        }
 
         Users users = usersRepository.findByChatToken(chatToken);
         if (ObjectUtils.isEmpty(users)) {
             log.info("用户 Token:{} 不存在", chatToken);
         }
 
         SendMessageDTO messageDTO = new SendMessageDTO();
-        messageDTO.setText(dto.getRepository() + dto.getWorkflow());
+        messageDTO.setText(dto.getRepository() + ":" + dto.getWorkflow());
         messageDTO.setParseMode(ParseMode.Markdown);
         messageService.sendMessage(messageDTO, chatToken);
     }

diff --git a/src/main/java/com/pupilcc/pushbot/utils/WorkflowUtils.java b/src/main/java/com/pupilcc/pushbot/utils/WorkflowUtils.java
@@ -19,12 +19,18 @@ public class WorkflowUtils {
      * <a href="https://docs.github.com/en/webhooks/using-webhooks/securing-your-webhooks">GitHub</a>
      *
      * @param secret
-     * @param signature
+     * @param header
      * @param payload
      * @return
      */
     @SneakyThrows
-    public static boolean verifySignature(String secret, String signature, String payload) {
+    public static boolean verifySignature(String secret, String header, String payload) {
+        String[] parts = header.split("=");
+        if (parts.length < 2) {
+            throw new IllegalArgumentException("Invalid header format: " + header);
+        }
+        String sigHex = parts[1];
+
         byte[] keyBytes = secret.getBytes(StandardCharsets.UTF_8);
         SecretKeySpec key = new SecretKeySpec(keyBytes, "HmacSHA256");
 
@@ -34,7 +40,7 @@ public static boolean verifySignature(String secret, String signature, String pa
         byte[] dataBytes = payload.getBytes(StandardCharsets.UTF_8);
         byte[] computedSigBytes = mac.doFinal(dataBytes);
 
-        byte[] sigBytes = hexToBytes(signature);
+        byte[] sigBytes = hexToBytes(sigHex);
 
         return Arrays.equals(computedSigBytes, sigBytes);
     }
@@ -54,7 +60,7 @@ private static byte[] hexToBytes(String hex) {
 
 //    public static void main(String[] args) {
 //        String secret = "It's a Secret to Everybody";
-//        String header = "757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17";
+//        String header = "sha256=757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17";
 //        String payload = "Hello, World!";
 //
 //        boolean isValid = verifySignature(secret, header, payload);