From c99fa641b802b29df5d8f1118e6eb16dbde7f318 Mon Sep 17 00:00:00 2001
From: pupilcc
Date: Sun, 24 Sep 2023 01:51:03 +0800
Subject: [PATCH] fix: signature header
---
 .../pushbot/controller/WebhookController.java | 4 ++--
 .../com/pupilcc/pushbot/entity/WorkflowDTO.java | 4 +---
 .../pupilcc/pushbot/service/WebhookService.java | 17 +++++++++--------
 .../pupilcc/pushbot/utils/WorkflowUtils.java | 14 ++++++++++----
 4 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/src/main/java/com/pupilcc/pushbot/controller/WebhookController.java b/src/main/java/com/pupilcc/pushbot/controller/WebhookController.java
index 51d3d33..5a262a9 100644
--- a/src/main/java/com/pupilcc/pushbot/controller/WebhookController.java
+++ b/src/main/java/com/pupilcc/pushbot/controller/WebhookController.java
@@ -49,9 +49,9 @@ public void docker(@RequestBody DockerWebHookDTO dto, @PathVariable String chatT
 * @param chatToken 用户Token
 */
 @PostMapping("/workflow/{chatToken}")
- public void workflow(@RequestHeader("x-hub-signature-256") String signature,
+ public void workflow(@RequestHeader("x-hub-signature-256") String signatureHeader,
 @RequestBody WorkflowDTO dto, @PathVariable String chatToken) {
- webhookService.workflow(signature, dto, chatToken);
+ webhookService.workflow(signatureHeader, dto, chatToken);
 }
 }
diff --git a/src/main/java/com/pupilcc/pushbot/entity/WorkflowDTO.java b/src/main/java/com/pupilcc/pushbot/entity/WorkflowDTO.java
index ec12aa6..6255205 100644
--- a/src/main/java/com/pupilcc/pushbot/entity/WorkflowDTO.java
+++ b/src/main/java/com/pupilcc/pushbot/entity/WorkflowDTO.java
@@ -1,6 +1,5 @@
 package com.pupilcc.pushbot.entity;
-import com.fasterxml.jackson.annotation.JsonProperty;
 import lombok.Data;
 import java.util.Map;
@@ -25,8 +24,7 @@ public class WorkflowDTO {
 private String workflow;
- @JsonProperty("requestID")
- private String requestId;
+ private String requestID;
 private Map data;
 }
diff --git a/src/main/java/com/pupilcc/pushbot/service/WebhookService.java b/src/main/java/com/pupilcc/pushbot/service/WebhookService.java
index df7e024..247b4cf 100644
--- a/src/main/java/com/pupilcc/pushbot/service/WebhookService.java
+++ b/src/main/java/com/pupilcc/pushbot/service/WebhookService.java
@@ -1,5 +1,6 @@
 package com.pupilcc.pushbot.service;
+import cn.hutool.json.JSONUtil;
 import com.pengrad.telegrambot.model.request.ParseMode;
 import com.pupilcc.pushbot.config.BotProperties;
 import com.pupilcc.pushbot.entity.DockerWebHookDTO;
@@ -75,16 +76,16 @@ public void docker(DockerWebHookDTO dto, String chatToken) {
 /**
 * Workflow Webhook Action
 *
- * @param signature
+ * @param signatureHeader
 * @param dto
 * @param chatToken
 */
- public void workflow(String signature, WorkflowDTO dto, String chatToken) {
- // 验证发送端
- log.info("Workflow 验证签名:{}", signature);
- log.info("Workflow 验证内容:{}", dto.toString());
- boolean isValid = WorkflowUtils.verifySignature(chatToken, signature, dto.toString());
- log.info("Workflow 验证结果:{}", isValid);
+ public void workflow(String signatureHeader, WorkflowDTO dto, String chatToken) {
+ // TODO Ensure that the Webhook request is from GitHub, so compare the Signature
+ boolean isValid = WorkflowUtils.verifySignature(chatToken, signatureHeader, JSONUtil.toJsonStr(dto));
+// if (!isValid) {
+// return;
+// }
 Users users = usersRepository.findByChatToken(chatToken);
 if (ObjectUtils.isEmpty(users)) {
@@ -92,7 +93,7 @@ public void workflow(String signature, WorkflowDTO dto, String chatToken) {
 }
 SendMessageDTO messageDTO = new SendMessageDTO();
- messageDTO.setText(dto.getRepository() + dto.getWorkflow());
+ messageDTO.setText(dto.getRepository() + ":" + dto.getWorkflow());
 messageDTO.setParseMode(ParseMode.Markdown);
 messageService.sendMessage(messageDTO, chatToken);
 }
diff --git a/src/main/java/com/pupilcc/pushbot/utils/WorkflowUtils.java b/src/main/java/com/pupilcc/pushbot/utils/WorkflowUtils.java
index 7c8c245..470aa7d 100644
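Review bot: The verification result is computed but never enforced — the `if (!isValid) { return; }` guard is left commented out, so a POST to /workflow/{chatToken} with any well-formed `x-hub-signature-256` header still looks up the user and sends the Telegram message. The check as written is also unlikely to ever pass: GitHub signs the raw request body bytes, whereas `JSONUtil.toJsonStr(dto)` re-serializes a DTO that only carries the fields this patch declares (workflow, requestID, data, plus repository), so field order, whitespace and any body fields absent from the DTO will differ from what was signed — presumably why the guard had to be disabled. Take the raw body in the controller (`@RequestBody String rawBody`, or a `ContentCachingRequestWrapper`) and verify over exactly those bytes before binding the DTO, then re-enable the guard as `if (!isValid) { log.warn("Workflow webhook rejected: signature mismatch for chatToken {}", chatToken); return; }` without logging the header value itself. Note also that `chatToken` is both the URL path segment and the HMAC secret passed to verifySignature, so a valid signature proves only knowledge of the URL; if a separate per-user webhook secret exists it should be the key instead (cannot tell from this diff). The enclosing `workflow` method continues past the hunk.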
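Review bot: `dto.getRepository()` and `dto.getWorkflow()` come straight from the webhook body and are concatenated into a message sent with `ParseMode.Markdown` without escaping, so characters such as `_`, `*`, `` ` `` or `[` in a repository or workflow name can make Telegram reject the message or let the sender inject formatting and links — all the more so while the signature check in this same patch is not enforced. Either escape the Markdown special characters before concatenation or send this message without `ParseMode.Markdown`, e.g. `messageDTO.setText(escapeMarkdown(dto.getRepository()) + ":" + escapeMarkdown(dto.getWorkflow()));` with a small private helper that backslash-escapes those characters. The method this hunk belongs to starts outside the hunk.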
--- a/src/main/java/com/pupilcc/pushbot/utils/WorkflowUtils.java
+++ b/src/main/java/com/pupilcc/pushbot/utils/WorkflowUtils.java
@@ -19,12 +19,18 @@ public class WorkflowUtils {
 * GitHub
 *
 * @param secret
- * @param signature
+ * @param header
 * @param payload
 * @return
 */
 @SneakyThrows
- public static boolean verifySignature(String secret, String signature, String payload) {
+ public static boolean verifySignature(String secret, String header, String payload) {
+ String[] parts = header.split("=");
+ if (parts.length < 2) {
+ throw new IllegalArgumentException("Invalid header format: " + header);
+ }
+ String sigHex = parts[1];
 byte[] keyBytes = secret.getBytes(StandardCharsets.UTF_8);
 SecretKeySpec key = new SecretKeySpec(keyBytes, "HmacSHA256");
@@ -34,7 +40,7 @@ public static boolean verifySignature(String secret, String signature, String pa
 byte[] dataBytes = payload.getBytes(StandardCharsets.UTF_8);
 byte[] computedSigBytes = mac.doFinal(dataBytes);
- byte[] sigBytes = hexToBytes(signature);
+ byte[] sigBytes = hexToBytes(sigHex);
 return Arrays.equals(computedSigBytes, sigBytes);
 }
@@ -54,7 +60,7 @@ private static byte[] hexToBytes(String hex) {
 // public static void main(String[] args) {
 // String secret = "It's a Secret to Everybody";
-// String header = "757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17";
+// String header = "sha256=757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17";
 // String payload = "Hello, World!";
 //
 // boolean isValid = verifySignature(secret, header, payload);
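Review bot: The new header parsing accepts any `x=y` shape — `header.split("=")` never checks that the algorithm prefix is `sha256`, and without a split limit a value containing a second `=` silently keeps only the middle segment. Check the prefix and the digest length explicitly, e.g. `String[] parts = header.split("=", 2); if (parts.length != 2 || !"sha256".equals(parts[0]) || parts[1].length() != 64) {`, and consider returning `false` for a malformed header rather than throwing `IllegalArgumentException`, which presumably surfaces from the controller as a server error instead of a rejected request (how the exception is handled is not visible in this diff). The behaviour of `hexToBytes` on a non-hex or odd-length string is also outside the hunk, so the length check above is what keeps that path well-defined. The method body continues past the hunk.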
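Review bot: The unchanged `return Arrays.equals(computedSigBytes, sigBytes);` at the end of this hunk short-circuits at the first differing byte, so response time leaks how many leading bytes of an attacker-supplied signature match the server-computed HMAC — this is the canonical place for a constant-time compare. Replace it with `return MessageDigest.isEqual(computedSigBytes, sigBytes);`, which needs `import java.security.MessageDigest;` added at the top of the file, outside this hunk. The enclosing `verifySignature` method starts outside the hunk.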