Supporting Base64 encoded HMAC header #187

jenkinsci · Nov 6, 2020 · 17c8f34 · 17c8f34
1 parent 99821d5
commit 17c8f34
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Generic Webhook Plugin Changelog
 Changelog of Generic Webhook Plugin.
+## Unreleased
+### No issue
+
+**Documenting**
+
+
+[99821d521ee09b8](https://github.com/jenkinsci/generic-webhook-trigger-plugin/commit/99821d521ee09b8) Tomas Bjerre *2020-10-28 15:56:51*
+
+
 ## 1.70 (2020-10-28 15:34:10)
 ### GitHub [#186](https://github.com/jenkinsci/generic-webhook-trigger-plugin/issues/186) Support X-Gitlab-Token  
 

diff --git a/src/main/java/org/jenkinsci/plugins/gwt/whitelist/HMACVerifier.java b/src/main/java/org/jenkinsci/plugins/gwt/whitelist/HMACVerifier.java
@@ -5,6 +5,7 @@
 import java.io.UnsupportedEncodingException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -22,7 +23,11 @@ public static void hmacVerify(
       throws WhitelistException {
     final String headerValue = getHeaderValue(hmacHeader, headers);
     final String calculateHmac = getCalculatedHmac(postContent, hmacSecret, algorithm);
-    if (!headerValue.equalsIgnoreCase(calculateHmac)) {
+    final String calculateHmacBase64 =
+        new String(Base64.getEncoder().encode(calculateHmac.getBytes(UTF_8)), UTF_8);
+
+    if (!headerValue.equalsIgnoreCase(calculateHmac)
+        && !headerValue.equalsIgnoreCase(calculateHmacBase64)) {
       throw new WhitelistException(
           "HMAC verification failed with \""
               + hmacHeader
@@ -65,7 +70,7 @@ private static String getHeaderValue(
       final boolean oneValue = ck.getValue().size() == 1;
       if (sameHeader && oneValue) {
         final String value = ck.getValue().get(0);
-        if (value.contains("=")) {
+        if (value.contains("=") && !value.endsWith("=")) {
           // To handle X-Hub-Signature: sha256=87e3e7...
           return value.split("=")[1];
         }

diff --git a/src/test/java/org/jenkinsci/plugins/gwt/whitelist/HMACVerifierTest.java b/src/test/java/org/jenkinsci/plugins/gwt/whitelist/HMACVerifierTest.java
@@ -22,7 +22,9 @@ public void testThatHmacCanBeVerifiedAndValid() throws Exception {
         new String(
             Files.readAllBytes(
                 Paths.get(
-                    getClass().getResource("/hmac/hmac-bitbucket-server-payload.json").toURI())),
+                    this.getClass()
+                        .getResource("/hmac/hmac-bitbucket-server-payload.json")
+                        .toURI())),
             UTF_8);
     final String hmacHeader = "X-Hub-Signature";
     final String hmacSecret = "this is secret";
@@ -32,7 +34,27 @@ public void testThatHmacCanBeVerifiedAndValid() throws Exception {
         "X-Hub-Signature",
         Arrays.asList("sha256=87e3e7b7e4567f528342a75b6d88c619f272c68a4d0d565c68d596a830213164"));
 
-    final boolean actual = testHmacVerify(headers, postContent, hmacHeader, hmacSecret, algorithm);
+    final boolean actual =
+        this.testHmacVerify(headers, postContent, hmacHeader, hmacSecret, algorithm);
+
+    assertThat(actual).isTrue();
+  }
+
+  @Test
+  public void testThatHmacCanBeBase64() throws Exception {
+    final Map<String, List<String>> headers;
+    final String postContent = "whatever";
+    final String hmacHeader = "hmac";
+    final String hmacSecret = "this is secret";
+    final String algorithm = WhitelistItem.HMAC_SHA256;
+    headers = new HashMap<>();
+    headers.put(
+        hmacHeader,
+        Arrays.asList(
+            "NzEyMTJGODU0RTIzQzU3NUQ3QjFBQUQ0QzM0NjcwRkYwOEVCRjcyMUMzODM3NjY4NjEzRTk2Qzg3RjZFRThCMg=="));
+
+    final boolean actual =
+        this.testHmacVerify(headers, postContent, hmacHeader, hmacSecret, algorithm);
 
     assertThat(actual).isTrue();
   }
@@ -44,7 +66,9 @@ public void testThatHmacCanBeVerifiedAndValidWIthoutAlgorithmInHeader() throws E
         new String(
             Files.readAllBytes(
                 Paths.get(
-                    getClass().getResource("/hmac/hmac-bitbucket-server-payload.json").toURI())),
+                    this.getClass()
+                        .getResource("/hmac/hmac-bitbucket-server-payload.json")
+                        .toURI())),
             UTF_8);
     final String hmacHeader = "X-Hub-Signature";
     final String hmacSecret = "this is secret";
@@ -54,7 +78,8 @@ public void testThatHmacCanBeVerifiedAndValidWIthoutAlgorithmInHeader() throws E
         "X-Hub-Signature",
         Arrays.asList("87e3e7b7e4567f528342a75b6d88c619f272c68a4d0d565c68d596a830213164"));
 
-    final boolean actual = testHmacVerify(headers, postContent, hmacHeader, hmacSecret, algorithm);
+    final boolean actual =
+        this.testHmacVerify(headers, postContent, hmacHeader, hmacSecret, algorithm);
 
     assertThat(actual).isTrue();
   }
@@ -66,7 +91,9 @@ public void testThatHmacCanBeVerifiedAndInvalid() throws Exception {
         new String(
             Files.readAllBytes(
                 Paths.get(
-                    getClass().getResource("/hmac/hmac-bitbucket-server-payload.json").toURI())),
+                    this.getClass()
+                        .getResource("/hmac/hmac-bitbucket-server-payload.json")
+                        .toURI())),
             UTF_8);
     final String hmacHeader = "X-Hub-Signature";
     final String hmacSecret = "this is secret";
@@ -76,7 +103,8 @@ public void testThatHmacCanBeVerifiedAndInvalid() throws Exception {
         "X-Hub-Signature",
         Arrays.asList("sha256=97e3e7b7e4567f528342a75b6d88c619f272c68a4d0d565c68d596a830213164"));
 
-    final boolean actual = testHmacVerify(headers, postContent, hmacHeader, hmacSecret, algorithm);
+    final boolean actual =
+        this.testHmacVerify(headers, postContent, hmacHeader, hmacSecret, algorithm);
 
     assertThat(actual).isFalse();
   }