webhook: gogs payload validation failed

I’m trying to use the webhook with Gogs (Go Git Server) and the payload validation is failing:

May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | [webhook] 2020/05/19 23:25:29 [c84770] incoming HTTP GET request from 172.22.0.1:52448
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | [webhook] 2020/05/19 23:25:29 [c84770] gogs got matched
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | [webhook] 2020/05/19 23:25:29 [c84770] error parsing JSON payload EOF
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | [webhook] 2020/05/19 23:25:29 [c84770] error evaluating hook: invalid payload signatures [76cda40505e58837211ee37fe7e8c819e31f33a1221a686fbebbe5829002ea01]
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] GET /hooks/gogs
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] Accept-Encoding: gzip
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] Content-Type: application/json
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] Referer: http://nixie.home.honig.net:18140//hooks/gogs
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] User-Agent: GogsServer
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] X-Github-Delivery: f45348ae-7fdf-4697-8230-45b07e55e056
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] X-Github-Event: push
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] X-Gogs-Delivery: f45348ae-7fdf-4697-8230-45b07e55e056
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] X-Gogs-Event: push
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] X-Gogs-Signature: 76cda40505e58837211ee37fe7e8c819e31f33a1221a686fbebbe5829002ea01
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] id:
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | < [c84770] Internal Server Error
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | < [c84770] Error occurred while evaluating hook rules.
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k |
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | [webhook] 2020/05/19 23:25:29 [c84770] 500 | 43 B | 133.025µs | nixie.home.honig.net:18140 | GET /hooks/gogs

I’m using a version of https://github.com/camptocamp/docker-g10k-webhook where I’ve upgraded to 2.7.0 and swapped -verbose for -debug to try to debug this.

Now the funny thing is that I have a Python Flask implementation of a hook that verifies the signatures that has been working with Gogs webhooks for a long time.

The template file looks to be derived from the example in the git repo:

- id: gogs
  execute-command: /push-to-g10k.sh
  command-working-directory: /
  pass-arguments-to-command:
  - source: payload
    name: ref
  - source: payload
    name: repository.ssh_url
  trigger-rule:
    and:
      - match:
          type: payload-hash-sha256
          secret: "{{ getenv "HOOK_SECRET" | js }}"
          parameter:
            source: header
            name: X-Gogs-Signature

I’ve verified that HOOK_SECRET in the environment is correct. I even replaced

with

                secret: FRED

(which is the secret I’m using so that I can share stuff here).

Any tips to help debug this?

Gogs gives me the following information about the hook call:

Request URL: http://nixie.home.honig.net:18140//hooks/gogs
Request method: POST
Content-Type: application/json
X-Github-Delivery: 9a37cb8c-151c-4801-9f38-f722e93c85fa
X-Github-Event: push
X-Gogs-Delivery: 9a37cb8c-151c-4801-9f38-f722e93c85fa
X-Gogs-Event: push
X-Gogs-Signature: 76cda40505e58837211ee37fe7e8c819e31f33a1221a686fbebbe5829002ea01
{
  "ref": "refs/heads/production",
  "before": "0d63846da1e52542b34ec1cd7f63598a42e4a9fe",
  "after": "0d63846da1e52542b34ec1cd7f63598a42e4a9fe",
  "compare_url": "",
  "commits": [
    {
      "id": "0d63846da1e52542b34ec1cd7f63598a42e4a9fe",
      "message": "fixup! Fix trim_ssd errors with FUSE% variables\n",
      "url": "https://git.home.honig.net/Sysadmin/puppet/commit/0d63846da1e52542b34ec1cd7f63598a42e4a9fe",
      "author": {
        "name": "Jeffrey C Honig",
        "email": "jch@honig.net",
        "username": "jch"
      },
      "committer": {
        "name": "Jeffrey C Honig",
        "email": "jch@honig.net",
        "username": "jch"
      },
      "added": null,
      "removed": null,
      "modified": [
        "site/profile/files/bin/trim_ssd"
      ],
      "timestamp": "0001-01-01T00:00:00Z"
    }
  ],
  "repository": {
    "id": 10,
    "owner": {
      "id": 3,
      "username": "Sysadmin",
      "login": "Sysadmin",
      "full_name": "Sysadmin repos",
      "email": "",
      "avatar_url": "https://git.home.honig.net/avatars/3"
    },
    "name": "puppet",
    "full_name": "Sysadmin/puppet",
    "description": "Server puppet configs",
    "private": true,
    "fork": false,
    "parent": null,
    "empty": false,
    "mirror": false,
    "size": 23244800,
    "html_url": "https://git.home.honig.net/Sysadmin/puppet",
    "ssh_url": "git@git-new.home.honig.net:Sysadmin/puppet.git",
    "clone_url": "https://git.home.honig.net/Sysadmin/puppet.git",
    "website": "",
    "stars_count": 0,
    "forks_count": 0,
    "watchers_count": 2,
    "open_issues_count": 0,
    "default_branch": "production",
    "created_at": "2017-04-22T23:31:30Z",
    "updated_at": "2020-05-19T13:02:51Z"
  },
  "pusher": {
    "id": 1,
    "username": "jch",
    "login": "jch",
    "full_name": "Jeffrey Honig",
    "email": "jch@honig.net",
    "avatar_url": "https://secure.gravatar.com/avatar/b25e2ae1f07ec30647f346df81d2d841"
  },
  "sender": {
    "id": 1,
    "username": "jch",
    "login": "jch",
    "full_name": "Jeffrey Honig",
    "email": "jch@honig.net",
    "avatar_url": "https://secure.gravatar.com/avatar/b25e2ae1f07ec30647f346df81d2d841"
  }
}

Any other suggestions for debugging this?

Thanks.

Jeff

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 18 (6 by maintainers)

Most upvoted comments

Could you also try one more thing before doing that: fix the request URL so that it’s hooks/gogs instead of /hooks/gogs in Gogs?

D’oh! That was it!

Here’s some debugging that I added:

diff --git a/webhook.go b/webhook.go
index 3af8ab4..840bd4d 100644
--- a/webhook.go
+++ b/webhook.go
@@ -246,6 +246,9 @@ func hookHandler(w http.ResponseWriter, r *http.Request) {
 		if err != nil {
 			log.Printf("[%s] error reading the request body. %+v\n", rid, err)
 		}
+//		fmt.Printf("BODY: %d %d '%s'\n", len(body), len(string(body)), string(body))
+		fmt.Printf("REQUEST: %#v\n", r)
+		fmt.Printf("REQUEST: %#v\n", r.Body)
 
 		// parse headers
 		headers := valuesToMap(r.Header)
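
Review bot: The two added fmt.Printf("REQUEST: %#v\n", ...) calls dump the whole *http.Request, every header included (the X-Gogs-Signature value appears in the output), and they bypass the log.Printf("[%s] ...", rid, ...) form used in the context lines just above, so the output cannot be tied to a request id. For this diagnosis, logging r.Method and r.ContentLength through log.Printf with rid would be enough. The commented-out BODY line should be either restored or dropped rather than committed as a comment, and note that the err != nil branch above only logs and then continues into header parsing.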

Which shows:

REQUEST: &http.Request{Method:"GET", URL:(*url.URL)(0xc00012a200), Proto:"HTTP/1.1", ProtoMajor:1, ProtoMinor:1, Header:http.Header{"Accept-Encoding":[]string{"gzip"}, "Content-Type":[]string{"application/json"}, "Referer":[]string{"http://nixie.home.honig.net:18140//hooks/gogs"}, "User-Agent":[]string{"GogsServer"}, "X-Github-Delivery":[]string{"9a37cb8c-151c-4801-9f38-f722e93c85fa"}, "X-Github-Event":[]string{"push"}, "X-Gogs-Delivery":[]string{"9a37cb8c-151c-4801-9f38-f722e93c85fa"}, "X-Gogs-Event":[]string{"push"}, "X-Gogs-Signature":[]string{"76cda40505e58837211ee37fe7e8c819e31f33a1221a686fbebbe5829002ea01"}}, Body:http.noBody{}, GetBody:(func() (io.ReadCloser, error))(nil), ContentLength:0, TransferEncoding:[]string(nil), Close:false, Host:"nixie.home.honig.net:18140", Form:url.Values(nil), PostForm:url.Values(nil), MultipartForm:(*multipart.Form)(nil), Trailer:http.Header(nil), RemoteAddr:"172.19.0.2:42716", RequestURI:"/hooks/gogs", TLS:(*tls.ConnectionState)(nil), Cancel:(<-chan struct {})(nil), Response:(*http.Response)(nil), ctx:(*context.valueCtx)(0xc0000f8360)}
REQUEST: http.noBody{}

Might I suggest checking for an empty body. And also bailing if the json.Decode() fails?

Thanks for your help finding my typo!
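
The failure in this thread, reproduced as an added example (not code from webhook or from anyone in the thread): a Go HTTP client that POSTs to a doubled-slash path and is answered with a 301 retries as a GET without the body, so there is nothing left for the HMAC-SHA256 check to verify. The 301 issued by the handler is an assumption about how the router canonicalises paths; `sign`, `hook`, `deliver` and the sample payload are constructed, and `hook` applies the method and empty-body checks suggested in the last comment.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"path"
)

const secret = "FRED" // the shareable secret from the post
var payload = []byte(`{"ref":"refs/heads/production"}`) // constructed sample
func sign(body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return fmt.Sprintf("%x", mac.Sum(nil))
}
// hook refuses requests that cannot carry a signed payload before comparing HMACs.
func hook(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	switch clean := path.Clean(r.URL.Path); {
	case clean != r.URL.Path: // assumption: the router 301s to the cleaned path
		http.Redirect(w, r, clean, http.StatusMovedPermanently)
	case r.Method != http.MethodPost:
		http.Error(w, "POST required", http.StatusMethodNotAllowed)
	case err != nil || len(body) == 0:
		http.Error(w, "empty or unreadable body", http.StatusBadRequest)
	case !hmac.Equal([]byte(sign(body)), []byte(r.Header.Get("X-Gogs-Signature"))):
		http.Error(w, "invalid signature", http.StatusForbidden)
	}
}
// deliver POSTs the payload and returns the final request's method and the status.
func deliver(urlPath, sig string) (string, int) {
	srv := httptest.NewServer(http.HandlerFunc(hook))
	defer srv.Close()
	req, _ := http.NewRequest("POST", srv.URL+urlPath, bytes.NewReader(payload))
	req.Header.Set("X-Gogs-Signature", sig)
	resp, err := srv.Client().Do(req)
	if err != nil {
		return "", 0
	}
	defer resp.Body.Close()
	return resp.Request.Method, resp.StatusCode
}
func main() {
	fmt.Println(deliver("//hooks/gogs", sign(payload))) // doubled slash, as in the Gogs setting
}
```

With the explicit method check, the redirected delivery is answered with a 405 that names the cause instead of a 500 and a signature error.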