webhook: gogs payload validation failed
I’m trying to use the webhook with Gogs (Go Git Server) and the payload validation is failing:
```
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | [webhook] 2020/05/19 23:25:29 [c84770] incoming HTTP GET request from 172.22.0.1:52448
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | [webhook] 2020/05/19 23:25:29 [c84770] gogs got matched
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | [webhook] 2020/05/19 23:25:29 [c84770] error parsing JSON payload EOF
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | [webhook] 2020/05/19 23:25:29 [c84770] error evaluating hook: invalid payload signatures [76cda40505e58837211ee37fe7e8c819e31f33a1221a686fbebbe5829002ea01]
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] GET /hooks/gogs
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] Accept-Encoding: gzip
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] Content-Type: application/json
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] Referer: http://nixie.home.honig.net:18140//hooks/gogs
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] User-Agent: GogsServer
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] X-Github-Delivery: f45348ae-7fdf-4697-8230-45b07e55e056
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] X-Github-Event: push
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] X-Gogs-Delivery: f45348ae-7fdf-4697-8230-45b07e55e056
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] X-Gogs-Event: push
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] X-Gogs-Signature: 76cda40505e58837211ee37fe7e8c819e31f33a1221a686fbebbe5829002ea01
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | > [c84770] id:
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | < [c84770] Internal Server Error
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | < [c84770] Error occurred while evaluating hook rules.
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k |
May 19 19:25:29 nixie docker-compose[3608844]: puppet_g10k | [webhook] 2020/05/19 23:25:29 [c84770] 500 | 43 B | 133.025µs | nixie.home.honig.net:18140 | GET /hooks/gogs
```
I’m using a version of https://github.com/camptocamp/docker-g10k-webhook where I’ve upgraded to 2.7.0 and swapped -verbose for -debug to try to debug this.
Now the funny thing is that I have a Python Flask implementation of a hook that verifies the signatures that has been working with Gogs webhooks for a long time.
The template file looks to be derived from the example in the git repo:
```yaml
- id: gogs
  execute-command: /push-to-g10k.sh
  command-working-directory: /
  pass-arguments-to-command:
    - source: payload
      name: ref
    - source: payload
      name: repository.ssh_url
  trigger-rule:
    and:
      - match:
          type: payload-hash-sha256
          secret: "{{ getenv "HOOK_SECRET" | js }}"
          parameter:
            source: header
            name: X-Gogs-Signature
```
I’ve verified that HOOK_SECRET in the environment is correct. I even replaced
with
secret: FRED
(which is the secret I’m using so that I can share stuff here).
Any tips to help debug this?
Gogs gives me the following information about the hook call:
```
Request URL: http://nixie.home.honig.net:18140//hooks/gogs
Request method: POST
Content-Type: application/json
X-Github-Delivery: 9a37cb8c-151c-4801-9f38-f722e93c85fa
X-Github-Event: push
X-Gogs-Delivery: 9a37cb8c-151c-4801-9f38-f722e93c85fa
X-Gogs-Event: push
X-Gogs-Signature: 76cda40505e58837211ee37fe7e8c819e31f33a1221a686fbebbe5829002ea01
```
```json
{
  "ref": "refs/heads/production",
  "before": "0d63846da1e52542b34ec1cd7f63598a42e4a9fe",
  "after": "0d63846da1e52542b34ec1cd7f63598a42e4a9fe",
  "compare_url": "",
  "commits": [
    {
      "id": "0d63846da1e52542b34ec1cd7f63598a42e4a9fe",
      "message": "fixup! Fix trim_ssd errors with FUSE% variables\n",
      "url": "https://git.home.honig.net/Sysadmin/puppet/commit/0d63846da1e52542b34ec1cd7f63598a42e4a9fe",
      "author": {
        "name": "Jeffrey C Honig",
        "email": "jch@honig.net",
        "username": "jch"
      },
      "committer": {
        "name": "Jeffrey C Honig",
        "email": "jch@honig.net",
        "username": "jch"
      },
      "added": null,
      "removed": null,
      "modified": [
        "site/profile/files/bin/trim_ssd"
      ],
      "timestamp": "0001-01-01T00:00:00Z"
    }
  ],
  "repository": {
    "id": 10,
    "owner": {
      "id": 3,
      "username": "Sysadmin",
      "login": "Sysadmin",
      "full_name": "Sysadmin repos",
      "email": "",
      "avatar_url": "https://git.home.honig.net/avatars/3"
    },
    "name": "puppet",
    "full_name": "Sysadmin/puppet",
    "description": "Server puppet configs",
    "private": true,
    "fork": false,
    "parent": null,
    "empty": false,
    "mirror": false,
    "size": 23244800,
    "html_url": "https://git.home.honig.net/Sysadmin/puppet",
    "ssh_url": "git@git-new.home.honig.net:Sysadmin/puppet.git",
    "clone_url": "https://git.home.honig.net/Sysadmin/puppet.git",
    "website": "",
    "stars_count": 0,
    "forks_count": 0,
    "watchers_count": 2,
    "open_issues_count": 0,
    "default_branch": "production",
    "created_at": "2017-04-22T23:31:30Z",
    "updated_at": "2020-05-19T13:02:51Z"
  },
  "pusher": {
    "id": 1,
    "username": "jch",
    "login": "jch",
    "full_name": "Jeffrey Honig",
    "email": "jch@honig.net",
    "avatar_url": "https://secure.gravatar.com/avatar/b25e2ae1f07ec30647f346df81d2d841"
  },
  "sender": {
    "id": 1,
    "username": "jch",
    "login": "jch",
    "full_name": "Jeffrey Honig",
    "email": "jch@honig.net",
    "avatar_url": "https://secure.gravatar.com/avatar/b25e2ae1f07ec30647f346df81d2d841"
  }
}
```
Any other suggestions for debugging this?
Thanks.
Jeff
About this issue
- State: closed
- Created 4 years ago
- Comments: 18 (6 by maintainers)
Commits related to this issue
- Signature validation should error on empty payload Updates #423 — committed to moorereason/webhook by moorereason 4 years ago
- Warn on failed validate of empty payload signature If signature validation fails on an empty payload, append a note to the end of the error message. Updates #423 — committed to moorereason/webhook by moorereason 4 years ago
D’oh! That was it!
Here’s some debugging that I added:
Which shows:
Might I suggest checking for an empty body. And also bailing if the json.Decode() fails?
Thanks for your help finding my typo!
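The empty-body check suggested in this thread, as an added example (not code from the webhook project or from any poster). It assumes `X-Gogs-Signature` carries the hex HMAC-SHA256 of the raw request body keyed with the hook secret, which is what a `payload-hash-sha256` rule compares; the function and error names are hypothetical and the sample body is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	errEmptyPayload = errors.New("empty payload: request carried no body to verify")
	errMalformedSig = errors.New("signature header is not 64 hex characters")
	errBadSignature = errors.New("signature does not match payload")
)

// signGogs returns hex(HMAC-SHA256(secret, body)), the assumed format of
// the X-Gogs-Signature header value.
func signGogs(secret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyGogs fails fast on an empty body so the operator sees the real cause
// instead of a generic signature mismatch, then compares in constant time.
func verifyGogs(secret, header string, body []byte) error {
	if len(body) == 0 {
		return errEmptyPayload
	}
	got, err := hex.DecodeString(header)
	if err != nil || len(got) != sha256.Size {
		return errMalformedSig
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), got) {
		return errBadSignature
	}
	return nil
}

func main() {
	secret := "FRED"                                  // throwaway secret quoted in the post
	body := []byte(`{"ref":"refs/heads/production"}`) // constructed sample body
	sig := signGogs(secret, body)
	fmt.Println("POST with body:", verifyGogs(secret, sig, body))
	fmt.Println("body dropped:  ", verifyGogs(secret, sig, nil))
	fmt.Println("wrong secret:  ", verifyGogs("WILMA", sig, body))
}
```

With the body missing, as in the logged GET request whose JSON parse ended in EOF, the verifier reports the empty payload rather than a signature mismatch against a correct secret.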