[JENKINS-73851] Add SHA-256 HMAC webhook signature validation #438
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add SignatureAlgorithm enum with SHA-256 as default and SHA-1 for legacy support - Extend GHWebhookSignature class to support SHA-256 HMAC computation - Update HookSecretConfig to include configurable signature algorithm - Modify RequirePostWithGHHookPayload.Processor to use configured algorithm - Add comprehensive unit tests for SHA-256 functionality - Maintain backwards compatibility with existing SHA-1 configurations - Log deprecation warnings when SHA-1 is used This implements GitHub's recommended SHA-256 HMAC signature validation while maintaining backwards compatibility through configuration. SHA-256 becomes the default for enhanced security. Resolves: JENKINS-73851 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
- Add doFillSignatureAlgorithmItems() method to provide dropdown options - Create signature algorithm selection dropdown in Jenkins configuration UI - Add help documentation for signature algorithm selection - Update HookSecretConfig constructor to parse algorithm from UI string input - Add parseSignatureAlgorithm() method with case-insensitive parsing - Update tests to work with new string-based constructor - Add comprehensive test cases for algorithm parsing edge cases Users can now choose between SHA-256 (Recommended) and SHA-1 (Legacy) signature algorithms through the Jenkins UI in the GitHub plugin configuration section. The dropdown properly displays both options with SHA-256 set as default for enhanced security, while SHA-1 remains available for legacy compatibility. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
- Remove trailing whitespace from all modified files - Fix line length violations by properly wrapping long lines - Fix operator wrap issues by placing operators on new lines - Maintain consistent code formatting throughout 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
- Remove IDE-specific configuration file from version control - Add .vscode/ directory to .gitignore to prevent future tracking - Keep IDE configurations local to individual developer environments 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
Maybe we can discuss about adding SHA-256 headers to validation tests. This is something github adds by default. |
…re algorithm - Add jenkins.github.webhook.signature.default system property - Allows overriding default from SHA-256 to SHA-1 for CI compatibility - Maintains SHA-256 as secure default when no property is set - Dynamic evaluation prevents static initialization issues - Added comprehensive test coverage and documentation Usage: - Default: SHA-256 (secure) - CI override: -Djenkins.github.webhook.signature.default=SHA1 - Invalid values fallback to SHA-256 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
|
some test failure.. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This implements GitHub's recommended SHA-256 HMAC signature validation while maintaining backwards compatibility through configuration. SHA-256 becomes the default for enhanced security.
Resolves: JENKINS-73851
Testing done
Submitter checklist