[JENKINS-74983] Add support for authenticated Webhooks registered in Bitbucket #1044

Open: wants to merge 1 commit into base: master

Conversation

nfalco79
Member

@nfalco79 nfalco79 commented May 16, 2025

Add signature check in the webhooks processor.

Development teams are not responsible for security; otherwise one project might enforce security and another might not, and the admin would have to constantly check that all projects have the correct configuration.
For this reason it must be enabled for all or none. Another consideration is that the webhook is configured globally. Users can disable it for a specific project and manage it manually, but this means that, if disabled, the global secret key must still be used.

The secret is not customisable per single project for the following reasons:

  • events should contain a duplicate of the payload to be verified only in the BitbucketSCMSource.retrieve method.
  • that means spending a lot of resources just to ignore the payload. Multiple fake requests would overload Jenkins, which has to process events to look up the right project.
  • could not respond to Bitbucket that the payload is invalid because events are managed asynchronously.
  • each event could serve multiple projects that potentially could be configured with a different secret.

@nfalco79 nfalco79 force-pushed the feature/JENKINS-74983 branch from c44b39e to cf2c3e1 on May 18, 2025 10:38
@nfalco79 nfalco79 force-pushed the feature/JENKINS-74983 branch 4 times, most recently from 903a287 to 55f31de on May 18, 2025 13:00
@nfalco79
Member Author

@KalleOlaviNiemitalo any idea where I can find the API Documentation to register a webhook secret for the "Jenkins and Azure DevOps Post Webhooks for Bitbucket"?

@nfalco79 nfalco79 force-pushed the feature/JENKINS-74983 branch from 55f31de to 5d6e547 on May 18, 2025 16:11
@nfalco79 nfalco79 marked this pull request as ready for review May 18, 2025 16:12
@@ -83,4 +85,12 @@
this.uuid = uuid;
}

public String getSecret() {

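Review bot: `public String getSecret()` at the end of this hunk overrides `BitbucketWebHook.getSecret` (as the CodeQL notice that follows also points out) but carries no `@Override` annotation; add it so that a later rename or signature change in `BitbucketWebHook` becomes a compile error instead of silently leaving an unrelated method that the webhook processor never calls. Since the getter hands back the HMAC secret as a plain `String`, callers of this class should also take care not to include it in any `toString()`, log line or serialized form.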
Check notice (Code scanning / CodeQL): Missing Override annotation. This method overrides BitbucketWebHook.getSecret; it is advisable to add an Override annotation.
@KalleOlaviNiemitalo
Contributor

I don't know whether "Jenkins and Azure DevOps Post Webhooks for Bitbucket" supports HMAC signatures in webhook requests. https://help.moveworkforward.com/BPW/how-to-choose-an-authentication-type lists only Basic, Bearer, and Kerberos authentication. https://help.moveworkforward.com/BPW/how-to-create-a-new-webhook and https://help.moveworkforward.com/BPW/how-to-manage-configurations-using-post-webhooks-f don't seem to mention a setting for the HMAC key.

@nfalco79 nfalco79 force-pushed the feature/JENKINS-74983 branch 6 times, most recently from 03bf7ba to 166de2d on May 18, 2025 17:43
…Bitbucket

Verify in the webhooks processor, when the signature is present, that it matches the configured
Add configuration in the global settings to set up HMAC credentials. The secret is not customisable per single project for the following reasons:
* events should contain a duplicate of the payload to be verified only in the BitbucketSCMSource.retrieve method.
* that means spending a lot of resources just to ignore the payload. Multiple fake requests would overload Jenkins, which has to process events to look up the right project.
* could not respond to Bitbucket that the payload is invalid because events are managed asynchronously.
* each event could serve multiple projects that potentially could be configured with a different secret.
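As an added illustration of the check that the PR description and the commit message both describe (this is example code written for this page, not the plugin's own implementation), the class below verifies an HMAC-SHA256 signature over the raw request body against one global secret, applies the all-or-none rule, and does so synchronously at the HTTP boundary, before the event would be handed to the asynchronous processing the description mentions, so that an invalid payload can still be rejected with an error response. The `X-Hub-Signature` header name and the `sha256=` prefix are assumed from Bitbucket's webhook conventions rather than taken from this page, and the secret and payload are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative HMAC-SHA256 webhook signature check (example code, not part of
 * the bitbucket-branch-source plugin). One global secret, enforced for all
 * projects or none, verified on the raw bytes before any event dispatch.
 */
public final class WebhookSignatureCheck {

    // Assumption: header and prefix follow Bitbucket's webhook convention;
    // neither is stated on the PR page itself.
    static final String SIGNATURE_HEADER = "X-Hub-Signature";
    private static final String PREFIX = "sha256=";

    private final byte[] secret;   // the single global secret from the PR design
    private final boolean enforce; // "enabled for all or none"

    WebhookSignatureCheck(String secret, boolean enforce) {
        this.secret = secret.getBytes(StandardCharsets.UTF_8);
        this.enforce = enforce;
    }

    /**
     * Returns true when the request may be queued for asynchronous processing.
     * Call this on the raw request body, before the JSON is parsed and before
     * any lookup of the projects the event might belong to.
     */
    boolean accept(String signatureHeader, byte[] rawBody) {
        if (signatureHeader == null || !signatureHeader.startsWith(PREFIX)) {
            // Missing or malformed signature: acceptable only when the
            // global check is switched off.
            return !enforce;
        }
        byte[] provided;
        try {
            provided = HexFormat.of().parseHex(signatureHeader.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            return false; // not valid hex: treat as a bad signature
        }
        byte[] expected = hmacSha256(secret, rawBody);
        // Constant-time comparison; also returns false on a length mismatch.
        return MessageDigest.isEqual(expected, provided);
    }

    /** HMAC-SHA256 of data under key, using the JDK's standard provider. */
    static byte[] hmacSha256(byte[] key, byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; a real deployment uses its own secret.
        String secret = "example-global-secret";
        byte[] body = "{\"eventKey\":\"repo:refs_changed\"}".getBytes(StandardCharsets.UTF_8);
        String good = PREFIX + HexFormat.of().formatHex(
                hmacSha256(secret.getBytes(StandardCharsets.UTF_8), body));

        WebhookSignatureCheck enforced = new WebhookSignatureCheck(secret, true);
        System.out.println("valid signature        -> " + enforced.accept(good, body));
        System.out.println("tampered body          -> " + enforced.accept(good,
                "{}".getBytes(StandardCharsets.UTF_8)));
        System.out.println("missing, enforced      -> " + enforced.accept(null, body));
        System.out.println("wrong secret           -> "
                + new WebhookSignatureCheck("other-secret", true).accept(good, body));

        WebhookSignatureCheck optional = new WebhookSignatureCheck(secret, false);
        System.out.println("missing, not enforced  -> " + optional.accept(null, body));
    }
}
```

The decisive design point is where `accept` runs: it needs the raw bytes as received, not a re-serialized JSON object, and it must run in the request thread so that a rejection can still be returned to Bitbucket as an error status. Once the event is on the asynchronous queue, as the description notes, there is no longer a caller to tell that the payload was invalid, and every fake request has already cost the project lookup.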
@nfalco79 nfalco79 force-pushed the feature/JENKINS-74983 branch from 166de2d to ceaf5e0 on May 19, 2025 09:21