
GitHub Webhook secret validation

Stack Overflow user
Asked 2021-10-06 22:33:49
Answers: 1 | Views: 291 | Followers: 0 | Votes: 0

I am trying to validate a GitHub webhook secret using API Gateway.

This is my lambda:

```python
import json
import hmac
import hashlib
import re


GITHUB_SECRET = 'HELLO WORLD' # from Github UI


def lambda_handler(event, context):
    print("Lambda execution starting up...")

    incoming_signature = re.sub(r'^sha1=', '', event['headers']['X-Hub-Signature'])
    enhanced_body_msg = json.dumps(event['body'], default=str)
    calculated_signature = calculate_signature(GITHUB_SECRET, enhanced_body_msg.encode('utf-8'))

    print("Incoming sig:", incoming_signature)
    print("calculated_signature:", calculated_signature)
    if incoming_signature != calculated_signature:
        print('Unauthorized attempt')
        return {
            'statusCode': 403,
            'body': json.dumps('Forbidden')
        }

    print('Request successfully authorized')

    # do stuff in Lambda

    return {
        'statusCode': 200,
        'body': json.dumps(f'Work in progress')
    }


def calculate_signature(github_signature, githhub_payload):
    signature_bytes = bytes(github_signature, 'utf-8')
    digest = hmac.new(key=signature_bytes, msg=githhub_payload, digestmod=hashlib.sha1)
    signature = digest.hexdigest()
    return signature
```

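I used this as a reference (Github Webhooks secret with AWS API Gateway), but it always fails to match. If anyone can spot a mistake, please point it out. I have also tried X-Hub-Signature-256, with the same problem.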

1 Answer

Stack Overflow user

Posted on 2021-10-07 00:42:26

Lambda function implementation using sha256:

```python
import hmac
import hashlib
import re


GITHUB_SECRET = 'hello' # from Github UI

def calculate_signature(github_signature, payload):
    """
    Signature calculator
    """
    signature_bytes = bytes(github_signature, 'utf-8')
    digest = hmac.new(key=signature_bytes, msg=payload, digestmod=hashlib.sha256)
    signature = digest.hexdigest()
    print(f"Calculated signature: {signature}")
    return signature

def lambda_handler(event, context):
    print("Lambda execution starting...")
    incoming_signature = re.sub(r'^sha256=', '', event['headers']['X-Hub-Signature-256'])
    print(f"Incoming Signature: {incoming_signature}")
    # Sign the request body exactly as received (no json.dumps re-serialisation)
    calculated_signature = calculate_signature(GITHUB_SECRET, event['body'].encode('utf-8'))
    # Constant-time comparison avoids leaking how many characters matched
    if not hmac.compare_digest(incoming_signature, calculated_signature):
        print("Unauthorized attempt")
        # Stop here so the Lambda logic never runs for an unverified request
        return {'statusCode': 403, 'body': 'Forbidden'}
    else:
        print("Authorized access")
    # Lambda logic
```

In API Gateway configuration, ensure the `Lambda Proxy Integration` box is checked, else the body from GitHub is not what is needed.
Votes: 1
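
An added example, not part of the original question or answer: it shows why signing `json.dumps(event['body'])` never matches while signing the raw body does, and goes slightly further by handling base64-encoded bodies and header-name case in a proxy-integration event. The secret, payload and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = "constructed-demo-secret"  # constructed value, not a real webhook secret


def sign(secret: str, raw: bytes) -> str:
    """Return the X-Hub-Signature-256 value for these exact bytes."""
    mac = hmac.new(secret.encode("utf-8"), raw, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def raw_body(event: dict) -> bytes:
    """Recover the signed bytes from a Lambda proxy-integration event."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        return base64.b64decode(body)
    return body.encode("utf-8")


def verify(event: dict, secret: str = SECRET) -> bool:
    """Constant-time check of the signature header against the raw body."""
    # Header names can arrive in any case, so match case-insensitively.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    received = headers.get("x-hub-signature-256", "")
    expected = sign(secret, raw_body(event))
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


def resign_after_json_dumps(event: dict, secret: str = SECRET) -> str:
    """The question's approach: json.dumps() the body string, then sign it."""
    return sign(secret, json.dumps(event["body"], default=str).encode("utf-8"))


# Constructed sample delivery: compact JSON exactly as sent on the wire.
PAYLOAD = b'{"zen":"Keep it logically awesome.","hook_id":1}'
EVENT = {
    "headers": {"x-hub-signature-256": sign(SECRET, PAYLOAD)},
    "body": PAYLOAD.decode("utf-8"),
    "isBase64Encoded": False,
}

if __name__ == "__main__":
    print("raw body verifies:", verify(EVENT))
    print("json.dumps re-signing:", resign_after_json_dumps(EVENT))
```

`json.dumps` on a string wraps it in quotes and escapes the inner quotes, so the HMAC is computed over different bytes than the ones GitHub signed.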
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/69473408
