Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

[closed] HTTP 403 when trying to call the GitHub WebHook using curl

  Currently I'm trying to integrate GitHub (hosted in a cloud) with an internal RTC System. As the systems have no direct connection I'm using a runner which is called inside the internal network. 


The runner invokes the following curl statement:

curl -X POST --data /net/XXX/fs0/ALM-actions-runner/_work/_temp/_github_workflow/event.json "$RTC_GITHUB_ENDPOINT" -H "Content-Type: application/json" -H "x-github-event: push" 

But I always receive an HTTP 403 as a response. So my question is: why does calling the URL not work?

Git access is granted in RTC. I've also tried it with a functional user. And I tried using a secret, but for this my question would be: how do I pass the secret to the Git WebHook? What is the proper parameter name for it? I've tried several, but nothing worked.

E.g. curl -X POST --data $GITHUB_EVENT_PATH "$RTC_GITHUB_ENDPOINT" -H "$HEADER_CONTENT_TYPE" -H "$HEADER_GITHUB_EVENT" -H "X-Hub-Signature: sha1=MY_HASH"

Thanks for any help!
      

0 votes


The question has been closed for the following reason: "The question is answered, right answer was accepted" by davidhoney Mar 16 '23, 5:50 a.m.

Accepted answer

If someone is interested in the solution, this solved my problem:


Example shell script:

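# Cookie jar that carries the session between the requests
COOKIES=./cookies.txt

USER=xxx
PASSWORD="sha1=xxx"
HOST="xxx"

# Note: -k turns off TLS certificate verification on every request below
# First request opens a session and stores its cookies
curl -k -c "$COOKIES" "$HOST/authenticated/identity"

# Form-based login; -L follows the redirect, -c saves the authenticated session
curl -k -L -b "$COOKIES" -c "$COOKIES" -d "j_username=$USER" -d "j_password=$PASSWORD" "$HOST/authenticated/j_security_check"

RTC_GITHUB_ENDPOINT="xxx"
HEADER_CONTENT_TYPE="Content-Type: application/json"
HEADER_GITHUB_EVENT="x-github-event: push"
# Post the event payload from the file data_prd.json using the session cookies
curl -k -b "$COOKIES" -X POST --data "@data_prd.json" "$RTC_GITHUB_ENDPOINT" -H "$HEADER_CONTENT_TYPE" -H "$HEADER_GITHUB_EVENT"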

Ralph Schoon selected this answer as the correct answer

0 votes

Comments

Thanks for sharing. 

Some additional thoughts. 

  1. I think you use form based authentication, so in other cases the authentication might look different.
  2. Please keep in mind that the authentication has an expiration time.
 


One other answer

I found the root cause. The problem is the missing header X-Jazz-CSRF-Prevent with a valid JSessionID.


But the web hook call has no session and it should work without this header. 

How can this behavior be changed?

0 votes

Comments

Try a value such as "1" instead of the JSessionID.

I've already tried that, but it only works with a valid JSessionID.
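
The second answer above names a missing X-Jazz-CSRF-Prevent header carrying a valid JSessionID as the cause of the 403. As an added example (not code from this thread or from IBM), the script below reads that value from the cookie jar written by the accepted answer's login requests and rejects an expired cookie, the case raised in the comment on the accepted answer. The function names, the host and the cookie values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build the X-Jazz-CSRF-Prevent header
# from the JSESSIONID stored in a cookie jar written by `curl -c`.

# jazz_session_id JAR [NOW] - print the JSESSIONID value.
# Returns 1 if the jar has no such cookie, 2 if the cookie has expired.
jazz_session_id() {
    jar=$1
    now=${2:-$(date +%s)}
    awk -F '\t' -v now="$now" '
        # curl writes HttpOnly cookies as "#HttpOnly_<domain>..."; these
        # lines are cookies, not comments, so strip the prefix first.
        { sub(/^#HttpOnly_/, "") }
        /^#/ || NF != 7 { next }
        $6 == "JSESSIONID" {
            # Field 5 is the expiry (epoch seconds); 0 = session cookie.
            if ($5 != 0 && $5 < now) { expired = 1; next }
            value = $7          # last unexpired match wins
        }
        END {
            if (value != "") { print value; exit 0 }
            exit (expired ? 2 : 1)
        }
    ' "$jar"
}

# csrf_header JAR [NOW] - print the header line to pass to `curl -H`.
csrf_header() {
    sid=$(jazz_session_id "$@") || return $?
    printf 'X-Jazz-CSRF-Prevent: %s\n' "$sid"
}

# Constructed sample jar; host and cookie values are made up.
sample_jar() {
    printf '# Netscape HTTP Cookie File\n'
    printf '#HttpOnly_rtc.example.test\tFALSE\t/ccm\tTRUE\t0\tJSESSIONID\t0000AbCdEf123\n'
    printf 'rtc.example.test\tFALSE\t/\tFALSE\t1700000000\tOTHER\tx\n'
}

demo_jar=$(mktemp)
sample_jar > "$demo_jar"
csrf_header "$demo_jar"
# Real use, after the two login requests from the accepted answer:
#   curl -b "$COOKIES" -H "$(csrf_header "$COOKIES")" ... "$RTC_GITHUB_ENDPOINT"
rm -f "$demo_jar"
```

A filter that drops every line starting with # would miss the session cookie whenever the server sets it HttpOnly, which is why the prefix is stripped before comment lines are skipped.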

Question details

Question asked: Jan 26 '23, 7:38 a.m.

Question was seen: 1,134 times

Last updated: Mar 16 '23, 5:50 a.m.
