[closed] HTTP 403 when trying to call the GitHub WebHook using curl


Christian Sommerfeld (26) | asked Jan 26 '23, 7:38 a.m.
closed Mar 16 '23, 5:50 a.m. by David Honey (1.8k17)

  Currently I'm trying to integrate GitHub (hosted in a cloud) with an internal RTC System. As the systems have no direct connection I'm using a runner which is called inside the internal network. 


The runner invokes the following curl statement:

curl -X POST --data /net/XXX/fs0/ALM-actions-runner/_work/_temp/_github_workflow/event.json "$RTC_GITHUB_ENDPOINT" -H "Content-Type: application/json" -H "x-github-event: push" 

But I always receive an HTTP 403 as a response. So my question is: why does calling the URL not work?

Git access is granted in RTC. I've also tried it with a functional user. And I tried using a secret, but for this my question would be: how do I pass the secret to the Git WebHook? What is the proper parameter name for it? I've tried several, but nothing has worked.

E.g. curl -X POST --data $GITHUB_EVENT_PATH "$RTC_GITHUB_ENDPOINT" -H "$HEADER_CONTENT_TYPE" -H "$HEADER_GITHUB_EVENT" -H "X-Hub-Signature: sha1=MY_HASH"

Thanks for any help!
      

The question has been closed for the following reason: "The question is answered, right answer was accepted" by davidhoney Mar 16 '23, 5:50 a.m.

Accepted answer


Christian Sommerfeld (26) | answered Mar 16 '23, 3:52 a.m.

If someone is interested in the solution, this solved my problem:


Example shell script:

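COOKIES=./cookies.txt

USER=xxx
PASSWORD="sha1=xxx"
HOST="xxx"

# -k skips TLS certificate verification; remove it when the runner trusts the server certificate.
# The first request opens a session and stores its cookies in the jar.
curl -k -c "$COOKIES" "$HOST/authenticated/identity"

# Form-based login; afterwards the cookie jar holds an authenticated session.
curl -k -L -b "$COOKIES" -c "$COOKIES" -d "j_username=$USER" -d "j_password=$PASSWORD" "$HOST/authenticated/j_security_check"

RTC_GITHUB_ENDPOINT="xxx"
HEADER_CONTENT_TYPE="Content-Type: application/json"
HEADER_GITHUB_EVENT="x-github-event: push"
# Post the event payload with the authenticated session cookies.
curl -k -b "$COOKIES" -X POST --data "@data_prd.json" "$RTC_GITHUB_ENDPOINT" -H "$HEADER_CONTENT_TYPE" -H "$HEADER_GITHUB_EVENT"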

Ralph Schoon selected this answer as the correct answer

Comments
Ralph Schoon commented Mar 16 '23, 4:09 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Thanks for sharing. 

Some additional thoughts. 

  1. I think you use form-based authentication, so in other cases the authentication might look different.
  2. Please keep in mind that the authentication has an expiration time.
 

One other answer



Christian Sommerfeld (26) | answered Mar 10 '23, 5:53 a.m.

I found the root cause. The problem is the missing header X-Jazz-CSRF-Prevent with a valid JSessionID.


But the web hook call has no session and it should work without this header. 

How can this behavior be changed?


Comments
David Honey commented Mar 10 '23, 5:59 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Try a value such as "1" instead of the JSessionID.


Christian Sommerfeld commented Mar 10 '23, 6:00 a.m.

I've already tried that, but it only works with a valid JSessionID.
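
Putting the two answers together, as an added example that is not part of the thread: it reads the JSESSIONID from the cookie jar written by the login in the accepted answer and builds the X-Jazz-CSRF-Prevent header named in the other answer, refusing to use a cookie that has already expired. The function names, the host and the cookie value are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# jsessionid_from_jar JAR [NOW_EPOCH]
# Prints the JSESSIONID stored in a curl cookie jar (Netscape format:
# domain, subdomain flag, path, secure, expiry, name, value; tab separated).
# Returns 1 if no such cookie exists, 2 if the only ones found have expired.
jsessionid_from_jar() {
    awk -F '\t' -v now="${2:-$(date +%s)}" '
        { sub(/^#HttpOnly_/, "") }      # curl prefixes HttpOnly cookies
        /^#/ || NF < 7 { next }         # comments and malformed lines
        $6 == "JSESSIONID" {
            # expiry 0 is a session cookie: only the server can time it out
            if ($5 != 0 && $5 <= now) { expired = 1; next }
            value = $7
        }
        END {
            if (value != "") { print value; exit 0 }
            if (expired) exit 2
            exit 1
        }' "$1"
}

# csrf_header JAR [NOW_EPOCH]: prints the header line, same return codes.
csrf_header() {
    id=$(jsessionid_from_jar "$@") || return $?
    printf 'X-Jazz-CSRF-Prevent: %s\n' "$id"
}

# post_event JAR URL PAYLOAD_FILE: sends the event with cookies and header.
# The caller repeats the login when this returns 1 or 2.
post_event() {
    hdr=$(csrf_header "$1") || return $?
    curl -b "$1" -X POST --data "@$3" "$2" \
        -H "Content-Type: application/json" -H "x-github-event: push" -H "$hdr"
}

# Demo on a constructed cookie jar (host and value are made up).
demo_jar=$(mktemp)
printf '#HttpOnly_rtc.example.invalid\tFALSE\t/\tTRUE\t0\tJSESSIONID\tCONSTRUCTED0123\n' > "$demo_jar"
csrf_header "$demo_jar"
rm -f "$demo_jar"
```

A return status of 2 means the cookie in the jar has expired and the login has to be repeated before posting; a session cookie with expiry 0 can still be timed out on the server side.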