gitee-webhook 部署测试

2025-06-25 11:37:36 +08:00 · 2025-06-25 11:37:36 +08:00 · 2c7a88f900
parent 5f77193e57
commit 2c7a88f900
2 changed files with 102 additions and 32 deletions
--- a/web/src/main/java/com/dite/znpt/web/controller/DeployController.java
+++ b/web/src/main/java/com/dite/znpt/web/controller/DeployController.java
@ -1,41 +1,47 @@
-package com.dite.znpt.web.controller;
+package com.dite.znpt.web.build;
-import org.apache.commons.codec.binary.Hex;
+import cn.hutool.core.util.StrUtil;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.MessageDigest;
@RestController
 public class DeployController {
    @Value("${deploy.secret}")
-    private String secret;
+    private String webhookSecret;
-    @Value("${deploy.app-dir}")
+    @Value("${deploy.build-dir}")
-    private String appDir;
+    private String buildDir;
    private Process deploymentProcess;
    private final GiteeSignatureVerifier signatureVerifier = new GiteeSignatureVerifier();
    @PostMapping("/gitee-webhook")
    public ResponseEntity<String> handleWebhook(
-            @RequestHeader(value = "X-Gitee-Token", required = false) String signature,
+            @RequestHeader(value = "X-Gitee-Token", required = false) String receivedSignature,
            @RequestHeader(value = "X-Gitee-Timestamp", required = false) String timestamp,
            @RequestBody String payload) {
-        // 验证签名
+        // 0. 基本验证
-        if (signature == null || !signature.equals(calculateSignature(payload))) {
+        if (StrUtil.isAllNotBlank(receivedSignature, timestamp)) {
-            return ResponseEntity.status(401).body("无效签名");
+            return ResponseEntity.status(403).body("签名验证失败");
        }
-        // 安全启动部署
+        // 1. 验证签名
        if (!signatureVerifier.verifySignature(receivedSignature, timestamp, payload, webhookSecret)) {
            System.out.println("签名验证失败");
            return ResponseEntity.status(403).body("签名验证失败");
        }
        // 2. 启动部署流程
        startDeployment();
        return ResponseEntity.ok("部署流程已启动");
@ -44,7 +50,7 @@ public class DeployController {
    @GetMapping("/deployment-status")
    public ResponseEntity<String> getDeploymentStatus() {
        try {
-            Path statusFile = Path.of(appDir, "deployment-status.txt");
+            Path statusFile = Path.of(buildDir, "deployment-status.txt");
            if (!Files.exists(statusFile)) {
                return ResponseEntity.ok("尚未开始部署");
            }
@ -60,7 +66,7 @@ public class DeployController {
    public ResponseEntity<String> getDeploymentLog(
            @RequestParam(defaultValue = "20") int lines) {
        try {
-            Path logFile = Path.of(appDir, "deploy.log");
+            Path logFile = Path.of(buildDir, "deploy.log");
            if (!Files.exists(logFile)) {
                return ResponseEntity.ok("无可用日志");
            }
@ -85,12 +91,9 @@ public class DeployController {
        }
        try {
            // 清理旧状态
            Files.deleteIfExists(Path.of(appDir, "deployment-status.txt"));
            // 启动部署脚本
            ProcessBuilder builder = new ProcessBuilder("./deploy.sh");
-            builder.directory(new File(appDir));
+            builder.directory(new File(buildDir));
            builder.redirectErrorStream(true);
            deploymentProcess = builder.start();
@ -119,7 +122,7 @@ public class DeployController {
        } catch (Exception e) {
            System.err.println("启动部署脚本失败: " + e.getMessage());
            try {
-                Files.writeString(Path.of(appDir, "deployment-status.txt"),
+                Files.writeString(Path.of(buildDir, "deployment-status.txt"),
                        "START_FAILED - " + e.getMessage());
            } catch (Exception ex) {
                // 忽略
@ -142,16 +145,4 @@ public class DeployController {
        }
        return output.toString();
    }
    private String calculateSignature(String payload) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            byte[] signatureBytes = digest.digest(
                    (payload + secret).getBytes(StandardCharsets.UTF_8)
            );
            return Hex.encodeHexString(signatureBytes);
        } catch (Exception e) {
            throw new RuntimeException("签名生成失败", e);
        }
    }
 }
--- a/web/src/main/java/com/dite/znpt/web/build/GiteeSignatureVerifier.java
+++ b/web/src/main/java/com/dite/znpt/web/build/GiteeSignatureVerifier.java
@ -0,0 +1,79 @@
 package com.dite.znpt.web.build;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.time.Instant;
 import java.util.Base64;
 public class GiteeSignatureVerifier {
    private static final long MAX_TIME_DIFF = 3600 * 1000; // 1小时（毫秒）
    public boolean verifySignature(String receivedSignature,
                                   String receivedTimestamp,
                                   String payload,
                                   String secret) {
        // 1. 验证时间有效性（避免重放攻击）
        if (!validateTimestamp(receivedTimestamp)) {
            System.out.println("时间戳超出允许范围");
            return false;
        }
        // 2. 计算期望签名
        String computedSignature = computeSignature(
                receivedTimestamp,
                payload,
                secret
        );
        // 3. 安全比较签名（防止时序攻击）
        return constantTimeEquals(receivedSignature, computedSignature);
    }
    private boolean validateTimestamp(String timestampStr) {
        try {
            long timestamp = Long.parseLong(timestampStr);
            long currentTime = Instant.now().toEpochMilli();
            return Math.abs(currentTime - timestamp) < MAX_TIME_DIFF;
        } catch (NumberFormatException e) {
            System.err.println("无效的时间戳格式: " + timestampStr);
            return false;
        }
    }
    private String computeSignature(String timestamp, String payload, String secret) {
        try {
            // Step 1: HMAC-SHA256(ts + "\n" + secret)
            String data = timestamp + "\n" + secret;
            Mac hmac = Mac.getInstance("HmacSHA256");
            SecretKeySpec keySpec = new SecretKeySpec(
                    secret.getBytes(StandardCharsets.UTF_8),
                    "HmacSHA256"
            );
            hmac.init(keySpec);
            byte[] rawSignature = hmac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            // Step 2: Base64 encode
            String base64Sig = Base64.getEncoder().encodeToString(rawSignature);
            // Step 3: URL encode
            return URLEncoder.encode(base64Sig, StandardCharsets.UTF_8.toString());
        } catch (Exception e) {
            throw new RuntimeException("签名计算失败", e);
        }
    }
    // 防止时序攻击的安全字符串比较
    private boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null || a.length() != b.length()) {
            return false;
        }
        int result = 0;
        for (int i = 0; i < a.length(); i++) {
            result |= a.charAt(i) ^ b.charAt(i);
        }
        return result == 0;
    }
 }