
I'm looking at implementing some functionality in Runbooks, accessed via a webhook. The runbooks will be called from a HALO (ITSM) workflow, through to GitHub and then into Azure.

I'm having problems assuring my security people that webhooks are secure (probably because they aren't). I need my Runbook to be certain that the call has come from an authorized source.

So - network solution ... I'm guessing I need some VPN-like link between GitHub and Azure - or something like HMAC (?).

Or code solution ... I suspect there's an Azure call I can do to generate an Azure token (maybe a timed one) from GitHub (or HALO) and then validate that token in my runbook. That's not an Azure Personal Access Token though ... or is it? Or is HMAC the way to go?

I'm sure this has been handled before - any pointers? Thanks!

Comments

  • There are plenty of ways to provide assurance of the caller's authenticity using webhooks, and to assert otherwise is ignorant at best. See GitHub's approach. How you accomplish this will mostly vary depending on the caller's implementation of such an authentication structure, but the documentation for your ITSM of choice doesn't make it abundantly clear at first glance if/how they support this. Commented May 14 at 0:19
  • Well, thanks for the comments. I have a solution which I've posted below. My comment was that webhooks aren't secure by themselves. The caller needs to be identified in some way, manually. Commented May 19 at 3:23

1 Answer

Came up with an answer that I believe is satisfactory, so I'm posting it here. I actually used an HMAC solution, basing the hash key on the parameters passed into the GitHub program. I run that program on a GitHub local runner, and start the webhook (on the same server) with the same parameters passed in, and the generated hash key as an extra one.

The runbook behind the webhook generates its own hash key from the same parameters and compares it against the one passed in. If they don't match, I reject.

Hopefully this helps someone else.
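As an added, stand-alone illustration of the HMAC scheme described in the answer above (this is example code, not the answerer's runbook or GitHub job), here are both halves of the exchange: the sender computes an HMAC-SHA256 over the parameters plus a timestamp, and the receiver recomputes it, compares in constant time, rejects stale requests, and rejects a repeated signature. The secret, the parameter names and the 300-second window are assumptions for the example; the pattern is the same one GitHub uses for its own outbound webhook signatures (X-Hub-Signature-256). The one property to check in any such deployment is that the HMAC key is a secret held only by the two endpoints: an HMAC keyed on nothing but the visible parameters can be recomputed by anyone who can see them.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Set, Tuple

# Assumption for this example: a shared secret known only to the sender and
# the runbook. In practice it would be a GitHub Actions secret on one side and
# an Azure Automation encrypted variable or Key Vault secret on the other.
SHARED_SECRET = b"example-shared-secret-replace-me"

# Requests older (or newer) than this many seconds are rejected (assumed window).
MAX_SKEW_SECONDS = 300


def canonical_payload(params: dict, timestamp: int) -> bytes:
    """Serialise the parameters deterministically so both sides hash identical bytes."""
    body = {"params": params, "ts": timestamp}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(params: dict, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """Sender side: HMAC-SHA256 over the canonical payload, hex encoded."""
    return hmac.new(secret, canonical_payload(params, timestamp), hashlib.sha256).hexdigest()


def build_request(params: dict, now: Optional[int] = None) -> dict:
    """What the GitHub job would POST to the webhook: params, timestamp, signature."""
    ts = int(time.time()) if now is None else now
    return {"params": params, "ts": ts, "sig": sign(params, ts)}


def verify_request(
    req: dict,
    now: Optional[int] = None,
    secret: bytes = SHARED_SECRET,
    seen: Optional[Set[str]] = None,
) -> Tuple[bool, str]:
    """Receiver side (the runbook). Returns (accepted, reason).

    `seen` is an optional set of signatures already accepted; passing the same
    set across calls gives replay protection within the time window.
    """
    now = int(time.time()) if now is None else now
    try:
        params, ts, sig = req["params"], int(req["ts"]), str(req["sig"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed request"

    # Reject requests outside the window before doing any crypto.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside accepted window"

    # Recompute from the received parameters and compare in constant time.
    expected = sign(params, ts, secret)
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"

    # A valid signature presented twice inside the window is a replay.
    if seen is not None:
        if sig in seen:
            return False, "replayed request"
        seen.add(sig)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample parameters, as a HALO ticket might supply them.
    request = build_request({"ticket": "INC0001", "action": "restart"})
    print(verify_request(request))
```

The receiver checks the timestamp first and only then the signature, so a flood of stale or malformed requests costs no HMAC computations; `hmac.compare_digest` keeps the comparison from leaking how many leading characters matched.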
