Jenkins Docker Container - 403 No valid crumb was included in the request

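Stack Overflow user
Asked 2018-01-04 07:42:50
Answers: 3 | Views: 4.1K | Followers: 0 | Votes: 4

I'm setting up my Jenkins server, and on simple requests in the web interface, such as creating a folder, a pipeline, or a job, I periodically get the following error: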

HTTP ERROR 403
Problem accessing /job/Mgmt/createItem. Reason:

    No valid crumb was included in the request

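The server is using the jenkins/jenkins container, orchestrated by Kubernetes on a cluster on AWS created with kops. It sits behind a classic ELB.

Why might I be experiencing this? I thought the crumb was there to counter specific CSRF requests, but all I'm doing is using the Jenkins web interface.

3 Answers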

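Stack Overflow user

Answered 2018-03-08 02:04:23

Enabling proxy compatibility may help to solve this issue. Go to Settings -> Security and enable proxy compatibility in the Protection section.

Some HTTP proxies filter out information that the default crumb issuer uses to calculate the nonce value. If an HTTP proxy sits between your browser client and your Jenkins server and you receive a 403 response when submitting a form to Jenkins, checking this option may help. Using this option makes the nonce value easier to forge.

Votes: 3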

Stack Overflow user

Answered 2019-11-02 00:56:50

After a couple of hours of struggling, I was finally able to make it work with curl:

export JENKINS_URL=http://localhost
export JENKINS_USER=user
export JENKINS_TOKEN=mytoken
export COOKIE_JAR=/tmp/cookies

# Fetch the crumb as "<header name>:<value>" and save the session cookie to the jar
JENKINS_CRUMB=$(curl --silent --cookie-jar "$COOKIE_JAR" "$JENKINS_URL"'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' -u "$JENKINS_USER:$JENKINS_TOKEN")

echo "$JENKINS_CRUMB"

# Send the same session cookie back together with the crumb header
curl --cookie "$COOKIE_JAR" "$JENKINS_URL/createItem?name=yourJob" --data-binary @jenkins/config.xml -H "$JENKINS_CRUMB" -H "Content-Type:text/xml" -u "$JENKINS_USER:$JENKINS_TOKEN" -v
Votes: 2

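Stack Overflow user

Answered 2019-11-27 22:54:15

When calling http://JENKINS_SERVER:JENKINS_PORT/JENKINS_PREFIX/crumbIssuer/api/json you receive a header ("Set-Cookie") that sets a JSESSIONID, so you must supply it in the requests you issue afterwards.

The reason is that Jenkins tests for a valid crumb in this manner: it compares the crumb you send in the request with a crumb it generates on the server side (using your session id).

You can see it in the Jenkins code: scroll down to the method: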

public boolean validateCrumb(ServletRequest request, String salt, String crumb)

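This means you have to include the session in the next requests (after fetching the crumb)!

So you must use curl --cookie, as ThiagoAlves said in his solution.

I use Java, so I used the following tester (HTTPClient would be nicer, but I wanted a simple Java example only):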

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;


public class JobRunner
{
    String jenkinsUser = "tester";
    String jenkinsPassword = "1234"; // password or API token
    String jenkinsServer = "localhost";
    String jenkinsPort = "8080";
    String jenkinsPrefix = "/jenkins";

    String jSession = null;
    String crumb = null;
    HttpURLConnection connection = null;
    String responseBody = "";

    public void openConnection(String requestMethod, String relativeURL) throws Exception
    {       
        // prepare the authentication string
        String authenticationString = jenkinsUser + ":" + jenkinsPassword;
        String encodedAuthenticationString = Base64.getEncoder().encodeToString(authenticationString.getBytes("utf-8"));

        // construct the url and open a connection to it
        URL url = new URL("http://" + jenkinsServer + ":" + jenkinsPort + jenkinsPrefix + relativeURL);
        connection = (HttpURLConnection) url.openConnection();

        // set the login info as a http header
        connection.setRequestProperty("Authorization", "Basic " + encodedAuthenticationString);

        // set the request method
        connection.setRequestMethod(requestMethod);
    }

    public void readResponse() throws Exception
    {
        // get response body and set it in the body member
        int responseCode = connection.getResponseCode();
        switch (responseCode)
        {
        case 401:
            System.out.println("server returned 401 response code - make sure your user/password are correct");
            break;

        case 404:
            System.out.println("server returned 404 response code - make sure your url is correct");
            break;

        case 201:
        case 200:
            System.out.println("server returned " + responseCode + " response code");
            InputStream responseBodyContent = connection.getInputStream();
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(responseBodyContent));
            String currentLine;
            while ((currentLine = bufferedReader.readLine()) != null)
            {
                responseBody = responseBody + currentLine + "\n";
            }
            break;

        default:
            System.out.println("server returned error response code: " + responseCode);
            break;
        }
    }

    public void setSessionCookie() throws Exception
    {
        jSession = connection.getHeaderField("Set-Cookie"); 
        System.out.println("jSession: " + jSession);
    }

    public void disconnect() throws Exception
    {
        if(connection!=null)
        {
            connection.disconnect();
            connection = null;
            responseBody = "";
        }
    }

    public void getCrumb() throws Exception
    {
        try
        {
            openConnection("GET", "/crumbIssuer/api/json");
            readResponse();
            setSessionCookie();

            int crumbIndex = responseBody.indexOf("crumb\":\"");
            if(crumbIndex!=-1)
            {
                int crumbIndexEnd = responseBody.indexOf("\",\"", crumbIndex);

                crumb = responseBody.substring(crumbIndex + "crumb\":\"".length(), crumbIndexEnd);
                System.out.println(crumb);
            }
        }
        finally
        {
            disconnect();
        }
    }

    public void runJob() throws Exception
    {
        try
        {
            openConnection("POST", "/job/test/build");

            connection.setDoOutput(true);
            connection.setRequestProperty("Cookie", jSession);
            connection.setRequestProperty("Jenkins-Crumb", crumb);

            readResponse();
            System.out.println("Post response: " + responseBody);
        }
        finally
        {
            disconnect();
        }
    }

    public static void main(String[] args)
    {
        JobRunner jobRunner = new JobRunner();

        try
        {
            jobRunner.getCrumb();

            jobRunner.runJob();
        }
        catch (Exception err)
        {
            err.printStackTrace();
        }
    }
}
Votes: 1
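
Added example, not part of the original answers and not Jenkins's own code: a simplified Python model of the check described in the last answer (the server recomputes the crumb using the session id) and of the proxy compatibility option from the first answer. The function names, the salt, the use of SHA-256 and the `user;address;session` input layout are assumptions of this sketch.

```python
import hashlib
import hmac

SALT = "constructed-instance-salt"  # constructed; a real server keeps its own secret


def issue_crumb(user, session_id, client_ip, proxy_compat=False):
    """Derive the crumb from properties of the request (simplified model)."""
    parts = [user]
    if not proxy_compat:
        # Proxy compatibility leaves the client address out of the input.
        parts.append(client_ip)
    parts.append(session_id)
    material = ";".join(parts) + SALT
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def validate_crumb(request, proxy_compat=False):
    """Recompute the crumb for this request and compare it with the one sent."""
    expected = issue_crumb(request["user"], request["session_id"],
                           request["client_ip"], proxy_compat)
    return hmac.compare_digest(expected, request.get("crumb", ""))


def scenarios():
    """Return {scenario: accepted?} for constructed sample requests."""
    crumb = issue_crumb("alice", "sess-A", "10.0.0.5")
    base = {"user": "alice", "session_id": "sess-A",
            "client_ip": "10.0.0.5", "crumb": crumb}
    results = {"same session, same address": validate_crumb(base)}
    # The client did not send the cookie back, so the server sees a new session.
    results["cookie not replayed"] = validate_crumb(dict(base, session_id="sess-B"))
    # A proxy or load balancer in the path changes the address the server sees.
    moved = dict(base, client_ip="10.0.0.9")
    results["address changed"] = validate_crumb(moved)
    # With proxy compatibility, issuing and checking both ignore the address,
    # so the crumb is no longer bound to where the request comes from.
    compat = issue_crumb("alice", "sess-A", "10.0.0.5", proxy_compat=True)
    results["address changed, proxy compat"] = validate_crumb(
        dict(moved, crumb=compat), proxy_compat=True)
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else '403 no valid crumb'}")
```
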
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/48086724
