Version: Jenkins 2.303.1

Jenkins 403 "No valid crumb was included in the request": solutions

Error list

1. Calling the API endpoint fails, even though the CSRF proxy has already been disabled

Error 403 No valid crumb was included in the request

HTTP ERROR 403 No valid crumb was included in the request

URI:/jenkins/job/BTest/build
STATUS:403
MESSAGE:No valid crumb was included in the request
SERVLET:Stapler


Powered by Jetty:// 9.4.42.v20210604

2. Wrong account/password error; just supply the correct password

Error 401 Unauthorized

HTTP ERROR 401 Unauthorized

URI:/jenkins/job/BTest/build
STATUS:401
MESSAGE:Unauthorized
SERVLET:Stapler


Powered by Jetty:// 9.4.42.v20210604

Looking for an approach to the first error: I need to send a POST request to Jenkins from a webhook, and it fails with a 403. One feasible solution is to add a crumb to the request header.

The error says the request does not contain a crumb, but after adding one it still fails, so I suspect a permission-check problem in Jenkins itself.

There are also solutions online that modify the source code to get around this kind of problem.

There are also cases where it was solved by configuring CSRF protection directly (but I could not get that to work): https://stackoverflow.com/questions/44711696/jenkins-403-no-valid-crumb-was-included-in-the-request/54750559#54750559

The final fix came from a reply found online:

According to the article: https://coderedirect.com/questions/191379/jenkins-403-no-valid-crumb-was-included-in-the-request

A simple solution without need of making changes to source code (validated with Jenkins v2.222):

1. Install the Strict Crumb Issuer plugin (https://plugins.jenkins.io/strict-crumb-issuer/).

2. Enable this plugin and uncheck 'Check the session ID' in its configuration (under Jenkins Configure Global Security).

A drawback is that this solution makes us dependent on the Strict Crumb Issuer plugin and removes a security feature. But since our application requires many other plugins and only runs behind the firewall without Internet access, this is acceptable.

Friday, August 6, 2021

Older Jenkins versions let you turn off cross-site request forgery protection; newer ones use a crumb.

I. First solution

1. Install the plugin: Strict Crumb Issuer

Manage Jenkins -> Configure Global Security -> CSRF Protection: select the Strict Crumb Issuer plugin and turn off "Check the session ID"

2. Obtain the crumb value with a GET request

Fetch the exact crumb: curl -u 'admin:password' "http://jenkins-url:/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)"

You can also make the following request and read the crumb from the result: curl -v -X GET http://jenkins-url:8080/crumbIssuer/api/json --user :

* About to connect() to 120.76.245.243 port 8080 (#0)
* Trying 120.76.245.243...
* Connected to 120.76.245.243 (120.76.245.243) port 8080 (#0)
* Server auth using Basic with user 'genekangit'
> GET /crumbIssuer/api/json HTTP/1.1
> Authorization: Basic Z2VuZWthbmdpdDp2ZVlqKmwrcjc5Wjc4a1VNZCYwQGZURlcpc2hnbz0mSg==
> User-Agent: curl/7.29.0
> Host: 120.76.245.243:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 15 Oct 2021 15:05:52 GMT
< X-Content-Type-Options: nosniff
< X-Jenkins: 2.303.1
< X-Jenkins-Session: 8470ef97
< X-Frame-Options: deny
< Content-Type: application/json;charset=utf-8
< Set-Cookie: JSESSIONID.cf0e1294=node01e3god9uq9b2s1iixrqdss0ts8219.node0; Path=/; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Length: 163
< Server: Jetty(9.4.42.v20210604)
<
* Connection #0 to host 120.76.245.243 left intact
{
  "_class":"hudson.security.csrf.DefaultCrumbIssuer",
  "crumb":"393fbcc5b1671544b571fd667e53e20d7aa6459331ed8c8ea43a268a12d6dad3",
  "crumbRequestField":"Jenkins-Crumb"
}

3. Run a project's build directly with a POST request

Paste the crumb obtained in step 2 into the following command:

curl -X POST http://jenkins-url:8080/job//build --user : -H 'Jenkins-Crumb: 393fbcc5b1671544b571fd667e53e20d7aa6459331ed8c8ea43a268a12d6dad3'

Detailed steps:

You have to install the plugin called "Strict Crumb Issuer". Once installed, restart the Jenkins service. Go to "Manage Jenkins" --> "Configure Global Security" --> under CSRF Protection, select "Strict Crumb Issuer" from the drop-down list --> click on Advanced and uncheck everything except the "Prevent Breach Attack" option --> Apply and save. Now run your crumb script.

II. Second solution

1. Add an API token in the user settings

I solved this by using the API TOKEN as the basic authentication password. Here is how:

Note: To Create the API TOKEN under Accounts icon -> configure -> API Token -> Add New token

2. Start the job with a POST request

2.1 With parameters: curl -v -X POST http://jenkins-url:8080/job//buildWithParameters?param=value --user :

2.2 Without parameters: curl -X POST http://jenkins-url:8080/job//build --user :
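Why the two solutions above work, shown as an added example (not code from the original post or from Jenkins): since Jenkins 2.176.2 the default crumb is bound to the web session that fetched it, so a crumb obtained by one curl call and replayed by a second curl call that carries no JSESSIONID cookie is rejected with exactly the 403 seen in the error list, which is what disabling "Check the session ID" in the Strict Crumb Issuer works around; a request authenticated with an API token is exempt from the crumb check, which is why the second solution needs no crumb at all. The issuer and the request handler below are a constructed model of that server-side logic, not Jenkins' own implementation.

```python
import hashlib
import hmac
import secrets


class SessionBoundCrumbIssuer:
    """Constructed model of Jenkins' default crumb issuer: the crumb is an
    HMAC over the session id, so it only validates when presented together
    with the JSESSIONID cookie it was issued for."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # per-instance server secret

    def issue(self, session_id):
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def validate(self, session_id, crumb):
        return hmac.compare_digest(self.issue(session_id), crumb)


def handle_post_build(issuer, headers, cookies, api_token_auth=False):
    """Models POST /job/<name>/build. API-token basic auth skips the crumb
    check; otherwise the Jenkins-Crumb header must match the request's session."""
    if api_token_auth:
        return 201, ""  # build queued
    session_id = cookies.get("JSESSIONID", "")
    crumb = headers.get("Jenkins-Crumb", "")
    if not issuer.validate(session_id, crumb):
        return 403, "No valid crumb was included in the request"
    return 201, ""


def two_separate_curls(issuer):
    """Step 2 then step 3 as two independent curl calls: the crumb is issued
    for session A, but the POST opens a fresh session B (no cookie sent)."""
    crumb = issuer.issue(secrets.token_hex(8))
    fresh_session = secrets.token_hex(8)
    return handle_post_build(issuer, {"Jenkins-Crumb": crumb}, {"JSESSIONID": fresh_session})


def cookie_jar_flow(issuer):
    """Same two requests, but the client keeps the cookie jar (curl -c/-b,
    requests.Session, jenkinsapi with useCrumb=True): the POST carries the
    session the crumb was issued for, so the default checks pass."""
    session = secrets.token_hex(8)
    crumb = issuer.issue(session)
    return handle_post_build(issuer, {"Jenkins-Crumb": crumb}, {"JSESSIONID": session})


def api_token_flow(issuer):
    """Second solution: --user admin:apiToken, no crumb and no cookie needed."""
    return handle_post_build(issuer, {}, {}, api_token_auth=True)
```

With real curl the equivalent of cookie_jar_flow is `-c cookies.txt` on the crumb request and `-b cookies.txt` on the POST, which keeps the default crumb issuer intact instead of relaxing it.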

3. Start a job by calling the Jenkins API remotely (OK)

Job name: jobName

Remote API address: http://host:8080/jobName/jobName/build

Request method: POST

How to add the username and password: username:password@hostname:port ....

Expected result:

Job started

Server returns HTTP status: 201

Opening the remote API build URL directly in a browser produces an error

http://120.76.245.243:8080/job//build

Official message:

You must use POST method to trigger builds. (From scripts you may instead pass a per-project authentication token, or authenticate with your API token.) If you see this page, it may be because a plugin offered a GET link; file a bug report for that plugin.

Roughly: the request method must be POST and it has to pass authentication or token validation; besides, the GET you submitted is wrong.

4. Get the latest build number by calling the Jenkins API remotely (OK)

Job name: jobName

Remote API address: http://host:8080/job/jobName/lastBuild/buildNumber

Request method: GET

How to add the username and password: username:password@hostname:port ....

Expected result:

Job started

Server returns HTTP status: 201

5. Query job status by calling the Jenkins API remotely (OK)

Job name: jobName

Remote API address: http://host:8080/job/jobName//api/json

Request method: GET

How to add the username and password: username:password@hostname:port ....

Expected result:

Job details as JSON

Server returns HTTP status: 200

6. The jenkinsapi library

pip install jenkinsapi

from jenkinsapi.jenkins import Jenkins

# useCrumb=True makes the client fetch a crumb and send it with POST requests
jk = Jenkins(url, username, password, useCrumb=True)

7. API summary

API home page: http://127.0.0.1:8080/api/

7.1 Project API

Get project information. Endpoint: http://127.0.0.1:8080/job/{jobName}/api/json

Method: GET

7.2 Get project build information

Endpoint: http://127.0.0.1:8080/job/{jobName}/{buildNumber}/api/json

Method: GET

7.3 Get project configuration

Endpoint: http://127.0.0.1:8080/job/{jobName}/config.xml

Method: GET

7.4 Create a project

Endpoint: http://127.0.0.1:8080/createItem?name={projectName}

Parameters: --data-binary @config.xml

Header: -H "Content-Type:text/xml"

Method: POST

7.5 Disable a project

Endpoint: http://127.0.0.1:8080/job/{jobName}/disable

Method: POST

7.6 Enable a project

Endpoint: http://127.0.0.1:8080/job/{jobName}/enable

Method: POST

7.7 Delete a project

Endpoint: http://127.0.0.1:8080/job/{jobName}/doDelete

Method: POST

7.8 Build a project

Endpoint: http://127.0.0.1:8080/job/{jobName}/build

Method: POST

Note: a token or user authentication must be supplied

Request: curl -X POST http://127.0.0.1:8080/job/{jobName}/build --user admin:apiToken

7.9 Parameterized build

Endpoint: http://127.0.0.1:8080/job/{jobName}/buildWithParameters

Method: POST
