Jenkins / JENKINS-18114

Enabling crumb issuer prevents CLI from working

      Description

      1.480.3. Enable security, with whatever security realm (e.g. Unix authentication), and matrix authentication with one user given all permissions and anonymous none. Enable the default crumb issuer. Configure the authenticated user's SSH public keys. Now from a shell try to use the CLI:

      $ java -jar jenkins-cli.jar -s http://localhost:8080/ -i ~/.ssh/id_dsa help
      Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/cli
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1625)
      	at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:77)
      	at hudson.cli.CLI.connectViaHttp(CLI.java:155)
      	at hudson.cli.CLI.<init>(CLI.java:139)
      	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:68)
      	at hudson.cli.CLI._main(CLI.java:438)
      	at hudson.cli.CLI.main(CLI.java:373)
      

      If you disable the crumb issuer, the same command works as expected.

      Jenkins.doCli in POST mode would go through CrumbFilter, and the CLI client makes no attempt to send a crumb.

      If there is some way a JavaScript form submission could trick a browser into initiating a complete CLI session and sending a destructive command, then the client should be amended to check for /crumbIssuer/api/xml and send a crumb; otherwise CrumbFilter should be amended to exempt /cli.
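The client-side amendment the description proposes (look up /crumbIssuer/api/xml and send the crumb on the retried POST), as an added Python example; it is not part of this issue or of jenkins-cli.jar. The Jenkins server is a constructed stand-in, and `send` is an assumed transport callable that must keep one HTTP session across calls, because a crumb is bound to the session that fetched it.

```python
import xml.etree.ElementTree as ET

CRUMB_PATH = "/crumbIssuer/api/xml"


def parse_crumb(xml_text):
    """Extract (header name, crumb value) from the crumb issuer's api/xml reply."""
    root = ET.fromstring(xml_text)
    field = root.findtext("crumbRequestField")
    crumb = root.findtext("crumb")
    if not field or not crumb:
        raise ValueError("crumb issuer reply carries no crumb")
    return field, crumb


def post_with_crumb(send, base_url, path, body):
    """POST once without a crumb; on 403 fetch a crumb and retry exactly once.
    `send(url, headers, body)` is an assumed transport returning (status, text)
    and must reuse the same HTTP session, since the crumb is session-bound."""
    status, text = send(base_url + path, {}, body)
    if status != 403:
        return status, text
    cstatus, ctext = send(base_url + CRUMB_PATH, {}, None)
    if cstatus != 200:
        # No crumb issuer reachable: the 403 was caused by something else.
        return status, text
    field, crumb = parse_crumb(ctext)
    return send(base_url + path, {field: crumb}, body)


class FakeJenkins:
    """Constructed stand-in for a server whose CrumbFilter guards POST /cli."""
    CRUMB_XML = ("<defaultCrumbIssuer><crumb>c0ffee</crumb>"
                 "<crumbRequestField>.crumb</crumbRequestField></defaultCrumbIssuer>")

    def __init__(self, crumb_issuer_enabled):
        self.enabled = crumb_issuer_enabled
        self.calls = []  # every request the client made, for inspection

    def send(self, url, headers, body):
        self.calls.append((url, dict(headers)))
        if url.endswith(CRUMB_PATH):
            return (200, self.CRUMB_XML) if self.enabled else (404, "")
        if self.enabled and headers.get(".crumb") != "c0ffee":
            return 403, "No valid crumb was included in request for /cli"
        return 200, "help output"


def run(crumb_issuer_enabled):
    """Return (final status, number of requests) for one CLI-style POST."""
    srv = FakeJenkins(crumb_issuer_enabled)
    status, _ = post_with_crumb(srv.send, "http://localhost:8080", "/cli", b"help")
    return status, len(srv.calls)
```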

            Activity

            jglick Jesse Glick added a comment -

            Also the log shows:

            … hudson.security.csrf.CrumbFilter doFilter
            WARNING: No valid crumb was included in request for /cli.  Returning 403.
            
            danielbeck Daniel Beck added a comment -

            Maybe exclude UnprotectedRootActions from CSRF protection?

            jglick Jesse Glick added a comment -

            Yeah. I hope this issue is not still reproducible!

            danielbeck Daniel Beck added a comment -

            I can repro on 1.585 (only tested through reverse proxy) if I disable the JNLP slave port. (If that being enabled is a requirement to use the CLI, as TcpSlaveAgentListener Javadoc indicates, the documentation on the UI is pretty misleading.)

            $ java -jar jenkins-cli.jar -i ~/.ssh/id_rsa -s http://jenkins help
            Exception in thread "main" java.io.IOException: No X-Jenkins-CLI2-Port among [null, X-Required-Permission, X-Jenkins, X-You-Are-In-Group, X-Hudson, Content-Length, Expires, X-You-Are-Authenticated-As, Set-Cookie, X-Permission-Implied-By, Connection, Server, Date, X-Jenkins-Session, Content-Type]
            	at hudson.cli.CLI.getCliTcpPort(CLI.java:283)
            	at hudson.cli.CLI.<init>(CLI.java:126)
            	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:72)
            	at hudson.cli.CLI._main(CLI.java:466)
            	at hudson.cli.CLI.main(CLI.java:382)
            	Suppressed: java.io.IOException: Server returned HTTP response code: 403 for URL: http://jenkins/cli
            		at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1626)
            		at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:78)
            		at hudson.cli.CLI.connectViaHttp(CLI.java:156)
            		at hudson.cli.CLI.<init>(CLI.java:130)
            		... 3 more
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            changelog.html
            http://jenkins-ci.org/commit/jenkins/a6b2ff806f12295e8db9925f108d44a2861cbce2
            Log:
            Additional explanation for JENKINS-18114

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/cli/CliCrumbExclusion.java
            test/src/test/java/hudson/cli/CLIActionTest.java
            http://jenkins-ci.org/commit/jenkins/de740c756f7de7fd225919342fa01796367abf00
            Log:
            [FIX JENKINS-18114] Exclude /cli URL from crumb requirement (#2315)

            • [FIX JENKINS-18114] Exclude /cli URL from crumb requirement

            • JENKINS-18114 Fix test: Don't send the crumb

            The CLI doesn't do this either.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/cli/CliCrumbExclusion.java
            test/src/test/java/hudson/cli/CLIActionTest.java
            http://jenkins-ci.org/commit/jenkins/9f42774315a5d6316da8031ff51e5b866fc07d9a
            Log:
            [FIX JENKINS-18114] Exclude /cli URL from crumb requirement (#2315)

            • [FIX JENKINS-18114] Exclude /cli URL from crumb requirement

            • JENKINS-18114 Fix test: Don't send the crumb

            The CLI doesn't do this either.

            (cherry picked from commit de740c756f7de7fd225919342fa01796367abf00)


              People

              • Assignee: Daniel Beck (danielbeck)
              • Reporter: Jesse Glick (jglick)
              • Votes: 2
              • Watchers: 3