Hello,

ok, answer to my own mail...

The rules seem to be:

   1. Use
      curl -s 'http://<user>:<PWD>@<machine>:<port>/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' && echo
      to get the Crumb.
   2. The Crumb gets returned, ready to use:
      Jenkins-Crumb:30….b
      Exactly this needs to be handed in.
   3. "curl -u '<user>:<PWD>' …" doesn't work, while "curl -s 'http://<user>:<PWD>@....'" does.
   4. The hostname gets hashed into the Crumb returned (so the Crumb changes between aliases
      for the same machine name (physical/logical/forward from standby master)).
      So it is important to use the same machine name (physical/logical/forward from
      standby master) on all calls.
   5. As to this finding and the documentation, the Crumb is constructed from
      (so this means it shouldn't change over time (modulo Jenkins updates?)):
         1. Hostname
         2. Username
         3. Password (it seems API token and password are somehow mapped?)
         4. A salt
   6. Both the API token as well as the password can be used (same syntax, just use PWD or token).
      Both lead to the same Crumb returned.
      Then what is this token about?
   7. The wget call can use
      wget … --user=jm0 --password=<PWD> … --header='Jenkins-Crumb:30430………………71b'
      or
      wget http://jm0:PW@... --header='Jenkins-Crumb:30430………………71b'
      Both work with the Crumb.

Hope this might help others....

Martin

Now I just would need to know what the error messages in the log mean when 
I switch CSRF on....
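As an added example (not code from this thread), the rules above as a small POSIX shell script: it fetches the crumb, parses the crumbIssuer XML reply into the Jenkins-Crumb header, sanity-checks it before use, and reuses it on an authenticated POST, keeping the credentials off the command line. JENKINS_URL, JENKINS_USER, JENKINS_TOKEN and the function names are assumptions; the sample XML is the reply shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Fetches a Jenkins CSRF crumb and reuses
# it on an authenticated POST. Assumed environment (hypothetical names):
#   JENKINS_URL   e.g. http://<machine>:<port>; use the SAME host name on
#                 both calls, since the crumb is bound to it (rule 4 above)
#   JENKINS_USER  login name
#   JENKINS_TOKEN API token (or password)

# Sample /crumbIssuer/api/xml reply, taken from the thread (attribute quotes
# changed to fit the shell quoting), for an offline check of the parser.
SAMPLE_CRUMB_XML='<defaultCrumbIssuer _class="hudson.security.csrf.DefaultCrumbIssuer"><crumb>1dd7db5ac04440f3c6f2e0b007d9afdb</crumb><crumbRequestField>Jenkins-Crumb</crumbRequestField></defaultCrumbIssuer>'

# Turn the raw XML reply into "<crumbRequestField>:<crumb>", the same string
# the xpath=concat(...) query in rule 1 returns. Fails if either tag is missing.
crumb_header_from_xml() {
    field=$(printf '%s' "$1" | sed -n 's/.*<crumbRequestField>\([^<]*\)<\/crumbRequestField>.*/\1/p')
    value=$(printf '%s' "$1" | sed -n 's/.*<crumb>\([^<]*\)<\/crumb>.*/\1/p')
    [ -n "$field" ] && [ -n "$value" ] || return 1
    printf '%s:%s\n' "$field" "$value"
}

# Refuse to send anything that is not "<header-name>:<hex>" as a crumb; an
# HTML login page or an error body must never end up in the header.
crumb_header_is_sane() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+:[0-9a-f]{32,}$'
}

# Credentials are passed via a curl config on stdin (-K -) instead of the URL
# or the command line, so they do not appear in `ps` output or shell history.
jenkins_curl() {
    printf 'user = "%s:%s"\n' "$JENKINS_USER" "$JENKINS_TOKEN" | curl -sf -K - "$@"
}

get_crumb_header() {
    crumb_header_from_xml "$(jenkins_curl "$JENKINS_URL/crumbIssuer/api/xml")"
}

# Upload a job's config.xml, e.g.: jenkins_post_job PHY_TX----trunk--build job.xml
jenkins_post_job() {
    job=$1; file=$2
    header=$(get_crumb_header) || { echo "could not obtain crumb" >&2; return 1; }
    crumb_header_is_sane "$header" || { echo "unexpected crumb reply: $header" >&2; return 1; }
    jenkins_curl -H "$header" --data-binary "@$file" "$JENKINS_URL/job/$job/config.xml"
}
```

Because curl runs with -f, a 403 on the crumb request yields an empty body and the script stops with "could not obtain crumb" instead of POSTing with a bad header.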

On Monday, November 6, 2017 at 5:40:35 PM UTC+1, [email protected] wrote:
>
> Hello,
>
> after the update to Jenkins 2.85, CI now "complains":
> "You have not configured the CSRF issuer. This could be a security issue. 
> For more information, please refer to this page 
> <https://jenkins.io/redirect/csrf-protection>. 
> You can change the current configuration using the Security section CSRF 
> Protection <http://phytxci.emea.nsn-net.net:9999/configureSecurity>."
>
> So I tried to enable the CSRF protection. But now I fail to get my 
> 'wget'-calls to the API to work with it.
>
> How do I need to hand the crumb (in what format) to a wget call to e.g. 
> upload a job file to my CI ?
>
> Here is what I tried:
> # get the crumb
> > wget http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml -o out 
> --output-document ooooo --user="random" --password="foobar"
> > less ooooo
> <defaultCrumbIssuer 
> _class='hudson.security.csrf.DefaultCrumbIssuer'><crumb>1dd7db5ac04440f3c6f2e0b007d9afdb</crumb><crumbRequestField>Jenkins-Crumb</crumbRequestField></defaultCrumbIssuer>
>
> # user/password + crumb as "Jenkins-Crumb" -> No valid crumb
> > /usr/bin/wget --auth-no-challenge --no-proxy --user="random" 
> --password="foobar" 
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml 
> --post-file=encoded/PHY_TX----trunk--build.xml 
> --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
> --2017-10-30 14:59:55--  
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
> Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
> Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
> HTTP request sent, awaiting response... 403 No valid crumb was included in 
> the request
> 2017-10-30 14:59:55 ERROR 403: No valid crumb was included in the request.
>
> # No password; just the crumb -> forbidden (ok, obvious)
> > /usr/bin/wget --auth-no-challenge --no-proxy --user="random" 
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml 
> --post-file=encoded/PHY_TX----trunk--build.xml 
> --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
> --2017-10-30 15:18:54--  
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
> Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
> Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 2017-10-30 15:18:54 ERROR 403: Forbidden.
>
> # No user/password; just the crumb -> forbidden (ok, obvious)
> > /usr/bin/wget --auth-no-challenge --no-proxy 
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml 
> --post-file=encoded/PHY_TX----trunk--build.xml 
> --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
> --2017-10-30 15:19:06--  
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
> Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
> Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 2017-10-30 15:19:06 ERROR 403: Forbidden.
>
> # user/password + crumb as "Crumb" -> No valid crumb
> > /usr/bin/wget --auth-no-challenge --no-proxy --user="random" 
> --password="foobar" 
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml 
> --post-file=encoded/PHY_TX----trunk--build.xml 
> --header="Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
> --2017-10-30 15:19:19--  
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
> Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
> Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
> HTTP request sent, awaiting response... 403 No valid crumb was included in 
> the request
> 2017-10-30 15:19:19 ERROR 403: No valid crumb was included in the request.
>
> # same, but 'crumb'
> > /usr/bin/wget --auth-no-challenge --no-proxy --user="random" 
> --password="foobar" 
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml 
> --post-file=encoded/PHY_TX----trunk--build.xml 
> --header="crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
> --2017-10-30 15:19:24--  
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
> Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
> Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
> HTTP request sent, awaiting response... 403 No valid crumb was included in 
> the request
> 2017-10-30 15:19:24 ERROR 403: No valid crumb was included in the request.
>
> # same, but '.crumb'
> > /usr/bin/wget --auth-no-challenge --no-proxy --user="random" 
> --password="foobar" 
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml 
> --post-file=encoded/PHY_TX----trunk--build.xml 
> --header=".crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
> --2017-10-30 15:19:30--  
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
> Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
> Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
> HTTP request sent, awaiting response... 403 No valid crumb was included in 
> the request
> 2017-10-30 15:19:30 ERROR 403: No valid crumb was included in the request.
>
> > wget --output-document ooooo --user="random" --password="foobar"  '
> http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,
> ":",//crumb)'
> --2017-10-30 15:28:52--  
> http://ullteb105.emea.nsn-net.net:9999/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)
> Resolving ullteb105.emea.nsn-net.net... 10.159.34.240
> Connecting to ullteb105.emea.nsn-net.net|10.159.34.240|:9999... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 46 [text/plain]
> Saving to: ooooo
> 100%[==========================================================================================================================================>]
>  
> 46          --.-K/s   in 0s
> 2017-10-30 15:28:52 (8.47 MB/s) - ooooo saved [46/46]
>
> > less ooooo
> Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb
>
> # ok, so it is Jenkins-Crumb ?
> # And the crumb itself stayed the same, so it is no timing issue (so far)
> # I think I understood the crumb is a MD5 over user + password + some salt
>
> # ok, then "Jenkins-Crumb" - no luck too
> > /usr/bin/wget --auth-no-challenge --no-proxy --user="random" 
> --password="foobar" 
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml 
> --post-file=encoded/PHY_TX----trunk--build.xml 
> --header="Jenkins-Crumb:1dd7db5ac04440f3c6f2e0b007d9afdb"
> --2017-10-30 15:29:37--  
> http://ullteb106.emea.nsn-net.net:9999/job/PHY_TX----trunk--build/config.xml
> Resolving ullteb106.emea.nsn-net.net... 10.159.34.242
> Connecting to ullteb106.emea.nsn-net.net|10.159.34.242|:9999... connected.
> HTTP request sent, awaiting response... 403 No valid crumb was included in 
> the request
> 2017-10-30 15:29:37 ERROR 403: No valid crumb was included in the request.
>
> Regards
>
> Martin
>
>
