MCMicS / jenkins-control-plugin

Jenkins integration in IDEA Platforms
https://plugins.jetbrains.com/plugin/6110-jenkins-control-plugin
Apache License 2.0
250 stars 125 forks

Plugin can not connect to Jenkins anymore with: [Fail] CSRF enabled -> Missing or bad crumb data #512

Closed ststoessel closed 1 year ago

ststoessel commented 1 year ago

The Jenkins-Control-Plugin 1.8.3 stopped working. It worked prior to the update.

If I test the connection I got the error message: [Fail] CSRF enabled -> Missing or bad crumb data. We already used an application token for authentication.

IntelliJ 2023.2 (Ultimate)
Jenkins 2.346.1

Message shown:

HTTP ERROR 403 No valid crumb was included in the request
URI: /api/json
STATUS: 403
MESSAGE: No valid crumb was included in the request
SERVLET: Stapler
Powered by Jetty:// 9.4.45.v2022020

MCMicS commented 1 year ago

Hi, I have to investigate this because on my test machines/setups it still works. From which version did you update?

Is the application token still valid or expired?

Can you test the following from a terminal, please:

curl -u user:apiToken 'http://jenkins.server:8080/api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D'

ststoessel commented 1 year ago

Thanks for your fast response. I got an authorization error and so I removed the old token and created a new one. It's working again. You are doing an incredible job with the plugin.

MCMicS commented 1 year ago

Thanks a lot, nice to hear that it works for you now.

erickne commented 1 year ago

@MCMicS Same problem here.

WebStorm 2023.1
Jenkins 2.417

1) Created a new token
2) Error 403 : missing crumbs
3) Executed cURL command and got the response:

{"_class":"hudson.model.Hudson","nodeName":"","description":null,"primaryView":{"_class":"hudson.model.AllView","name":"all","url":"https://jenkins.*******/"},"url":"https://jenkins.******/"}

I tried server address with (and without) suffix:

image

image

MCMicS commented 1 year ago

And you used the API token instead of the password? Because the password requires a crumb, which is not supported anymore.

ststoessel commented 1 year ago

My solution was:

  1. Delete your old token from your account within Jenkins
  2. Create a new token
  3. Use this new token in the plugin

MCMicS commented 1 year ago

Hi, can you repeat the curl command with -v and share the info?

erickne commented 1 year ago

And you used the API token instead of the password? Because the password requires a crumb, which is not supported anymore.

I tried with password and token.

My solution was:

  1. Delete your old token from your account within Jenkins
  2. Create a new token
  3. Use this new token in the plugin

I tried with new token :( .

Hi, can you repeat the curl command with -v and share the info?

Sure!


*   Trying x.x.x.x:443...
* TCP_NODELAY set
* Connected to jenkins.xxx.br (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=jenkins.xxxx.br
*  start date: Aug  7 20:55:12 2023 GMT
*  expire date: Nov  5 20:55:11 2023 GMT
*  subjectAltName: host "jenkins.xxxxxxxxxxxxxxx.br" matched cert's "jenkins.xxxxxxxxxxxxxx.br"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user 'erick.engelhardt'
* Using Stream ID: 1 (easy handle 0x564faaed78d0)
> GET /api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D HTTP/2
> Host: jenkins.xxxxxxxxxxxxxxxxx.br
> authorization: Basic xxxxxxxxxxxxxxxxxxxTOKENxxxxxxxxxxxx
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx
< date: Fri, 25 Aug 2023 23:23:34 GMT
< content-type: application/json;charset=utf-8
< content-length: 222
< x-content-type-options: nosniff
< access-control-allow-credentials: true
< access-control-allow-origin: https://observability.browserstack.com
< access-control-allow-methods: POST, GET, OPTIONS, PUT
< access-control-allow-headers: *
< access-control-expose-headers: *
< access-control-max-age: 999
< x-jenkins: 2.417
< x-jenkins-session: 5deddbd9
< x-frame-options: deny
< x-powered-by: PleskLin
<
* Connection #0 to host jenkins.xxxxxxx.br left intact

Just to let you know, this instance is running in Docker with an Nginx reverse proxy.

erickne commented 1 year ago

I used the same token in another plugin (Jenkins Pipeline Linter) and it's working.

image

MCMicS commented 1 year ago

Is this server publicly visible, and can you grant me access for testing? You can contact me privately on gitter/matrix.

Channel: https://matrix.to/#/#jenkins-control-plugin_community:gitter.im
Me: https://matrix.to/#/@mcmics-58e400f2d73408ce4f561945:gitter.im

If it is not possible to grant access, I can provide a version with extended logging.

Do you have any proxy configured in WebStorm?

Is this a new installation, or was this working before and it happens after an update?

Can you retry curl with POST, please? I will figure out if a configuration/network issue exists:

curl -v -X POST -u user:apiToken 'http://jenkins.server:8080/api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D'
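The two checks requested in this thread (a GET, then a POST, against /api/json with the API token) combined into one script, as an added example that is not part of the thread or of the plugin. The function names and verdict texts are made up here, the 503 mapping follows the path-prefix case reported further down this page, and credentials are assumed to live in ~/.netrc so the token stays out of the process list.

```shell
#!/bin/sh
# Added example: names and verdict strings are illustrative, not from the plugin.

# classify STATUS BODY: map one HTTP reply to a short cause keyword.
classify() {
  case "$1" in
    2??) echo ok ;;
    401) echo bad-credentials ;;
    403) case "$2" in
           *"No valid crumb"*) echo crumb-required ;;  # Jenkins CSRF rejection
           *) echo forbidden ;;
         esac ;;
    503) echo wrong-base-url ;;   # e.g. Jenkins is served under a path prefix
    *)   echo "http-$1" ;;
  esac
}

# verdict GET_RESULT POST_RESULT: combine both probes into one piece of advice.
verdict() {
  case "$1/$2" in
    ok/ok) echo "token accepted for GET and POST; check the client settings" ;;
    ok/crumb-required) echo "POST needs a crumb; use an API token, not the password" ;;
    bad-credentials/*|*/bad-credentials) echo "credentials rejected; delete the token and create a new one" ;;
    wrong-base-url/*) echo "check the server address, including any path prefix" ;;
    *) echo "unclassified: GET=$1 POST=$2" ;;
  esac
}

# probe METHOD URL: one request; -n makes curl read user and token from ~/.netrc.
probe() {
  body=$(mktemp) || return 1
  status=$(curl -s -n -o "$body" -w '%{http_code}' -X "$1" "$2")
  classify "$status" "$(cat "$body")"
  rm -f "$body"
}

# diagnose BASE_URL: run both probes against the same endpoint.
diagnose() {
  url="$1/api/json?tree=nodeName,url"
  verdict "$(probe GET "$url")" "$(probe POST "$url")"
}

# Usage (hypothetical host): diagnose https://jenkins.example/my-team-name
```
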

erickne commented 1 year ago

Is this server publicly visible, and can you grant me access for testing? You can contact me privately on gitter/matrix.

Channel: https://matrix.to/#/#jenkins-control-plugin_community:gitter.im
Me: https://matrix.to/#/@mcmics-58e400f2d73408ce4f561945:gitter.im

If it is not possible to grant access, I can provide a version with extended logging.

Do you have any proxy configured in WebStorm?

Is this a new installation, or was this working before and it happens after an update?

Can you retry curl with POST, please? I will figure out if a configuration/network issue exists:

curl -v -X POST -u user:apiToken 'http://jenkins.server:8080/api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D'

It's working again! Please see my past message https://github.com/MCMicS/jenkins-control-plugin/issues/512#issuecomment-1694031150 .

MCMicS commented 1 year ago

Ah, I thought you meant with the comment that your token works in the linter plugin but not in Jenkins Control.

So it's working for you now? Then can this be closed?

erickne commented 1 year ago

Yes, it's perfect. You can close this issue.

On Sun, 27 Aug 2023 at 16:18, MCMicS @.***> wrote:

Ah, I thought you meant with the comment that your token works in the linter plugin but not in Jenkins Control.

So it's working for you now? Then can this be closed?


theandrewlane commented 7 months ago

Hey @MCMicS!

I'm on 0.13.19-2023.2 and still facing this issue. My Jenkins is a CloudBees Ci Managed Controller, and the Jenkins Linter plugin is able to connect with the same username/token I'm trying here - I was actually configuring both plugins at the same time :)

My Jenkins configuration is a bit different - https://jenkins.server/api/json returns a 503 whereas https://jenkins.server/my-team-name/api/json returns the expected json.

The following curl command returns the expected result:

curl -v -X Post -u user:apiToken https://jenkins.server/my-team-name/api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D

I've also tried these settings with the v0.13.17 (before the crumb config was removed) and got the same result.

Actual configuration params omitted image

MCMicS commented 7 months ago

Hmm, strange. If you use an API token, the crumb should not be needed. I can have a look next week. Is it possible to grant access to check against?

theandrewlane commented 7 months ago

Hmm, strange. If you use an API token, the crumb should not be needed. I can have a look next week. Is it possible to grant access to check against?

Interesting... Welp I can assure you I'm using a Jenkins token - the same token I'm using for the Jenkins Linter plugin. I unfortunately cannot grant you access to my server, but I'm happy to help you debug!

MCMicS commented 7 months ago

Hmm, I created a special version with additional logs some time ago (see https://github.com/MCMicS/jenkins-control-plugin/issues/69#issuecomment-1707725875). Maybe you can use this to get further information, or I will add additional logs these days in a newer version.

org.codinjutsu.tools.jenkins
#org.codinjutsu.tools.jenkins:trace

Plugin: https://github.com/MCMicS/jenkins-control-plugin/files/12533934/jenkins-control-plugin-0.13.19-eap3-2023.2-signed.zip