jenkinsci / generic-webhook-trigger-plugin

Can receive any HTTP request, extract any values from JSON or XML and trigger a job with those values available as variables. Works with GitHub, GitLab, Bitbucket, Jira and many more.
https://plugins.jenkins.io/generic-webhook-trigger

No trigger possible with username and password #240

Closed DanInst84 closed 2 years ago

DanInst84 commented 2 years ago

The plugin documentation says user authentication can be done like this:

```
curl -v -H "Content-Type: application/json" -X POST -d '{ "app":{ "name":"some value" }}' https://jenkinsuser:password@jenkinsserver/generic-webhook-trigger/invoke
```

The result is:

```
* upload completely sent off: 32 out of 32 bytes
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Date: Fri, 13 May 2022 12:22:38 GMT
< X-Content-Type-Options: nosniff
< Content-Type: application/json;charset=utf-8
< Content-Length: 279
< Server: Jetty(9.4.43.v20210629)
<
* Connection #0 to host jenkinsserver left intact
{"jobs":null,"message":"Did not find any jobs with GenericTrigger configured! If you are using a token, you need to pass it like ...trigger/invoke?token=TOKENHERE. If you are not using a token, you need to authenticate like http://user:passsword@example.org/generic-webhook... "}
```

Thus the answer includes the HTTP error 404, and Jenkins says it cannot find a job with a matching webhook trigger (as "jobs" is null in the answer). But there is a job configured with Generic Webhook Trigger enabled, with the Token and Token Credential fields kept empty. The optional filter for the Generic Webhook Trigger is empty, too.

From my understanding, this job should have been triggered. The main reason for authenticating with credentials instead of a token is that the job should be started by the Jenkins user mentioned in the curl command.

Changing the user credentials to an invalid user, the answer contains an HTML page with an error message: Oops! A problem occurred while processing the request.

Hence, the authentication in the curl command succeeds.

tomasbjerre commented 2 years ago

The plugin does impersonation if a token is supplied. And if not, like in this case, it just gets whatever jobs are visible for the current session: https://github.com/jenkinsci/generic-webhook-trigger-plugin/blob/ccd2bea4e8e6a32ff27adc1d78e78811f26a7fbc/src/main/java/org/jenkinsci/plugins/gwt/jobfinder/JobFinderImpersonater.java#L17

The plugin does not do anything with the username/password.

Perhaps the response message of the plugin can be changed to better help in this case. I'm guessing it is a security feature in Jenkins that is the problem here.
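The two lookup modes the maintainer describes (no token: only jobs visible to the current session are candidates; token: lookup is impersonated as SYSTEM and jobs are matched by token) are easy to get wrong when reasoning about who can trigger what. The following is an added, simplified Python model of that behaviour, written for this thread and not the plugin's own code. It assumes that a tokenless request matches only jobs with no token configured and that a token request matches jobs by token regardless of the caller's permissions; job names, users and tokens are constructed sample data.

```python
"""Simplified model of the job lookup described in this thread (constructed
example, not the plugin's code).

Two modes are modelled:
  * no token supplied: candidates are Generic-Webhook-Trigger jobs with no
    token configured that the authenticated session is allowed to read;
  * token supplied: the lookup runs as SYSTEM (impersonation), so the
    session's ACL no longer matters and jobs are matched by token only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

SYSTEM = "SYSTEM"  # pseudo-user that bypasses per-job Job/Read checks


@dataclass
class Job:
    name: str
    gwt_enabled: bool = False          # Generic Webhook Trigger ticked on the job
    token: Optional[str] = None        # None/"" means the Token field is empty
    readers: Set[str] = field(default_factory=set)  # users holding Job/Read


def can_read(job: Job, user: str) -> bool:
    """Job/Read as the session would see it; SYSTEM sees everything."""
    return user == SYSTEM or user in job.readers


def find_jobs(jobs: List[Job], session_user: str,
              token: Optional[str] = None) -> List[str]:
    """Return the names of jobs the request would trigger.

    With a token the lookup is impersonated as SYSTEM (assumption drawn from
    the maintainer's comment), so a caller who cannot read a job can still
    trigger it if the token matches. Without a token the caller's own ACL
    decides which jobs are visible, which is why the issue's request found
    nothing: the user lacked Job/Read on the job.
    """
    if token:
        actor = SYSTEM
        return [j.name for j in jobs
                if j.gwt_enabled and j.token == token and can_read(j, actor)]
    return [j.name for j in jobs
            if j.gwt_enabled and not j.token and can_read(j, session_user)]


def build_response(found: List[str]) -> dict:
    """Shape of the plugin's JSON answer as quoted in the issue (status only
    modelled; message text abbreviated)."""
    if not found:
        return {"status": 404, "jobs": None,
                "message": "Did not find any jobs with GenericTrigger configured!"}
    return {"status": 200, "jobs": found}


# Constructed sample data: one tokenless job readable only by alice, and one
# token-protected job nobody has explicit Job/Read on.
SAMPLE_JOBS = [
    Job("build", gwt_enabled=True, token=None, readers={"alice"}),
    Job("deploy", gwt_enabled=True, token="s3cret-sample", readers=set()),
]

if __name__ == "__main__":
    # The situation from the issue: basic auth as a user without Job/Read.
    print(build_response(find_jobs(SAMPLE_JOBS, "bob")))
    # Same request from a user who can read the job.
    print(build_response(find_jobs(SAMPLE_JOBS, "alice")))
    # Token request: triggers "deploy" although bob cannot read it.
    print(build_response(find_jobs(SAMPLE_JOBS, "bob", token="s3cret-sample")))
```

The model makes the defender-relevant point explicit: a webhook token is an authorization bypass for the job it belongs to, so it must be handled like a credential (stored as a Token Credential rather than in plain text, rotated, and not logged), while the tokenless path is governed entirely by the Jenkins authorization strategy, so a 404 with `"jobs": null` is the expected symptom of a missing Job/Read permission rather than of a misconfigured trigger.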

DanInst84 commented 2 years ago

Thanks for the hint to the impersonation when using a token. Indeed, I had a problem with the ACL of the user mentioned above.

It would be nice to document the behaviour of the Generic Webhook Trigger plugin if a token is used. Escalating the job in any case to SYSTEM power (if using the token) is nowhere mentioned. Perhaps it can be added somewhere in the documentation?

DanInst84 commented 2 years ago

See: https://github.com/jenkinsci/generic-webhook-trigger-plugin/pull/241