How to get list of Jenkins credentials using curl? - jenkins

I have a jenkins instance which contains multiple credentials in different scope.
How do I get the list of jenkins credentials using curl?
I did try to fetch them using
curl -u [USERNAME]:[PASSWORD] -X GET http://[JENKINS_URL]/credentials/store/system/domain/_/api/json
But I'm getting below output which doesn't contain creds IDs or names etc.
3326{"class":"com.cloudbees.plugins.credentials.CredentialsStoreAction$DomainWrapper","credentials":[{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{},{}],"description":"Credentials
that should be available irrespective of domain specification to
requirements matching.","displayName":"Global credentials
(unrestricted)","fullDisplayName":"System » Global credentials
(unrestricted)","fullName":"system/","global":true,"urlName":"_"}
How do I get the creds IDs and names which I see in Jenkins.

Related

Why is Personal Access Token not working for Bitbucket REST API?

TL/DR: (Why) does a name/PAT combination created in the Bitbucket web UI not work with Bitbucket REST API (or repo cloning)?
I've been reading various documentation on Bitbucket REST API and Personal Access Tokens, with the intent of using the latter when invoking the former.
All that I have read so far have said -- in more elaborative words -- that this is possible.
Following along, I created a Personal Access Token (PAT) in the Bitbucket web UI.
Per the screenshot below (posted at the bottom, so as to not break up the text flow), the PAT Name is "test", and let's say the PAT value is Rzg4MGUyN4m4N9U3O1HQHO3ABJyp7xClvsan7sAmFEPy
Why, when I try to use this PAT, do I get an "Authentication failed" error? For example:
user#bld_svr:~$ curl -L -u test:Rzg4MGUyN4m4N9U3O1HQHO3ABJyp7xClvsan7sAmFEPy -H "Content-Type: application/json" -X POST https://bitbucket.svr.com/rest/build-status/1.0/commits/5764bb32f80813b3bbcbf6496c113c1830c52bb0 -d '{"state":"INPROGRESS","key":"job_434","url":"http://bld_svr:8080//blue/organizations/jenkins/prj/detail/prj/434/pipeline"}'
{"errors":[{"context":null,"message":"Authentication failed. Please check your credentials and try again.","exceptionName":"com.atlassian.bitbucket.auth.IncorrectPasswordAuthenticationException"}]}
My readings have led me to believe that all that's necessary is:
Creating the PAT in the Bitbucket UI
Using the Name/PAT combination the same as one would use username/password
Trying to debug the issue a little, this page, specifically, indicates that Name/PAT should be usable to git clone repos. But that also fails:
$ git clone https://bitbucket.svr.com/scm/key/a_project.git
Cloning into 'a_project'...
Username for 'https://bitbucket.svr.com': test
Password for 'https://test#bitbucket.svr.com': # I typed in "Rzg4MGUyN4m4N9U3O1HQHO3ABJyp7xClvsan7sAmFEPy" here
fatal: Authentication failed for 'https://bitbucket.svr.com/scm/key/a_project.git/'
Can anyone give me the straight dope on the Bitbucket PATs and how they should be configured/used with Bitbucket REST API, and even just plain git cloneing?
the PAT Name is "test",
Actually, you would need to use your BitBucket user account name, not the PAT name, as username:
git clone https://username:<token>#bitbucketserver.com/scm/projectname/teamsinspace.git
You also have the syntax (seen here)
git clone "https://x-token-auth:{tokenHere}#bitbucket.org/yourRepoOwnerHere/RepoNameHere"
And you can use gildas/git-credential-bitbucket as a way to cache your token and reuse it automatically
git credential-bitbucket store <<EOM
protocol=https
host=bitbucket.org
username=xxx
clientid=yyy
secret=zzz
git remote add bitbucket https://xxx#bitbucket.org/path/to/repo.git
git config credential.helper bitbucket

How to list projects for particular user

We have our company users list and with that users list we need to prepare a report that each user have access to which gerrit project.
So how to list the project(s) for particular user from gerrit?
Some direction to achieve this will be helpful. Thanks in advance.
You have two options to give a try:
Use the "gerrit ls-projects" SSH command
Using the "--has-acl-for GROUP" option, you can list projects on which access rights for this group are directly assigned. Note: projects which only inherit access rights for this group are not listed:
ssh -p 29418 USER#GERRIT-SERVER gerrit ls-projects --has-acl-for GROUP
See more details in Gerrit documentation here.
Use the "Check Access" project REST endpoint
Using this endpoint you can verify if a user has access to a repository. Note: this requires the View Access global capability:
curl --user USER:PASS --request GET "https://GERRIT-SERVER/a/projects/PROJECT/check.access?account=ACCOUNT-ID&ref=refs%2Fheads%2Fmaster"
This command checks if the user with the ACCOUNT-ID number has access to the branch "master" of the PROJECT. As you have noted, you need to know the user ACCOUNT-ID. You can find the user ACCOUNT-ID using REST too:
curl --user USER:PASS --request GET "https://GERRIT-SERVER/a/accounts/?q=username:USERNAME" | sed 1d | jq --raw-output .[]._account_id
See more details in Gerrit documentation here.

Jenkins API request using Curl

I am trying to make a request to the Jenkins API. However, I always get a 401 unauthorized error. I have tried all permutations of requests using Curl - including sending the API token and Crumb. The Jenkins is hosted on a DEV server and not on my local. I have CSRF protection enabled on Jenkins. Could this be a CORS issue or something else?
Thanks
Trigger Jenkins build with parameters using API token
Variables
UserName is the user with permission to execute jobs
UserTokenValue is the token key assigned to UserName.
JobTokenValue is the token key assigned to the job to allow remote execution.
Create User Token - if jenkins instance requires authorization to execute jobs then user token will be required or the error "missing bread crumb trail" may appear.
Login to Jenkins
Click username in top right corner
Click configure
Click add token
Capture the UserTokenValue. Note:Token id will not be needed going forward.
Optional - verify token assigned to user.
Command curl -v -u <user>:<userTokenValue> <jenkins>/user/<user>/api/json
Example curl -v -u john:11bc70579c86512be9a4356127640abfda http://jenkins.dv.local:8080/user/john/api/json
Enable Jenkins Job to "Trigger builds remotely (e.g., from scripts)"
Locate Jenkins job and click Configure
Scroll to the "Build Triggers" section and enable the checkbox "Trigger builds remotely"
Enter a secret "Authentication Token" in the text box. The Token is required to execute this specific job remotely. Use "SuperSecret"
Because the Token is set in this one job configuration, that value will only allow this one job to execute remotely.
Use the same value for all jobs if you like but there is no way to manage the JobTokenValue Globally that I know of.
Execute job with parameters using Curl POST
Your values will vary...
JenkinsUrl : https://jenkins.dv.local:8080
UserName : john
UserTokenValue : 115e46b2109bda095cc070b6347dafe585
JobTokenValue : SuperSecret
Command
curl -X POST <JenkinsUrl>/job/test/build -user <UserName>:<UserTokenValue> --data token=<JobTokenValue> --data parm1Name=parm1Value --data parm2Name="Parm2Value with spaces"
Example
curl -X POST http://jenkins.dv.local:8080/job/MyRemoteJob/buildWithParameters --user john:115e46b2109bda095cc070b6347dafe585 --data token=SuperSecret --data TEST_PLAN_KEY=QTAK-1040 --data BROWSER="Chrome (headless)"
401 probably means your username/pass are incorrect.
This works for me:
curl -v -X GET "http://$JENKINS_URL/crumbIssuer/api/json" --user $USERNAME:$USERPASS
If there is a CORS issue, use https://plugins.jenkins.io/cors-filter/.

create jenkins ssh username with private key credential via rest xml api

Basically, I am trying to create a credential on jenkins via Rest API. Using xml data below:
<?xml version='1.0' encoding='UTF-8'?>
<com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
<scope>GLOBAL</scope>
<id>jenkins-github-ssh</id>
<description>jenkins-github-ssh</description>
<username>username</username>
<directEntryPrivateKeySource>
<privateKey>-----BEGIN OPENSSH PRIVATE KEY-----
*****************************************
-----END OPENSSH PRIVATE KEY-----</privateKey>
</directEntryPrivateKeySource>
</com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
I can see the credential after calling REST post request. But when I use this credential for a GitHub repository, Jenkins says:
Failed to connect to repository : Command "git ls-remote -h -- git#github.com:***.git HEAD" returned status code 128:
stdout:
stderr: Load key "/tmp/ssh3978703187838467164.key": invalid format
git#github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
But If I update the credential which is created by rest api with same private key above manually. It works. Somehow key is broken while posting. Do you guys have any idea to point me the solution?
Jenkins 2.198 & SSH Credentials Plugin 1.17.3
Thanks
I faced exactly the same problem while pushing private SSH keys to Jenkins by a Python script. I'm using the Requests library to create and update SSH key credential sets in arbitrary credential stores on the Jenkins server.
The general problem is that your XML structure is partially wrong. The tag
<directEntryPrivateKeySource>
must be replaced by
<privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
Getting the basic XML structure
You can get the correct XML structure by yourself from the Jenkins server when you follow these steps:
Create a SSH key credential item manually. In the example below the key's id is test-sshkey. Let's place it in a credential store which is located in the folder "API-Test" which is a subfolder of "Playground", i.e. Playground/API-Test.
When you click on the newly created credential item in the Jenkins UI its URL should look like this:
https://JENKINS_HOSTNAME/job/Playground/job/API-Test/credentials/store/folder/domain/_/credential/test-sshkey/
Add /config.xml to the URL above so that it looks like this:
https://JENKINS_HOSTNAME/job/Playground/job/API-Test/credentials/store/folder/domain/_/credential/test-sshkey/config.xml
The XML structure returned by the URL in step 3 has almost the structure that we need for using with the Credentials API but is partially incomplete:
<com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey plugin="ssh-credentials#1.18.1">
<id>test-sshkey</id>
<description>DELETE AFTER USE</description>
<username>test</username>
<privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
<privateKey>
<secret-redacted/>
</privateKey>
</privateKeySource>
</com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
Using the Credentials API
Add the tags <scope> and <passphrase> for a valid XML scaffold that you can POST to the Credentials API:
<com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
<scope>GLOBAL</scope>
<id>CREDENTIAL_ID</id>
<description>MY_DESCRIPTION</description>
<username>A_USERNAME</username>
<passphrase>OPTIONAL_KEY_PASSWORD</passphrase>
<privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
<privateKey>YOUR_PRIVATE_SSH_KEY_GOES_HERE</privateKey>
</privateKeySource>
</com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
Caveat: If the submitted XML has a wrong structure the REST API of the Credentials Plugin will nevertheless accept it and return a misleading HTTP status code 200!
Now we can use this XML structure to POST it to the API endpoints for creating or updating by cURL or similar tools. We assume that all operations are executed in the credential store of the folder "Playground/API-Test".
The following code example in Python is "dumbed down" completely to focus on the general approach:
def addCredentialSetSshPrivateKey(self, credentialDataObj):
"""
Adds a credential set with a private SSH key to a credential store
credentialDataObj: An instance of a simple DTO
"""
jenkinsRequestUrl = "https://ci-yoda-new.codemanufaktur.com/job/Playground/job/API-Test/credentials/store/folder/domain/_/createCredentials"
authentication = ("jenkins_admin_user", "API-TOKEN_FOR_THE_USER")
completeSamlData = """
<com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
<scope>GLOBAL</scope>
<id>{0}</id>
<description>{1}</description>
<username>{2}</username>
<passphrase>{3}</passphrase>
<privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
<privateKey>{4}</privateKey>
</privateKeySource>
</com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
""".format(credentialDataObj.id(), credentialDataObj.description(), credentialDataObj.username(), credentialDataObj.key_passphrase(), credentialDataObj.private_ssh_key())
# When using CSRF protection in Jenkins a API crumb must be included in the actual REST call.
# The following method requests the Jenkins Crumb Issuer for a API crumb and returns a JSON object like this:
# {'_class': 'hudson.security.csrf.DefaultCrumbIssuer', 'crumb': 'a5d36ef09e063322169888f0b81341fe13b4109482a7936bc08c6f9a01badd39', 'crumbRequestField': 'Jenkins-Crumb'}
jsonCrumb = self._requestApiCrumb()
# The actual REST call with headers, XML payload and all other bells and whistles.
remoteSession = requests.Session()
return remoteSession.post(jenkinsRequestUrl, auth = authentication, headers = {"content-type":"application/xml", jsonCrumb['crumbRequestField']:jsonCrumb['crumb']}, data = completeSamlData)
REST endpoint for creating a SSH credential item:
https://JENKINS_HOSTNAME/job/Playground/job/API-Test/credentials/store/folder/domain/_/createCredentials
REST endpoint for updating a SSH credential item:
https://ci-yoda-new.codemanufaktur.com/job/Playground/job/API-Test/credentials/store/folder/domain/_/credential/credential_ci-yoda-new-project-apex_privatekey/config.xml
Apparently in the latter case you just update the config.xml file of an existing credential item.
Also see the user guide for the Credentials Plugin, section REST API, expecially for constructing the correct REST URLs. For requesting the Jenkins crumb issuer with Python see this StackOverflow answer.
Solution tested with:
Jenkins 2.214
Credentials Plugin 2.3.1
SSH Credentials Plugin 1.18.1
For the people who are having the exact same problem;
I've tried uploading it as a file, uploading it with API, using jenkins CLI, etc. Everything I tried has failed. Same issue is alsoposted in here;
https://issues.jenkins.io/browse/JENKINS-60714
So steps that finally worked is explained as follows;
Install and configure the Jenkins Configuration as Code Plugin.
Upload your configuration similar to yaml file below.
You might also want to define the private key content as an environment variable in the Jenkins instance and use it as "${private_key}" instead of pasting it visibly.
jenkins:
systemMessage: "Example of configuring credentials in Jenkins"
credentials:
system:
domainCredentials:
- credentials:
- basicSSHUserPrivateKey:
description: "kro"
id: "kro"
scope: GLOBAL
username: "kro"
privateKeySource:
directEntry:
privateKey: |
-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEAvuiaIDs+ydzR7Xxo5Owvv+G9/arbqN0YwhaGQQlicJjM4ZvI
..........YOUR KEY.............
53Zg4QmSb1XGKUTXxIeGd27OIvgkwAn7K/cjQsU9t802iYV3tisnfA==
-----END RSA PRIVATE KEY-----

Jenkins: 403 No valid crumb was included in the request

I configured Jenkins in Spinnaker as follows and setup the Spinnaker pipeline.
jenkins:
# If you are integrating Jenkins, set its location here using the baseUrl
# field and provide the username/password credentials.
# You must also enable the "igor" service listed separately.
#
# If you have multiple Jenkins servers, you will need to list
# them in an igor-local.yml. See jenkins.masters in config/igor.yml.
#
# Note that Jenkins is not installed with Spinnaker so you must obtain this
# on your own if you are interested.
enabled: ${services.igor.enabled:false}
defaultMaster:
name: default
baseUrl: http://server:8080
username: spinnaker
password: password
But I am seeing the following error when trying to run the Spinnaker pipeline.
Exception ( Start Jenkins Job )
403 No valid crumb was included in the request
Finally, this post helped me to do away with the crumb problem, but still securing Jenkins from a CSRF attack.
Solution for no-valid crumb included in the request issue
Basically, we need to first request for a crumb with authentication and then issue a POST API calls with a crumb as a header along with authentication again.
This is how I did it,
curl -v -X GET http://jenkins-url:8080/crumbIssuer/api/json --user <username>:<password>
The response was,
{
"_class":"hudson.security.csrf.DefaultCrumbIssuer",
"crumb":"0db38413bd7ec9e98974f5213f7ead8b",
"crumbRequestField":"Jenkins-Crumb"
}
Then the POST API call with the above crumb information in it.
curl -X POST http://jenkins-url:8080/job/<job-name>/build --user <username>:<password> -H 'Jenkins-Crumb: 0db38413bd7ec9e98974f5213f7ead8b'
This solution is safe to use
We came along this issue when we changed Jenkins to be accessible via a reverse proxy.
There is an option in the "Configure Global Security" that "Enable proxy compatibility"
This helped with my issue.
Another solution
In the GitHub payload URL, make your URL look like this:
https://jenkins:8080/github-webhook/
Don’t forget to mention / at the end.
To resolve this issue I unchecked "Prevent Cross Site Request Forgery exploits" in jenkins.com/configureSecurity section and it started working.
I solved this by using an API token as a basic authentication password. Here is how:
curl -v -X POST http://jenkins-url:8080/job/<job-name>/buildWithParameters?param=value --user <username>:<token>
Note: To create the API token under the accounts icon → Configure → API Token → Add New token.
A crumb is nothing but an access token. Below is the API to get the crumb:
https://jenkins.xxx.xxx.xxx/crumbIssuer/api/json
// Replace it with your Jenkins URL and make a GET call in your Postman or REST API caller.
This will generate output like:
{
"_class": "hudson.security.csrf.DefaultCrumbIssuer",
"crumb": "ba4742b9d92606f4236456568a",
"crumbRequestField": "Jenkins-Crumb"
}
Below are more details and link related to same:
How to request for the crumb issuer for Jenkins
Jenkins wiki page.
If you are calling the same via REST API call, checkout the below link where it is explained how to do a REST call using jenkins-crumb.
https://blog.dahanne.net/2016/05/17/how-to-update-a-jenkins-job-posting-config-xml/
Example:
curl -X POST http://anthony:anthony#localhost:8080/jenkins/job/pof/config.xml --data-binary "#config.xml" -data ".crumb=6bbabc426436b72ec35e5ad4a4344687"
For the new release of Jenkins you should follow the solution below:
From Upgrading to Jenkins 2.176.3:
Upgrading to Jenkins 2.176.2 Improved CSRF protection
SECURITY-626
CSRF tokens (crumbs) are now only valid for the web session they were
created in to limit the impact of attackers obtaining them. Scripts
that obtain a crumb using the /crumbIssuer/api URL will now fail to
perform actions protected from CSRF unless the scripts retain the web
session ID in subsequent requests. Scripts could instead use an API
token, which has not required a CSRF token (crumb) since Jenkins 2.96.
To disable this improvement you can set the system property
hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true.
Alternatively, you can install the Strict Crumb Issuer Plugin which
provides more options to customize the crumb validation. It allows
excluding the web session ID from the validation criteria, and instead
e.g. replacing it with time-based expiration for similar (or even
better) protection from CSRF
In my case, it helped for the installation of the Strict Crumb Issuer Plugin, rebooting Jenkins and applying a less strict policy for the web interface of Jenkins as it is suggested on the vendor's site.
According to Jenkins Directive
First you have to check your Jenkins version if the version is < 2.176.2 then per Jenkins guideline CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them. Scripts that obtain a crumb using the /crumbIssuer/api URL will now fail to perform actions protected from CSRF unless the scripts retain the web session ID in subsequent requests.
Alternatively, you can install the Strict Crumb Issuer Plugin which provides more options to customize the crumb validation. It allows excluding the web session ID from the validation criteria, and instead e.g. replacing it with time-based expiration for similar (or even better) protection from CSRF.
Steps :
you have to installed the plugin called "Strict Crumb Issuer"
Once installed restart the jenkins service
got to "Manage Jenkins" --> "Configure Global Security" --> Under CSRF Protection, select "Strict Crumb Issue" from the drop down list --> Click on Advance and uncheck everything but select "Prevent Breach Attack" option. --> Apply and save.
Now run you crumb script.
It should work now.
Check this image for your reference
You need a two-step procedure to first get a crumb from the server and then use it.
I am using this Bash script and cURL for that:
#!/bin/bash
# buildme.sh Runs a build Jenkins build job that requires a crumb
# e.g.
# $ ./buildme.sh 'builderdude:monkey123' 'awesomebuildjob' 'http://paton.example.com:8080'
# Replace with your admin credentials, build job name and Jenkins URL
#
# More background:
# https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained
USERPASSWORD=$1
JOB=$2
SERVER=$3
# File where web session cookie is saved
COOKIEJAR="$(mktemp)"
CRUMB=$(curl -f -u "$USERPASSWORD" --cookie-jar "$COOKIEJAR" "$SERVER/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)")
status=$?
if [[ $status -eq 0 ]] ; then
curl -f -X POST -u "$USERPASSWORD" --cookie "$COOKIEJAR" -H "$CRUMB" "$SERVER"/job/"$JOB"/build
status=$?
fi
rm "$COOKIEJAR"
exit $status
Here is an example of executing this script with the parameters you need:
./buildme.sh 'builderdude:monkey123' 'awesomebuildjob'
Output:
'http://paton.example.com:8080'
This script will return an error code if one of the cURL command fails for any reason.
More details can be found from cloudbees.
I did get the same "403 No valid crumb was included in request" error when I created a Jenkins job from a Java program using jenkins-client library, i.e., com.offbytwo.jenkins. Then I used the Jenkins API token instead of password in the following code. Now, the issue is fixed.
JenkinsServer jServer = new JenkinsServer(new URI(jenkins_url), jnkn_username, jnkn_password);
We can generate an API token from the Jenkins console. Profile → Configure → API Token (Add new token).
The same API token can also be used instead of a password with curl.
curl -v -X POST http://jenkins-url:port/job/<job-name>/buildWithParameters?param=value --user <jen_username>:<jenkins_api_token>
I lost a bunch of time trying to figure this out. At the end, I just installed the plugin Build Authorization Token Root and enabled build permissions to anonymous users.
At the end doesn't really matter, because the Jenkins instance is behind a VPN and I'm using https://smee.io to forward the webhook to the Jenkins instance.
Also the Jenkins instance is behind a reverse proxy, so the "Enable proxy compatibility" option is checked as well, and the "ignore_invalid_headers" setting set to off in the Nginx configuration at the server level. I am sharing my solution just in case someone else is struggling as well. I'm sure there are better ways to do it, but this is one option.
Note that with this plugin the build URL is set to buildByToken/build?job=JobName&token=TokenValue and the token is generated in the job settings.
This is in Jenkins 2.235.2 which doesn't have an option to disable CSRF.
Since this question is the first SO link when searching for "No valid crumb was included in the request" in Google, I think it's worth mentioning that the same error is generated if you omit/forget the Authorization HTTP header or use a blank username/password:
Relevant error messages related to the Authorization header are only generated when a value is passed:
And, yes, the crumb passed in the first screenshots is actually valid; everything works with the correct username/password:
So, not sure if that's a bug or not, but "No valid crumb was included in the request" could also mean you accidentally forgot the Authorization header.
Jenkins 2.222.3, Ubuntu Server 20.04, Java Runtime 1.8.0_252-8u252-b09-1ubuntu1-b09
For me, the below solutions work in Bitbucket:
I updated the URL to:
http://jenkinsurl:8080/bitbucket-hook/
Bitbucket Webhook:
Visiting Jenkins with https://... instead of http://... solved the problem for me.
For me the solution was to pass the X-Forwarded-Host and X-Forwarded-Port headers
as suggested in the reverse-proxy-configuration-troubleshooting chapter of the Handbook.
HaProxy config, inside the frontend section:
http-request set-header X-Forwarded-Host %[hdr(host)]
http-request set-header X-Forwarded-Port %[dst_port]
I had the same issue while using a GitLab webhook with a Jenkins Multibranch pipeline.
On the GitLab webhook page, I changed the Jenkins job URL base path word job to project, as I found on in this link:
From: http://127.0.0.1:8080/job/user-test-repo
To: http://127.0.0.1:8080/project/user-test-repo
I followed this comment: In Dashboard → Manage Jenkins → Configure Global Security. Under CSRF Protection, choose option Enable proxy compatibility. It works for me.
When I was trying to build a job in Jenkins by following options like build steps, accessing Git code, whatever the options, etc., I
faced the error
jenkins-403-no-valid-crumb-was-included-in-the-request
Seriously, I tried a number of ways to resolve it... But there wasn't any luck...!
Surprisingly, I changed my Wi-Fi network, and then it worked.
In my case, I was able to bypass the error by using Remote Desktop into the Jenkins server directly and using
a localhost-based URL instead of trying to go through the corporate proxy from my computer.
I also faced a similar problem. I was using a password instead of a token.
When updated, it solved my problem. There isn't any need to uncheck anything and make it insecure. Below are the complete steps that I followed to have Jenkins CLI working:
Step 1: Prepare environment variables
export JENKINS_URL=http://localhost:8080/
export JENKINS_USER=admin
export JENKINS_PASSWORD=b7f04f4efe5ee117912a1.....
export JENKINS_CRUMB=f360....
export FOLDER=test
Obtain a token as:
How to get the API token for Jenkins
Get the crumb as:
http://localhost:8080/crumbIssuer/api/json
Step 2: Prepare the XML file, file name creds.xml
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<scope>GLOBAL</scope>
<id>TEST-CLI</id>
<username>test</username>
<password>test123</password>
<description>this secret if created confirms that jenkins-cli is working</description>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
Step 3: POST using cURL
curl -X POST -u $JENKINS_USER:$JENKINS_PASSWORD -H "Jenkins-Crumb:${JENKINS_CRUMB}" -H 'content-type:application/xml' -d #creds.xml "$JENKINS_URL/job/$FOLDER/credentials/store/folder/domain/_/createCredentials"
Here is my solution to this issue (Git hooks to launch a Jenkins job behind a reverse proxy).
Get the crumb from a first call and store the sessionid in a cookie jar:
CRUMB=$(/usr/bin/curl --cookie-jar ./cookie -sX GET https://******.net/crumbIssuer/api/json|cut -d'"' -f8)
Launch the job:
/usr/bin/curl --cookie ./cookie -X POST https://******.net/job/PROJECTNAME/build -H "Jenkins-Crumb: $CRUMB"
The guide CSRF Protection Explained explains how to generate a Jenkins crumb, save the cookies and use both the crumb and the saved cookies in the subsequent requests that require authentication. This is a must for Jenkins after version 2.176.2.
For Java code to access the Jenkins API I will let my advise out.
The answer of Santhosh does resolve the problem. That consists in changing the password for a token, but as far as I know, the token is now a legacy manner to do it.
So I tried other way, and find out a solution inside Java code.
Here how I did it.
In my Java code I use the com.offbytwo.jenkins package and the class that I use is JenkinsServer.
My problem was to create a job in Jenkins because I was getting an error: "403 No valid crumb was included in request"
Then I found a Boolean parameter called crumbFlag and passed true on it and everything worked.
My code was like this:
jenkins.createJob(job.getName(), config);
Then, I changed for this, and it worked like a charm:
jenkins.createJob(job.getName(), config, true);
This parameter is inside almost all methods of this package, by example:
createJob(String jobName, String jobXml, Boolean crumbFlag)
updateJob(String jobName, String jobXml, boolean crumbFlag)
renameJob(String oldJobName, String newJobName, Boolean crumbFlag)
Others.
The technical documentation inside the code is:
#param crumbFlag true to add crumbIssuer
* false otherwise.
I understood if you pass true for this parameter it will issue a crumb automatically.
Well, the official documentation has this information in detail. If you wish, take a look here:
Class JenkinsServer
I had the same issue when trying to set up a GitHub project with the GitHub Pull Request Builder plugin.
Here is an example of the response I was getting from my Jenkins server
Response content
The problem was happening because my payload URL was missing a forward slash at the end, /.
adding a forward slash at the end of the URL solves the problem
your payload URL should look like this: https://jenkins.host.com/ghprbhook/
Examples after adding the forward slash
I am running with a reverse proxy with nignx. I changed a Jenkins option in the "Configure Global Security", that "Enable proxy compatibility".
This fixed with my issue.
First create a user API token by going to user → API Token → Add new token.
Then use the below script for triggering.
import jenkins,requests
job_name='sleep_job'
jenkins_url = "http://10.10.10.294:8080"
auth = ("jenkins","1143e7efc9371dde2e4f312345bec")
request_url = "{0:s}/job/{1:s}/buildWithParameters".format(jenkins_url,
job_name, )
crumb_data = requests.get("{0:s}/crumbIssuer/api/json".format(jenkins_url),
auth=auth, ).json()
headers = {'Jenkins-Crumb': crumb_data['crumb']}
jenkins_job_params={}
jenkins_job_params['NODE_NAME']='10_10_1_29'
jenkins_job_params['SLEEP_TIME']='1h'
response = requests.post(request_url, data=jenkins_job_params, auth=auth, )
response.raise_for_status()
Head over to Manage Jenkins => Configure global security.
Then uncheck "Prevent Cross Site Request Forgery exploits"
I have run into the same issue. I have only refreshed my browser, logged back in to Jenkins, did the same process and everything worked.

Resources