Jenkins - No valid crumb was included in request - jenkins

Jenkins - 2.263.1(LTS) deployed through tomcat on CentOS-8.2and have Nginx reverse proxy running in-front of Jenkins.
Under Manage Jenkins > Configure Systems - Apply and Save not working, Due to this error, i cannot Apply (or) Save any of my configurations, It always shows below error on browser (Firefox & Chrome).
HTTP Status 403 – Forbidden
Type Status Report
Message No valid crumb was included in the request
Description The server understood the request but refuses to authorize
it. Apache Tomcat/9.0.30
Also Jenkins > Manage Jenkins > Configure Global Security - Apply works. But Save not working this too results same above given error.
Systems log error message.
Feb 19, 2021 10:56:05 AM WARNING hudson.security.csrf.CrumbFilter
doFilter No valid crumb was included in request for
/jenkins/configSubmit by ankit.sahu. Returning 403.
Workaround tried:-
1) Under Configure Global security > CSRF Protection > Enable proxy compatibility( Tick marked Enabled). - Didn't work so disabled with below command.
2) hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true - Even this didn't solve the problem.
3) Installed the Strict Crumb Issuer plugin.
Enabled this plugin and unchecked Check the session ID from its configuration (Under Jenkins Configure Global Security).
4) Restated the Jenkins.
Even tried by adding below in /apache-tomcat-9.0.30/conf/tomcat-users.xml file.
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
</tomcat-users>
However still experiencing same problem. I don't know how to fix it, Can someone help me?

You can (temporarily) disable CSRF with below groovy script. Go to Manage Jenkins >> Script Console, then execute the below groovy script.
import jenkins.model.Jenkins
def instance = Jenkins.instance
instance.setCrumbIssuer(null)

The nonces embedded into web output from Jenkins with CSRF protection are based (at least in part as I've read) on values from the requesting client. In addition to making sure your reverse proxy is correctly configured to pass X-Forwarded-For and X-Forwarded-Proto, make sure that Tomcat valve is in place to expose those header values in the servlet request API so Jenkins has access to them.
Add the following to $CATALINA_BASE/conf/server.xml, subordinate to the <Host> element:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-troubleshooting/
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/
ref: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve

If you're using jenkinsapi, I resolved this error by specifying useCrumb=True in the constructor:
j = Jenkins(base_url, username=username, password=password, useCrumb=True)

Related

ZAP SCAN: Jenkins Job failed (url_not_in_context)

I have installed ZAP plugin on Jenkins and downloaded ZAP-Proxy WAR file in Jenkins Server(ubuntu)
and configured as jenkins job but its giving error when I execute the Job
4051 [ZAP-ProxyThread-15] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/xml/spider/action/scanAsUser/] from [127.0.0.1]:
The provided url is not in the required context (url_not_in_context) : url
at org.zaproxy.zap.extension.spider.SpiderAPI.scanURL(SpiderAPI.java:508)
at org.zaproxy.zap.extension.spider.SpiderAPI.handleApiAction(SpiderAPI.java:283)
at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:506)
at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:499)
at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335)
at java.lang.Thread.run(Thread.java:748)
ERROR: org.zaproxy.clientapi.core.ClientApiException: The provided url is not in the required context
There is a property named Include in Context in job.
Found under: Build > Session Properties > Include in Context
If you have your starting point like
http://<IP/Host>:port/context1/context2/
under attack mode.
Keep Include in Context configured as
http://<IP/Host>:port/.*
so as to consider that URL as valid context with anything changing after /.

Google Spreadsheet Connector Issue: Unable to get valid certificate path to requested Google API OAUTH2 target

Having problems with google-spreadsheets:authorize. The exact error received is the following when going through the oauth2callback...
500 Server Error. Message - Unable to fetch access token.
Local Dev Environment:
Mule ESB 3.9
JDK 1.8_161
Google Spreadsheet Connector 1.2.4
http://localhost:3000/oauth2callback?state=some_generated_state_value&code=some_generated_code
<google-spreadsheets:config-with-oauth name="Google_Spreadsheets" consumerKey="${google.apiKey}" consumerSecret="${google.apiSecret}" doc:name="Google Spreadsheets">
<google-spreadsheets:oauth-callback-config domain="localhost" localPort="3000" remotePort="3000" path="oauth2callback"/>
</google-spreadsheets:config-with-oauth>
<flow name="authorizationAndAuthenticationFlow">
<http:listener config-ref="httpListenerConfig" path="${google.api}/oauth-authorize" allowedMethods="GET" doc:name="HTTP" >
</http:listener>
<google-spreadsheets:authorize config-ref="Google_Spreadsheets" accessTokenUrl="https://accounts.google.com/o/oauth2/token" authorizationUrl="https://accounts.google.com/o/oauth2/auth" doc:name="Google Spreadsheets"/>
<logger message="Google has authorized the connector." level="INFO" doc:name="Logger: Log Google authorization"/>
<set-payload value="You have successfully authorized the connector" doc:name="Set Payload"/>
</flow>
The exact stack trace error is below...
ERROR 2018-02-08 19:35:25,195 [[app-google].auto-generated-listener-config-0.worker.01] org.mule.exception.DefaultMessagingExceptionStrategy:
********************************************************************************
Message : Unable to fetch access token.
Payload : {NullPayload}
Payload Type : org.mule.transport.NullPayload
Element : /DynamicFlow-localhost:3000\/oauth2callback/processors/0/1 # app-google
--------------------------------------------------------------------------------
Root Exception stack trace:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
at org.mule.security.oauth.util.HttpUtilImpl.post(HttpUtilImpl.java:72)
Any ideas on how to resolve this issue. I'm not sure if it's a connector source code issue or an issue with Google potentially changing their OAUTH2 API implementation in v4. Either way the stack trace seems to be clear with TLS certificate issues. Maybe need to provide the google api certificate, so any idea on how to inject a truststore used by the application or JVM to get passed this certifcate issue?
My java installation was not installed correctly after re-imaging my system. Reinstalled JDK 1.8_161 and it fixed the certificate issue.

Create Job Dynamically in Jenkins

I have a job in jenkins with a configuration, then, with the jenkins API in /cli i can get-job (API method) with an xml structure of my job and then i can create-job (API method) in jenkins with the followed xml.
?xml version='1.0' encoding='UTF-8'?>
<project>
<actions/>
<description></description>
<keepDependencies>false</keepDependencies>
<properties/>
<scm class="hudson.plugins.git.GitSCM" plugin="git#2.2.7">
<configVersion>2</configVersion>
<userRemoteConfigs>
<hudson.plugins.git.UserRemoteConfig>
<url>https://username:password#bitbucket.org/repoowner/project.git</url>
<credentialsId>550e8400-e29b-41d4-a716-446655440000</credentialsId>
</hudson.plugins.git.UserRemoteConfig>
</userRemoteConfigs>
....
Even if i give this url tag "https://username:password#bitbucket.org/repoowner/project.git" jenkins needs authentication to work, so in credentialsId tag jenkins give an UUID.
I want to be able to create a job dynamically by an external application with a given URL in this format "https://username:password#bitbucket.org/repoowner/project.git".
How can it be done?
Thanks.
You can get the credentialsId via the API and the credentials-store plugin.
e.g. for credentials in global Domain
${ your-jenkins-domain }/credential-store/domain/_/api/xml
<domainWrapper>
<credentials>
<_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/>
</credentials>
<description></description>
<displayName></displayName>
<fullDisplayName></fullDisplayName>
<fullName>credential-store/_</fullName>
<global>true</global>
<urlName>_</urlName>
</domainWrapper>
But on some point it is a bit tricky:
when accessing the xml api for global domain the id already has a '_' as prefix. When using other domains the prefix is missing (but in a job a prefix is added... couldn't figure out where the prefix can be found)
e.g. I stored github access data in a separated domain, the credentialsId tag was:
<XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/>
but used in a job id was:
0XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Actually i solve the problem just creating an generic user in bitbucket, then the UUID its always the same and i can just copy and paste that UUID to the others project.xml files.

Messages from Gelf4Net are not stored in Graylog2

I have an Ubuntu server with Elasticsearch, MongoDB, and Graylog2 running in Azure, and I have an asp.net mvc4 application I am trying to send logs from. (I am using Gelf4Net / Log4Net as the logging component). To cut to the chase, nothing is being logged.
(skip to the update to see what is wrong)
The setup
1 Xsmall Ubuntu VM running the needed software for graylog2
everything is running as a daemon
1 Xsmall cloud service with the MVC4 app (2 instnaces)
A virtual network setup so they can talk.
So what have I tried?
From the linux box the follow command will cause a message to be logged echo "<86>Dec 24 17:05:01 foo-bar CRON[10049]: pam_unix(cron:session):" |
nc -w 1 -u 127.0.0.1 514
I can change the IP address to use the public IP and it works fine as well.
using this powershell script I can log the same message from my dev machine as well as the production web server
Windows firewall turned off and it still doesn't work.
I can log to a FileAppender Log4Net, so I know Log4Net is working.
tailing the graylog2.log shows nothing of interest. Just a few warning about my plugin directory
So I know everything is working, but I can't get the Gelf4Net appender to work. I'm a loss here. Where can I look? Is there something I am missing
GRAYLOG2.CONF
#only showing the connection stuff here. If you need something else let me know
syslog_listen_port = 514
syslog_listen_address = 0.0.0.0
syslog_enable_udp = true
syslog_enable_tcp = false
web.config/Log4Net
//application_start() has log4net.Config.XmlConfigurator.Configure();
<log4net >
<root>
<level value="ALL" />
<appender-ref ref="GelfUdpAppender" />
</root>
<appender name="GelfUdpAppender" type="Gelf4net.Appender.GelfUdpAppender, Gelf4net">
<remoteAddress value="public.ip.of.server"/>
<remotePort value="514" />
<layout type="Gelf4net.Layout.GelfLayout, Gelf4net">
<param name="Facility" value="RandomPhrases" />
</layout>
</appender>
</log4net>
update
for some reason it didn't occur to me to run graylog in debug mode :) Doing so shows this message.
2013-04-09 03:00:56,202 INFO : org.graylog2.inputs.syslog.SyslogProcessor - Date could not be parsed. Was set to NOW because allow_override_syslog_date is true.
2013-04-09 03:00:56,202 DEBUG: org.graylog2.inputs.syslog.SyslogProcessor - Skipping incomplete message.
So it is sending an incomplete message. How can I see what is wrong with it?
I was using the wrong port (DOH!)
I should have been using the port specified in graylog2.config / gelf_listen_port = 12201
so my web.config/log4net/gelf appender should have had
<appender name="GelfUdpAppender" type="Gelf4net.Appender.GelfUdpAppender, Gelf4net">
...
<remotePort value="12201" />
...
</appender>
For anyone who may have the same problem, make sure Log4Net reloads the configuration after you change it. I don't have it set to watch the config file for changes, so it took me a few minutes to realize that I was using the wrong port. When I changed it from 514 to 12201 the first time, messages still weren't getting though. I had to restart the server for Log4Net to pick up the new config, and then it started to work.

Making JSESSIONID cookie be httpOnly in Jetty 7

We're running grails 2.0 + jetty 7.6.6 and need to set JSESSIONID cookie to be httpOnly.
All of the answers on stackoverflow seem to refer to either Servlet 3.0 (which requires jetty 8) or to tomcat.
Can anyone provide me with a clear way of setting the JSESSIONID cookie be httpOnly for jetty 7.x?
I have tried adding jetty-web.xml file with the following contents, but it still didn't work (i.e. the JSESSIONID wasn't marked as httpOnly):
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
<Get name="sessionHandler">
<Get name="sessionManager">
<Set name="httpOnly" type="boolean">true</Set>
</Get>
</Get>
</Configure>
All I had to do is to put the jetty-web.xml in the right folder. Initially I was putting into jetty/etc folder, but instead it should have been in the WEB-INF directory.

Resources