How to request for the crumb issuer for Jenkins
I want to use the Jenkins Remote API, and I am looking for safe solution. I came across Prevent Cross Site Request Forgery exploits and I want to use it, but I
-
In any of these answers I didn't find an option to use
Jenkins API token. I really tried all of these options but if you're enablingCSRFprotection, you should access Jenkins APIs withJenkins API tokeninstead of normalpassword. This token can be generated by each individual user in the user config page. The token can be used as follows-JenkinsApi::Client.new(server_url: jenkins_url, username: jenkins_user, password: jenkins_token)P.S. - This initialization is for a Ruby Jenkins API client
讨论(0) -
This Python function gets the crumb, and additionally uses the crumb to post to a Jenkins endpoint. This is tested with Jenkins 2.46.3 with CSRF protection turned on:
import urllib.parse import requests def build_jenkins_job(url, username, password): """Post to the specified Jenkins URL. `username` is a valid user, and `password` is the user's password or (preferably) hex API token. """ # Build the Jenkins crumb issuer URL parsed_url = urllib.parse.urlparse(url) crumb_issuer_url = urllib.parse.urlunparse((parsed_url.scheme, parsed_url.netloc, 'crumbIssuer/api/json', '', '', '')) # Get the Jenkins crumb auth = requests.auth.HTTPBasicAuth(username, password) r = requests.get(crumb_issuer_url, auth=auth) json = r.json() crumb = {json['crumbRequestField']: json['crumb']} # POST to the specified URL headers = {'Content-Type': 'application/x-www-form-urlencoded'} headers.update(crumb) r = requests.post(url, headers=headers, auth=auth) username = 'jenkins' password = '3905697dd052ad99661d9e9f01d4c045' url = 'http://jenkins.example.com/job/sample/build' build_jenkins_job(url, username, password)讨论(0) -
User cheffe's answer helped 90%. Thanks for giving us the right direction.
The missing 10% revolved around HTTP username and password authentication.
Since the Codenameone Java API I was using did not have the Authentication Class,
new UsernamePasswordCredentials(usernName, password));I used:
String apiKey = "yourJenkinsUsername:yourJenkinsPassword"; httpConnection.addRequestHeader("Authorization", "Basic " + Base64.encode(apiKey.getBytes()));讨论(0) -
User cheffe's Java snippet worked great for me on Jenkins v2.89.3 (Eclipse.org) and another Jenkins instance I use, at v2.60.3 (once enabled1).
I've added this to a Maven mojo2 I use for pushing locally-edited
config.xmlchanges back to the server.1 CSRF Protection
2 Hudson job sync plugin讨论(0) -
I haven't found this in the documentation either. This code is tested against an older Jenkins (1.466), but should still work.
To issue the crumb use the
crumbIssuer// left out: you need to authenticate with user & password -> sample below HttpGet httpGet = new HttpGet(jenkinsUrl + "crumbIssuer/api/json"); String crumbResponse = toString(httpclient, httpGet); CrumbJson crumbJson = new Gson().fromJson(crumbResponse, CrumbJson.class);This will get you a response like this
{"crumb":"fb171d526b9cc9e25afe80b356e12cb7","crumbRequestField":".crumb"}This contains two pieces of information you need
- the field name with which you need to pass the crumb
- the crumb itself
If you now want to fetch something from Jenkins, add the crumb as header. In the sample below I fetch the latest build results.
HttpPost httpost = new HttpPost(jenkinsUrl + "rssLatest"); httpost.addHeader(crumbJson.crumbRequestField, crumbJson.crumb);Here is the sample code as a whole. I am using gson 2.2.4 to parse the response and Apache's httpclient 4.2.3 for the rest.
import org.apache.http.auth.*; import org.apache.http.client.*; import org.apache.http.client.methods.*; import org.apache.http.impl.client.*; import com.google.gson.Gson; public class JenkinsMonitor { public static void main(String[] args) throws Exception { String protocol = "http"; String host = "your-jenkins-host.com"; int port = 8080; String usernName = "username"; String password = "passwort"; DefaultHttpClient httpclient = new DefaultHttpClient(); httpclient.getCredentialsProvider().setCredentials( new AuthScope(host, port), new UsernamePasswordCredentials(usernName, password)); String jenkinsUrl = protocol + "://" + host + ":" + port + "/jenkins/"; try { // get the crumb from Jenkins // do this only once per HTTP session // keep the crumb for every coming request System.out.println("... issue crumb"); HttpGet httpGet = new HttpGet(jenkinsUrl + "crumbIssuer/api/json"); String crumbResponse= toString(httpclient, httpGet); CrumbJson crumbJson = new Gson() .fromJson(crumbResponse, CrumbJson.class); // add the issued crumb to each request header // the header field name is also contained in the json response System.out.println("... issue rss of latest builds"); HttpPost httpost = new HttpPost(jenkinsUrl + "rssLatest"); httpost.addHeader(crumbJson.crumbRequestField, crumbJson.crumb); toString(httpclient, httpost); } finally { httpclient.getConnectionManager().shutdown(); } } // helper construct to deserialize crumb json into public static class CrumbJson { public String crumb; public String crumbRequestField; } private static String toString(DefaultHttpClient client, HttpRequestBase request) throws Exception { ResponseHandler<String> responseHandler = new BasicResponseHandler(); String responseBody = client.execute(request, responseHandler); System.out.println(responseBody + "\n"); return responseBody; } }讨论(0) -
Or you can use Python and
requestsinsteadreq = requests.get('http://JENKINS_URL/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)', auth=(username, password)) print(req.text)will give you the name and the crumb:
Jenkins-Crumb:e2e41f670dc128f378b2a010b4fcb493讨论(0)
加载中...
- 热议问题