Jenkins input pipeline step filled via POST with CSRF - howto?

Question

I have Jenkins pipeline with an Input step, and I would like to submit this input(single string argument) via a script. So far I am trying with curl, ideally I'll be sending it via Python requests library. This should be an easy POST request, however with CSRF it becomes tricky. I've obtained Jenkins-Crumb (using curl in this case, from the same machine and same bash session), but still can't send the content...

I'm sending Jenkins-Crumb:XXX header, just like it is explained at https://wiki.jenkins-ci.org/display/JENKINS/Remote+access+API

my request looks like this:

curl -vvv -X POST --user '${USER}:${API_KEY}' -H "Jenkins-Crumb:${JENKINS_CRUMB}" -d 'json="{"parameter":{"name":"${PARAM_NAME}","value":"asd"},"Jenkins-Crumb":"${JENKINS_CRUMB}"}"' 'http://${JENKINS_URL}/job/${JOB_NAME}/${BUILD_NR}/input/'

The URL I'm POSTing at is the same, as the one linked in build log (Console output).

Answer 1

There is an easier way, simply call the proceedEmpty URL for the jobs:

curl -X POST -H "Jenkins-Crumb:${JENKINS_CRUMB}" http://${JENKINS_URL}/job/${JOB_NAME}/${BUILD_ID}/input/${INPUT_ID}/proceedEmpty

There is no need to pass in body data.

To abort, use:

curl -X POST -H "Jenkins-Crumb:${JENKINS_CRUMB}" http://${JENKINS_URL}/job/${JOB_NAME}/${BUILD_ID}/input/${INPUT_ID}/abort

Answer 2

I managed to resolve this issue.

Hoping that someone else will benefit from my answer, let me explain how I achieved OPs target.

All that Jenkis Pipeline input step needs is a properly formatted JSON and OK button caption sent to the right URL.

So, the proper syntax is:

curl -X POST -H "Jenkins-Crumb:${JENKINS_CRUMB}" -d json='{"parameter": {"name": "${PARAMETER_NAME}", "value": "${PARAMETER_VALUE}"}}' -d proceed='${SUBMIT_CAPTION}' 'http://j${JENKINS_URL}/job/${JOB_NAME}/${BUILD_ID}/input/${INPUT_ID}/submit'

regards

Answer 3

I just downloaded the latest stable release of Jenkins (2.7.2) and tested the csrf mechanism and it seems like it worked as expected.

For example, the following command successfully kicked off a job called "test".

curl -X POST -u admin:test --header "Jenkins-Crumb:9c771b9e74d8d1d4b80766b63165c79d" http://localhost:8080/job/test/build

That being said, your command looks like it should work. Could you try the following to narrow down the problem:

1. Try to kick off a build using the csrf mechanism rather than using the Jenkins input pipeline. This will at least let us know if it's the csrf that's causing the problem or the plugin.
2. Try a newer version of Jenkins (if you're not on the latest stable).

Let me know your results.

Answer 4

For properly using the wfapi I'd like to recommend the following bash script. You need an API user on jenkins. The API user should have the permissions Overall/Read, Job/Read and Job/Build set using Jenkins -> Manage Jenkins -> Manage and Assign Roles.

Let's assume your build is paused using

input message: 'Does the build work on the Testserver?', ok: 'Yes'

The following script will continue it. This is a simplified version, without any checks. It assumes that the most recent build is paused waiting for input. You need to change the variables at the top to match your environment.

#!/bin/bash
JENKINS_SERVER_URL=https://www.example.com
JENKINS_URL=${JENKINS_SERVER_URL}/jenkins
JENKINS_USER=YOUR-API-USER
JENKINS_API_TOKEN=YOUR-API-TOKEN
JENKINS_PROJECT=your-project
JENKINS_WGET_PARAMS="--auth-no-challenge --http-user=${JENKINS_USER} --http-password=${JENKINS_API_TOKEN}"

# Get the ID of the most recent build
mrBuildInfo=$(wget -q -O - ${JENKINS_WGET_PARAMS} "${JENKINS_URL}/job/${JENKINS_PROJECT}/wfapi/runs" | jq '.[0] | {id: .id, status: .status}')
# mrBuildInfo is now something like: '{ "id": "13", "status": "PAUSED_PENDING_INPUT" }'
mrBuildId=$(echo "$mrBuildInfo" | jq --raw-output '.id')
mrBuildStatus=$(echo "$mrBuildInfo" | jq --raw-output '.status')

# From here on we assume that $mrBuildStatus is PAUSED_PENDING_INPUT
# Get the first pending input action, assuming there is one
mrBuildInputActions=$(wget -q -O - ${JENKINS_WGET_PARAMS} "${JENKINS_URL}/job/${JENKINS_PROJECT}/${mrBuildId}/wfapi/pendingInputActions" | jq --raw-output '.[0]')
mrBuildProceedUrl=$(echo "$mrBuildInputActions" | jq --raw-output '.proceedUrl')
mrBuildProceedText=$(echo "$mrBuildInputActions" | jq --raw-output '.proceedText')
# We need to pass json={} and proceed=Yes, the curly braces are already URL encoded here
wget -q -O - "--post-data=json=%7B%7D&proceed=$mrBuildProceedText" ${JENKINS_WGET_PARAMS} "${JENKINS_SERVER_URL}${mrBuildProceedUrl}"

Which basically boils down to:

wget -q -O - "--post-data=json=%7B%7D&proceed=Yes" --auth-no-challenge --http-user=${JENKINS_USER} --http-password=${JENKINS_API_TOKEN} "https://www.example.com/jenkins/job/${JENKINS_JOB}/${JOB_NR}/wfapi/inputSubmit?inputId=YOUR-INPUT-ID"