Failing REST API tests in 2.222 and newer

[Daniel Beck]

FYI the release 2.222 and therefore the new LTS line may start breaking tests that exercise REST API features due to the enforced CSRF protection[1]: Responses to POST requests will be 403 without a valid CSRF crumb.

Tests like that should be changed to enable authentication in Jenkins if they don't, and authenticate HTTP requests using an API token instead of a password. Doing that is the preferred approach to using REST APIs since 2.96. A short-term alternative to just make tests pass (but less relevant to how Jenkins is actually used) would be setting the system property hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION to true before Jenkins is started.

1: https://jenkins.io/changelog/#v2.222

[Jesse Glick]

On Sun, Mar 8, 2020 at 8:23 AM Daniel Beck <m...@beckweb.net> wrote:
> 2.222 and therefore the new LTS line may start breaking tests that exercise REST API features due to the enforced CSRF protection

I guess this should not affect typical functional tests due to

https://github.com/jenkinsci/jenkins-test-harness/blob/d0fc8acc9be04ba3f4b81317734f23a96626a6d4/src/main/java/org/jvnet/hudson/test/JenkinsRule.java#L417

Maybe JTH should be amended to use the stock implementation in 2.222+?

[Daniel Beck]

> On 9. Mar 2020, at 16:17, Jesse Glick <jgl...@cloudbees.com> wrote:
>
> I guess this should not affect typical functional tests due to
>
> https://github.com/jenkinsci/jenkins-test-harness/blob/d0fc8acc9be04ba3f4b81317734f23a96626a6d4/src/main/java/org/jvnet/hudson/test/JenkinsRule.java#L417
>
> Maybe JTH should be amended to use the stock implementation in 2.222+?

Good point, I wasn't aware of that. Looks like it's far more limited then: The failing test I saw was an ATH test.