[JIRA] (JENKINS-59193) Session-ID missing alongside CSRF tokens

2 views
Skip to first unread message

katzdm@gmail.com (JIRA)

unread,
Sep 2, 2019, 6:55:05 PM9/2/19
to jenkinsc...@googlegroups.com
Daniel Katz created an issue
 
Jenkins / Bug JENKINS-59193
Session-ID missing alongside CSRF tokens
Issue Type: Bug Bug
Assignee: Unassigned
Components: swarm-plugin
Created: 2019-09-02 18:54
Environment: Jenkins LTS 2.176.3
Priority: Minor Minor
Reporter: Daniel Katz

Jenkins LTS 2.176.3 incorporated commit ace596, which factors the Session ID into the computation of CSRF crumbs; since a new Session ID is generated if none is provided, previously issued crumbs are rendered useless in the absence of a reusable Session ID. This currently prevents Swarm clients from connecting to Jenkins masters secured with the DefaultCrumbIssuer, since the generated crumb is immediately rendered useless.

I think a fix would involve the Swarm plugin using a persistent session ID on the client-side. I labeled this issue as "minor", because an easy workaround exists (setting hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true on the Jenkins master). It should be noted, however, that this reduces the efficacy of the fixes to SECURITY-626 and SECURITY-1491.
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

me@basilcrow.com (JIRA)

unread,
Oct 29, 2019, 8:29:05 PM10/29/19
to jenkinsc...@googlegroups.com
Basil Crow updated an issue
Change By: Basil Crow
Priority: Minor Major
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
Atlassian logo

me@basilcrow.com (JIRA)

unread,
Oct 29, 2019, 8:29:05 PM10/29/19
to jenkinsc...@googlegroups.com
Basil Crow started work on Bug JENKINS-59193
 
Change By: Basil Crow
Status: Open In Progress

me@basilcrow.com (JIRA)

unread,
Oct 29, 2019, 8:29:05 PM10/29/19
to jenkinsc...@googlegroups.com
Basil Crow assigned an issue to Basil Crow
Change By: Basil Crow
Assignee: Basil Crow

me@basilcrow.com (JIRA)

unread,
Oct 29, 2019, 10:18:03 PM10/29/19
to jenkinsc...@googlegroups.com
Basil Crow commented on Bug JENKINS-59193
 
Re: Session-ID missing alongside CSRF tokens

Daniel Katz Hiroki OHZAKI Can you provide me with a list of steps to reproduce the issue? Bonus points if you can submit a PR with a failing unit test. I tried updated the unit tests to use Jenkins 2.176.3 and DefaultCrumbIssuer, but the tests still passed:

diff --git a/plugin/src/test/java/hudson/plugins/swarm/SwarmClientIntegrationTest.java b/plugin/src/test/java/hudson/plugins/swarm/SwarmClientIntegrationTest.java
index b4d1f12..426e01c 100644
--- a/plugin/src/test/java/hudson/plugins/swarm/SwarmClientIntegrationTest.java
+++ b/plugin/src/test/java/hudson/plugins/swarm/SwarmClientIntegrationTest.java
@@ -12,6 +12,7 @@ import hudson.model.FreeStyleProject;
 import hudson.model.Node;
 import hudson.plugins.swarm.test.ProcessDestroyer;
 import hudson.plugins.swarm.test.TestUtils;
+import hudson.security.csrf.DefaultCrumbIssuer;
 import hudson.tasks.BatchFile;
 import hudson.tasks.CommandInterpreter;
 import hudson.tasks.Shell;
@@ -28,6 +29,7 @@ import org.apache.commons.lang.RandomStringUtils;
 import org.apache.commons.lang.math.NumberUtils;
 import org.junit.After;
 import org.junit.Assume;
+import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Rule;
 import org.junit.Test;
@@ -51,6 +53,11 @@ public class SwarmClientIntegrationTest {
 
     private final ProcessDestroyer processDestroyer = new ProcessDestroyer();
 
+    @Before
+    public void setIssuer() {
+        j.jenkins.setCrumbIssuer(new DefaultCrumbIssuer(false));
+    }
+
     /** Executes a shell script build on a Swarm Client agent. */
     @Test
     public void buildShellScript() throws Exception {
diff --git a/pom.xml b/pom.xml
index cdaf0ed..3c7d7c2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -24,7 +24,7 @@
     <version>3.18-SNAPSHOT</version>
 
     <properties>
-        <jenkins.version>2.60.3</jenkins.version>
+        <jenkins.version>2.176.3</jenkins.version>
         <java.level>8</java.level>
     </properties>

me@basilcrow.com (JIRA)

unread,
Oct 29, 2019, 10:37:04 PM10/29/19
to jenkinsc...@googlegroups.com

For what it's worth, I also tried a manual test of installing Jenkins 2.190.1, ensuring that "Prevent Cross Site Request Forgery exploits" was checked with "Default Crumb Issuer" as the crumb algorithm, and then running this command:

java -jar swarm-client-3.17.jar -master <url> -username <username> -password <password> -name <name> -disableClientsUniqueId  -deleteExistingClients

This worked fine as well. Without being able to reproduce the error, I won't be able to make progress fixing this I'm afraid.

Kuypers.Dirk@googlemail.com (JIRA)

unread,
Nov 4, 2019, 1:21:03 PM11/4/19
to jenkinsc...@googlegroups.com

I am not sure if this is related. I am hit by 403 after a restart of the master. Node was connected via swarm, master restart due to (Windows) updates, swarm client refuses to connect with 403. Client restart does not help. After 24 hours something seems to expire and clients can connect again. I have installed the new Crumb Issuer Plugin and I have unticked the Session ID.

Environment is Windows 2016 server for the master, Windows 10 for the clients, Active Directory and Role-Based Access (which can be found when googling for swarm and 403 quite often:-/)

me@basilcrow.com (JIRA)

unread,
Nov 6, 2019, 5:16:03 PM11/6/19
to jenkinsc...@googlegroups.com

Thanks for the information Dirk Kuypers. Unfortunately this still doesn't get me any closer to reproducing the problem or resolving it. The unit tests I mentioned above do restart Jenkins (see PipelineJobTest), although not on Windows. If someone can provide me with steps to reproduce this problem from scratch I would be very grateful.
Reply all
Reply to author
Forward
0 new messages