[JIRA] (JENKINS-59967) getting 403 for invalid crumb on trigger remote job


Ben.Dean@OntarioSystems.com (JIRA)

Oct 28, 2019, 5:42:03 PM
to jenkinsc...@googlegroups.com
Ben Dean created an issue
 
Jenkins / Bug JENKINS-59967
getting 403 for invalid crumb on trigger remote job
Issue Type: Bug
Assignee: KaiHsiang Chang
Components: parameterized-remote-trigger-plugin
Created: 2019-10-28 21:41
Environment: Jenkins 2.198
Parameterized-Remote-Trigger 3.1.0

both jenkins masters running in Kubernetes
Priority: Minor
Reporter: Ben Dean

When I trigger a job from a pipeline with:

triggerRemoteJob([
    auth                   : CredentialsAuth(credentials: 'something'),
    job                    : jobName,
    remoteJenkinsName      : 'Prod Jenkins',
    useCrumbCache          : true,
    useJobInfoCache        : true,
    blockBuildUntilComplete: false,
    parameters             : "VERSION=1.2.3",
])

I get a 403 when it is trying to do CSRF crumb stuff. On the remote Jenkins log I see:

WARNING	hudson.security.csrf.CrumbFilter#doFilter: Found invalid crumb 163***********************************************************3c.  Will check remaining parameters for a valid one...
WARNING	hudson.security.csrf.CrumbFilter#doFilter: No valid crumb was included in request for /job/prod_folder/job/some_repo/job/default/buildWithParameters by Prod-Build-User. Returning 403.

In the build log on the non-remote Jenkins I see output that makes me think it's calling the code to get the CSRF crumb.

CSRF protection is enabled on the remote server.

Which is from this line:
https://github.com/jenkinsci/parameterized-remote-trigger-plugin/blob/Parameterized-Remote-Trigger-3.1.0/src/main/java/org/jenkinsci/plugins/ParameterizedRemoteTrigger/utils/HttpHelper.java#L253

But for some reason the one it gets and sends is not working. I've tried with the csrf caching turned on and turned off. It doesn't make any difference.

There was recently a change to how Jenkins does something with CSRF in 2.190, JENKINS-58734

Not sure if that's playing into this or not.

 
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

danofthebateman@gmail.com (JIRA)

Nov 12, 2019, 7:18:02 AM
to jenkinsc...@googlegroups.com
Dan Bateman commented on Bug JENKINS-59967
 
Re: getting 403 for invalid crumb on trigger remote job

Facing the same issue on v2.190.1 of Jenkins LTS Release and Parameterized Remote Trigger Plugin v3.1.0

https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626 appears to have broken the remote trigger plugin.

We will attempt to use the strict crumb issuer plugin to disable the session id and see if that works.

 

cash924n@gmail.com (JIRA)

Nov 12, 2019, 7:29:03 AM
to jenkinsc...@googlegroups.com

How about setting the crumb cache to false?

danofthebateman@gmail.com (JIRA)

Nov 12, 2019, 10:01:02 AM
to jenkinsc...@googlegroups.com

KaiHsiang Chang: nope, that didn't seem to work. If I disable CSRF completely, it works, but I will look at strict crumb issuer instead until this is resolved.

danofthebateman@gmail.com (JIRA)

Nov 12, 2019, 10:34:03 AM
to jenkinsc...@googlegroups.com

Also, in case anyone is interested in the Groovy for setting this up (strict crumb issuer), since I couldn't find it documented anywhere, here it is (this worked at the time of writing):

import org.jenkinsci.plugins.strictcrumbissuer.StrictCrumbIssuer
import jenkins.model.Jenkins

def instance = Jenkins.instance

// StrictCrumbIssuer options, in the constructor's argument order
boolean checkClientIP = false
boolean checkSameSource = false
boolean checkOnlyLocalPath = false
boolean checkSessionMatch = false   // do not bind the crumb to the web session
int hoursValid = 1                  // crumb lifetime in hours
boolean xorMasking = true

instance.setCrumbIssuer(new StrictCrumbIssuer(checkClientIP, checkSameSource, checkOnlyLocalPath, checkSessionMatch, hoursValid, xorMasking))

instance.save()
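The 403 in this thread is consistent with crumbs being bound to the web session since SECURITY-626: a crumb fetched on one connection and replayed on another that does not carry the JSESSIONID cookie is rejected, which is exactly the check the checkSessionMatch = false setting above switches off. The following Python is an added example, not code from the issue or the plugin; it reproduces the behaviour against a constructed stand-in server, so the hostnames, session ids and crumb values are made up, and only the crumbIssuer endpoint, the Jenkins-Crumb header name and the 403 mirror real Jenkins.

```python
import http.cookiejar
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ISSUED = {}  # constructed server state: session id -> crumb issued to that session

class FakeJenkins(BaseHTTPRequestHandler):
    # Constructed stand-in for a remote Jenkins whose crumbs are bound to the session.
    def log_message(self, fmt, *args): pass  # keep the demo quiet
    def do_GET(self):  # GET /crumbIssuer/api/json: issue a crumb plus a session cookie
        sid = "sess-%d" % len(ISSUED)
        ISSUED[sid] = "crumb-for-" + sid
        body = json.dumps({"crumbRequestField": "Jenkins-Crumb", "crumb": ISSUED[sid]}).encode()
        self.send_response(200)
        self.send_header("Set-Cookie", "JSESSIONID=%s; Path=/" % sid)
        self.end_headers()
        self.wfile.write(body)
    def do_POST(self):  # POST .../buildWithParameters: crumb must belong to this session
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        sid = self.headers.get("Cookie", "").partition("JSESSIONID=")[2].split(";")[0]
        ok = sid in ISSUED and self.headers.get("Jenkins-Crumb") == ISSUED[sid]
        self.send_response(201 if ok else 403)  # 403 is what CrumbFilter returns on mismatch
        self.end_headers()

def trigger(base, keep_session):
    # Fetch a crumb, then POST the build; returns the HTTP status of the POST.
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(base + "/crumbIssuer/api/json") as resp:
        crumb = json.load(resp)
    if not keep_session:
        jar.clear()  # mimic a second connection that drops the JSESSIONID cookie
    req = urllib.request.Request(base + "/job/demo/buildWithParameters", data=b"VERSION=1.2.3", method="POST")
    req.add_header(crumb["crumbRequestField"], crumb["crumb"])
    try:
        with opener.open(req) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    # Returns (status when the cookie is kept, status when it is dropped): expect (201, 403).
    srv = HTTPServer(("127.0.0.1", 0), FakeJenkins)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_port
    result = trigger(base, True), trigger(base, False)
    srv.shutdown()
    return result
```

A client that keeps the cookie jar across the crumb fetch and the trigger request passes; the same crumb without the session cookie is the "Found invalid crumb" case from the remote log.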

michael.h@pointclickcare.com (JIRA)

Mar 4, 2020, 9:25:02 AM
to jenkinsc...@googlegroups.com

Did strict crumb issuer as set above work for you?



michael.h@pointclickcare.com (JIRA)

Mar 4, 2020, 10:12:03 AM
to jenkinsc...@googlegroups.com
 
Re: getting 403 for invalid crumb on trigger remote job

Would definitely prefer an update to the plugin rather than disabling parts of the CSRF check.

I think this is more than minor as the plugin would pretty much fail on any recent Jenkins remote version?
