Jenkins 采用API接口进行构建工程及错误解释(10)

Jenkins 采用API接口进行构建工程及错误解释 20211016

版本信息:Jenkins2.303.1

Jenkins 403 No valid crumb was included in the request 解决方案

错误清单

1、 请求api接口报错,csrf代理已经关闭

#请求api接口报错,csrf代理已经关闭
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403 No valid crumb was included in the request</h2>
<table>
<tr><th>URI:</th><td>/jenkins/job/BTest/build</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>No valid crumb was included in the request</td></tr>
<tr><th>SERVLET:</th><td>Stapler</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.42.v20210604</a><hr/>

2、账户密码错误报错,密码写对就行

# 账户密码错误报错,密码写对就行
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 Unauthorized</title>
</head>
<body><h2>HTTP ERROR 401 Unauthorized</h2>
<table>
<tr><th>URI:</th><td>/jenkins/job/BTest/build</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Unauthorized</td></tr>
<tr><th>SERVLET:</th><td>Stapler</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.42.v20210604</a><hr/>
</body>
</html>

思路寻找,解决第一个错误: 我现在要使用 webhook 发一个 post 请求给 jenkins,结果报了 403 错误。一个可行的解决方案就是给这个请求头加上 crumb。

错误提示是请求中没有包含crumb,但是加上之后还会出错,怀疑是jenkins本身的权限校验问题。

网上也存在有修改源代码的形式来解决此类问题。

也有直接配置CSRF解决的情况(但是我没测通): https://stackoverflow.com/questions/44711696/jenkins-403-no-valid-crumb-was-included-in-the-request/54750559#54750559

最终解决来源于网上的资料的回复:

根据文章:https://coderedirect.com/questions/191379/jenkins-403-no-valid-crumb-was-included-in-the-request

A simple solution without need of making changes to source code (validated with Jenkins v2.222):
Install the Strict Crumb Issuer plugin (https://plugins.jenkins.io/strict-crumb-issuer/)
Enable this plugin and uncheck 'Check the session ID' from its configuration (Under Jenkins Configure Global Security)
A drawback is that this solution makes us dependent on the Strict Crumb Issuer plugin and removes a security feature. But since our application requires many other plugins and only runs behind the firewall without Internet access, this is acceptable.
Friday, August 6, 2021
  • 较老版本的 jenkins 关闭跨站脚本伪造请求保护,新的采取Crumb

一、第一种解决方案

1、安装插件:Strict Crumb Issuer

manage Jenkins ->Configure Global Security ->跨站请求伪造保护,选择strict crumb issuer插件关闭 Check the session ID

2、通过GET请求,获取到crumb 值

获取精确的crumb curl -u 'admin:password' "http://jenkins-url:/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)"

也可以如下请求,从结果中获取crumb: curl -v -X GET http://jenkins-url:8080/crumbIssuer/api/json --user :

# 
* About to connect() to 120.76.245.243 port 8080 (#0)
*   Trying 120.76.245.243...
* Connected to 120.76.245.243 (120.76.245.243) port 8080 (#0)
* Server auth using Basic with user 'genekangit'
> GET /crumbIssuer/api/json HTTP/1.1
> Authorization: Basic Z2VuZWthbmdpdDp2ZVlqKmwrcjc5Wjc4a1VNZCYwQGZURlcpc2hnbz0mSg==
> User-Agent: curl/7.29.0
> Host: 120.76.245.243:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 15 Oct 2021 15:05:52 GMT
< X-Content-Type-Options: nosniff
< X-Jenkins: 2.303.1
< X-Jenkins-Session: 8470ef97
< X-Frame-Options: deny
< Content-Type: application/json;charset=utf-8
< Set-Cookie: JSESSIONID.cf0e1294=node01e3god9uq9b2s1iixrqdss0ts8219.node0; Path=/; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Length: 163
< Server: Jetty(9.4.42.v20210604)
<
* Connection #0 to host 120.76.245.243 left intact

{
"_class":"hudson.security.csrf.DefaultCrumbIssuer",
"crumb":"393fbcc5b1671544b571fd667e53e20d7aa6459331ed8c8ea43a268a12d6dad3",
"crumbRequestField":"Jenkins-Crumb"
}

3、通过POST请求,直接运行某一个工程的构建动作

将第2步获取的crumb粘贴到如下脚本中:

curl -X POST http://jenkins-url:8080/job//build --user : -H 'Jenkins-Crumb: 393fbcc5b1671544b571fd667e53e20d7aa6459331ed8c8ea43a268a12d6dad3'

具体步骤:

  • you have to installed the plugin called "Strict Crumb Issuer"
  • Once installed restart the jenkins service
  • got to "Manage Jenkins" --> "Configure Global Security" --> Under CSRF Protection, select "Strict Crumb Issue" from the drop down list --> - Click on Advance and uncheck everything but select "Prevent Breach Attack" option. --> Apply and save.
  • Now run you crumb script.

二、第二种解决方案

1、用户设置中,添加token信息

I solved this by using API TOKEN as a basic authentication password. Here is how

Note: To Create the API TOKEN under Accounts icon -> configure -> API Token -> Add New token

2、通过POST请求启动任务

2.1、带参数 curl -v -X POST http://jenkins-url:8080/job//buildWithParameters?param=value --user :

2.2、不带参数 curl -X POST http://jenkins-url:8080/job//build --user :

3、远程调用Jenkins API启动任务(OK)

任务名: jobName
远程API服务地址:http://host:8080/jobName/jobName/build
请求方法:POST
用户名、密码添加方法:username:password@hostname:port ....
运行期望结果:
任务启动
服务返回 http status:201

当直接浏览器运行远程API构建工程时会出错

http://120.76.245.243:8080/job//build

官方提示:
You must use POST method to trigger builds. (From scripts you may instead pass a per-project authentication token, or authenticate with your API token.) If you see this page, it may be because a plugin offered a GET link; file a bug report for that plugin.

大致意思是:该请求方法是POST,需要通过身份认证或token校验,另外你提交的GET错误。

4、远程调用Jenkins API返回最新任务编号(OK)

任务名:jobName
远程API服务地址:http://host:8080/job/jobName/lastBuild/buildNumber
请求方法:GET
用户名、密码添加方法:username:password@hostname:port ....
运行期望结果:
任务启动
服务返回http status:201

5、远程调用Jenkins API查询任务状态(OK)

任务名:jobName
远程API服务地址:http://host:8080/job/jobName/<build number>/api/json
请求方法:GET
用户名、密码添加方法:username:password@hostname:port ....
运行期望结果:
任务详情JSON
服务返回http status:200

6、jenkinsapi库

pip install jenkinsapi
from jenkinsapi.jenkins import Jenkins
jk =Jenkins(url, username, password, useCrumb=True)

7、总结API说明

API首页:http://127.0.0.1:8080/api/

7.1、项目API

获取项目信息 接口:http://127.0.0.1:8080/job/{jobName}/api/json

方式:GET

7.2、获取项目构建信息

接口:http://127.0.0.1:8080/job/{jobName}/{buildNumber}/api/json

方式:GET

7.3、获取项目配置

接口:http://127.0.0.1:8080/job/{jobName}/config.xml

方式:GET

7.4、创建项目

接口:http://127.0.0.1:8080/createItem?name={projectName}

参数:--data-binary @config.xml

头部:-H "Content-Type:text/xml"

方式:POST

7.5、禁用项目

接口:http://127.0.0.1:8080/job/{jobName}/disable

方式:POST

7.6、启用项目

接口:http://127.0.0.1:8080/job/{jobName}/enable

方式:POST

7.7、删除项目

接口:http://127.0.0.1:8080/job/{jobName}/doDelete

方式:POST

7.8、构建项目

接口:http://127.0.0.1:8080/job/{jobName}/build

方式:POST

注意: 需要增加token信息或用户认证

请求:curl -X POST http://127.0.0.1:8080/job/{jobName}/build --user admin:apiToken

7.9、参数化构建

接口:http://127.0.0.1:8080/job/{jobName}/buildWithParameters

方式:POST

胡梦旭博客
请先登录后发表评论
  • latest comments
  • 总共0条评论