Jenkins 采用API接口进行构建工程及错误解释（10）

版本信息：Jenkins2.303.1

Jenkins 403 No valid crumb was included in the request 解决方案

错误清单

1、 请求api接口报错，csrf代理已经关闭

#请求api接口报错，csrf代理已经关闭





HTTP ERROR 403 No valid crumb was included in the request

URI:
/jenkins/job/BTest/build
STATUS:
403
MESSAGE:
No valid crumb was included in the request
SERVLET:
Stapler

Powered by Jetty:// 9.4.42.v20210604

1
2
3
4
5
6
7
8
9
10
11
12
13
14

2、账户密码错误报错，密码写对就行

# 账户密码错误报错，密码写对就行





HTTP ERROR 401 Unauthorized

URI:
/jenkins/job/BTest/build
STATUS:
401
MESSAGE:
Unauthorized
SERVLET:
Stapler

Powered by Jetty:// 9.4.42.v20210604



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

思路寻找，解决第一个错误：
我现在要使用 webhook 发一个 post 请求给 jenkins，结果报了 403 错误。一个可行的解决方案就是给这个请求头加上 crumb。

错误提示是请求中没有包含crumb，但是加上之后还会出错，怀疑是jenkins本身的权限校验问题。

网上也存在有修改源代码的形式来解决此类问题。

也有直接配置CSRF解决的情况(但是我没测通)：
https://stackoverflow.com/questions/44711696/jenkins-403-no-valid-crumb-was-included-in-the-request/54750559#54750559

最终解决来源于网上的资料的回复：

根据文章：https://coderedirect.com/questions/191379/jenkins-403-no-valid-crumb-was-included-in-the-request

A simple solution without need of making changes to source code (validated with Jenkins v2.222):
Install the Strict Crumb Issuer plugin (https://plugins.jenkins.io/strict-crumb-issuer/)
Enable this plugin and uncheck 'Check the session ID' from its configuration (Under Jenkins Configure Global Security)
A drawback is that this solution makes us dependent on the Strict Crumb Issuer plugin and removes a security feature. But since our application requires many other plugins and only runs behind the firewall without Internet access, this is acceptable.
Friday, August 6, 2021
1
2
3
4
5

• 较老版本的 jenkins 关闭跨站脚本伪造请求保护，新的采取Crumb

一、第一种解决方案

1、安装插件：Strict Crumb Issuer

manage Jenkins ->Configure Global Security ->跨站请求伪造保护，选择strict crumb issuer插件关闭 Check the session ID

2、通过GET请求，获取到crumb 值

获取精确的crumb
curl -u ‘admin:password’ “http://jenkins-url:/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)”

也可以如下请求，从结果中获取crumb：
curl -v -X GET http://jenkins-url:8080/crumbIssuer/api/json --user :

# 
* About to connect() to 120.76.245.243 port 8080 (#0)
*   Trying 120.76.245.243...
* Connected to 120.76.245.243 (120.76.245.243) port 8080 (#0)
* Server auth using Basic with user 'genekangit'
> GET /crumbIssuer/api/json HTTP/1.1
> Authorization: Basic Z2VuZWthbmdpdDp2ZVlqKmwrcjc5Wjc4a1VNZCYwQGZURlcpc2hnbz0mSg==
> User-Agent: curl/7.29.0
> Host: 120.76.245.243:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 15 Oct 2021 15:05:52 GMT
< X-Content-Type-Options: nosniff
< X-Jenkins: 2.303.1
< X-Jenkins-Session: 8470ef97
< X-Frame-Options: deny
< Content-Type: application/json;charset=utf-8
< Set-Cookie: JSESSIONID.cf0e1294=node01e3god9uq9b2s1iixrqdss0ts8219.node0; Path=/; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Length: 163
< Server: Jetty(9.4.42.v20210604)
<
* Connection #0 to host 120.76.245.243 left intact

{
"_class":"hudson.security.csrf.DefaultCrumbIssuer",
"crumb":"393fbcc5b1671544b571fd667e53e20d7aa6459331ed8c8ea43a268a12d6dad3",
"crumbRequestField":"Jenkins-Crumb"
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

3、通过POST请求，直接运行某一个工程的构建动作

将第2步获取的crumb粘贴到如下脚本中：

curl -X POST http://jenkins-url:8080/job//build --user : -H ‘Jenkins-Crumb: 393fbcc5b1671544b571fd667e53e20d7aa6459331ed8c8ea43a268a12d6dad3’

具体步骤：

• you have to installed the plugin called “Strict Crumb Issuer”
• Once installed restart the jenkins service
• got to “Manage Jenkins” --> “Configure Global Security” --> Under CSRF Protection, select “Strict Crumb Issue” from the drop down list --> - Click on Advance and uncheck everything but select “Prevent Breach Attack” option. --> Apply and save.
• Now run you crumb script.

二、第二种解决方案

1、用户设置中，添加token信息

I solved this by using API TOKEN as a basic authentication password. Here is how

Note: To Create the API TOKEN under Accounts icon -> configure -> API Token -> Add New token

2、通过POST请求启动任务

2.1、带参数
curl -v -X POST http://jenkins-url:8080/job//buildWithParameters?param=value --user :

2.2、不带参数
curl -X POST http://jenkins-url:8080/job//build --user :

3、远程调用Jenkins API启动任务（OK）

任务名： jobName
远程API服务地址：http://host:8080/jobName/jobName/build
请求方法：POST
用户名、密码添加方法：username:password@hostname:port ....
运行期望结果：
任务启动
服务返回 http status：201
1
2
3
4
5
6
7

当直接浏览器运行远程API构建工程时会出错

http://120.76.245.243:8080/job//build

官方提示：
You must use POST method to trigger builds. (From scripts you may instead pass a per-project authentication token, or authenticate with your API token.) If you see this page, it may be because a plugin offered a GET link; file a bug report for that plugin.
1
2

大致意思是：该请求方法是POST，需要通过身份认证或token校验，另外你提交的GET错误。

4、远程调用Jenkins API返回最新任务编号（OK）

任务名：jobName
远程API服务地址：http://host:8080/job/jobName/lastBuild/buildNumber
请求方法：GET
用户名、密码添加方法：username:password@hostname:port ....
运行期望结果：
任务启动
服务返回http status：201
1
2
3
4
5
6
7

5、远程调用Jenkins API查询任务状态(OK)

任务名：jobName
远程API服务地址：http://host:8080/job/jobName//api/json
请求方法：GET
用户名、密码添加方法：username:password@hostname:port ....
运行期望结果：
任务详情JSON
服务返回http status：200
1
2
3
4
5
6
7

6、jenkinsapi库

pip install jenkinsapi
from jenkinsapi.jenkins import Jenkins
jk =Jenkins(url, username, password, useCrumb=True)
1
2
3

7、总结API说明

API首页：http://127.0.0.1:8080/api/

7.1、项目API

获取项目信息
接口：http://127.0.0.1:8080/job/{jobName}/api/json

方式：GET

7.2、获取项目构建信息

接口：http://127.0.0.1:8080/job/{jobName}/{buildNumber}/api/json

方式：GET

7.3、获取项目配置

接口：http://127.0.0.1:8080/job/{jobName}/config.xml

方式：GET

7.4、创建项目

接口：http://127.0.0.1:8080/createItem?name={projectName}

参数：–data-binary @config.xml

头部：-H “Content-Type:text/xml”

方式：POST

7.5、禁用项目

接口：http://127.0.0.1:8080/job/{jobName}/disable

方式：POST

7.6、启用项目

接口：http://127.0.0.1:8080/job/{jobName}/enable

方式：POST

7.7、删除项目

接口：http://127.0.0.1:8080/job/{jobName}/doDelete

方式：POST

7.8、构建项目

接口：http://127.0.0.1:8080/job/{jobName}/build

方式：POST

注意： 需要增加token信息或用户认证

请求：curl -X POST http://127.0.0.1:8080/job/{jobName}/build --user admin:apiToken

7.9、参数化构建

接口：http://127.0.0.1:8080/job/{jobName}/buildWithParameters

方式：POST