[JENKINS-18114] Fixing CLI crumbs #3019
This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation.
Test failures seem related.
Perhaps we need to return to the crumb exclusion, and just drop the client code to send the crumb, which adds to the round-trip time; is not needed when there is an exclusion; and in
(Note that
This may be a symptom of a larger possible problem: Unless we want all UnprotectedRootActions to be CrumbExclusions, there probably should be a way for unauthorized users to get a crumb. Searching I now only found JENKINS-31515, but it's still something we should think about.
I do not think we can (safely) create a crumb for anonymous users. There is JENKINS-22474 which could allow us to delete most
@@ -549,7 +549,7 @@ public boolean verify(String s, SSLSession sslSession) { | |||
for (Handler h : Logger.getLogger("").getHandlers()) { | |||
h.setLevel(level); | |||
} | |||
for (Logger logger : new Logger[] {LOGGER, PlainCLIProtocol.LOGGER, Logger.getLogger("org.apache.sshd")}) { // perhaps also Channel | |||
for (Logger logger : new Logger[] {LOGGER, FullDuplexHttpStream.LOGGER, PlainCLIProtocol.LOGGER, Logger.getLogger("org.apache.sshd")}) { // perhaps also Channel |
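Review bot: FullDuplexHttpStream.LOGGER is now driven by the user-selected CLI log level, and the FullDuplexHttpStream constructor (other hunk in this PR) receives the authorization value; please confirm that nothing in that class logs the Authorization header or a crumb at FINE or below, since users raise this level precisely when attaching logs to bug reports. The `// perhaps also Channel` remark on the same line is still an open question; either add the Channel logger to the array or drop the comment so it does not linger.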
Generally useful.
@@ -79,11 +85,10 @@ public FullDuplexHttpStream(URL base, String relativeTarget, String authorizatio | |||
|
|||
URL target = new URL(this.base, relativeTarget); | |||
|
|||
CrumbData crumbData = new CrumbData(); |
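Review bot: with `CrumbData crumbData = new CrumbData();` removed from the constructor, the duplex POST is accepted only because the server-side CliCrumbExclusion is restored, and nothing in the client now records that dependency. Suggest a Javadoc line on the constructor stating that the target must be covered by a CrumbExclusion, so a future removal of the exclusion (as #2315 did) is caught in review rather than by anonymous clients failing at run time.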
As described in PR comments, this did not previously work, and given the existence of an exclusion, was not necessary anyway.
@@ -193,6 +193,7 @@ public void validateCrumb(StaplerRequest request, String submittedCrumb) { | |||
} | |||
|
|||
@Override public void doXml(StaplerRequest req, StaplerResponse rsp, @QueryParameter String xpath, @QueryParameter String wrapper, @QueryParameter String tree, @QueryParameter int depth) throws IOException, ServletException { | |||
setHeaders(rsp); |
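Review bot: only `doXml` gains `setHeaders(rsp)`; if the goal is parity between RestrictedApi and Api, the sibling entry points that Api exposes (the JSON and Python variants) should set the same headers, otherwise a client that requests the crumb in one of those formats still receives a reply without X-Jenkins and discards it. Either override them as well or leave a comment in the class explaining why the XML endpoint alone is covered.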
Makes the crumb code work. No longer necessary for this PR, which deletes the code that called this endpoint from the context of the CLI (would make that code in old clients start working, which is fine but unnecessary); but generally seems wise to keep the behavior of RestrictedApi consistent with Api.
@@ -122,16 +117,6 @@ public void serveCliActionToAnonymousUserWithoutPermissions() throws Exception { | |||
JenkinsRule.WebClient wc = j.createWebClient(); | |||
// The behavior changed due to SECURITY-192. index page is no longer accessible to anonymous | |||
wc.assertFails("cli", HttpURLConnection.HTTP_FORBIDDEN); | |||
// so we check the access by emulating the CLI connection post request |
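Review bot: the trailing comment `// so we check the access by emulating the CLI connection post request` now describes the emulated POST that this hunk deletes, so it should be removed or reworded. Since the deleted check was the test's guard for the anonymous case after SECURITY-192, please name in the commit or test the CLI system test that now covers an anonymous POST to the CLI endpoint, so that coverage stays traceable.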
Actually would pass again given the restored crumb exclusion, but is anyway redundant given more comprehensive, and realistic, tests later added to the CLI system.
public LoggerRule logging = new LoggerRule().record(FullDuplexHttpService.class, Level.FINE).record(FullDuplexHttpStream.class, Level.FINE); | ||
|
||
@Test | ||
public void smokes() throws Exception { |
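Review bot: the LoggerRule records FullDuplexHttpService and FullDuplexHttpStream at FINE, but the visible test body does not assert on the captured records; if the rule exists only as a diagnostic aid for when the smoke test fails, a one-line comment saying so will stop readers from assuming the log output itself is under test.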
Just for fun!
|
||
@Test | ||
public void smokes() throws Exception { | ||
logging.record("org.eclipse.jetty", Level.ALL); |
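Review bot: `logging.record("org.eclipse.jetty", Level.ALL)` inside the test body puts the whole Jetty server at maximum verbosity for this test; if it is meant to stay rather than being a temporary aid for the JENKINS-43666 investigation, note that debug-level HTTP server logging can include request headers such as Authorization, which would then land in CI logs. Consider FINE, scoping the record to the connection classes under investigation, or gating it behind a system property.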
I have been investigating failures of HTTP Duplex to work in test cases using Jetty 9.4.x. Symptoms are typically a failure to connect the upload side, as in JENKINS-43666.
(Starting from #2959 which picks up jenkinsci/jenkins-test-harness#63. Seems unrelated to #3011.)
How verbose is this? Intended to stay on ALL?
In practice Jetty logs everything at FINE.
@reviewbybees done
🐝 IIUC
* [JENKINS-18114] The CLI client already asks for a crumb; we just need to actually serve it, from CrumbIssuer.RestrictedApi.
* serveCliActionToAnonymousUserWithoutPermissions() was checking some stuff better checked by authentication(), and was failing since this fake client was not passing a crumb.
* Bring back CliCrumbExclusion, needed for anonymous use with no read access, and just let the client stop asking for a crumb.
* Added FullDuplexHttpServiceTest; useful to have a simple, self-contained demonstration of the HTTP Duplex transport.
Amends #2315. The CLI client was already asking for a crumb. But Jenkins was not properly serving X-Jenkins alongside it, so it did not pass it back; but then Jenkins forgave it anyway! Simpler and clearer to just serve the expected header.
Proposed changelog entries
None should be needed.
@reviewbybees
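As an added illustration (not Jenkins code), a small Python model of the flow the description above walks through: a crumb issuer whose RestrictedApi refuses anonymous callers, a client that only trusts a crumb reply carrying X-Jenkins, and a CSRF filter with a CliCrumbExclusion-style path exclusion. The header name Jenkins-Crumb, the /cli exclusion path and the HMAC-over-session crumb are assumptions of the model, not Jenkins's own implementation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

CRUMB_HEADER = "Jenkins-Crumb"  # assumed crumb request field name (model)
CLI_EXCLUSION_PREFIX = "/cli"   # assumed path covered by CliCrumbExclusion (model)


@dataclass
class Request:
    path: str
    method: str
    session_id: Optional[str]  # None models an anonymous caller with no Overall/Read
    headers: dict = field(default_factory=dict)


class CrumbIssuer:
    """Model of a crumb issuer: the crumb is an HMAC bound to the caller's session."""

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or secrets.token_bytes(32)

    def issue(self, session_id: str) -> str:
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def validate(self, req: Request) -> bool:
        if req.session_id is None:
            return False  # nothing to bind an anonymous crumb to (the JENKINS-22474 point)
        submitted = req.headers.get(CRUMB_HEADER, "")
        return hmac.compare_digest(submitted, self.issue(req.session_id))


def serve_crumb_api(issuer: CrumbIssuer, req: Request):
    """Model of CrumbIssuer.RestrictedApi: callers without read access get 403; the
    fix in this PR is that X-Jenkins is sent alongside the crumb so the client trusts it."""
    if req.session_id is None:  # anonymous has no Overall/Read in this model
        return 403, {}, None
    return 200, {"X-Jenkins": "model"}, issuer.issue(req.session_id)


def client_accept_crumb(status: int, headers: dict, crumb: Optional[str]) -> Optional[str]:
    """The CLI only keeps a crumb from a 200 reply that carries X-Jenkins."""
    return crumb if status == 200 and "X-Jenkins" in headers else None


def csrf_filter(issuer: CrumbIssuer, req: Request) -> int:
    """Model of the CSRF filter: POSTs need a valid crumb unless an exclusion matches."""
    if req.method != "POST" or req.path.startswith(CLI_EXCLUSION_PREFIX):
        return 200  # CliCrumbExclusion lets anonymous CLI POSTs through without a crumb
    return 200 if issuer.validate(req) else 403
```

The model shows why the exclusion, not a crumb, is what an anonymous CLI client with no read access depends on, and why any other crumbless POST is still rejected.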