1.480.3. Enable security, with whatever security realm (e.g. Unix authentication), and matrix authentication with one user given all permissions and anonymous none. Enable the default crumb issuer. Configure the authenticated user's SSH public keys. Now from a shell try to use the CLI:

      $ java -jar jenkins-cli.jar -s http://localhost:8080/ -i ~/.ssh/id_dsa help
      Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/cli
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1625)
      	at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:77)
      	at hudson.cli.CLI.connectViaHttp(CLI.java:155)
      	at hudson.cli.CLI.<init>(CLI.java:139)
      	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:68)
      	at hudson.cli.CLI._main(CLI.java:438)
      	at hudson.cli.CLI.main(CLI.java:373)
      

      If you disable the crumb issuer, the same command works as expected.

      Jenkins.doCli in POST mode would go through CrumbFilter, and the CLI client makes no attempt to send a crumb.

      If there is some way a JavaScript form submission could trick a browser into initiating a complete CLI session and sending a destructive command, then the client should be amended to check for /crumbIssuer/api/xml and send a crumb; otherwise CrumbFilter should be amended to exempt /cli.
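The first remedy the description names, a client that looks up /crumbIssuer/api/xml and sends the crumb on its request, as an added example that is not part of the issue and not jenkins-cli.jar's own code (which, as the report says, never sent a crumb). The server URL, the user:API-token credentials, the job name in main() and the class name are all assumptions. Two details are what a practitioner wants from such a client: the XML from the issuer is parsed with DTD processing refused, because it arrives over the network, and a 404 from /crumbIssuer/api/xml is treated as "crumb issuer disabled", the configuration in which the bare CLI works, so the request simply goes out without a crumb.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Hypothetical crumb-aware Jenkins client; not jenkins-cli.jar and not Jenkins project code. */
public class CrumbAwareClient {

    /** Header name and value as published by /crumbIssuer/api/xml. */
    public static final class Crumb {
        public final String field, value;
        Crumb(String field, String value) { this.field = field; this.value = value; }
    }

    private final String baseUrl;    // assumed, e.g. http://localhost:8080
    private final String authHeader; // HTTP Basic with user:API-token (assumed credentials)

    public CrumbAwareClient(String baseUrl, String userAndToken) {
        this.baseUrl = baseUrl.replaceAll("/+$", "");
        this.authHeader = "Basic " + Base64.getEncoder()
                .encodeToString(userAndToken.getBytes(StandardCharsets.UTF_8));
        // Newer Jenkins releases bind the crumb to the session it was issued in, so the
        // session cookie must travel with the follow-up POST; a cookie jar takes care of that.
        CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));
    }

    /** Parses the issuer's XML. DTDs are refused because the body comes off the network. */
    static Crumb parseCrumb(InputStream xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(xml);
        String field = text(doc, "crumbRequestField");
        String value = text(doc, "crumb");
        if (field == null || value == null) {
            throw new IOException("crumb issuer response lacks <crumbRequestField> or <crumb>");
        }
        return new Crumb(field, value);
    }

    private static String text(Document doc, String tag) {
        NodeList nodes = doc.getElementsByTagName(tag);
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
    }

    /** Returns null when the crumb issuer is disabled (HTTP 404): no crumb is needed then. */
    public Crumb fetchCrumb() throws Exception {
        HttpURLConnection conn = open("/crumbIssuer/api/xml", "GET");
        int status = conn.getResponseCode();
        if (status == HttpURLConnection.HTTP_NOT_FOUND) return null;
        if (status != HttpURLConnection.HTTP_OK) throw new IOException("crumb issuer returned HTTP " + status);
        try (InputStream in = conn.getInputStream()) { return parseCrumb(in); }
    }

    /** POSTs to a crumb-protected path with the crumb header attached; returns the HTTP status. */
    public int post(String path, byte[] body) throws Exception {
        Crumb crumb = fetchCrumb();
        HttpURLConnection conn = open(path, "POST");
        if (crumb != null) conn.setRequestProperty(crumb.field, crumb.value);
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) { out.write(body); }
        return conn.getResponseCode();
    }

    private HttpURLConnection open(String path, String method) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(baseUrl + path).openConnection();
        conn.setRequestMethod(method);
        conn.setRequestProperty("Authorization", authHeader);
        conn.setInstanceFollowRedirects(false); // surface redirects instead of silently following them
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Every value here is a placeholder: server, credentials and job name are assumed.
        CrumbAwareClient client = new CrumbAwareClient("http://localhost:8080", "alice:API_TOKEN_PLACEHOLDER");
        int status = client.post("/job/example-job/build", new byte[0]);
        System.out.println("HTTP " + status + (status == 403 ? " (crumb missing or rejected)" : ""));
    }
}
```

The full-duplex handshake that jenkins-cli.jar runs against /cli is not reproduced here; post() is the generic shape of "look up the crumb, then send it", which is what the description asks the client to do and what any script driving a crumb-protected Jenkins POST endpoint needs. A 403 from this client, with the crumb issuer enabled, means either the crumb header was dropped (a reverse proxy stripping headers is a common cause) or the crumb was issued to a different session.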

          [JENKINS-18114] Enabling crumb issuer prevents CLI from working

          Jesse Glick added a comment -

          Also the log shows:

          … hudson.security.csrf.CrumbFilter doFilter
          WARNING: No valid crumb was included in request for /cli.  Returning 403.

          Daniel Beck added a comment -

          Maybe exclude UnprotectedRootActions from CSRF protection?

          Jesse Glick added a comment -

          Yeah. I hope this issue is not still reproducible!

          Daniel Beck added a comment -

          I can repro on 1.585 (only tested through reverse proxy) if I disable the JNLP slave port. (If that being enabled is a requirement to use the CLI, as TcpSlaveAgentListener Javadoc indicates, the documentation on the UI is pretty misleading.)

          $ java -jar jenkins-cli.jar -i ~/.ssh/id_rsa -s http://jenkins help
          Exception in thread "main" java.io.IOException: No X-Jenkins-CLI2-Port among [null, X-Required-Permission, X-Jenkins, X-You-Are-In-Group, X-Hudson, Content-Length, Expires, X-You-Are-Authenticated-As, Set-Cookie, X-Permission-Implied-By, Connection, Server, Date, X-Jenkins-Session, Content-Type]
          	at hudson.cli.CLI.getCliTcpPort(CLI.java:283)
          	at hudson.cli.CLI.<init>(CLI.java:126)
          	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:72)
          	at hudson.cli.CLI._main(CLI.java:466)
          	at hudson.cli.CLI.main(CLI.java:382)
          	Suppressed: java.io.IOException: Server returned HTTP response code: 403 for URL: http://jenkins/cli
          		at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1626)
          		at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:78)
          		at hudson.cli.CLI.connectViaHttp(CLI.java:156)
          		at hudson.cli.CLI.<init>(CLI.java:130)
          		... 3 more

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          changelog.html
          http://jenkins-ci.org/commit/jenkins/a6b2ff806f12295e8db9925f108d44a2861cbce2
          Log:
          Additional explanation for JENKINS-18114

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/cli/CliCrumbExclusion.java
          test/src/test/java/hudson/cli/CLIActionTest.java
          http://jenkins-ci.org/commit/jenkins/de740c756f7de7fd225919342fa01796367abf00
          Log:
          [FIX JENKINS-18114] Exclude /cli URL from crumb requirement (#2315)

          • [FIX JENKINS-18114] Exclude /cli URL from crumb requirement

          • JENKINS-18114 Fix test: Don't send the crumb

          The CLI doesn't do this either.
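The shape of the fix, as an added illustration rather than the text of the committed CliCrumbExclusion.java: Jenkins core exposes CrumbExclusion as an extension point, and an implementation that claims a request (returns true after passing it down the filter chain) takes it out of CrumbFilter's crumb check. The class name below is assumed, and the imports assume the javax.servlet API that Jenkins core used at the time. The security-relevant choices are the ones the description's reasoning leads to: the match is on the exact path /cli, never a prefix, so the exemption does not widen to other URLs, and the exemption is only acceptable because the CLI endpoint authenticates the caller inside its own session (for example the SSH key challenge), which a browser-originated form submission cannot complete. Anyone adding an exclusion of their own should be able to make the same argument for their endpoint.

```java
import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Exempts exactly one URL, /cli, from the crumb check.
 * Illustrative re-implementation of the idea behind the fix; not the committed file.
 */
@Extension
public class CliPathCrumbExclusion extends CrumbExclusion {

    /** The only path this exclusion covers; compared with equals(), never startsWith(). */
    static final String CLI_PATH = "/cli";

    /**
     * True only for the CLI endpoint itself. A null pathInfo (a request for the context root)
     * and sub-paths such as /cli/anything stay under crumb protection.
     */
    static boolean isCliRequest(String pathInfo) {
        return CLI_PATH.equals(pathInfo);
    }

    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isCliRequest(request.getPathInfo())) {
            // Let the request through without a crumb: the CLI protocol authenticates the caller
            // within its own session, which a cross-site form post cannot drive to completion.
            chain.doFilter(request, response);
            return true; // claimed; CrumbFilter performs no crumb check for this request
        }
        return false; // not ours; CrumbFilter applies its normal crumb requirement
    }
}
```

Because process() is consulted for every request that CrumbFilter would otherwise check, keeping the predicate to a single exact string is what makes the exemption reviewable: a reader can see at a glance which URL lost CSRF protection and ask whether that endpoint's own authentication justifies it.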

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/cli/CliCrumbExclusion.java
          test/src/test/java/hudson/cli/CLIActionTest.java
          http://jenkins-ci.org/commit/jenkins/9f42774315a5d6316da8031ff51e5b866fc07d9a
          Log:
          [FIX JENKINS-18114] Exclude /cli URL from crumb requirement (#2315)

          • [FIX JENKINS-18114] Exclude /cli URL from crumb requirement

          • JENKINS-18114 Fix test: Don't send the crumb

          The CLI doesn't do this either.

          (cherry picked from commit de740c756f7de7fd225919342fa01796367abf00)

            danielbeck Daniel Beck
            jglick Jesse Glick
            Votes: 2
            Watchers: 2