Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[JENKINS-22474] API Token does not require CSRF token (#3129)
* [JENKINS-22474] API Token does not require CSRF token - in order to ease the use of the api, we are not requiring the request to have a crumb - in terms of security it's not a problem normally since the CSRF attacks use the cookies and in case of API Token, it's session-less / cookie-less * - adjust the license header * - add test for basic authentication - add test for login process * - add test for form submission using ui (htmlunit), not just login form * - modification requested by Jesse * - pom.xml update to use the last version of jenkins-test-harness (with the token helper methods) - beginning of the simplification of tests * - using the try-with-resource approach to ease readability * - using closure method now * - add missing login transformation * - add unit test * - use withToken - remove useless crumb for GET method - add fail (otherwise the assert in catch is not as useful as it could be) * another bunch of test cases * - for HudsonTestCase, some additional modifications are required: changing the view / different type of management for the variable inside the views * - small other tests * - last batch for the login method * - crumb is not more required since we are using API Token * - converting auth to ApiToken to avoid crumb method * - converting auth to ApiToken to avoid crumb method (second) * - remove usage of closure aware methods * - update the pom using the snapshot as adviced by Jesse - modifications on other class to adapt to the last modifications in JTH * - modifications requested during code review * - also put back my changes to the conflicted file * - correction of the merge :)
- Loading branch information
1 parent
1270ba3
commit 814d202
Showing
25 changed files
with
448 additions
and
165 deletions.
There are no files selected for viewing
53 changes: 53 additions & 0 deletions
53
core/src/main/java/jenkins/security/ApiCrumbExclusion.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
/* | ||
* The MIT License | ||
* | ||
* Copyright (c) 2017 CloudBees, Inc. | ||
* | ||
* Permission is hereby granted, free of charge, to any person obtaining a copy | ||
* of this software and associated documentation files (the "Software"), to deal | ||
* in the Software without restriction, including without limitation the rights | ||
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
* copies of the Software, and to permit persons to whom the Software is | ||
* furnished to do so, subject to the following conditions: | ||
* | ||
* The above copyright notice and this permission notice shall be included in | ||
* all copies or substantial portions of the Software. | ||
* | ||
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | ||
* THE SOFTWARE. | ||
*/ | ||
package jenkins.security; | ||
|
||
import hudson.Extension; | ||
import hudson.security.csrf.CrumbExclusion; | ||
import org.jenkinsci.Symbol; | ||
import org.kohsuke.accmod.Restricted; | ||
import org.kohsuke.accmod.restrictions.DoNotUse; | ||
|
||
import javax.servlet.FilterChain; | ||
import javax.servlet.ServletException; | ||
import javax.servlet.http.HttpServletRequest; | ||
import javax.servlet.http.HttpServletResponse; | ||
import java.io.IOException; | ||
|
||
/** | ||
* JENKINS-22474: Makes API Token calls bypass CSRF protection to ease usage | ||
*/ | ||
@Symbol("apiToken") | ||
@Extension | ||
@Restricted(DoNotUse.class) | ||
public class ApiCrumbExclusion extends CrumbExclusion { | ||
@Override | ||
public boolean process(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { | ||
if (Boolean.TRUE.equals(request.getAttribute(BasicHeaderApiTokenAuthenticator.class.getName()))) { | ||
chain.doFilter(request, response); | ||
return true; | ||
} | ||
return false; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.