What are the Slack Archives?

It’s a history of our time together in the Slack Community! There’s a ton of knowledge in here, so feel free to search through the archives for a possible answer to your question.


after latest security update from jenkins we get:

Posts: 546 🧑🏻‍🚀 - Cadet
edited May 2020 in Help

after latest security update from jenkins we get:

    Store: EN | Environment: demo
    Scheduler Name: jenkins
    Scheduler Status: ERROR
    Client error: `POST http://123.123.123.123:8080/job/EN__check-product-validity/disable` resulted in a `403 Forbidden` response:
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
    <title>Error 403 No valid crumb was in (truncated...)

how is this configured in Spryker?
https://github.com/spryker-shop/suite/blob/master/config/Shared/config_default-development.php#L96 doesn't seem to have anything special enabled for this


Comments

  • SRE @ Spryker Sprykee Posts: 1,654 ✨ - Novice
  • Posts: 546 🧑🏻‍🚀 - Cadet

    yes

  • Posts: 546 🧑🏻‍🚀 - Cadet
    edited May 2020

    downgrading to 1.0.0 didn't really change it, so my guess is there's some other incompatibility

  • Freelance Spryker Developer Spryker Solution Partner Posts: 26 ✨ - Novice

    do you have CSRF protection on Jenkins side? If yes, you would need to enable it on Spryker side as well with \Spryker\Shared\SchedulerJenkins\SchedulerJenkinsConfig::SCHEDULER_JENKINS_CSRF_ENABLED

  • Posts: 546 🧑🏻‍🚀 - Cadet

    it is

  • Posts: 546 🧑🏻‍🚀 - Cadet

    and it was enabled for some time now

  • Posts: 516 🧑🏻‍🚀 - Cadet

    Maybe you are calling the command from a user who does not have permission …

  • Posts: 516 🧑🏻‍🚀 - Cadet

    I have this issue when I call the command as my user instead of the webserver user … I don't know if you have a similar setup

  • Freelance Spryker Developer Spryker Solution Partner Posts: 26 ✨ - Novice

    try to check if you have correct output for <jenkinsHost>/crumbIssuer/api/json - we parse this JSON and send crumb based on it.

    Also you can try to debug which headers and which data we send in \Spryker\Zed\SchedulerJenkins\Business\Api\Executor\RequestExecutor::execute — maybe you'll get more insights from it

  • Posts: 546 🧑🏻‍🚀 - Cadet

    • I do everything as webserver user
    • api response works fine (is valid JSON and seems to have the correct fields)

  • Posts: 546 🧑🏻‍🚀 - Cadet

    I'll check requestexecutor shortly

  • Posts: 546 🧑🏻‍🚀 - Cadet

    ok, for the time being I have changed

        protected function extendRequestWithCsrfToken(RequestInterface $request, ConfigurationProviderInterface $configurationProvider): RequestInterface
        {
            if ($configurationProvider->isJenkinsCsrfProtectionEnabled()) {
                $crumbIssuer = $this->getCrumbIssuer($configurationProvider);
                // Only attach the crumb header when the issuer actually returned one;
                // a NULL/empty crumb previously caused a TypeError here.
                if (!empty($crumbIssuer['crumb'])) {
                    $request = $request->withHeader($crumbIssuer['crumbRequestField'], $crumbIssuer['crumb']);
                }
            }

            return $request;
        }

    because when trying to run scheduler:resume, for example, this gets NULL in the crumb issuer, which is giving a TypeError, so I additionally had to change the return type to nullable:

        protected function getCrumbIssuer(ConfigurationProviderInterface $configurationProvider): ?array
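The crumb exchange described in the thread (fetch `<jenkinsHost>/crumbIssuer/api/json`, parse it, send the crumb back as a header on the POST), written out as an added example that is not Spryker's or Jenkins' code. It also handles the failure mode from the post above: when the issuer endpoint returns something other than a usable crumb (an HTML error page, or JSON with a null `crumb`), it raises a clear error instead of sending a POST that will come back as `403 No valid crumb`. Two details worth checking when debugging a 403 like this: newer Jenkins releases tie the crumb to the web session, so the client has to present the same session cookie on the crumb request and on the POST, and a request authenticated with a user API token (HTTP basic auth) is exempted from the crumb check by Jenkins. The example therefore uses one cookie jar for both calls and accepts an optional `user:token`. `$jenkinsHost`, `$jobName`, the cookie jar path and the credentials are assumptions; the two sample responses at the bottom are constructed, not captured from a real Jenkins, so the parser can be exercised offline. Whether the session-bound crumb is the cause of the failure in this thread is not established by the thread itself.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Spryker's or Jenkins' code): obtain a Jenkins CSRF crumb
 * and attach it to a POST, keeping the session cookie between the two calls.
 */

/** Parse the crumbIssuer JSON; return null when it does not carry a usable crumb. */
function parseCrumbIssuer(string $body): ?array
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return null; // not JSON at all, e.g. an HTML error page
    }
    $field = $data['crumbRequestField'] ?? null;
    $crumb = $data['crumb'] ?? null;
    if (!is_string($field) || $field === '' || !is_string($crumb) || $crumb === '') {
        return null; // missing, null or empty fields: the case the guard in the post above handles
    }

    return ['crumbRequestField' => $field, 'crumb' => $crumb];
}

/** GET (or POST when $postBody is given) with a shared cookie jar so the session survives between calls. */
function jenkinsRequest(string $url, string $cookieJar, ?string $postBody = null, array $headers = [], ?string $userAndToken = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEJAR => $cookieJar,  // store cookies (JSESSIONID) received here ...
        CURLOPT_COOKIEFILE => $cookieJar, // ... and send them again on the next request
        CURLOPT_HTTPHEADER => $headers,
        CURLOPT_TIMEOUT => 10,
    ]);
    if ($postBody !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postBody);
    }
    if ($userAndToken !== null) {
        curl_setopt($ch, CURLOPT_USERPWD, $userAndToken); // "user:apitoken" (assumed credentials)
    }
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error = curl_error($ch);
    curl_close($ch);

    return ['status' => $status, 'body' => $body === false ? '' : $body, 'error' => $error];
}

/** Disable a job the way the scheduler does, but fail loudly when no crumb could be obtained. */
function disableJob(string $jenkinsHost, string $jobName, string $cookieJar, ?string $userAndToken = null): array
{
    $issuer = jenkinsRequest($jenkinsHost . '/crumbIssuer/api/json', $cookieJar, null, [], $userAndToken);
    $crumb = parseCrumbIssuer($issuer['body']);
    if ($crumb === null) {
        // Report what the issuer actually answered instead of letting the POST fail with 403.
        throw new RuntimeException(sprintf(
            'crumbIssuer returned HTTP %d without a usable crumb: %s',
            $issuer['status'],
            substr($issuer['body'], 0, 200)
        ));
    }
    $headers = [$crumb['crumbRequestField'] . ': ' . $crumb['crumb']];

    return jenkinsRequest($jenkinsHost . '/job/' . rawurlencode($jobName) . '/disable', $cookieJar, '', $headers, $userAndToken);
}

// Constructed sample responses (not captured from a real Jenkins) to exercise the parser offline.
$goodIssuer = '{"_class":"hudson.security.csrf.DefaultCrumbIssuer","crumb":"0123abcd","crumbRequestField":"Jenkins-Crumb"}';
$htmlError  = '<html><head><title>Error 403 No valid crumb was included in the request</title></head></html>';
$nullCrumb  = '{"crumb":null,"crumbRequestField":"Jenkins-Crumb"}';

var_dump(parseCrumbIssuer($goodIssuer)); // usable: header name and crumb value
var_dump(parseCrumbIssuer($htmlError));  // not usable: HTML, not JSON
var_dump(parseCrumbIssuer($nullCrumb));  // not usable: crumb is null

// Live usage against an instance (assumed host, job and credentials):
// $result = disableJob('http://jenkins.example.invalid:8080', 'EN__check-product-validity', '/tmp/jenkins-cookies.txt', 'user:apitoken');
```

Running the script prints the parsed array for the constructed good response and `NULL` for the two broken ones. If `parseCrumbIssuer` returns `NULL` against a real instance, compare the raw body of `/crumbIssuer/api/json` fetched with the same user and cookie jar the scheduler uses, which is the check suggested earlier in the thread.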
  • Posts: 546 🧑🏻‍🚀 - Cadet

    but checked and MOST of the requests go through with correct crumb

  • SRE @ Spryker Sprykee Posts: 1,654 ✨ - Novice

    So as I'm not a developer, could you tell me if this an issue that needs to be fixed in Spryker? If yes, please create a support ticket. 🙂

  • Posts: 546 🧑🏻‍🚀 - Cadet

    looks like it, but I don't clearly get why this happens; once I know I'll ping you about it. This pretty much broke all our environments at this point

  • Posts: 546 🧑🏻‍🚀 - Cadet
    edited May 2020

    ok, I have checked this and scheduler:setup doesn't seem to work on 2.222.3. Can anyone check this for me on their instance?

  • Posts: 546 🧑🏻‍🚀 - Cadet
  • Freelance Spryker Developer Spryker Solution Partner Posts: 26 ✨ - Novice

    because when trying to run scheduler:resume for example this gets NULL in crumb issuer which is giving TypeError

    this is not expected for sure. Crumb issuer should always return array of crumbs, and this array is taken from <jenkinsHost>/crumbIssuer/api/json . maybe they changed something here in newer versions of Jenkins?

  • Posts: 546 🧑🏻‍🚀 - Cadet

    which version of jenkins are you running?

  • Posts: 546 🧑🏻‍🚀 - Cadet

    @valerii.trots which stable jenkins version was spryker tested against?

  • SRE @ Spryker Sprykee Posts: 1,654 ✨ - Novice

    I don't know the answer to this question.
    I can say that in the docker/sdk env we have an older version for sure.

  • Posts: 546 🧑🏻‍🚀 - Cadet

    in that case I'm filing a ticket

  • SRE @ Spryker Sprykee Posts: 1,654 ✨ - Novice

    Please do so! Thanks! 🙂

  • Posts: 546 🧑🏻‍🚀 - Cadet

    done

  • In the event you find this helpful: When I was debugging this behaviour in the past I would use tcpdump or wireshark to check the request/response cycle between spryker and jenkins.

    If jenkins is returning false data it might be because the server is rate limiting API requests for example.

  • Posts: 546 🧑🏻‍🚀 - Cadet

    I have also checked that, but it's failing on the first request. Thank you anyway, it's always worth getting an additional idea in
