reload-configuration-as-code/?casc-reload-token=<token> throws HTTP/1.1 403 Forbidden #2524

Open
mjayksharma opened this issue Jul 7, 2024 · 5 comments


mjayksharma commented Jul 7, 2024

Jenkins and plugins versions report

Environment
Jenkins version: 2.452.2
configuration as code plugin version: 1810.v9b_30a_249a_4c

What Operating System are you using (both controller, and any agents involved in the problem)?

jenkins/jenkins:2.452.2-lts-alpine docker image platform=linux/amd64

Only controller is involved in the problem

Reproduction steps

  1. Set JAVA_OPTS environment variable -Dcasc.reload.token=
  2. curl -X POST "JENKINS_URL/reload-configuration-as-code/?casc-reload-token="

Expected Results

Reload successful with 200 response code

Actual Results

403 Forbidden. Authentication required

Anything else?

No response

mjayksharma added the bug label Jul 7, 2024
@mjayksharma

I just noticed that even though it throws a 403 error, the configuration reload is successful.

As we have a webhook configured to do a POST request to reload the configuration and retry if it fails, it keeps on retrying every 10 seconds, which is a problem.

@mjayksharma

Update: I am running this using the official Helm chart version 5.3.3 on an OpenShift cluster.

@mjayksharma

Seems like it is redirecting the curl request to the login page.

@mjayksharma

It works when supplying a username and password with the curl request:
curl -vvv -X POST http://127.0.0.1:8080/reload-configuration-as-code/?casc-reload-token=test --user user1:password1

I have tried multiple things without success. Any help would be appreciated.

@mjayksharma

mjayksharma commented Jul 10, 2024

Update:
I tried running a standalone Docker container to simulate the issue. It had just the basic environment variables set:

docker run --platform=linux/arm64 -e CASC_RELOAD_TOKEN=test -e CASC_JENKINS_CONFIG=/var/jenkins_home/casc_configs -v /Users/mksharma/local_jenkins/casc:/var/jenkins_home/casc_configs -p 8080:8080 customjenkins

When I do the reload test, it works well:

jenkins@dbd362f6d1d0:/$ curl -vv -X POST http://127.0.0.1:8080/reload-configuration-as-code/?casc-reload-token=test
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /reload-configuration-as-code/?casc-reload-token=test HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 10 Jul 2024 13:10:20 GMT
< X-Content-Type-Options: nosniff
< Vary: Accept-Encoding
< Content-Length: 0
< Server: Jetty(10.0.21)
<
* Connection #0 to host 127.0.0.1 left intact

The moment I put anything in the directory. I tried putting a basic authorization configuration:

jenkins:
  authorizationStrategy:
    roleBased:
      roles:
        global:
        - entries:
          - user: admin
          name: "admin"
          pattern: ".*"
          permissions:
          - "Overall/Administer"

And reload it again

jenkins@dbd362f6d1d0:/$ curl -vv -X POST http://127.0.0.1:8080/reload-configuration-as-code/?casc-reload-token=test
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /reload-configuration-as-code/?casc-reload-token=test HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Wed, 10 Jul 2024 13:16:02 GMT
< X-Content-Type-Options: nosniff
< Set-Cookie: JSESSIONID.9fe177d0=node0qmhhn3ksv24j1u35eirr9xt4f1.node0; Path=/; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: text/html;charset=utf-8
< X-Hudson: 1.395
< X-Jenkins: 2.466
< X-Jenkins-Session: 119b7056
< Transfer-Encoding: chunked
< Server: Jetty(10.0.21)
<
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2Freload-configuration-as-code%2F%3Fcasc-reload-token%3Dtest'/><script id='redirect' data-redirect-url='/login?from=%2Freload-configuration-as-code%2F%3Fcasc-reload-token%3Dtest' src='/static/119b7056/scripts/redirect.js'></script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
-->

* Connection #0 to host 127.0.0.1 left intact
</body></html>

The error reappears.

timja removed the bug label Oct 3, 2024