Crumb with Golang's net/http header

Question

I was adding crumb CSRF protection support as part of the Golang code I wrote for interacting with the Jenkins RESTful API (https://wiki.jenkins-ci.org/display/JENKINS/Remote+access+API).

struct:

    type Crumb struct {
        Crumb             string `json:"crumb"`
        CrumbRequestField string `json:"crumbRequestField"`
    }

code

    ...
    crb := Crumb{}
    // did some work to jsonify the crumb to Golang struct
    // https://jenkins.mydomain.com/crumbIssuer/api/json
    ...
    if crb.Crumb != "" && crb.CrumbRequestField != "" {
        req.Header.Set(crb.CrumbRequestField, crb.Crumb)
    }
    req.SetBasicAuth(jenkins.auth.Username, jenkins.auth.ApiToken)
    // i think the issue is related to DefaultClient, but not sure
    return http.DefaultClient.Do(req)

But with the Golang implementation above I keep getting a 403, while the same thing works fine with a cURL call.

    &{403 No valid crumb was included in the request 403 HTTP/1.1 1 1 map[Server:[nginx] Date:[Thu, 31 Jul 2014 05:58:52 GMT] Content-Type:[text/html;charset=ISO-8859-1] Connection:[keep-alive] Cache-Control:[must-revalidate,no-cache,no-store]] 0xc20800ff80 -1 [chunked] false map[] 0xc2082ba270 0xc208005da0}

cURL log:

    > POST /computer/node1/toggleOffline HTTP/1.1
    > Authorization: Basic <key>
    > User-Agent: curl/7.30.0
    > Host: jenkins.mydomain.com
    > Accept: */*
    > .crumb: 0d6401898751f250ff1f95b5bf9589db

Answer 1

Score: 1

I'm answering my own question here. I found my issue and it has nothing to do with Golang's net/http lib. The Jenkins crumb GET request requires that you provide basic auth to obtain the crumb properly.

huangapple
  • This article was published on July 31, 2014, 14:37:32
  • When reposting, please be sure to keep this article's link: https://go.coder-hub.com/25052286.html