jenkins_obj.plugin.install Method No Longer Working w/ Jenkins v 2.192 #287

Open
ninp0 opened this issue Aug 29, 2019 · 2 comments

ninp0 commented Aug 29, 2019

Greetings!

```ruby
@client.api_post_request("/pluginManager/install", form_data)
```

It appears the aforementioned line no longer works when interacting w/ Jenkins v2.192 as it throws the following error:

```ruby
plugin_arr = ['slack', 'htmlpublisher']
jenkins_obj = JenkinsApi::Client.new(
  server_ip: jenkins_ip,
  server_port: port,
  username: username,
  password: password,
  follow_redirects: true,
  ssl: ssl_bool,
  proxy_protocol: proxy_protocol,
  proxy_ip: proxy_ip,
  proxy_port: proxy_port
)
jenkins_obj.plugin.install(plugin_arr)
```

```
I, [2019-08-29T20:58:15.629510 #11064]  INFO -- : Crumbs turned on.  Fetching from the server.
E, [2019-08-29T20:58:15.746594 #11064] ERROR -- : JenkinsApi::Exceptions::Forbidden: Access denied. Please ensure that Jenkins is set up to allow access to this operation.
I, [2019-08-29T20:58:15.808972 #11064]  INFO -- : Crumb expired.  Refetching from the server.
I, [2019-08-29T20:58:15.873932 #11064]  INFO -- : Retrying: 1 out of 3 times...
E, [2019-08-29T20:58:15.943977 #11064] ERROR -- : JenkinsApi::Exceptions::Forbidden: Access denied. Please ensure that Jenkins is set up to allow access to this operation.
I, [2019-08-29T20:58:16.012773 #11064]  INFO -- : Crumb expired.  Refetching from the server.
I, [2019-08-29T20:58:16.084756 #11064]  INFO -- : Retrying: 2 out of 3 times...
E, [2019-08-29T20:58:16.153777 #11064] ERROR -- : JenkinsApi::Exceptions::Forbidden: Access denied. Please ensure that Jenkins is set up to allow access to this operation.
I, [2019-08-29T20:58:16.220758 #11064]  INFO -- : Crumb expired.  Refetching from the server.
I, [2019-08-29T20:58:16.280291 #11064]  INFO -- : Retrying: 3 out of 3 times...
E, [2019-08-29T20:58:16.280534 #11064] ERROR -- : JenkinsApi::Exceptions::ForbiddenWithCrumb: Access denied. Please ensure that Jenkins is set up to allow access to this operation. A crumb was used in attempt to access operation. Access denied. Please ensure that Jenkins is set up to allow access to this operation.
JenkinsApi::Exceptions::ForbiddenWithCrumb: Access denied. Please ensure that Jenkins is set up to allow access to this operation. A crumb was used in attempt to access operation. Access denied. Please ensure that Jenkins is set up to allow access to this operation.
from /usr/local/rvm/gems/ruby-2.6.3@csi/gems/jenkins_api_client-1.5.3/lib/jenkins_api_client/client.rb:420:in `rescue in api_post_request'
Caused by JenkinsApi::Exceptions::Forbidden: Access denied. Please ensure that Jenkins is set up to allow access to this operation.
from /usr/local/rvm/gems/ruby-2.6.3@csi/gems/jenkins_api_client-1.5.3/lib/jenkins_api_client/client.rb:784:in `handle_exception'
```

I've tested this doesn't occur when running against Jenkins 2.190...upgrade to 2.192 and the error described above occurs. It looks like it's due to some security fixes:
https://jenkins.io/changelog/
https://jenkins.io/security/advisory/2019-08-28/ >>
SECURITY-1491 / CVE-2019-10384

It looks like for whatever reason jenkins_obj.crumbs_enabled is nil when instantiating the JenkinsApi::Client class.

@keeganquinn

Ran into the same issue with an app of mine. I agree that it appears this is caused by Jenkins SECURITY-1491. I was able to work around this by installing the Strict Crumb Issuer plugin, activating it, and disabling the "Check the session ID" option in the Advanced section of that plugin.

Be forewarned that this workaround effectively disables the security improvement in SECURITY-1491. It appears that jenkins_api_client will need to be updated to support a web session ID to fix this issue correctly.

HTH!

@dmicky0419

I examined this problem, too, and discovered a Jenkins web session ID in the cookies.
I tried to implement the patch in PR #292.
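
The session binding discussed in this thread, as an added offline example (not code from jenkins_api_client or from PR #292): a crumb sent without the session cookie issued alongside it is rejected, while crumb plus cookie is accepted. `FakeJenkins` and `CrumbClient` are hypothetical names, the cookie name `JSESSIONID.test` and the status codes are constructed, and the model assumes the server ties each crumb to the web session it was issued in.

```ruby
require 'securerandom'

# Constructed stand-in for a Jenkins server with session-bound crumbs:
# a crumb is only valid together with the session cookie issued with it.
class FakeJenkins
  def initialize
    @crumb_by_session = {}
  end

  # Models GET /crumbIssuer/api/json; returns [response headers, JSON body].
  def get_crumb(cookie = nil)
    sid = session_id(cookie) || SecureRandom.hex(8)
    @crumb_by_session[sid] ||= SecureRandom.hex(16)
    [{ 'Set-Cookie' => "JSESSIONID.test=#{sid}; Path=/; HttpOnly" },
     { 'crumbRequestField' => 'Jenkins-Crumb', 'crumb' => @crumb_by_session[sid] }]
  end

  # Models POST /pluginManager/install; returns a constructed status code.
  def post(headers)
    sid = session_id(headers['Cookie'])
    expected = sid && @crumb_by_session[sid]
    expected && headers['Jenkins-Crumb'] == expected ? 200 : 403
  end

  private

  def session_id(cookie)
    cookie && cookie[/JSESSIONID[^=]*=([^;]+)/, 1]
  end
end

# Hypothetical client: keep_session decides whether the cookie from the
# crumb response is replayed on the POST that carries the crumb.
class CrumbClient
  def initialize(server, keep_session:)
    @server = server
    @keep_session = keep_session
  end

  def install_plugins
    resp_headers, body = @server.get_crumb
    headers = { body['crumbRequestField'] => body['crumb'] }
    # Replay only the name=value pair, not the cookie attributes.
    headers['Cookie'] = resp_headers['Set-Cookie'].split(';').first if @keep_session
    @server.post(headers)
  end
end

server = FakeJenkins.new
puts "crumb only:     #{CrumbClient.new(server, keep_session: false).install_plugins}"
puts "crumb + cookie: #{CrumbClient.new(server, keep_session: true).install_plugins}"
```

The crumb-only case corresponds to the repeated `Forbidden` / `ForbiddenWithCrumb` retries in the log above: refetching the crumb does not help when each fetch starts a new session whose cookie is then dropped.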
