jenkinsci · sboardwell · May 2, 2023
@@ -13,3 +13,6 @@ work
 .settings
 .classpath
 .project
+
+# asdf
+.tool-versions
@@ -65,8 +65,12 @@ private void softLabelUpdate(String sNewLabels) throws SoftLabelUpdateException
                         URI.create(url + "plugin/swarm/getSlaveLabels?name=" + name))
                 .GET();
         SwarmClient.addAuthorizationHeader(builder, options);
-        HttpRequest request = builder.build();
         try {
+            SwarmClient.Crumb csrfCrumb = SwarmClient.getCsrfCrumb(client, options, url);
+            if (csrfCrumb != null) {
+                builder.header(csrfCrumb.crumbRequestField, csrfCrumb.crumb);
+            }
+            HttpRequest request = builder.build();
             HttpResponse<InputStream> response = client.send(request, HttpResponse.BodyHandlers.ofInputStream());
             if (response.statusCode() != HttpURLConnection.HTTP_OK) {
                 logger.log(

@@ -71,6 +71,7 @@ public class SwarmClient {
 
     private final Options options;
     private final String hash;
+    private static boolean crumbHeaderNeeded = true;
     private String name;
     private HttpServer prometheusServer = null;
 
@@ -280,10 +281,15 @@ static void addAuthorizationHeader(HttpRequest.Builder builder, Options clientOp
         }
     }
 
-    private static synchronized Crumb getCsrfCrumb(HttpClient client, Options options, URL url)
+    static synchronized Crumb getCsrfCrumb(HttpClient client, Options options, URL url)
             throws IOException, InterruptedException {
         logger.finer("getCsrfCrumb() invoked");
 
+        // return null if not needed
+        if (!crumbHeaderNeeded) {
+            return null;
+        }
+
         String[] crumbResponse;
 
         URI uri = URI.create(url
@@ -356,13 +362,23 @@ void createSwarmAgent(URL url) throws IOException, InterruptedException, RetryEx
                 + param("keepDisconnectedClients", Boolean.toString(options.keepDisconnectedClients)));
         HttpRequest.Builder builder = HttpRequest.newBuilder(uri).POST(HttpRequest.BodyPublishers.noBody());
         SwarmClient.addAuthorizationHeader(builder, options);
-        Crumb csrfCrumb = getCsrfCrumb(client, options, url);
-        if (csrfCrumb != null) {
-            builder.header(csrfCrumb.crumbRequestField, csrfCrumb.crumb);
-        }
         HttpRequest request = builder.build();
 
         HttpResponse<InputStream> response = client.send(request, HttpResponse.BodyHandlers.ofInputStream());
+        if (response.statusCode() == HttpURLConnection.HTTP_FORBIDDEN) {
+            logger.info("Received HTTP_FORBIDDEN first time - retrying with Crumb...");
+            Crumb csrfCrumb = getCsrfCrumb(client, options, url);
+            if (csrfCrumb != null) {
+                builder.header(csrfCrumb.crumbRequestField, csrfCrumb.crumb);
+            }
+            request = builder.build();
+            response = client.send(request, HttpResponse.BodyHandlers.ofInputStream());
+            if (response.statusCode() != HttpURLConnection.HTTP_FORBIDDEN) {
+                logger.warning("It seems a password is being used to authenticate - please consider using an API token. Password authentication will eventually be DEPRECATED.");
+            }
+        } else {
+            crumbHeaderNeeded = false;
+        }
         if (response.statusCode() != HttpURLConnection.HTTP_OK) {
             throw new RetryException(String.format(
                     "Failed to create a Swarm agent on Jenkins. Response code: %s%n%s",
@@ -630,7 +646,7 @@ public DefaultTrustManager(String fingerprints) {
         }
     }
 
-    private static class Crumb {
+    protected static class Crumb {
         final String crumb;
         final String crumbRequestField;