How do you disable Jenkins CSRF with script?

Tags: jenkins, groovy

I'm having issues disabling the CSRF protection in an automated fashion. I want to disable it with a Groovy init script or just in a property file before the Jenkins master starts. I'm not sure why I'm getting a crumb issue; I assume it has to do with the exposed LB in K8S / AWS. I'm using an AWS ELB to expose pods and it's causing a CSRF exception in the crumb, and I also get a reverse proxy warning sometimes when I go to Manage Jenkins.

I researched the issue; it said I could enable the expanded proxy compatibility or disable the CSRF checking. I haven't found the Groovy or config files where these live.

My current groovy init script is as follows:

import hudson.security.csrf.DefaultCrumbIssuer
import jenkins.model.Jenkins

def j = Jenkins.instance;
j.setCrumbIssuer(null); // I've also tried setting a new crumb issuer here as well.
j.save();
System.setProperty("hudson.security.csrf.CrumbFilter", "false");
System.setProperty("hudson.security.csrf", "false");
System.setProperty("hudson.security.csrf.GlobalCrumbIssuerConfiguration", "false");

I can't seem to find the reference as to how to disable this property or enable the Enable proxy compatibility property either.

Crumb Algorithm: Default Crumb Issuer
    [ ] Enable proxy compatibility

I intercepted the request to configure when I click apply and the json payload passed seems like the setting is

"hudson-security-csrf-GlobalCrumbIssuerConfiguration": {
    "csrf": {
        "issuer": {
            "value": "0",
            "stapler-class": "hudson.security.csrf.DefaultCrumbIssuer",
            "$class": "hudson.security.csrf.DefaultCrumbIssuer",
            "excludeClientIPFromCrumb": true
        }
    }
},

I'm not sure what or how I'm supposed to set these.

Grant Zukel asked Apr 17 '18 23:04



2 Answers

If you really need to (temporarily) disable CSRF, it can be done with Groovy:

import jenkins.model.Jenkins

def instance = Jenkins.instance
instance.setCrumbIssuer(null)

It should be enabled again afterwards by setting the default CrumbIssuer again, as mentioned in the Jenkins Wiki:

import hudson.security.csrf.DefaultCrumbIssuer
import jenkins.model.Jenkins

def instance = Jenkins.instance
instance.setCrumbIssuer(new DefaultCrumbIssuer(true))
instance.save()

N.B.: It's not enough to set the flag to enable CSRF protection via the GUI afterwards; you need to check the crumb algorithm, too.

MKesper answered Sep 21 '22 23:09


I stumbled on this question while I was tearing my hair out trying to figure out more or less the same thing (in my case, I needed to know how the proxy compatibility option mapped to Jenkins' config.xml). In the HTML source for the form, there's this helpful bit of info (truncated for brevity):

<label>Enable proxy compatibility</label><a helpURL="/descriptor/hudson.security.csrf.DefaultCrumbIssuer/help/excludeClientIPFromCrumb"><img /></a>

excludeClientIPFromCrumb is a constructor parameter on DefaultCrumbIssuer, as the javadocs expose: http://javadoc.jenkins-ci.org/hudson/security/csrf/DefaultCrumbIssuer.html. I just needed to flip that value in my config.xml - my confusion stemmed from how the label for the field in the UI differed from the name of the constructor argument.

For your case, if you want to enable CSRF protection using the default crumb provider with "enable proxy compatibility" turned on, in your script you can do

j.setCrumbIssuer(new DefaultCrumbIssuer(true));
xjtian answered Sep 17 '22 23:09
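Both answers above boil down to the same call: `Jenkins.instance.setCrumbIssuer(...)`, with `null` meaning no CSRF protection at all and `new DefaultCrumbIssuer(true)` meaning protection stays on but the client IP is left out of the crumb (the "Enable proxy compatibility" checkbox), which is what you want behind an ELB or any reverse proxy. The following init script is an added example, not code from either answer; it keeps CSRF protection enabled, makes the proxy-compatibility setting idempotent across restarts, and logs what it did so the startup log shows the resulting state. The environment variable name `JENKINS_CSRF_PROXY_COMPAT` and the file name are assumptions; the `DefaultCrumbIssuer` constructor, `isExcludeClientIPFromCrumb()`, `getCrumbIssuer()` and `setCrumbIssuer()` are Jenkins core APIs.

```groovy
// $JENKINS_HOME/init.groovy.d/csrf-proxy-compat.groovy (assumed file name)
// Added example: enable CSRF protection with proxy compatibility at startup,
// instead of disabling CSRF. Runs after Jenkins core is loaded.
import hudson.security.csrf.CrumbIssuer
import hudson.security.csrf.DefaultCrumbIssuer
import jenkins.model.Jenkins
import java.util.logging.Logger

def log = Logger.getLogger("init.csrf-proxy-compat")
def jenkins = Jenkins.instance

// JENKINS_CSRF_PROXY_COMPAT is an assumed, image-specific variable, not a Jenkins
// property. Defaults to true because this instance sits behind a load balancer.
boolean proxyCompat = (System.getenv("JENKINS_CSRF_PROXY_COMPAT") ?: "true").toBoolean()

CrumbIssuer current = jenkins.crumbIssuer

if (current == null) {
    // null means no crumb issuer: CSRF protection is off. Turn it back on.
    log.warning("No crumb issuer configured (CSRF protection disabled); enabling DefaultCrumbIssuer")
}

if (current instanceof DefaultCrumbIssuer && current.excludeClientIPFromCrumb == proxyCompat) {
    // Already in the desired state; avoid a needless config.xml write on every restart.
    log.info("CSRF protection already configured: DefaultCrumbIssuer(excludeClientIPFromCrumb=${proxyCompat})")
} else {
    // The constructor argument is what the UI labels "Enable proxy compatibility".
    jenkins.crumbIssuer = new DefaultCrumbIssuer(proxyCompat)
    jenkins.save()
    log.info("CSRF protection set to DefaultCrumbIssuer(excludeClientIPFromCrumb=${proxyCompat})")
}
```

After a restart, grep the Jenkins log for `init.csrf-proxy-compat` to confirm which branch ran, and check that `config.xml` now contains a `<crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">` element with `<excludeClientIPFromCrumb>true</excludeClientIPFromCrumb>`; that is the same mapping xjtian describes. If a reverse proxy warning persists on Manage Jenkins, that is a separate check on the proxy's forwarded headers, not on the crumb issuer.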