Jenkins build monitor wall without manual login

Tags:

jenkins

I'm trying to create a completely automated Jenkins status screen for our office wall with a Raspberry Pi. I was able to configure the Pi to show a browser with a specific URL on the TVs, as well as configure the Build Monitor Plugin in Jenkins with our build jobs.

Our Jenkins uses matrix-based security, so I created a separate raspberry user with the required privileges. (After logging in manually, the wall plugin is shown properly.)

I can see a valid HTTP answer with the following command:

curl "http://raspberry:0b45...06@localhost:8080/view/wall1/"

0b45...06 is the API Token of the raspberry Jenkins user. (From http://localhost:8080/user/raspberry/configure)

Unfortunately this URL scheme does not work in graphical browsers. I've also tried the token parameter without success:

$ curl "http://localhost:8080/view/wall1/?token=0b45...06"
<html><head>...</head><body ...>


Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:

Permission you need to have (but didn't): hudson.model.Hudson.Read
 ... which is implied by: hudson.security.Permission.GenericRead
 ... which is implied by: hudson.model.Hudson.Administer
-->

</body></html>                               

How can I get a URL which works without login in browsers (like Chromium or Midori) and shows my Jenkins view?

I don't want any manual step, including logging in (through VNC, for example), since it does not scale too well to multiple offices/Pis.

asked Jan 29 '16 18:01 by palacsint



1 Answer

I'd like to see a simpler solution but a workaround could be the following.

I've created a local Apache proxy which listens on port 80, sets authorization headers and forwards requests to our Jenkins instance with the following Apache config:

<VirtualHost 127.0.0.1:80>
    ProxyRequests Off
    ProxyPreserveHost Off
    ProxyErrorOverride Off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Backend is https; CN check against the host name is switched off, expiry check stays on
    SSLProxyEngine On
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerExpire On

    ProxyPass   /   https://jenkins.example.com/ nocanon
    ProxyPassReverse   /   https://jenkins.example.com/
    AllowEncodedSlashes NoDecode

    # Rewrite absolute Jenkins links in returned HTML so they point at the proxy
    SetOutputFilter INFLATE;proxy-html;DEFLATE
    ProxyHTMLURLMap https://jenkins.example.com/ /
    SetEnv proxy-nokeepalive 1

    <Location />
        # {{ jenkins_basic_header }} is a template placeholder for base64("user:token")
        RequestHeader set Authorization "Basic {{ jenkins_basic_header }}"
        # Drop the Secure flag so the browser returns cookies over plain http
        Header edit Set-Cookie "Secure;" ""
        Order allow,deny
        Allow from all
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

(You might need to fine-tune SSL or other parameters; the Apache debug log could be helpful.)

Note the Header edit Set-Cookie "Secure;" "" line which removes the secure flag from cookies. It's required since Jenkins uses https and sends secure cookies while the Apache proxy listens only on port 80. Without that the browser gets the session cookie (and other ones) as secure ones but does not send them back on a plain http connection. (It's a problem if your dashboard plugin works with new sessions on every call. The linked Build Monitor Plugin in Jenkins does not support that, it requires stable session IDs.)

Using https on the Apache seemed like overkill here if the Apache listens only on localhost (ports.conf):

Listen 127.0.0.1:80

The jenkins_basic_header variable can be generated with the following Python script:

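#!/usr/bin/env python3
"""Print the base64 value used in an HTTP Basic Authorization header."""
import base64
import errno
import sys

if len(sys.argv) != 3:
    print('Missing user pass/token arguments')
    print('Usage: ./basic-pass.py <user> <pass/token>')
    sys.exit(errno.EINVAL)

# b64encode() requires bytes on Python 3, so encode "user:secret" first
credentials = (sys.argv[1] + ':' + sys.argv[2]).encode('utf-8')
encoded = base64.b64encode(credentials).decode('ascii')
sys.stdout.write(encoded)  # do not print new-line char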

It works with the token too.

answered Oct 18 '22 09:10 by palacsint
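
The answer relies on Apache listening only on localhost, because the proxy attaches the raspberry user's credentials to every request it forwards. An added example (not part of the original answer): a Python check that flags any Listen or VirtualHost binding that is not a literal loopback address. The function names and the sample config are constructed for illustration.

```python
import ipaddress
import re

# "Listen [addr:]port [protocol]" and "<VirtualHost addr[:port] ...>"
LISTEN_RE = re.compile(r'^\s*Listen\s+(\S+)', re.I)
VHOST_RE = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I)

# Constructed sample config, not taken from a real host
SAMPLE = """\
# ports.conf
Listen 127.0.0.1:80
Listen 8080
Listen [::1]:80
<VirtualHost 127.0.0.1:80>
</VirtualHost>
<VirtualHost *:80>
</VirtualHost>
"""

def bind_host(spec):
    """Return the host part of an Apache addr[:port] spec, or None if port-only."""
    if spec.startswith('['):                 # bracketed IPv6, e.g. [::1]:80
        return spec[1:spec.index(']')]
    host, sep, _port = spec.rpartition(':')
    if sep:
        return host
    return None if spec.isdigit() else spec  # "80" versus "*" or a bare address

def is_loopback(host):
    """True only for literal loopback IPs; wildcards and DNS names are not trusted."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except (TypeError, ValueError):
        return False  # None (all interfaces), "*", "_default_", host names

def exposed_bindings(config_text):
    """List (line_no, directive, spec) for each binding that is not loopback-only."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        listen, vhost = LISTEN_RE.match(line), VHOST_RE.match(line)
        if listen:
            specs, directive = [listen.group(1)], 'Listen'
        elif vhost:
            specs, directive = vhost.group(1).split(), 'VirtualHost'
        else:
            continue
        findings += [(line_no, directive, s) for s in specs
                     if not is_loopback(bind_host(s))]
    return findings
```

Running `exposed_bindings()` over the contents of ports.conf and the site file should return an empty list for the setup in the answer; a host name such as `localhost` is reported on purpose, since the check does not resolve names.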