jenkinsci · jglick · Nov 12, 2024 · Nov 6, 2024 · Nov 8, 2024 · Nov 11, 2024
@@ -51,6 +51,11 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <dependency>
+                <groupId>org.jenkins-ci.plugins</groupId>
+                <artifactId>script-security</artifactId>
+                <version>1367.vdf2fc45f229c</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
     <dependencies>
@@ -68,5 +73,10 @@
             <artifactId>test-harness</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.jenkins-ci.plugins</groupId>
+            <artifactId>matrix-auth</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>
@@ -23,14 +23,17 @@
  */
 package hudson.slaves;
 
+import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.Nullable;
 import hudson.AbortException;
 import hudson.EnvVars;
 import hudson.Extension;
 import hudson.Functions;
 import hudson.Util;
+import hudson.model.ComputerSet;
 import hudson.model.Descriptor;
+import hudson.model.DescriptorVisibilityFilter;
 import hudson.model.Slave;
 import hudson.model.TaskListener;
 import hudson.remoting.Channel;
@@ -39,6 +42,7 @@
 import hudson.util.StreamCopyThread;
 import java.io.IOException;
 import java.util.Date;
+import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import jenkins.model.Jenkins;
@@ -49,6 +53,7 @@
 import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
 import org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException;
 import org.jenkinsci.plugins.scriptsecurity.scripts.languages.SystemCommandLanguage;
+import org.kohsuke.stapler.Ancestor;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.Stapler;
@@ -80,10 +85,11 @@
      * @see #CommandLauncher(String command, EnvVars env)
      */
     @DataBoundConstructor
-    public CommandLauncher(String command) {
+    public CommandLauncher(String command) throws Descriptor.FormException {
+        checkSandbox();
         agentCommand = command;
         env = null;
         // TODO add withKey if we can determine the Slave.nodeName being configured
        ScriptApproval.get().configuring(command, SystemCommandLanguage.get(), ApprovalContext.create().withCurrentUser(), Stapler.getCurrentRequest() == null);
    }

@@ -94,17 +100,32 @@
      *                  "sh -c" or write the expression into a script and point to the script)
      * @param env       environment variables for the launcher to include when it runs the command
      */
-    public CommandLauncher(String command, EnvVars env) {
-    	this.agentCommand = command;
+    public CommandLauncher(String command, EnvVars env) throws Descriptor.FormException {
+        checkSandbox();
+        this.agentCommand = command;
     	this.env = env;
         ScriptApproval.get().preapprove(command, SystemCommandLanguage.get());
     }
 
-    /** Constructor for use from {@link CommandConnector}. Never approves the script. */
+    /** Constructor for use from {@link CommandConnector}. Never approves the script.
+     * We don't execute the {@link #checkSandbox()} for backward compatibility, as this is just for running the Scripts
+     */
     CommandLauncher(EnvVars env, String command) {
         this.agentCommand = command;
         this.env = env;
     }
+
+    /**
+     * Check if the current user is forced to use the Sandbox when creating a new instance.
+     * In this case, we don't allow saving new instances of the CommandLauncher object by throwing a new exception
+     */
+    private void checkSandbox() throws Descriptor.FormException {
+          if (ScriptApproval.get().isForceSandboxForCurrentUser()) {
+              throw new Descriptor.FormException(
+                      "This Launch Method requires scripts executions out of the sandbox."
+                      + " This Jenkins instance has been configured to not allow regular users to disable the sandbox", "sandbox");
+          }
+      }
 
     private Object readResolve() {
         ScriptApproval.get().configuring(agentCommand, SystemCommandLanguage.get(), ApprovalContext.create(), true);
@@ -250,4 +271,49 @@
                 return ScriptApproval.get().checking(value, SystemCommandLanguage.get(), !StringUtils.equals(value, oldCommand));
         }
     }
+
+    /**
+     * In case the flag
+     * {@link ScriptApproval#isForceSandboxForCurrentUser} is true, we don't show the {@link DescriptorImpl descriptor}
+     * for the current user, except if we are editing a node that already has the launcher {@link CommandLauncher}
+     */
+    @Extension
+    public static class DescriptorVisibilityFilterForceSandBox extends DescriptorVisibilityFilter {
+        @Override
+        public boolean filter(@CheckForNull Object context, @NonNull Descriptor descriptor) {
+            if(descriptor instanceof DescriptorImpl) {
+                return !ScriptApproval.get().isForceSandboxForCurrentUser() ||
+                       (context instanceof DumbSlave && ((DumbSlave) context).getLauncher() instanceof CommandLauncher);
+            }
+            return true;
+        }
+
+        @Override
+        public boolean filterType(@NonNull Class<?> contextClass, @NonNull Descriptor descriptor) {
+            if(descriptor instanceof DescriptorImpl)
+            {
+                //If we are creating a new object, check ScriptApproval.get().isForceSandboxForCurrentUser()
+                //If we are NOT creating a new object, return true, and delegate the logic to #filter
+                return !(isCreatingNewObject() && ScriptApproval.get().isForceSandboxForCurrentUser());
+            }
+            return true;
+        }
+
+        private boolean isCreatingNewObject() {
+            boolean isCreating = false;
+
+            if (Stapler.getCurrentRequest() != null) {
+                List<Ancestor> ancs = Stapler.getCurrentRequest().getAncestors();
+                for (Ancestor anc : ancs) {
+                    if (!isCreating && anc.getObject() instanceof ComputerSet) {
+                        String uri = Stapler.getCurrentRequest().getOriginalRequestURI();
+                        if (uri.endsWith("createItem")) {
+                            isCreating = true;
+                        }
+                    }
+                }
+            }
+            return isCreating;
+        }
+    }
 }
@@ -0,0 +1,206 @@
+package hudson.slaves;
+
+import java.io.IOException;
+
+import org.htmlunit.html.HtmlForm;
+import org.jenkinsci.plugins.matrixauth.AuthorizationType;
+import org.jenkinsci.plugins.matrixauth.PermissionEntry;
+import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.JenkinsRule.WebClient;
+
+import hudson.model.Descriptor;
+import hudson.model.User;
+import hudson.security.ACL;
+import hudson.security.ACLContext;
+import hudson.security.GlobalMatrixAuthorizationStrategy;
+import jenkins.model.Jenkins;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
+
+public class CommandLauncherForceSandboxTest {
+
+    @Rule
+    public JenkinsRule j = new JenkinsRule();
+
+    @Before
+    public void configureTest() throws IOException {
+        Jenkins.MANAGE.setEnabled(true);
+
+        j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
+
+        PermissionEntry adminPermission = new PermissionEntry(AuthorizationType.USER, "admin");
+        PermissionEntry develPermission = new PermissionEntry(AuthorizationType.USER, "devel");
+
+        GlobalMatrixAuthorizationStrategy strategy = new GlobalMatrixAuthorizationStrategy();
+        strategy.add(Jenkins.ADMINISTER, adminPermission);
+        strategy.add(Jenkins.MANAGE, adminPermission);
+        strategy.add(Jenkins.READ, adminPermission);
+        strategy.add(Jenkins.MANAGE, develPermission);
+        strategy.add(Jenkins.READ, develPermission);
+        SlaveComputer.PERMISSIONS.getPermissions().forEach(p -> strategy.add(p,develPermission));
+        j.jenkins.setAuthorizationStrategy(strategy);
+    }
+
+    @Test
+    public void newCommandLauncher() throws Exception {
+        try (ACLContext ctx = ACL.as(User.getById("devel", true))) {
+            //With forceSandbox enabled, nonadmin users should not create agents with Launcher = CommandLauncher
+            ScriptApproval.get().setForceSandbox(true);
+            Descriptor.FormException ex = assertThrows(Descriptor.FormException.class, () ->
+                    new DumbSlave("s", "/",new CommandLauncher("echo unconfigured")));
+
+            assertEquals("This Launch Method requires scripts executions out of the sandbox."
+                         + " This Jenkins instance has been configured to not allow regular users to disable the sandbox",
+                         ex.getMessage());
+
+            //With forceSandbox disabled, nonadmin users can create agents with Launcher = CommandLauncher
+            ScriptApproval.get().setForceSandbox(false);
+            new DumbSlave("s", "/", new CommandLauncher("echo unconfigured"));
+        }
+
+        try (ACLContext ctx = ACL.as(User.getById("admin", true))) {
+            //admin users can create agents with Launcher = CommandLauncher independently of forceSandbox flag.
+            ScriptApproval.get().setForceSandbox(true);
+            new DumbSlave("s", "/", new CommandLauncher("echo unconfigured"));
+
+            ScriptApproval.get().setForceSandbox(false);
+            new DumbSlave("s", "/", new CommandLauncher("echo unconfigured"));
+        }
+    }
+
+    @Test
+    public void editCommandLauncherUI_ForceSandboxTrue() throws Exception {
+        ScriptApproval.get().setForceSandbox(true);
+
+        DumbSlave commandLauncherAgent = new DumbSlave("commandLauncherAgent", "/", new CommandLauncher("echo unconfigured"));
+        DumbSlave noCommandLauncherAgent = new DumbSlave("noCommandLauncherAgent", "/", new JNLPLauncher());
+        j.jenkins.addNode(commandLauncherAgent);
+        j.jenkins.addNode(noCommandLauncherAgent);
+
+        try (WebClient wc = j.createWebClient().login("devel")) {
+            //Edit noCommandLauncher Agent.
+            //We are not admin and Sandbox is true,
+            //We don't have any html object for CommandLauncher
+            HtmlForm form = wc.getPage(noCommandLauncherAgent, "configure").getFormByName("config");
+            assertTrue(form.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+
+            //Edit CommandLauncher Agent.
+            //We are not admin and Sandbox is true
+            // As the agent is already a commandLauncher one we have some html object for CommandLauncher
+            form = wc.getPage(commandLauncherAgent, "configure").getFormByName("config");
+            assertFalse(form.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+        }
+
+        try (WebClient wc = j.createWebClient().login("admin")) {
+            //Edit noCommandLauncher Agent.
+            //We areadmin and Sandbox is true,
+            //We have some html object for CommandLauncher
+            HtmlForm form = wc.getPage(noCommandLauncherAgent, "configure").getFormByName("config");
+            assertFalse(form.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+
+            //Edit CommandLauncher Agent.
+            //Wwe not admin and Sandbox is true
+            //We have some html object for CommandLauncher
+            form = wc.getPage(commandLauncherAgent, "configure").getFormByName("config");
+            assertFalse(form.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+        }    }
+
+    @Test
+    public void editCommandLauncherUI_ForceSandboxFalse() throws Exception {
+        ScriptApproval.get().setForceSandbox(false);
+
+        DumbSlave commandLauncherAgent = new DumbSlave("commandLauncherAgent", "/", new CommandLauncher("echo unconfigured"));
+        DumbSlave noCommandLauncherAgent = new DumbSlave("noCommandLauncherAgent", "/", new JNLPLauncher());
+        j.jenkins.addNode(commandLauncherAgent);
+        j.jenkins.addNode(noCommandLauncherAgent);
+
+        try (WebClient wc = j.createWebClient().login("devel")) {
+            //Edit noCommandLauncher Agent.
+            //We are not admin and Sandbox is false,
+            //We have some html object for CommandLauncher
+            HtmlForm form = wc.getPage(noCommandLauncherAgent, "configure").getFormByName("config");
+            assertFalse(form.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+
+            //Edit CommandLauncher Agent.
+            //Wwe are not admin and Sandbox is false
+            //We have some html object for CommandLauncher
+            form = wc.getPage(commandLauncherAgent, "configure").getFormByName("config");
+            assertFalse(form.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+        }
+
+        try (WebClient wc = j.createWebClient().login("admin")) {
+            //Edit noCommandLauncher Agent.
+            //We areadmin and Sandbox is false,
+            //We have some html object for CommandLauncher
+            HtmlForm form = wc.getPage(noCommandLauncherAgent, "configure").getFormByName("config");
+            assertFalse(form.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+
+            //Edit CommandLauncher Agent.
+            //Wwe not admin and Sandbox is false
+            //We have some html object for CommandLauncher
+            form = wc.getPage(commandLauncherAgent, "configure").getFormByName("config");
+            assertFalse(form.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+        }
+    }
+
+    @Test
+    public void createCommandLauncherUI_ForceSandboxTrue() throws Exception {
+        ScriptApproval.get().setForceSandbox(true);
+
+        try (WebClient wc = j.createWebClient().login("devel")) {
+            //Create Permanent Agent.
+            //We are not admin and Sandbox is true,
+            //We don't have any html object for CommandLauncher
+            HtmlForm form = wc.goTo("computer/new").getFormByName("createItem");
+            form.getInputByName("name").setValue("devel_ComandLauncher");
+            form.getInputsByValue(DumbSlave.class.getName()).stream().findFirst().get().setChecked(true);
+            HtmlForm createNodeForm =  j.submit(form).getFormByName("config");
+            assertTrue(createNodeForm.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+        }
+
+        try (WebClient wc = j.createWebClient().login("admin")) {
+            //Create Permanent Agent.
+            //We are admin and Sandbox is true,
+            //We have some html object for CommandLauncher
+            HtmlForm form = wc.goTo("computer/new").getFormByName("createItem");
+            form.getInputByName("name").setValue("devel_ComandLauncher");
+            form.getInputsByValue(DumbSlave.class.getName()).stream().findFirst().get().setChecked(true);
+            HtmlForm createNodeForm =  j.submit(form).getFormByName("config");
+            assertFalse(createNodeForm.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+        }
+    }
+
+    @Test
+    public void createCommandLauncherUI_ForceSandboxFalse() throws Exception {
+        ScriptApproval.get().setForceSandbox(false);
+
+        try (WebClient wc = j.createWebClient().login("devel")) {
+            //Create Permanent Agent.
+            //We are not admin and Sandbox is false,
+            //We have some html object for CommandLauncher
+            HtmlForm form = wc.goTo("computer/new").getFormByName("createItem");
+            form.getInputByName("name").setValue("devel_ComandLauncher");
+            form.getInputsByValue(DumbSlave.class.getName()).stream().findFirst().get().setChecked(true);
+            HtmlForm createNodeForm =  j.submit(form).getFormByName("config");
+            assertFalse(createNodeForm.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+        }
+
+        try (WebClient wc = j.createWebClient().login("admin")) {
+            //Create Permanent Agent.
+            //We are admin and Sandbox is true,
+            //We have some html object for CommandLauncher
+            HtmlForm form = wc.goTo("computer/new").getFormByName("createItem");
+            form.getInputByName("name").setValue("devel_ComandLauncher");
+            form.getInputsByValue(DumbSlave.class.getName()).stream().findFirst().get().setChecked(true);
+            HtmlForm createNodeForm =  j.submit(form).getFormByName("config");
+            assertFalse(createNodeForm.getInputsByValue(CommandLauncher.class.getName()).isEmpty());
+        }
+    }
+}