From 4cbf8321c66b6837a332b307d82c681858f296c5 Mon Sep 17 00:00:00 2001 From: Javier Garcia Date: Tue, 22 Oct 2024 13:15:02 +0200 Subject: [PATCH] JENKINS-73941 - New forceSandbox logic - Add CASC support + tests --- .../plugins/scriptsecurity/scripts/ScriptApproval.java | 2 +- .../sandbox/groovy/SecureGroovyScriptTest.java | 2 +- .../plugins/scriptsecurity/scripts/JcascTest.java | 2 ++ .../scriptsecurity/scripts/ScriptApprovalTest.java | 8 ++++---- .../plugins/scriptsecurity/scripts/smoke_test.yaml | 1 + .../scriptsecurity/scripts/smoke_test_expected.yaml | 1 + 6 files changed, 10 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java index 8584d57ce..81ce24eae 100644 --- a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java +++ b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java @@ -992,7 +992,7 @@ public synchronized void setApprovedScriptHashes(String[] scriptHashes) throws I } @DataBoundSetter - public synchronized void setforceSandbox(boolean forceSandbox) { + public synchronized void setForceSandbox(boolean forceSandbox) { this.forceSandbox = forceSandbox; save(); } diff --git a/src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java b/src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java index 93ffb83bf..2dfdbc90e 100644 --- a/src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java +++ b/src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScriptTest.java @@ -229,7 +229,7 @@ private void addPostBuildAction(HtmlPage page) throws IOException { () -> ScriptApproval.get().using(groovy,GroovyLanguage.get())); assertEquals(Messages.UnapprovedUsage_NonApproved(), ex.getMessage()); - ScriptApproval.get().setforceSandbox(true); + ScriptApproval.get().setForceSandbox(true); ex = assertThrows(UnapprovedUsageException.class, () -> ScriptApproval.get().using(groovy,GroovyLanguage.get())); assertEquals(Messages.UnapprovedUsage_ForceSandBox(), ex.getMessage()); diff --git a/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/JcascTest.java b/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/JcascTest.java index 67763a443..59b9fd11f 100644 --- a/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/JcascTest.java +++ b/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/JcascTest.java @@ -19,6 +19,7 @@ import static org.hamcrest.collection.IsIterableContainingInAnyOrder.containsInAnyOrder; import static org.hamcrest.core.StringContains.containsString; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; public class JcascTest { @@ -43,6 +44,7 @@ public void smokeTestEntry() throws Exception { assertThat(logger.getMessages(), containsInAnyOrder( containsString("Adding deprecated script hash " + "that will be converted on next use: fccae58c5762bdd15daca97318e9d74333203106"))); + assertTrue(ScriptApproval.get().isForceSandbox()); } @Test diff --git a/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java b/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java index b9a5a0c38..b93d54c7b 100644 --- a/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java +++ b/src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java @@ -211,7 +211,7 @@ public void reload() throws Exception { public void forceSandboxTests() throws Exception { r.jenkins.setSecurityRealm(r.createDummySecurityRealm()); - ScriptApproval.get().setforceSandbox(true); + ScriptApproval.get().setForceSandbox(true); MockAuthorizationStrategy mockStrategy = new MockAuthorizationStrategy(); mockStrategy.grant(Jenkins.READ).everywhere().to("devel"); @@ -290,7 +290,7 @@ public void forceSandboxTests() throws Exception { @Test public void forceSandboxScriptSignatureException() throws Exception { - ScriptApproval.get().setforceSandbox(true); + ScriptApproval.get().setForceSandbox(true); FreeStyleProject p = r.createFreeStyleProject("p"); p.getPublishersList().add(new TestGroovyRecorder(new SecureGroovyScript("jenkins.model.Jenkins.instance", true, null))); FreeStyleBuild b = r.assertBuildStatus(Result.FAILURE, p.scheduleBuild2(0).get()); @@ -304,14 +304,14 @@ public void forceSandboxFormValidation() throws Exception { grant(Jenkins.READ, Item.READ).everywhere().to("dev")); try (ACLContext ctx = ACL.as(User.getById("devel", true))) { - ScriptApproval.get().setforceSandbox(true); + ScriptApproval.get().setForceSandbox(true); { FormValidation result = ScriptApproval.get().checking("test", GroovyLanguage.get(), false); assertEquals(FormValidation.Kind.WARNING, result.kind); assertEquals(Messages.ScriptApproval_ForceSandBoxMessage(), result.getMessage()); } - ScriptApproval.get().setforceSandbox(false); + ScriptApproval.get().setForceSandbox(false); { FormValidation result = ScriptApproval.get().checking("test", GroovyLanguage.get(), false); assertEquals(FormValidation.Kind.WARNING, result.kind); diff --git a/src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/smoke_test.yaml b/src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/smoke_test.yaml index 366aa49de..ee6e9902c 100644 --- a/src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/smoke_test.yaml +++ b/src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/smoke_test.yaml @@ -4,3 +4,4 @@ security: - method java.net.URI getHost approvedScriptHashes: - fccae58c5762bdd15daca97318e9d74333203106 + forceSandbox: true \ No newline at end of file diff --git a/src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/smoke_test_expected.yaml b/src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/smoke_test_expected.yaml index 73bc4b2da..2eb11955a 100644 --- a/src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/smoke_test_expected.yaml +++ b/src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/smoke_test_expected.yaml @@ -2,3 +2,4 @@ approvedScriptHashes: - "fccae58c5762bdd15daca97318e9d74333203106" approvedSignatures: - "method java.net.URI getHost" +forceSandbox: true