[JENKINS-39232] Walk the DelegatingComputerLauncher instances when checking if JNLPComputerLauncher #2602
Conversation
…ecking if JNLPComputerLauncher
|
This pull request originates from a CloudBees employee. At CloudBees, we require that all pull requests be reviewed by other CloudBees employees before we seek to have the change accepted. If you want to learn more about our process please see this explanation. |
|
I do not believe it's a perfect fix since anybody can implement his own launcher using I agree it worths adding support of Delegating launchers, but it does not fix the issue |
daniel-beck
added
the
needs-more-reviews
…tinue to work until they get fixed
| * {@link ComputerLauncher} when then should have extended {@link DelegatingComputerLauncher} | ||
| * | ||
| * @since FIXME | ||
| */ |
There was a problem hiding this comment.
@Extension(NoExternalUse.class)
| @Override | ||
| public boolean owns(String clientName) { | ||
| Computer computer = Jenkins.getInstance().getComputer(clientName); | ||
| return computer != null; | ||
| } | ||
|
|
||
| private static ComputerLauncher getDelegate(ComputerLauncher launcher) { |
| Method getDelegate = launcher.getClass().getMethod("getDelegate"); | ||
| return ComputerLauncher.class.isAssignableFrom(getDelegate.getReturnType()) ? (ComputerLauncher) getDelegate | ||
| .invoke(launcher) : null; | ||
| } catch (NoSuchMethodException | InvocationTargetException | IllegalAccessException e) { |
There was a problem hiding this comment.
ReflectiveOperationException?
| launcher = ((DelegatingComputerLauncher) launcher).getLauncher(); | ||
| } else if (launcher instanceof ComputerLauncherFilter) { | ||
| launcher = ((ComputerLauncherFilter) launcher).getCore(); | ||
| } else if (null != (l = getDelegate(launcher))) { // TODO remove when all plugins are fixed |
There was a problem hiding this comment.
Does not guarantee a success for old plugins from what I see
| } else { | ||
| if (disableStrictVerification) { | ||
| LOGGER.log(Level.WARNING, "Connecting {0} as a JNLP agent where the launcher does not mark itself " | ||
| + "correctly as being a JNLP agent", clientName); |
There was a problem hiding this comment.
Please explicitly provide a class of the launcher
| + "correctly as being a JNLP agent", clientName); | ||
| break; | ||
| } else { | ||
| event.reject(new ConnectionRefusalException(String.format("%s is not a JNLP agent", clientName))); |
There was a problem hiding this comment.
🐛 In the case of enforcement must contain more details. E.g. link to the Wiki page providing a workaround info. Or just in-text help
- Since the failure of strict verification is an issue, we should log it as a warning always
|
I approve the code change itself since it makes the situation better that it is in 2.27. So 🐝 and 👍 as a partial fix. But I still do not feel it's a right approach to nuke so many instances. Hence as a community member I keep 👎 regarding the change as a complete fix of JENKINS-39232 |
|
@reviewbybees done |
|
P.S: I will follow-up on the default behavior |
oleg-nenashev
added
ready-for-merge
|
I will merge it into the next weekly if nobody shouts |
| return (ComputerLauncher) getDelegate.invoke(launcher); | ||
| } | ||
| } catch (NoSuchMethodException | InvocationTargetException | IllegalAccessException e) { | ||
| // ignore |
There was a problem hiding this comment.
you can name ignore instead e to disable warnings static analysing tools.
| launcher = ((DelegatingComputerLauncher) launcher).getLauncher(); | ||
| } else if (launcher instanceof ComputerLauncherFilter) { | ||
| launcher = ((ComputerLauncherFilter) launcher).getCore(); | ||
| } else if (null != (l = getDelegate(launcher))) { // TODO remove when all plugins are fixed |
There was a problem hiding this comment.
TODO jenkins 3.x and don't break existing plugins.
There was a problem hiding this comment.
While technically, it doesn't qualify as an S, there are issues of that nature removed by enforcing that only agents explicitly configured to use a JNLP launcher get to use a JNLP launcher... especially as only a JNLP launcher will have a cookie and hence any existing connection will be dropped in favour of an incoming JNLP connection with a valid secret (it's the valid that stops it being an S... because if you've let somebody else get the master key driving the JNLP secrets... well that's your problem right there)
See JENKINS-39232
@jenkinsci/code-reviewers @reviewbybees
Replaces #2601