Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[JENKINS-68404] Add script listener to track usage #416

Draft
wants to merge 14 commits into
base: master
Choose a base branch
from
Draft

[JENKINS-68404] Add script listener to track usage #416

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
6e29f5f
Add script listener to track usage
meiswjn May 7, 2022
e7bb854
Fix imports
meiswjn May 7, 2022
d947485
Remove redundant code
meiswjn May 9, 2022
b9eafc1
Fix docstring
meiswjn May 9, 2022
e69d7cb
Remove NonNull from Run for compatibility
meiswjn May 10, 2022
df3ee0e
Improve compatibility by generalizing origin to String
meiswjn May 10, 2022
7b433d5
Simplify listener by extending from Jenkins
meiswjn May 17, 2022
cf6ae25
Remove unnecessary imports
meiswjn May 17, 2022
6bd9763
Merge branch 'master' into feature/add-script-listener
meiswjn May 17, 2022
abfbc35
Adapt to new scriptlistener format
meiswjn Jun 24, 2022
44b395b
Merge branch 'master' into feature/add-script-listener
meiswjn Jun 24, 2022
aa41a17
Use incremental
daniel-beck Aug 31, 2022
4582926
Make build
daniel-beck Aug 31, 2022
81eef7b
We need to build on JDK 11
daniel-beck Aug 31, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.util.FormValidation;

Expand Down Expand Up @@ -374,7 +375,8 @@ public Object evaluate(ClassLoader loader, Binding binding, @CheckForNull TaskLi
memoryProtectedLoader = new CleanGroovyClassLoader(loader);
loaderF.set(sh, memoryProtectedLoader);
}
return sh.evaluate(ScriptApproval.get().using(script, GroovyLanguage.get()));
Run run = (Run) binding.getVariable("build");
return sh.evaluate(ScriptApproval.get().using(script, GroovyLanguage.get(), run));
}

} finally {
Expand Down
26 changes: 25 additions & 1 deletion src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@

package org.jenkinsci.plugins.scriptsecurity.scripts;

import hudson.model.Run;
import jenkins.model.GlobalConfiguration;
import jenkins.model.GlobalConfigurationCategory;
import net.sf.json.JSONArray;
Expand Down Expand Up @@ -467,9 +468,32 @@ public synchronized String using(@NonNull String script, @NonNull Language langu
// Probably need not add to pendingScripts, since generally that would have happened already in configuring.
throw new UnapprovedUsageException(hash);
}

return script;
}
/**
* Called when a script is about to be used (evaluated).
* @param script a possibly unapproved script
* @param language the language in which it is written
* @param run the run executing the groovy script.
* @return {@code script}, for convenience
* @throws UnapprovedUsageException in case it has not yet been approved
*/
public synchronized String using(@NonNull String script, @NonNull Language language, @NonNull Run run) throws UnapprovedUsageException {
meiswjn marked this conversation as resolved.
Show resolved Hide resolved
if (script.length() == 0) {
// As a special case, always consider the empty script preapproved, as this is usually the default for new fields,
// and in many cases there is some sensible behavior for an emoty script which we want to permit.
ScriptListener.fireScriptFromPipelineEvent(script, run);
return script;
}
String hash = hash(script, language.getName());
if (!approvedScriptHashes.contains(hash)) {
// Probably need not add to pendingScripts, since generally that would have happened already in configuring.
throw new UnapprovedUsageException(hash);
}
ScriptListener.fireScriptFromPipelineEvent(script, run);
return script;
}

// Only for testing
synchronized boolean isScriptHashApproved(String hash) {
return approvedScriptHashes.contains(hash);
Expand Down
33 changes: 33 additions & 0 deletions src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptListener.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
package org.jenkinsci.plugins.scriptsecurity.scripts;

import hudson.ExtensionPoint;
import hudson.model.Run;
import jenkins.util.Listeners;

/**
* A listener to track usage of Groovy scripts running outside of a sandbox.
*
* @see org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript#evaluate(ClassLoader, groovy.lang.Binding, hudson.model.TaskListener)
*/
public interface ScriptListener extends ExtensionPoint {

/**
* Called when a groovy script is executed in a pipeline outside of a sandbox.
*
* @see org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript#evaluate(ClassLoader, groovy.lang.Binding, hudson.model.TaskListener)
* @param script The Groovy script that is excecuted.
* @param run The run calling the Groovy script.
*/
void onScriptFromPipeline(String script, Run run);

/**
* Fires the {@link #onScriptFromPipeline(String, Run)} event to track the usage of groovy scripts running outside the sandbox.
*
* @see org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript#evaluate(ClassLoader, groovy.lang.Binding, hudson.model.TaskListener)
* @param script The Groovy script that is excecuted.
* @param run The run calling the Groovy script.
*/
static void fireScriptFromPipelineEvent(String script, Run run) {
Listeners.notify(ScriptListener.class, true, listener -> listener.onScriptFromPipeline(script, run));
}
}