[FIXED JENKINS-36537] Allow the use of custom json signature validato…
…r for metadata signature check (#2442)
varmenise authored and oleg-nenashev committed Aug 23, 2016
1 parent 58ba65c commit 8acc12f
Showing 2 changed files with 57 additions and 3 deletions.
13 changes: 11 additions & 2 deletions core/src/main/java/hudson/model/DownloadService.java
@@ -70,6 +70,11 @@
*/
@Extension
public class DownloadService extends PageDecorator {

/**
* the prefix for the signature validator name
*/
private static final String signatureValidatorPrefix = "downloadable";
/**
* Builds up an HTML fragment that starts all the download jobs.
*/
@@ -397,7 +402,11 @@ private FormValidation load(String json, long dataTimestamp) throws IOException
public FormValidation updateNow() throws IOException {
List<JSONObject> jsonList = new ArrayList<>();
boolean toolInstallerMetadataExists = false;
for (String site : getUrls()) {
for (UpdateSite updatesite : Jenkins.getActiveInstance().getUpdateCenter().getSiteList()) {
String site = updatesite.getMetadataUrlForDownloadable(url);
if (site == null) {
return FormValidation.warning("The update site " + site + " does not look like an update center");
}
String jsonString;
try {
jsonString = loadJSONHTML(new URL(site + ".html?id=" + URLEncoder.encode(getId(), "UTF-8") + "&version=" + URLEncoder.encode(Jenkins.VERSION, "UTF-8")));
@@ -408,7 +417,7 @@ public FormValidation updateNow() throws IOException {
}
JSONObject o = JSONObject.fromObject(jsonString);
if (signatureCheck) {
FormValidation e = new JSONSignatureValidator("downloadable '"+id+"'").verifySignature(o);
FormValidation e = updatesite.getJsonSignatureValidator(signatureValidatorPrefix +" '"+id+"'").verifySignature(o);
if (e.kind!= Kind.OK) {
LOGGER.log(Level.WARNING, "signature check failed for " + site, e );
continue;
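Review bot: In `updateNow()`, the `site == null` branch returns from the whole method on the first update site whose URL does not contain `update-center.json`, so one non-standard site stops the signed metadata of every remaining site from being fetched and verified. It also builds its message from `site`, which is null on that path, so the warning always reads "The update site null does not look like an update center". Skipping the site would match the signature-failure branch below, which already uses `continue`: `if (site == null) { LOGGER.log(Level.WARNING, "Update site {0} does not look like an update center", updatesite.getUrl()); continue; }`. The page has lost its +/- markers, so this assumes the `for (UpdateSite …)` loop and the null check are the new side. The method body continues outside the visible hunks, so what `updateNow()` returns when every site is skipped should be checked there.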
47 changes: 46 additions & 1 deletion core/src/main/java/hudson/model/UpdateSite.java
@@ -130,6 +130,10 @@ public class UpdateSite {
*/
private final String url;

/**
* the prefix for the signature validator name
*/
private static final String signatureValidatorPrefix = "update site";


public UpdateSite(String id, String url) {
@@ -242,10 +246,29 @@ private FormValidation verifySignature(JSONObject o) throws IOException {
/**
* Let sub-classes of UpdateSite provide their own signature validator.
* @return the signature validator.
* @deprecated use {@link #getJsonSignatureValidator(@CheckForNull String)} instead.
*/
@Deprecated
@Nonnull
protected JSONSignatureValidator getJsonSignatureValidator() {
return new JSONSignatureValidator("update site '"+id+"'");
return getJsonSignatureValidator(null);
}

/**
* Let sub-classes of UpdateSite provide their own signature validator.
* @param name, the name for the JSON signature Validator object.
* if name is null, then the default name will be used,
* which is "update site" followed by the update site id
* @return the signature validator.
* @since 2.15
*/
@Nonnull
@Restricted(NoExternalUse.class)
protected JSONSignatureValidator getJsonSignatureValidator(@CheckForNull String name) {
if (name == null) {
name = signatureValidatorPrefix + " '" + id + "'";
}
return new JSONSignatureValidator(name);
}

/**
@@ -422,6 +445,28 @@ public String getUrl() {
return url;
}


/**
* URL which exposes the metadata location in a specific update site.
* @param downloadable, the downloadable id of a specific metatadata json (e.g. hudson.tasks.Maven.MavenInstaller.json)
* @return the location
* @since 2.15
*/
@CheckForNull
@Restricted(NoExternalUse.class)
public String getMetadataUrlForDownloadable(String downloadable) {
String siteUrl = getUrl();
String updateSiteMetadataUrl = null;
int baseUrlEnd = siteUrl.indexOf("update-center.json");
if (baseUrlEnd != -1) {
String siteBaseUrl = siteUrl.substring(0, baseUrlEnd);
updateSiteMetadataUrl = siteBaseUrl + "updates/" + downloadable;
} else {
LOGGER.log(Level.WARNING, "Url {0} does not look like an update center:", siteUrl);
}
return updateSiteMetadataUrl;
}

/**
* Where to actually download the update center?
*
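Review bot: The deprecated no-argument `getJsonSignatureValidator()` now delegates to the new `getJsonSignatureValidator(String)`, but nothing routes the other way, so a subclass that overrides only the old method to supply its own trust anchors is bypassed by any caller of the String overload, which appears to include the DownloadService change in this commit. The likely result is that such a site's downloadable metadata is checked against the default validator and rejected rather than accepted, but that depends on code outside these hunks. The Javadoc of the new overload should say so, for example `Subclasses that customise signature validation must override this overload; overriding only the deprecated no-arg method does not affect callers that pass a name.` Two Javadoc tags in the same section also will not resolve as written: the link should be `{@link #getJsonSignatureValidator(String)}` without the annotation, and `@param name,` / `@param downloadable,` should drop the comma.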
