fixed support for Automatically Generated DSL when using script secur…
…ity sandbox

[FIXES JENKINS-47560]
daspilker committed Jan 26, 2018
1 parent 450e2d9 commit 00fbb57
Showing 3 changed files with 39 additions and 1 deletion.
2 changes: 2 additions & 0 deletions docs/Home.md
Expand Up @@ -31,6 +31,8 @@ Browse the Jenkins issue tracker to see any [open issues](https://issues.jenkins
* 1.67 (unreleased)
* Allow import of Groovy code from the workspace when script security sandbox is enabled
([#1078](https://github.com/jenkinsci/job-dsl-plugin/pull/1078))
* Fixed support for [[Automatically Generated DSL]] when using script security sandbox
([JENKINS-47560](https://issues.jenkins-ci.org/browse/JENKINS-47560))
* Enhanced support for the [Groovy Plugin](https://wiki.jenkins-ci.org/display/JENKINS/Groovy+plugin)
([JENKINS-44256](https://issues.jenkins-ci.org/browse/JENKINS-44256))
* Enhanced support for the
@@ -1,6 +1,9 @@
package javaposse.jobdsl.plugin

import javaposse.jobdsl.dsl.AbstractExtensibleContext
import javaposse.jobdsl.dsl.Context
import javaposse.jobdsl.plugin.structs.DescribableContext
import javaposse.jobdsl.plugin.structs.DescribableListContext
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.AbstractWhitelist

import java.lang.reflect.Method
Expand All @@ -9,8 +12,15 @@ import java.lang.reflect.Method
* Allows methods defined in {@link Context}.
*/
class JobDslWhitelist extends AbstractWhitelist {
private static final Method INVOKE_METHOD = GroovyObject.getDeclaredMethod('invokeMethod', String, Object)
private static final Set<Class> DYNAMIC_CONTEXTS = [
AbstractExtensibleContext, DescribableContext, DescribableListContext
]

@Override
boolean permitsMethod(Method method, Object receiver, Object[] args) {
Context.isAssignableFrom(method.declaringClass)
Context.isAssignableFrom(method.declaringClass) ||
(method == INVOKE_METHOD && receiver.class.classLoader == JobDslWhitelist.classLoader &&
DYNAMIC_CONTEXTS.any { context -> context.isInstance(receiver) })
}
}
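Review bot: The new `invokeMethod` branch in `permitsMethod` never inspects `args`, so once the receiver passes the class-loader and `DYNAMIC_CONTEXTS` checks, every dynamically dispatched method name is permitted. The sandbox boundary for these receivers then rests on what their own `invokeMethod` implementations do with the name and arguments, which is not visible in this change. I would record that assumption above `DYNAMIC_CONTEXTS`, e.g. `// invokeMethod is whitelisted wholesale for these receivers; their invokeMethod must only resolve DSL/describable configuration methods`, and update the class Javadoc, which still reads only "Allows methods defined in {@link Context}". Separately, unless this class is statically compiled, `receiver.class.classLoader` goes through Groovy property resolution on the receiver; `receiver.getClass().classLoader` reads the runtime class directly and is the safer form inside a whitelist decision.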
Expand Up @@ -1423,6 +1423,32 @@ class ExecuteDslScriptsSpec extends Specification {
assert ScriptApproval.get().pendingScripts*.script == []
}
def 'run script with dynamic DSL in sandbox'() {
setup:
String script = 'job("test") { triggers { cron { spec("@daily") } } }'
jenkinsRule.instance.securityRealm = jenkinsRule.createDummySecurityRealm()
jenkinsRule.instance.authorizationStrategy = new MockAuthorizationStrategy()
.grant(Jenkins.READ, Item.READ, Item.CONFIGURE, Item.CREATE, Computer.BUILD).everywhere().to('dev')
FreeStyleProject job = jenkinsRule.createFreeStyleProject('seed')
job.buildersList.add(new ExecuteDslScripts(scriptText: script, sandbox: true))
setupQIA('dev', job)
when:
jenkinsRule.submit(jenkinsRule.createWebClient().login('dev').getPage(job, 'configure').getFormByName('config'))
then:
assert ScriptApproval.get().pendingScripts*.script == []
when:
FreeStyleBuild build = job.scheduleBuild2(0).get()
then:
build.result == SUCCESS
assert ScriptApproval.get().pendingScripts*.script == []
}
def 'run script in sandbox with unapproved signature'() {
setup:
String script = 'System.exit(0)'
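Review bot: The added feature 'run script with dynamic DSL in sandbox' exercises only the permitted path, so nothing here pins the two guards that keep the new `invokeMethod` rule narrow (the class-loader comparison and the `DYNAMIC_CONTEXTS` membership test). A small unit-level case that calls `JobDslWhitelist.permitsMethod` with `GroovyObject.invokeMethod` and a receiver that is not one of the dynamic contexts, asserting `false`, would catch a later loosening of either condition. The following feature, 'run script in sandbox with unapproved signature', continues outside this hunk and may cover a different rejection path; it does not appear to target `invokeMethod`.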
