fixed support for Automatically Generated DSL when using script security sandbox

[FIXES JENKINS-47560]

Author: daspilker

docs/Home.md

@@ -29,6 +29,8 @@ Browse the Jenkins issue tracker to see any [open issues](https://issues.jenkins
 
 ## Release Notes
 * 1.67 (unreleased)
+  * Fixed support for [[Automatically Generated DSL]] when using script security sandbox
+    ([JENKINS-47560](https://issues.jenkins-ci.org/browse/JENKINS-47560))
   * Enhanced support for the [Groovy Plugin](https://wiki.jenkins-ci.org/display/JENKINS/Groovy+plugin)
     ([JENKINS-44256](https://issues.jenkins-ci.org/browse/JENKINS-44256))
   * Support for the older versions of the [Groovy Plugin](https://wiki.jenkins-ci.org/display/JENKINS/Groovy+plugin) is

job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy

@@ -1,6 +1,9 @@
 package javaposse.jobdsl.plugin
 
+import javaposse.jobdsl.dsl.AbstractExtensibleContext
 import javaposse.jobdsl.dsl.Context
+import javaposse.jobdsl.plugin.structs.DescribableContext
+import javaposse.jobdsl.plugin.structs.DescribableListContext
 import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.AbstractWhitelist
 
 import java.lang.reflect.Method
@@ -9,8 +12,15 @@ import java.lang.reflect.Method
  * Allows methods defined in {@link Context}.
  */
 class JobDslWhitelist extends AbstractWhitelist {
+    private static final Method INVOKE_METHOD = GroovyObject.getDeclaredMethod('invokeMethod', String, Object)
+    private static final Set<Class> DYNAMIC_CONTEXTS = [
+            AbstractExtensibleContext, DescribableContext, DescribableListContext
+    ]
+
     @Override
     boolean permitsMethod(Method method, Object receiver, Object[] args) {
-        Context.isAssignableFrom(method.declaringClass)
+        Context.isAssignableFrom(method.declaringClass) ||
+                (method == INVOKE_METHOD && receiver.class.classLoader == JobDslWhitelist.classLoader &&
+                        DYNAMIC_CONTEXTS.any { context -> context.isInstance(receiver) })
     }
 }

job-dsl-plugin/src/test/groovy/javaposse/jobdsl/plugin/ExecuteDslScriptsSpec.groovy

@@ -1423,6 +1423,32 @@ class ExecuteDslScriptsSpec extends Specification {
         assert ScriptApproval.get().pendingScripts*.script == []
     }
 
+    def 'run script with dynamic DSL in sandbox'() {
+        setup:
+        String script = 'job("test") { triggers { cron { spec("@daily") } } }'
+
+        jenkinsRule.instance.securityRealm = jenkinsRule.createDummySecurityRealm()
+        jenkinsRule.instance.authorizationStrategy = new MockAuthorizationStrategy()
+                .grant(Jenkins.READ, Item.READ, Item.CONFIGURE, Item.CREATE, Computer.BUILD).everywhere().to('dev')
+
+        FreeStyleProject job = jenkinsRule.createFreeStyleProject('seed')
+        job.buildersList.add(new ExecuteDslScripts(scriptText: script, sandbox: true))
+        setupQIA('dev', job)
+
+        when:
+        jenkinsRule.submit(jenkinsRule.createWebClient().login('dev').getPage(job, 'configure').getFormByName('config'))
+
+        then:
+        assert ScriptApproval.get().pendingScripts*.script == []
+
+        when:
+        FreeStyleBuild build = job.scheduleBuild2(0).get()
+
+        then:
+        build.result == SUCCESS
+        assert ScriptApproval.get().pendingScripts*.script == []
+    }
+
     def 'run script in sandbox with unapproved signature'() {
         setup:
         String script = 'System.exit(0)'