Fix library cache deletion after SECURITY-2586

Author: dwnusbaum

src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java

@@ -190,14 +190,15 @@ static List<URL> retrieve(@NonNull LibraryRecord record, @NonNull LibraryRetriev
 
             if(versionCacheDir.exists()) {
                 listener.getLogger().println("Library " + name + "@" + version + " is cached. Copying from home.");
-                lastReadFile.touch(System.currentTimeMillis());
             } else {
                 listener.getLogger().println("Caching library " + name + "@" + version);
                 versionCacheDir.mkdirs();
                 retrieveLockFile.touch(System.currentTimeMillis());
                 retriever.retrieve(name, version, changelog, versionCacheDir, run, listener);
                 retrieveLockFile.delete();
             }
+            lastReadFile.touch(System.currentTimeMillis());
+            versionCacheDir.withSuffix("-name.txt").write(name, "UTF-8");
             versionCacheDir.copyRecursiveTo(libDir);
         } else {
             retriever.retrieve(name, version, changelog, libDir, run, listener);

src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryCachingCleanup.java

@@ -8,29 +8,47 @@
 import java.io.IOException;
 import java.util.concurrent.TimeUnit;
 
+import jenkins.util.SystemProperties;
+
 @Extension public class LibraryCachingCleanup extends AsyncPeriodicWork {
-    private final Long recurrencePeriod;
-    private final Long unreadCacheClearTime;
+    public static /* non-final for script console */ int EXPIRE_AFTER_READ_DAYS =
+            SystemProperties.getInteger(LibraryCachingCleanup.class.getName() + ".CACHE_EXPIRY_DAYS", 7);
 
     public LibraryCachingCleanup() {
         super("LibraryCachingCleanup");
-        recurrencePeriod = Long.getLong("jenkins.workflow-libs.cacheCleanupPeriodDays", TimeUnit.DAYS.toMillis(7));
-        unreadCacheClearTime = Long.getLong("jenkins.workflow-libs.unreadCacheClearDays", TimeUnit.DAYS.toMillis(7));
     }
 
     @Override public long getRecurrencePeriod() {
-        return recurrencePeriod;
+        return TimeUnit.HOURS.toMillis(12);
     }
 
     @Override protected void execute(TaskListener listener) throws IOException, InterruptedException {
         FilePath globalCacheDir = LibraryCachingConfiguration.getGlobalLibrariesCacheDir();
-        for (FilePath library: globalCacheDir.list()) {
-            for (FilePath version: library.list()) {
-                final FilePath lastReadFile = new FilePath(version, LibraryCachingConfiguration.LAST_READ_FILE);
-                if (lastReadFile.exists() && (lastReadFile.lastModified() + unreadCacheClearTime) < System.currentTimeMillis()) {
-                    version.deleteRecursive();
+        for (FilePath library : globalCacheDir.list()) {
+            if (!removeIfOldCacheDirectory(library, TimeUnit.DAYS.toMillis(EXPIRE_AFTER_READ_DAYS))) {
+                // Prior to SECURITY-2586 security fixes, library caches had a two-level directory structure.
+                // These caches will never be used again, so we delete any that we find.
+                for (FilePath version: library.list()) {
+                    removeIfOldCacheDirectory(version, 0);
                 }
             }
         }
     }
+
+    /**
+     * Delete cache directories for the given library if they are outdated.
+     * @return true if specified directory is a cache directory, regardless of whether it was outdated. Used to detect
+     * whether the cache was created before or after the fix for SECURITY-2586.
+     */
+    private boolean removeIfOldCacheDirectory(FilePath library, long maxDurationMillis) throws IOException, InterruptedException {
+        final FilePath lastReadFile = new FilePath(library, LibraryCachingConfiguration.LAST_READ_FILE);
+        if (lastReadFile.exists()) {
+            if ((System.currentTimeMillis() - lastReadFile.lastModified()) > maxDurationMillis) {
+                library.deleteRecursive();
+                library.withSuffix("-name.txt").delete(); // Harmless if this is a pre-SECURITY-2586 cache directory.
+            }
+            return true;
+        }
+        return false;
+    }
 }

src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryCachingConfiguration.java

@@ -11,9 +11,12 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
+import org.apache.commons.io.IOUtils;
 
 public final class LibraryCachingConfiguration extends AbstractDescribableImpl<LibraryCachingConfiguration> {
     private int refreshTimeMinutes;
@@ -70,10 +73,21 @@ public static FilePath getGlobalLibrariesCacheDir() {
         public FormValidation doClearCache(@QueryParameter String name) throws InterruptedException {
             Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 
-            FilePath cacheDir = new FilePath(LibraryCachingConfiguration.getGlobalLibrariesCacheDir(), name);
             try {
-                if (cacheDir.exists()) {
-                    cacheDir.deleteRecursive();
+                if (LibraryCachingConfiguration.getGlobalLibrariesCacheDir().exists()) {
+                    for (FilePath libraryNamePath : LibraryCachingConfiguration.getGlobalLibrariesCacheDir().list("*-name.txt")) {
+                        // Libraries configured in distinct locations may have the same name. Since only admins are allowed here, this is not a huge issue, but it is probably unexpected.
+                        String cacheName;
+                        try (InputStream stream = libraryNamePath.read()) {
+                            cacheName = IOUtils.toString(stream, StandardCharsets.UTF_8);
+                        }
+                        if (libraryNamePath.readToString().equals(name)) {
+                            FilePath libraryCachePath = LibraryCachingConfiguration.getGlobalLibrariesCacheDir()
+                                    .child(libraryNamePath.getName().replace("-name.txt", ""));
+                            libraryCachePath.deleteRecursive();
+                            libraryNamePath.delete();
+                        }
+                    }
                 }
             } catch (IOException ex) {
                 return FormValidation.error(ex, "The cache dir was not deleted successfully");

src/main/resources/org/jenkinsci/plugins/workflow/libs/LibraryCachingConfiguration/config.jelly

@@ -31,5 +31,7 @@ THE SOFTWARE.
     <f:entry title="${%Versions to exclude}" field="excludedVersionsStr">
         <f:textbox />
     </f:entry>
-    <f:validateButton title="${%Clear cache}" progress="${%Clearing...}" method="clearCache" with="name" />
+    <j:if test="${h.hasPermission(app.ADMINISTER)}">
+        <f:validateButton title="${%Clear cache}" progress="${%Clearing...}" method="clearCache" with="name" />
+    </j:if>
 </j:jelly>

src/test/java/org/jenkinsci/plugins/workflow/libs/LibraryCachingCleanupTest.java

@@ -0,0 +1,93 @@
+/*
+ * The MIT License
+ *
+ * Copyright 2022 CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.jenkinsci.plugins.workflow.libs;
+
+import hudson.ExtensionList;
+import hudson.FilePath;
+import hudson.util.StreamTaskListener;
+import java.io.File;
+import java.time.ZonedDateTime;
+import jenkins.plugins.git.GitSCMSource;
+import jenkins.plugins.git.GitSampleRepoRule;
+import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
+import org.jenkinsci.plugins.workflow.job.WorkflowJob;
+import org.jenkinsci.plugins.workflow.job.WorkflowRun;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.io.FileMatchers.anExistingDirectory;
+import static org.hamcrest.io.FileMatchers.anExistingFile;
+
+public class LibraryCachingCleanupTest {
+
+    @Rule
+    public JenkinsRule r = new JenkinsRule();
+    @Rule
+    public GitSampleRepoRule sampleRepo = new GitSampleRepoRule();
+
+    @Test
+    public void smokes() throws Throwable {
+        sampleRepo.init();
+        sampleRepo.write("vars/foo.groovy", "def call() { echo 'foo' }");
+        sampleRepo.git("add", "vars");
+        sampleRepo.git("commit", "--message=init");
+        LibraryConfiguration config = new LibraryConfiguration("library",
+                new SCMSourceRetriever(new GitSCMSource(null, sampleRepo.toString(), "", "*", "", true)));
+        config.setDefaultVersion("master");
+        config.setImplicit(true);
+        config.setCachingConfiguration(new LibraryCachingConfiguration(30, null));
+        GlobalLibraries.get().getLibraries().add(config);
+        // Run build and check that cache gets created.
+        WorkflowJob p = r.createProject(WorkflowJob.class);
+        p.setDefinition(new CpsFlowDefinition("foo()", true));
+        WorkflowRun b = r.buildAndAssertSuccess(p);
+        LibrariesAction action = b.getAction(LibrariesAction.class);
+        LibraryRecord record = action.getLibraries().get(0);
+        FilePath cache = LibraryCachingConfiguration.getGlobalLibrariesCacheDir().child(record.getDirectoryName());
+        assertThat(new File(cache.getRemote()), anExistingDirectory());
+        // Run LibraryCachingCleanup and show that cache is not deleted.
+        ExtensionList.lookupSingleton(LibraryCachingCleanup.class).execute(StreamTaskListener.fromStderr());
+        assertThat(new File(cache.getRemote()), anExistingDirectory());
+        assertThat(new File(cache.withSuffix("-name.txt").getRemote()), anExistingFile());
+        // Run LibraryCachingCleanup after modifying LAST_READ_FILE to be an old date and and show that cache is deleted.
+        long oldMillis = ZonedDateTime.now().minusDays(LibraryCachingCleanup.EXPIRE_AFTER_READ_DAYS + 1).toInstant().toEpochMilli();
+        cache.child(LibraryCachingConfiguration.LAST_READ_FILE).touch(oldMillis);
+        ExtensionList.lookupSingleton(LibraryCachingCleanup.class).execute(StreamTaskListener.fromStderr());
+        assertThat(new File(cache.getRemote()), not(anExistingDirectory()));
+        assertThat(new File(cache.withSuffix("-name.txt").getRemote()), not(anExistingDirectory()));
+    }
+
+    @Test
+    public void preSecurity2586() throws Throwable {
+        FilePath cache = LibraryCachingConfiguration.getGlobalLibrariesCacheDir().child("name").child("version");
+        cache.mkdirs();
+        cache.child(LibraryCachingConfiguration.LAST_READ_FILE).touch(System.currentTimeMillis());
+        ExtensionList.lookupSingleton(LibraryCachingCleanup.class).execute(StreamTaskListener.fromStderr());
+        assertThat(new File(cache.getRemote()), not(anExistingDirectory()));
+    }
+
+}

src/test/java/org/jenkinsci/plugins/workflow/libs/LibraryCachingConfigurationTest.java

@@ -24,16 +24,34 @@
 
 package org.jenkinsci.plugins.workflow.libs;
 
+import hudson.ExtensionList;
+import hudson.FilePath;
+import java.io.File;
+import jenkins.plugins.git.GitSCMSource;
+import jenkins.plugins.git.GitSampleRepoRule;
+import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
+import org.jenkinsci.plugins.workflow.job.WorkflowJob;
+import org.jenkinsci.plugins.workflow.job.WorkflowRun;
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.WithoutJenkins;
 
 import static org.hamcrest.MatcherAssert.*;
 import static org.hamcrest.Matchers.*;
+import static org.hamcrest.io.FileMatchers.anExistingDirectory;
+import static org.hamcrest.io.FileMatchers.anExistingFile;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
 public class LibraryCachingConfigurationTest {
+    @Rule
+    public JenkinsRule r = new JenkinsRule();
+    @Rule
+    public GitSampleRepoRule sampleRepo = new GitSampleRepoRule();
+
     private LibraryCachingConfiguration nullVersionConfig;
     private LibraryCachingConfiguration oneVersionConfig;
     private LibraryCachingConfiguration multiVersionConfig;
@@ -64,36 +82,42 @@ public void createCachingConfiguration() {
 
     @Issue("JENKINS-66045") // NPE getting excluded versions
     @Test
+    @WithoutJenkins
     public void npeGetExcludedVersions() {
         assertFalse(nullVersionConfig.isExcluded(NEVER_EXCLUDED_VERSION));
     }
 
     @Test
+    @WithoutJenkins
     public void getRefreshTimeMinutes() {
         assertThat(nullVersionConfig.getRefreshTimeMinutes(), is(REFRESH_TIME_MINUTES));
         assertThat(oneVersionConfig.getRefreshTimeMinutes(), is(NO_REFRESH_TIME_MINUTES));
     }
 
     @Test
+    @WithoutJenkins
     public void getRefreshTimeMilliseconds() {
         assertThat(nullVersionConfig.getRefreshTimeMilliseconds(), is(60 * 1000L * REFRESH_TIME_MINUTES));
         assertThat(oneVersionConfig.getRefreshTimeMilliseconds(), is(60 * 1000L * NO_REFRESH_TIME_MINUTES));
     }
 
     @Test
+    @WithoutJenkins
     public void isRefreshEnabled() {
         assertTrue(nullVersionConfig.isRefreshEnabled());
         assertFalse(oneVersionConfig.isRefreshEnabled());
     }
 
     @Test
+    @WithoutJenkins
     public void getExcludedVersionsStr() {
         assertThat(nullVersionConfig.getExcludedVersionsStr(), is(NULL_EXCLUDED_VERSION));
         assertThat(oneVersionConfig.getExcludedVersionsStr(), is(ONE_EXCLUDED_VERSION));
         assertThat(multiVersionConfig.getExcludedVersionsStr(), is(MULTIPLE_EXCLUDED_VERSIONS));
     }
 
     @Test
+    @WithoutJenkins
     public void isExcluded() {
         assertFalse(nullVersionConfig.isExcluded(NULL_EXCLUDED_VERSION));
         assertFalse(nullVersionConfig.isExcluded(""));
@@ -117,4 +141,31 @@ public void isExcluded() {
         assertFalse(multiVersionConfig.isExcluded(null));
     }
 
+    @Test
+    public void clearCache() throws Exception {
+        sampleRepo.init();
+        sampleRepo.write("vars/foo.groovy", "def call() { echo 'foo' }");
+        sampleRepo.git("add", "vars");
+        sampleRepo.git("commit", "--message=init");
+        LibraryConfiguration config = new LibraryConfiguration("library",
+                new SCMSourceRetriever(new GitSCMSource(null, sampleRepo.toString(), "", "*", "", true)));
+        config.setDefaultVersion("master");
+        config.setImplicit(true);
+        config.setCachingConfiguration(new LibraryCachingConfiguration(30, null));
+        GlobalLibraries.get().getLibraries().add(config);
+        // Run build and check that cache gets created.
+        WorkflowJob p = r.createProject(WorkflowJob.class);
+        p.setDefinition(new CpsFlowDefinition("foo()", true));
+        WorkflowRun b = r.buildAndAssertSuccess(p);
+        LibrariesAction action = b.getAction(LibrariesAction.class);
+        LibraryRecord record = action.getLibraries().get(0);
+        FilePath cache = LibraryCachingConfiguration.getGlobalLibrariesCacheDir().child(record.getDirectoryName());
+        assertThat(new File(cache.getRemote()), anExistingDirectory());
+        assertThat(new File(cache.withSuffix("-name.txt").getRemote()), anExistingFile());
+        // Clear the cache. TODO: Would be more realistic to set up security and use WebClient.
+        ExtensionList.lookupSingleton(LibraryCachingConfiguration.DescriptorImpl.class).doClearCache("library");
+        assertThat(new File(cache.getRemote()), not(anExistingDirectory()));
+        assertThat(new File(cache.withSuffix("-name.txt").getRemote()), not(anExistingFile()));
+    }
+
 }