New option SCMSourceRetriever.clone to avoid workspace/xxx@libs/

Author: jglick

src/main/java/org/jenkinsci/plugins/workflow/libs/SCMSourceRetriever.java

@@ -60,11 +60,14 @@
 import java.util.logging.Logger;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
+import java.util.Set;
+import java.util.TreeSet;
 import jenkins.model.Jenkins;
 import jenkins.scm.api.SCMRevision;
 import jenkins.scm.api.SCMSource;
 import jenkins.scm.api.SCMSourceDescriptor;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 import org.jenkinsci.Symbol;
 import org.jenkinsci.plugins.structs.describable.CustomDescribableModel;
 import org.jenkinsci.plugins.structs.describable.UninstantiatedDescribable;
@@ -96,6 +99,8 @@ public class SCMSourceRetriever extends LibraryRetriever {
 
     private final SCMSource scm;
 
+    private boolean clone;
+
     /**
      * The path to the library inside of the SCM.
      *
@@ -117,6 +122,14 @@ public SCMSource getScm() {
         return scm;
     }
 
+    public boolean isClone() {
+        return clone;
+    }
+
+    @DataBoundSetter public void setClone(boolean clone) {
+        this.clone = clone;
+    }
+
     public String getLibraryPath() {
         return libraryPath;
     }
@@ -134,7 +147,14 @@ public String getLibraryPath() {
         if (revision == null) {
             throw new AbortException("No version " + version + " found for library " + name);
         }
-        doRetrieve(name, changelog, scm.build(revision.getHead(), revision), libraryPath, target, run, listener);
+        if (clone) {
+            if (changelog) {
+                listener.getLogger().println("WARNING: ignoring request to compute changelog in clone mode");
+            }
+            doClone(scm.build(revision.getHead(), revision), libraryPath, target, run, listener);
+        } else {
+            doRetrieve(name, changelog, scm.build(revision.getHead(), revision), libraryPath, target, run, listener);
+        }
     }
 
     @Override public void retrieve(String name, String version, FilePath target, Run<?, ?> run, TaskListener listener) throws Exception {
@@ -221,6 +241,72 @@ private static String getFilePathSuffix() {
         return System.getProperty(WorkspaceList.class.getName(), "@");
     }
 
+    /**
+     * Similar to {@link #doRetrieve} but used in {@link #clone} mode.
+     */
+    private static void doClone(@NonNull SCM scm, String libraryPath, FilePath target, Run<?, ?> run, TaskListener listener) throws Exception {
+        SCMStep delegate = new GenericSCMStep(scm);
+        delegate.setPoll(false);
+        delegate.setChangelog(false);
+        if (libraryPath == null) {
+            retrySCMOperation(listener, () -> {
+                delegate.checkout(run, target, listener, Jenkins.get().createLauncher(listener));
+                return null;
+            });
+        } else {
+            if (PROHIBITED_DOUBLE_DOT.matcher(libraryPath).matches()) {
+                throw new AbortException("Library path may not contain '..'");
+            }
+            FilePath root = target.child("root");
+            retrySCMOperation(listener, () -> {
+                delegate.checkout(run, root, listener, Jenkins.get().createLauncher(listener));
+                return null;
+            });
+            FilePath subdir = root.child(libraryPath);
+            if (!subdir.isDirectory()) {
+                throw new AbortException("Did not find " + libraryPath + " in checkout");
+            }
+            for (String content : List.of("src", "vars", "resources")) {
+                FilePath contentDir = subdir.child(content);
+                if (contentDir.isDirectory()) {
+                    listener.getLogger().println("Moving " + content + " to top level");
+                    contentDir.renameTo(target.child(content));
+                }
+            }
+            // root itself will be deleted below
+        }
+        Set<String> deleted = new TreeSet<>();
+        if (!INCLUDE_SRC_TEST_IN_LIBRARIES) {
+            FilePath srcTest = target.child("src/test");
+            if (srcTest.isDirectory()) {
+                listener.getLogger().println("Excluding src/test/ from checkout of " + scm.getKey() + " so that library test code cannot be accessed by Pipelines.");
+                listener.getLogger().println("To remove this log message, move the test code outside of src/. To restore the previous behavior that allowed access to files in src/test/, pass -D" + SCMSourceRetriever.class.getName() + ".INCLUDE_SRC_TEST_IN_LIBRARIES=true to the java command used to start Jenkins.");
+                srcTest.deleteRecursive();
+                deleted.add("src/test");
+            }
+        }
+        for (FilePath child : target.list()) {
+            String name = child.getName();
+            switch (name) {
+            case "src":
+                // TODO delete everything that is not *.groovy
+                break;
+            case "vars":
+                // TODO delete everything that is not *.groovy or *.txt, incl. subdirs
+                break;
+            case "resources":
+                // OK, leave it all
+                break;
+            default:
+                deleted.add(name);
+                child.deleteRecursive();
+            }
+        }
+        if (!deleted.isEmpty()) {
+            listener.getLogger().println("Deleted " + deleted.stream().collect(Collectors.joining(", ")));
+        }
+    }
+
     @Override public FormValidation validateVersion(String name, String version, Item context) {
         StringWriter w = new StringWriter();
         try {

src/main/resources/org/jenkinsci/plugins/workflow/libs/SCMSourceRetriever/config.jelly

@@ -27,6 +27,9 @@ THE SOFTWARE.
 <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
     <f:description>${%blurb}</f:description>
     <f:dropdownDescriptorSelector field="scm" descriptors="${descriptor.SCMDescriptors}" title="${%Source Code Management}"/>
+    <f:entry field="clone" title="${%Fresh clone per build}">
+        <f:checkbox/>
+    </f:entry>
     <f:entry field="libraryPath" title="${%libraryPath}">
         <f:textbox checkMethod="post"/>
     </f:entry>

src/main/resources/org/jenkinsci/plugins/workflow/libs/SCMSourceRetriever/help-clone.html

@@ -0,0 +1,6 @@
+<div>
+    If checked, every build performs a fresh clone of the SCM rather than locking and updating a common copy.
+    No changelog will be computed.
+    For Git, you are advised to select <b>Advanced clone behaviors » Shallow clone</b> to make the clone much faster.
+    You may still enable <b>Cache fetched versions on controller for quick retrieval</b> if you prefer.
+</div>

src/test/java/org/jenkinsci/plugins/workflow/libs/SCMSourceRetrieverTest.java

@@ -60,6 +60,9 @@
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
 
 import static hudson.ExtensionList.lookupSingleton;
+import hudson.plugins.git.extensions.impl.CloneOption;
+import jenkins.plugins.git.traits.CloneOptionTrait;
+import jenkins.scm.api.trait.SCMSourceTrait;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.instanceOf;
@@ -81,13 +84,15 @@
 import static org.hamcrest.Matchers.nullValue;
 import static org.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.PROHIBITED_DOUBLE_DOT;
 import static org.junit.Assume.assumeFalse;
+import org.jvnet.hudson.test.FlagRule;
 
 public class SCMSourceRetrieverTest {
 
     @ClassRule public static BuildWatcher buildWatcher = new BuildWatcher();
     @Rule public JenkinsRule r = new JenkinsRule();
     @Rule public GitSampleRepoRule sampleRepo = new GitSampleRepoRule();
     @Rule public SubversionSampleRepoRule sampleRepoSvn = new SubversionSampleRepoRule();
+    @Rule public FlagRule<Boolean> includeSrcTest = new FlagRule<>(() -> SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES, v -> SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES = v);
 
     @Issue("JENKINS-40408")
     @Test public void lease() throws Exception {
@@ -366,6 +371,107 @@ public static class BasicSCMSource extends SCMSource {
         assertFalse(ws.exists());
     }
 
+    @Test public void cloneMode() throws Exception {
+        sampleRepo.init();
+        sampleRepo.write("vars/myecho.groovy", "def call() {echo 'something special'}");
+        sampleRepo.write("README.md", "Summary");
+        sampleRepo.git("rm", "file");
+        sampleRepo.git("add", ".");
+        sampleRepo.git("commit", "--message=init");
+        GitSCMSource src = new GitSCMSource(sampleRepo.toString());
+        src.setTraits(List.<SCMSourceTrait>of(new CloneOptionTrait(new CloneOption(true, null, null))));
+        SCMSourceRetriever scm = new SCMSourceRetriever(src);
+        LibraryConfiguration lc = new LibraryConfiguration("echoing", scm);
+        lc.setIncludeInChangesets(false);
+        scm.setClone(true);
+        GlobalLibraries.get().setLibraries(Collections.singletonList(lc));
+        WorkflowJob p = r.jenkins.createProject(WorkflowJob.class, "p");
+        p.setDefinition(new CpsFlowDefinition("@Library('echoing@master') import myecho; myecho()", true));
+        WorkflowRun b = r.buildAndAssertSuccess(p);
+        assertFalse(r.jenkins.getWorkspaceFor(p).withSuffix("@libs").isDirectory());
+        r.assertLogContains("something special", b);
+        r.assertLogContains("Deleted .git, README.md", b);
+        r.assertLogContains("Using shallow clone with depth 1", b);
+    }
+
+    @Test public void cloneModeLibraryPath() throws Exception {
+        sampleRepo.init();
+        sampleRepo.write("sub/path/vars/myecho.groovy", "def call() {echo 'something special'}");
+        sampleRepo.git("add", "sub");
+        sampleRepo.git("commit", "--message=init");
+        SCMSourceRetriever scm = new SCMSourceRetriever(new GitSCMSource(sampleRepo.toString()));
+        LibraryConfiguration lc = new LibraryConfiguration("root_sub_path", scm);
+        lc.setIncludeInChangesets(false);
+        scm.setLibraryPath("sub/path/");
+        scm.setClone(true);
+        GlobalLibraries.get().setLibraries(Collections.singletonList(lc));
+        WorkflowJob p = r.jenkins.createProject(WorkflowJob.class, "p");
+        p.setDefinition(new CpsFlowDefinition("@Library('root_sub_path@master') import myecho; myecho()", true));
+        WorkflowRun b = r.buildAndAssertSuccess(p);
+        r.assertLogContains("something special", b);
+        r.assertLogContains("Moving vars to top level", b);
+        r.assertLogContains("Deleted root", b);
+    }
+
+    @Test public void cloneModeLibraryPathSecurity() throws Exception {
+        sampleRepo.init();
+        sampleRepo.write("sub/path/vars/myecho.groovy", "def call() {echo 'something special'}");
+        sampleRepo.git("add", "sub");
+        sampleRepo.git("commit", "--message=init");
+        SCMSourceRetriever scm = new SCMSourceRetriever(new GitSCMSource(sampleRepo.toString()));
+        LibraryConfiguration lc = new LibraryConfiguration("root_sub_path", scm);
+        lc.setIncludeInChangesets(false);
+        scm.setLibraryPath("sub/path/../../../jenkins_home/foo");
+        scm.setClone(true);
+        GlobalLibraries.get().setLibraries(Collections.singletonList(lc));
+        WorkflowJob p = r.jenkins.createProject(WorkflowJob.class, "p");
+        p.setDefinition(new CpsFlowDefinition("@Library('root_sub_path@master') import myecho; myecho()", true));
+        WorkflowRun b = r.assertBuildStatus(Result.FAILURE, p.scheduleBuild2(0));
+        r.assertLogContains("Library path may not contain '..'", b);
+    }
+
+    @Test public void cloneModeExcludeSrcTest() throws Exception {
+        sampleRepo.init();
+        sampleRepo.write("vars/myecho.groovy", "def call() {echo 'something special'}");
+        sampleRepo.write("src/test/X.groovy", "// irrelevant");
+        sampleRepo.write("README.md", "Summary");
+        sampleRepo.git("add", ".");
+        sampleRepo.git("commit", "--message=init");
+        SCMSourceRetriever scm = new SCMSourceRetriever(new GitSCMSource(sampleRepo.toString()));
+        LibraryConfiguration lc = new LibraryConfiguration("echoing", scm);
+        lc.setIncludeInChangesets(false);
+        scm.setClone(true);
+        GlobalLibraries.get().setLibraries(Collections.singletonList(lc));
+        WorkflowJob p = r.jenkins.createProject(WorkflowJob.class, "p");
+        p.setDefinition(new CpsFlowDefinition("@Library('echoing@master') import myecho; myecho()", true));
+        SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES = false;
+        WorkflowRun b = r.buildAndAssertSuccess(p);
+        assertFalse(r.jenkins.getWorkspaceFor(p).withSuffix("@libs").isDirectory());
+        r.assertLogContains("something special", b);
+        r.assertLogContains("Excluding src/test/ from checkout", b);
+    }
+
+    @Test public void cloneModeIncludeSrcTest() throws Exception {
+        sampleRepo.init();
+        sampleRepo.write("vars/myecho.groovy", "def call() {echo(/got ${new test.X().m()}/)}");
+        sampleRepo.write("src/test/X.groovy", "package test; class X {def m() {'something special'}}");
+        sampleRepo.write("README.md", "Summary");
+        sampleRepo.git("add", ".");
+        sampleRepo.git("commit", "--message=init");
+        SCMSourceRetriever scm = new SCMSourceRetriever(new GitSCMSource(sampleRepo.toString()));
+        LibraryConfiguration lc = new LibraryConfiguration("echoing", scm);
+        lc.setIncludeInChangesets(false);
+        scm.setClone(true);
+        GlobalLibraries.get().setLibraries(Collections.singletonList(lc));
+        WorkflowJob p = r.jenkins.createProject(WorkflowJob.class, "p");
+        p.setDefinition(new CpsFlowDefinition("@Library('echoing@master') import myecho; myecho()", true));
+        SCMSourceRetriever.INCLUDE_SRC_TEST_IN_LIBRARIES = true;
+        WorkflowRun b = r.buildAndAssertSuccess(p);
+        assertFalse(r.jenkins.getWorkspaceFor(p).withSuffix("@libs").isDirectory());
+        r.assertLogContains("got something special", b);
+        r.assertLogNotContains("Excluding src/test/ from checkout", b);
+    }
+
     @Issue("SECURITY-2441")
     @Test public void libraryNamesAreNotUsedAsCheckoutDirectories() throws Exception {
         sampleRepo.init();