[FIXED JENKINS-33614] Add link to script approval when a rejection occurs

I don't *love* this, so feel free to critique/veto.

Author: abayer

src/main/java/org/jenkinsci/plugins/workflow/cps/SandboxContinuable.java

@@ -2,13 +2,19 @@
 
 import com.cloudbees.groovy.cps.Continuable;
 import com.cloudbees.groovy.cps.Outcome;
+
+import java.io.IOException;
 import java.util.List;
+
+import hudson.console.HyperlinkNote;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;
 import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;
 import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
 
 import java.util.concurrent.Callable;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import javax.annotation.CheckForNull;
 
 /**
@@ -36,6 +42,13 @@ public Outcome call() {
                     RejectedAccessException x = findRejectedAccessException(outcome.getAbnormal());
                     if (x != null) {
                         ScriptApproval.get().accessRejected(x, ApprovalContext.create());
+                        try {
+                            e.getOwner().getListener().getLogger().println(x.getMessage() + ". " +
+                                    HyperlinkNote.encodeTo("/" + ScriptApproval.get().getUrlName(),
+                                    Messages.SandboxContinuable_ScriptApprovalLink()));
+                        } catch (IOException ex) {
+                            LOGGER.log(Level.WARNING, null, ex);
+                        }
                     }
                     return outcome;
                 }
@@ -59,4 +72,5 @@ public Outcome call() {
         }
     }
 
+    private static final Logger LOGGER = Logger.getLogger(SandboxContinuable.class.getName());
 }

src/main/resources/org/jenkinsci/plugins/workflow/cps/Messages.properties

@@ -1 +1,2 @@
 Snippetizer.this_step_should_not_normally_be_used_in=This step should not normally be used in your script. Consult the inline help for details.
+SandboxContinuable.ScriptApprovalLink=Administrators can click here to approve or reject this signature.

src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition2Test.java

@@ -25,6 +25,9 @@
 package org.jenkinsci.plugins.workflow.cps;
 
 import com.cloudbees.groovy.cps.CpsTransformer;
+import com.gargoylesoftware.htmlunit.TextPage;
+import com.gargoylesoftware.htmlunit.html.DomNodeUtil;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import hudson.Functions;
 import hudson.model.Computer;
 import hudson.model.Executor;
@@ -34,6 +37,8 @@
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
 import org.jenkinsci.plugins.workflow.test.steps.SemaphoreStep;
+
+import static org.hamcrest.Matchers.containsString;
 import static org.junit.Assert.*;
 
 import org.junit.Assert;
@@ -177,6 +182,15 @@ public void sandboxInvokerUsed() throws Exception {
 
         WorkflowRun r = jenkins.assertBuildStatus(Result.FAILURE, job.scheduleBuild2(0).get());
         jenkins.assertLogContains("org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance", r);
+        jenkins.assertLogContains("Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance. " + Messages.SandboxContinuable_ScriptApprovalLink(), r);
+
+        // make sure we see the annotation
+        HtmlPage rsp = jenkins.createWebClient().getPage(r, "console");
+        assertEquals(1, DomNodeUtil.selectNodes(rsp, "//A[@href='" + jenkins.contextPath + "/scriptApproval']").size());
+
+        // make sure raw console output doesn't include the garbage
+        TextPage raw = (TextPage)jenkins.createWebClient().goTo(r.getUrl()+"consoleText","text/plain");
+        assertThat(raw.getContent(), containsString(" getInstance. " + Messages.SandboxContinuable_ScriptApprovalLink()));
     }
 
     @Issue("SECURITY-551")