Merge pull request #205 from abayer/jenkins-33614

[FIXED JENKINS-33614] Add link to script approval when a rejection occurs

Author: abayer

src/main/java/org/jenkinsci/plugins/workflow/cps/SandboxContinuable.java

@@ -2,13 +2,27 @@
 
 import com.cloudbees.groovy.cps.Continuable;
 import com.cloudbees.groovy.cps.Outcome;
+
+import java.io.IOException;
 import java.util.List;
+
+import hudson.Extension;
+import hudson.MarkupText;
+import hudson.console.ConsoleAnnotationDescriptor;
+import hudson.console.ConsoleAnnotator;
+import hudson.console.ConsoleNote;
+import jenkins.model.Jenkins;
+import org.jenkinsci.Symbol;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;
 import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;
 import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
+import org.kohsuke.stapler.Stapler;
+import org.kohsuke.stapler.StaplerRequest;
 
 import java.util.concurrent.Callable;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import javax.annotation.CheckForNull;
 
 /**
@@ -36,6 +50,12 @@ public Outcome call() {
                     RejectedAccessException x = findRejectedAccessException(outcome.getAbnormal());
                     if (x != null) {
                         ScriptApproval.get().accessRejected(x, ApprovalContext.create());
+                        try {
+                            e.getOwner().getListener().getLogger().println(x.getMessage() + ". " +
+                                    ScriptApprovalNote.encodeTo(Messages.SandboxContinuable_ScriptApprovalLink()));
+                        } catch (IOException ex) {
+                            LOGGER.log(Level.WARNING, null, ex);
+                        }
                     }
                     return outcome;
                 }
@@ -59,4 +79,52 @@ public Outcome call() {
         }
     }
 
+    public static final class ScriptApprovalNote extends ConsoleNote {
+        private int length;
+
+        public ScriptApprovalNote(int length) {
+            this.length = length;
+        }
+
+        @Override
+        public ConsoleAnnotator annotate(Object context, MarkupText text, int charPos) {
+            if (Jenkins.getActiveInstance().hasPermission(Jenkins.RUN_SCRIPTS)) {
+                String url = "/" + ScriptApproval.get().getUrlName();
+
+                StaplerRequest req = Stapler.getCurrentRequest();
+
+                if (req!=null) {
+                    // if we are serving HTTP request, we want to use app relative URL
+                    url = req.getContextPath()+url;
+                } else {
+                    // otherwise presumably this is rendered for e-mails and other non-HTTP stuff
+                    url = Jenkins.getInstance().getRootUrl()+url.substring(1);
+                }
+
+                text.addMarkup(charPos, charPos + length, "<a href='" + url + "'>", "</a>");
+            }
+
+            return null;
+        }
+
+        public static String encodeTo(String text) {
+            try {
+                return new ScriptApprovalNote(text.length()).encode()+text;
+            } catch (IOException e) {
+                // impossible, but don't make this a fatal problem
+                LOGGER.log(Level.WARNING, "Failed to serialize "+ScriptApprovalNote.class,e);
+                return text;
+            }
+        }
+
+        @Extension
+        @Symbol("scriptApprovalLink")
+        public static class DescriptorImpl extends ConsoleAnnotationDescriptor {
+            public String getDisplayName() {
+                return "Script Approval Link";
+            }
+        }
+    }
+
+    private static final Logger LOGGER = Logger.getLogger(SandboxContinuable.class.getName());
 }

src/main/resources/org/jenkinsci/plugins/workflow/cps/Messages.properties

@@ -1 +1,2 @@
 Snippetizer.this_step_should_not_normally_be_used_in=This step should not normally be used in your script. Consult the inline help for details.
+SandboxContinuable.ScriptApprovalLink=Administrators can decide whether to approve or reject this signature.

src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition2Test.java

@@ -25,15 +25,25 @@
 package org.jenkinsci.plugins.workflow.cps;
 
 import com.cloudbees.groovy.cps.CpsTransformer;
+import com.gargoylesoftware.htmlunit.TextPage;
+import com.gargoylesoftware.htmlunit.html.DomNodeUtil;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import hudson.Functions;
 import hudson.model.Computer;
 import hudson.model.Executor;
+import hudson.model.Item;
 import hudson.model.Result;
+
 import java.util.logging.Level;
+
+import hudson.security.GlobalMatrixAuthorizationStrategy;
+import jenkins.model.Jenkins;
 import org.jenkinsci.plugins.workflow.flow.FlowExecutionOwner;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
 import org.jenkinsci.plugins.workflow.test.steps.SemaphoreStep;
+
+import static org.hamcrest.Matchers.containsString;
 import static org.junit.Assert.*;
 
 import org.junit.Assert;
@@ -44,6 +54,7 @@
 import org.junit.Test;
 import org.jvnet.hudson.test.BuildWatcher;
 import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.LoggerRule;
 
 public class CpsFlowDefinition2Test extends AbstractCpsFlowTest {
@@ -169,6 +180,15 @@ public void superCallsSandboxed() throws Exception {
 
     @Test
     public void sandboxInvokerUsed() throws Exception {
+        jenkins.jenkins.setSecurityRealm(jenkins.createDummySecurityRealm());
+        GlobalMatrixAuthorizationStrategy gmas = new GlobalMatrixAuthorizationStrategy();
+        // Set up a user with RUN_SCRIPTS and one without..
+        gmas.add(Jenkins.RUN_SCRIPTS, "runScriptsUser");
+        gmas.add(Jenkins.READ, "runScriptsUser");
+        gmas.add(Item.READ, "runScriptsUser");
+        gmas.add(Jenkins.READ, "otherUser");
+        gmas.add(Item.READ, "otherUser");
+        jenkins.jenkins.setAuthorizationStrategy(gmas);
         WorkflowJob job = jenkins.jenkins.createProject(WorkflowJob.class, "p");
         job.setDefinition(new CpsFlowDefinition("[a: 1, b: 2].collectEntries { k, v ->\n" +
                 "  Jenkins.getInstance()\n" +
@@ -177,6 +197,27 @@ public void sandboxInvokerUsed() throws Exception {
 
         WorkflowRun r = jenkins.assertBuildStatus(Result.FAILURE, job.scheduleBuild2(0).get());
         jenkins.assertLogContains("org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance", r);
+        jenkins.assertLogContains("Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance. " + Messages.SandboxContinuable_ScriptApprovalLink(), r);
+
+        JenkinsRule.WebClient wc = jenkins.createWebClient();
+
+        wc.login("runScriptsUser");
+        // make sure we see the annotation for the RUN_SCRIPTS user.
+        HtmlPage rsp = wc.getPage(r, "console");
+        assertEquals(1, DomNodeUtil.selectNodes(rsp, "//A[@href='" + jenkins.contextPath + "/scriptApproval']").size());
+
+        // make sure raw console output doesn't include the garbage and has the right message.
+        TextPage raw = (TextPage)wc.goTo(r.getUrl()+"consoleText","text/plain");
+        assertThat(raw.getContent(), containsString(" getInstance. " + Messages.SandboxContinuable_ScriptApprovalLink()));
+
+        wc.login("otherUser");
+        // make sure we don't see the link for the other user.
+        HtmlPage rsp2 = wc.getPage(r, "console");
+        assertEquals(0, DomNodeUtil.selectNodes(rsp2, "//A[@href='" + jenkins.contextPath + "/scriptApproval']").size());
+
+        // make sure raw console output doesn't include the garbage and has the right message.
+        TextPage raw2 = (TextPage)wc.goTo(r.getUrl()+"consoleText","text/plain");
+        assertThat(raw2.getContent(), containsString(" getInstance. " + Messages.SandboxContinuable_ScriptApprovalLink()));
     }
 
     @Issue("SECURITY-551")