Only add hyperlink if the user has RUN_SCRIPTS.

Author: abayer

src/main/java/org/jenkinsci/plugins/workflow/cps/SandboxContinuable.java

@@ -6,11 +6,19 @@
 import java.io.IOException;
 import java.util.List;
 
-import hudson.console.HyperlinkNote;
+import hudson.Extension;
+import hudson.MarkupText;
+import hudson.console.ConsoleAnnotationDescriptor;
+import hudson.console.ConsoleAnnotator;
+import hudson.console.ConsoleNote;
+import jenkins.model.Jenkins;
+import org.jenkinsci.Symbol;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;
 import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;
 import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
+import org.kohsuke.stapler.Stapler;
+import org.kohsuke.stapler.StaplerRequest;
 
 import java.util.concurrent.Callable;
 import java.util.logging.Level;
@@ -44,8 +52,7 @@ public Outcome call() {
                         ScriptApproval.get().accessRejected(x, ApprovalContext.create());
                         try {
                             e.getOwner().getListener().getLogger().println(x.getMessage() + ". " +
-                                    HyperlinkNote.encodeTo("/" + ScriptApproval.get().getUrlName(),
-                                    Messages.SandboxContinuable_ScriptApprovalLink()));
+                                    ScriptApprovalNote.encodeTo(Messages.SandboxContinuable_ScriptApprovalLink()));
                         } catch (IOException ex) {
                             LOGGER.log(Level.WARNING, null, ex);
                         }
@@ -72,5 +79,52 @@ public Outcome call() {
         }
     }
 
+    public static final class ScriptApprovalNote extends ConsoleNote {
+        private int length;
+
+        public ScriptApprovalNote(int length) {
+            this.length = length;
+        }
+
+        @Override
+        public ConsoleAnnotator annotate(Object context, MarkupText text, int charPos) {
+            if (Jenkins.getActiveInstance().hasPermission(Jenkins.RUN_SCRIPTS)) {
+                String url = "/" + ScriptApproval.get().getUrlName();
+
+                StaplerRequest req = Stapler.getCurrentRequest();
+
+                if (req!=null) {
+                    // if we are serving HTTP request, we want to use app relative URL
+                    url = req.getContextPath()+url;
+                } else {
+                    // otherwise presumably this is rendered for e-mails and other non-HTTP stuff
+                    url = Jenkins.getInstance().getRootUrl()+url.substring(1);
+                }
+
+                text.addMarkup(charPos, charPos + length, "<a href='" + url + "'>", "</a>");
+            }
+
+            return null;
+        }
+
+        public static String encodeTo(String text) {
+            try {
+                return new ScriptApprovalNote(text.length()).encode()+text;
+            } catch (IOException e) {
+                // impossible, but don't make this a fatal problem
+                LOGGER.log(Level.WARNING, "Failed to serialize "+ScriptApprovalNote.class,e);
+                return text;
+            }
+        }
+
+        @Extension
+        @Symbol("scriptApprovalLink")
+        public static class DescriptorImpl extends ConsoleAnnotationDescriptor {
+            public String getDisplayName() {
+                return "Script Approval Link";
+            }
+        }
+    }
+
     private static final Logger LOGGER = Logger.getLogger(SandboxContinuable.class.getName());
 }

src/main/resources/org/jenkinsci/plugins/workflow/cps/Messages.properties

@@ -1,2 +1,2 @@
 Snippetizer.this_step_should_not_normally_be_used_in=This step should not normally be used in your script. Consult the inline help for details.
-SandboxContinuable.ScriptApprovalLink=Administrators can click here to approve or reject this signature.
+SandboxContinuable.ScriptApprovalLink=Administrators can decide whether to approve or reject this signature.

src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition2Test.java

@@ -31,8 +31,13 @@
 import hudson.Functions;
 import hudson.model.Computer;
 import hudson.model.Executor;
+import hudson.model.Item;
 import hudson.model.Result;
+
 import java.util.logging.Level;
+
+import hudson.security.GlobalMatrixAuthorizationStrategy;
+import jenkins.model.Jenkins;
 import org.jenkinsci.plugins.workflow.flow.FlowExecutionOwner;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
@@ -49,6 +54,7 @@
 import org.junit.Test;
 import org.jvnet.hudson.test.BuildWatcher;
 import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.LoggerRule;
 
 public class CpsFlowDefinition2Test extends AbstractCpsFlowTest {
@@ -174,6 +180,15 @@ public void superCallsSandboxed() throws Exception {
 
     @Test
     public void sandboxInvokerUsed() throws Exception {
+        jenkins.jenkins.setSecurityRealm(jenkins.createDummySecurityRealm());
+        GlobalMatrixAuthorizationStrategy gmas = new GlobalMatrixAuthorizationStrategy();
+        // Set up a user with RUN_SCRIPTS and one without..
+        gmas.add(Jenkins.RUN_SCRIPTS, "runScriptsUser");
+        gmas.add(Jenkins.READ, "runScriptsUser");
+        gmas.add(Item.READ, "runScriptsUser");
+        gmas.add(Jenkins.READ, "otherUser");
+        gmas.add(Item.READ, "otherUser");
+        jenkins.jenkins.setAuthorizationStrategy(gmas);
         WorkflowJob job = jenkins.jenkins.createProject(WorkflowJob.class, "p");
         job.setDefinition(new CpsFlowDefinition("[a: 1, b: 2].collectEntries { k, v ->\n" +
                 "  Jenkins.getInstance()\n" +
@@ -184,13 +199,25 @@ public void sandboxInvokerUsed() throws Exception {
         jenkins.assertLogContains("org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance", r);
         jenkins.assertLogContains("Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance. " + Messages.SandboxContinuable_ScriptApprovalLink(), r);
 
-        // make sure we see the annotation
-        HtmlPage rsp = jenkins.createWebClient().getPage(r, "console");
+        JenkinsRule.WebClient wc = jenkins.createWebClient();
+
+        wc.login("runScriptsUser");
+        // make sure we see the annotation for the RUN_SCRIPTS user.
+        HtmlPage rsp = wc.getPage(r, "console");
         assertEquals(1, DomNodeUtil.selectNodes(rsp, "//A[@href='" + jenkins.contextPath + "/scriptApproval']").size());
 
-        // make sure raw console output doesn't include the garbage
-        TextPage raw = (TextPage)jenkins.createWebClient().goTo(r.getUrl()+"consoleText","text/plain");
+        // make sure raw console output doesn't include the garbage and has the right message.
+        TextPage raw = (TextPage)wc.goTo(r.getUrl()+"consoleText","text/plain");
         assertThat(raw.getContent(), containsString(" getInstance. " + Messages.SandboxContinuable_ScriptApprovalLink()));
+
+        wc.login("otherUser");
+        // make sure we don't see the link for the other user.
+        HtmlPage rsp2 = wc.getPage(r, "console");
+        assertEquals(0, DomNodeUtil.selectNodes(rsp2, "//A[@href='" + jenkins.contextPath + "/scriptApproval']").size());
+
+        // make sure raw console output doesn't include the garbage and has the right message.
+        TextPage raw2 = (TextPage)wc.goTo(r.getUrl()+"consoleText","text/plain");
+        assertThat(raw2.getContent(), containsString(" getInstance. " + Messages.SandboxContinuable_ScriptApprovalLink()));
     }
 
     @Issue("SECURITY-551")