[JENKINS-69651] CSP compatibility for ScriptApproval
#582
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
basil
commented
Oct 11, 2024
...n/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/render-classpaths.js
Outdated
Show resolved
Hide resolved
basil
added a commit
to basil/acceptance-test-harness
that referenced
this pull request
Oct 11, 2024
basil
added a commit
to basil/bom
that referenced
this pull request
Oct 11, 2024
basil
added a commit
to basil/acceptance-test-harness
that referenced
this pull request
Oct 11, 2024
basil
added a commit
to basil/acceptance-test-harness
that referenced
this pull request
Oct 11, 2024
basil
added a commit
to basil/acceptance-test-harness
that referenced
this pull request
Oct 11, 2024
basil
added a commit
to basil/acceptance-test-harness
that referenced
this pull request
Oct 11, 2024
basil
added a commit
to basil/acceptance-test-harness
that referenced
this pull request
Oct 11, 2024
basil
added a commit
to basil/bom
that referenced
this pull request
Oct 11, 2024
basil
commented
Oct 11, 2024
| @@ -0,0 +1,236 @@ | |||
| function hideScript(hash) { | |||
There was a problem hiding this comment.
Diff from original:
@@ -1,4 +1,3 @@
-var mgr = <st:bind value="${it}"/>;
function hideScript(hash) {
document.getElementById('ps-' + hash).remove();
}
@@ -161,8 +145,92 @@
});
}
-window.addEventListener("load", function(){
+document.addEventListener('DOMContentLoaded', function() {
mgr.getClasspathRenderInfo(function(r) {
renderClasspaths(r);
});
+
+ const approveScriptButtons = document.querySelectorAll('.ps-context button.approve');
+ approveScriptButtons.forEach(function (button) {
+ button.addEventListener('click', function () {
+ approveScript(button.dataset.hash);
+ });
+ });
+
+ const denyScriptButtons = document.querySelectorAll('.ps-context button.deny');
+ denyScriptButtons.forEach(function (button) {
+ button.addEventListener('click', function () {
+ denyScript(button.dataset.hash);
+ });
+ });
+
+ const deprecatedApprovedScriptsClearButton = document.querySelector('#deprecated-approvedScripts-clear button');
+ if (deprecatedApprovedScriptsClearButton) {
+ deprecatedApprovedScriptsClearButton.addEventListener('click', function () {
+ if (confirm('Really delete all deprecated approvals? Any existing scripts will need to be requeued and reapproved.')) {
+ mgr.clearDeprecatedApprovedScripts();
+ document.getElementById('deprecated-approvedScripts-clear').style.display = 'none';
+ }
+ });
+ }
+
+ const approvedScriptsClearButton = document.querySelector('#approvedScripts-clear button');
+ approvedScriptsClearButton.addEventListener('click', function () {
+ if (confirm('Really delete all approvals? Any existing scripts will need to be requeued and reapproved.')) {
+ mgr.clearApprovedScripts();
+ }
+ });
+
+ const approveSignatureButtons = document.querySelectorAll('.s-context button.approve');
+ approveSignatureButtons.forEach(function (button) {
+ button.addEventListener('click', function () {
+ approveSignature(button.dataset.signature, button.dataset.hash);
+ });
+ });
+
+ const aclApproveSignatureButtons = document.querySelectorAll('.s-context button.acl-approve');
+ aclApproveSignatureButtons.forEach(function (button) {
+ button.addEventListener('click', function () {
+ aclApproveSignature(button.dataset.signature, button.dataset.hash);
+ });
+ });
+
+ const denySignatureButtons = document.querySelectorAll('.s-context button.deny');
+ denySignatureButtons.forEach(function (button) {
+ button.addEventListener('click', function () {
+ denySignature(button.dataset.signature, button.dataset.hash);
+ });
+ });
+
+ const approvedSignaturesClearButton = document.querySelector('#approvedSignatures-clear button');
+ approvedSignaturesClearButton.addEventListener('click', function () {
+ if (confirm('Really delete all approvals? Any existing scripts will need to be rerun and signatures reapproved.')) {
+ clearApprovedSignatures();
+ }
+ });
+
+ const dangerousApprovedSignaturesClearButton = document.querySelector('#dangerousApprovedSignatures-clear button');
+ if (dangerousApprovedSignaturesClearButton) {
+ dangerousApprovedSignaturesClearButton.addEventListener('click', function () {
+ clearDangerousApprovedSignatures();
+ });
+ }
+
+ const deprecatedApprovedClasspathsClearButton = document.querySelector('#deprecated-approvedClasspaths-clear-btn button');
+ if (deprecatedApprovedClasspathsClearButton) {
+ deprecatedApprovedClasspathsClearButton.addEventListener('click', function () {
+ if (confirm('This will be scheduled on a background thread. You can follow the progress in the system log')) {
+ mgr.convertDeprecatedApprovedClasspathEntries();
+ document.getElementById('deprecated-approvedClasspaths-clear-btn').style.display = 'none';
+ document.getElementById('deprecated-approvedClasspaths-clear-spinner').style.display = '';
+ }
+ });
+ }
+
+ const approvedClasspathEntriesClearButton = document.querySelector('#approvedClasspathEntries-clear button');
+ approvedClasspathEntriesClearButton.addEventListener('click', function () {
+ if (confirm('Really delete all approvals? Any existing scripts using a classpath will need to be rerun and entries reapproved.')) {
+ clearApprovedClasspathEntries();
+ }
+ });
});There was a problem hiding this comment.
Explanation of changes:
var mgr = <st:bind value="${it}"/>is replaced with CSP-compliant<st:bind value="${it}" var="mgr"/>- Used
DOMContentLoadedas suggested in https://www.jenkins.io/doc/developer/security/csp/#inline-event-handlers.
basil
commented
Oct 11, 2024
| renderClasspaths(r); | ||
| }); | ||
|
|
||
| const approveScriptButtons = document.querySelectorAll('.ps-context button.approve'); |
There was a problem hiding this comment.
This element is always displayed, so no need for an if statement on the next line.
| }); | ||
| }); | ||
|
|
||
| const denyScriptButtons = document.querySelectorAll('.ps-context button.deny'); |
There was a problem hiding this comment.
This element is always displayed, so no need for an if statement on the next line.
| }); | ||
|
|
||
| const deprecatedApprovedScriptsClearButton = document.querySelector('#deprecated-approvedScripts-clear button'); | ||
| if (deprecatedApprovedScriptsClearButton) { |
There was a problem hiding this comment.
This element might not be displayed, so an if statement is needed.
| }); | ||
| } | ||
|
|
||
| const approvedScriptsClearButton = document.querySelector('#approvedScripts-clear button'); |
There was a problem hiding this comment.
This element is always displayed, so no need for an if statement on the next line.
| }); | ||
| }); | ||
|
|
||
| const approvedSignaturesClearButton = document.querySelector('#approvedSignatures-clear button'); |
There was a problem hiding this comment.
This element is always displayed, so no need for an if statement on the next line.
| } | ||
| }); | ||
|
|
||
| const dangerousApprovedSignaturesClearButton = document.querySelector('#dangerousApprovedSignatures-clear button'); |
There was a problem hiding this comment.
This element is always displayed, so no need for an if statement on the next line.
| } | ||
|
|
||
| const deprecatedApprovedClasspathsClearButton = document.querySelector('#deprecated-approvedClasspaths-clear-btn button'); | ||
| if (deprecatedApprovedClasspathsClearButton) { |
There was a problem hiding this comment.
This element might not be displayed, so an if statement is needed.
| }); | ||
| } | ||
|
|
||
| const approvedClasspathEntriesClearButton = document.querySelector('#approvedClasspathEntries-clear button'); |
There was a problem hiding this comment.
This element is always displayed, so no need for an if statement on the next line.
basil
added a commit
to basil/acceptance-test-harness
that referenced
this pull request
Oct 11, 2024
basil
added a commit
to basil/bom
that referenced
this pull request
Oct 11, 2024
basil
added a commit
to basil/acceptance-test-harness
that referenced
this pull request
Oct 11, 2024
basil
added a commit
to basil/acceptance-test-harness
that referenced
this pull request
Oct 11, 2024
|
@yaroslavafenkin Are you interested in helping me manually test the remaining cases that aren't covered by automation in the Testing Done section? If not, I will try to get to it sometime next week. |
Yeah, I'm interested. That would be on Monday though, I hope that's not too late. |
|
Sure, that sounds great. Let's pick up where we left off on Monday. |
basil
added a commit
to basil/bom
that referenced
this pull request
Oct 12, 2024
yaroslavafenkin
approved these changes
Oct 14, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Use the CSP-compliant
<st:bind>as in jenkinsci/warnings-ng-plugin#1859 and extract event handlers to a separate JavaScript adjunct.Testing done
Regression testing (ATH): https://ci.jenkins.io/job/Core/job/acceptance-test-harness/job/PR-1781/4/
Regression testing (PCT): https://ci.jenkins.io/job/Tools/job/bom/job/PR-3734/4/
Verified in https://ci.jenkins.io/job/Core/job/acceptance-test-harness/job/PR-1749/11/ and https://ci.jenkins.io/job/Core/job/acceptance-test-harness/job/PR-1743/18/ that this resolves the following ATH failures when running in CSP mode (both report-only, and full CSP mode):
plugins.GroovyPluginTest#run_system_groovy_from_fileplugins.JobDslPluginTest#should_use_grooy_sandbox_no_whitelisted_contentplugins.JobDslPluginTest#should_use_script_approvalplugins.ScriptSecurityPluginTest#pipelineNeedsApprovalplugins.ScriptSecurityPluginTest#pipelineSignatureNeedsApprovalplugins.ScriptSecurityPluginTest#scriptNeedsApprovalplugins.ScriptSecurityPluginTest#signatureNeedsApproval