-
Notifications
You must be signed in to change notification settings - Fork 279
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add delete and add methods for parsers in global configuration #1599
Conversation
This comment was marked as outdated.
This comment was marked as outdated.
What is going to call these? Does |
Thanks for your input @KalleOlaviNiemitalo! In our case, the methods are called directly from pipelines. We want to allow users to create their own parsers without using setParsers, because it is much more prone to accidentially delete all other parsers. -> We also don't need DataBoundSetter, thanks! |
Can you please show how you plan to invoke these methods? How do you get the config in your script? |
Sure. Here is a real example (edited actual values) that I grabbed from a user. In this example, they delete all other parsers. Of course they could simply extend the list, but they have to know that. def InitParser(){
def config = io.jenkins.plugins.analysis.warnings.groovy.ParserConfiguration.getInstance()
config.setParsers([]) // Here, the user accidentially deleted all other parsers.
def newParser = new io.jenkins.plugins.analysis.warnings.groovy.GroovyParser(
'some_id',
'some_name',
'my_regex',
'...script...',
'...',
"..."
)
config.setParsers([newParser]) // Same thing: All other parsers deleted by accident.
}
InitParser() With this PR, you can do (the script that I tested myself with the new changes): def InitParser(){
def config = io.jenkins.plugins.analysis.warnings.groovy.ParserConfiguration.getInstance()
def newParser = new io.jenkins.plugins.analysis.warnings.groovy.GroovyParser(
'some_id',
'some_name',
'my_regex',
'...script...',
'...',
"..."
)
config.addParser(newParser)
}
InitParser() |
Interesting. Which permissions do users have to execute such code that normally requires admin permission? |
No special permission is needed. However, the method must be allowed via Script Approval. Because of this, we would also be able to prevent users from using |
It definitely is better than allowing them to directly use |
How would they be able to do that with those two methods? From my understanding they are only able to make changes to the |
I guess @uhafner means the Groovy code in the parser runs without a Groovy sandbox and has the same access to files as the Jenkins agent process. (I'm not sure whether parsers run in agents or in the Jenkins controller.) Lines 23 to 25 in 610b02f
Apart from that, I think there might be a conflict if multiple pipelines attempt to register the parser with the same ID in parallel. |
The code runs sandboxed. I was also surprised by this, but it is the case. The conflict chance is not increased by this PR, I think. It should be the same as with |
I don't see where the sandbox is set up. How did you test it?
If If |
The code runs without sandboxing on an agent (agents do not use the sandbox, this is a controller concept only). And running Groovy parsers on the controller is not allowed. |
You are correct in your scenario, but I am comparing the scenarios where a user calls |
But you would still need to allow the function in the script approval on a per-function basis. From what I understand, the mentioned ParserConfiguration functions are not able to erase an agents disk. Users are not able to run any other commands except for |
This is not true. Users can run any groovy script that is passed in the parameter |
The OTOH, if a pipeline can add an unsandboxed Groovy parser to the global configuration and this parser ends up being executed by other pipelines on other agents, then that seems a privilege escalation risk. |
I wonder if the parsers could be set up as local to the pipeline, without changing the global configuration. Similar to how the withWarningsGroovyParsers([[
id: 'some_id',
name: 'some_name',
regexp: 'my_regex',
script: '...script...', // or perhaps readTrusted('my_parser.groovy') for easier editing
example: '...']])
{
// Use the recordIssues step here.
}
Is that restriction specific to Groovy parsers, or does it just follow from how the |
-> But that would not resolve this concern, if I am correct?
|
All parsers run on the agent since they might need access to other local files. |
BTW: this issue is tracked as https://issues.jenkins.io/browse/JENKINS-52237. |
Just to make sure: I have no concern about this PR, it just simplifies something that is already possible (and documented in https://github.com/jenkinsci/warnings-ng-plugin/blob/master/doc/Documentation.md#creating-support-for-a-custom-tool). I just wanted to make you aware that this might introduce a security problem. |
Thanks for your input @uhafner, I appreciate it! I will follow this up, if more features are required I would open new PRs. As you stated that you do not have any problems with this PR in particular, I would still appreciate this PR being reviewed/merged :) -> Should I adapt the documentation? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As @KalleOlaviNiemitalo mentioned, your code is not thread safe and might produce problems in the way you are intending to use it. But I think we can ignore that right now and change that later if users complain.
Optional enhancement: add an integration test that shows your approach in code, example
warnings-ng-plugin/plugin/src/test/java/io/jenkins/plugins/analysis/warnings/steps/StepsITest.java
Line 799 in 51cca6b
void shouldShowWarningsOfGroovyParserWhenScanningConsoleLogWhenThatIsPermitted() throws IOException { |
plugin/src/main/java/io/jenkins/plugins/analysis/warnings/groovy/ParserConfiguration.java
Outdated
Show resolved
Hide resolved
plugin/src/main/java/io/jenkins/plugins/analysis/warnings/groovy/ParserConfiguration.java
Outdated
Show resolved
Hide resolved
plugin/src/test/java/io/jenkins/plugins/analysis/warnings/groovy/ParserConfigurationTest.java
Outdated
Show resolved
Hide resolved
plugin/src/test/java/io/jenkins/plugins/analysis/warnings/groovy/ParserConfigurationTest.java
Outdated
Show resolved
Hide resolved
plugin/src/test/java/io/jenkins/plugins/analysis/warnings/groovy/ParserConfigurationTest.java
Outdated
Show resolved
Hide resolved
plugin/src/test/java/io/jenkins/plugins/analysis/warnings/groovy/ParserConfigurationTest.java
Outdated
Show resolved
Hide resolved
plugin/src/test/java/io/jenkins/plugins/analysis/warnings/groovy/ParserConfigurationTest.java
Outdated
Show resolved
Hide resolved
Thanks for your review, @uhafner. I implemented the changes and one integration test. |
Codecov Report
@@ Coverage Diff @@
## master #1599 +/- ##
============================================
+ Coverage 81.85% 82.00% +0.15%
- Complexity 1404 1411 +7
============================================
Files 249 249
Lines 5339 5352 +13
Branches 396 397 +1
============================================
+ Hits 4370 4389 +19
+ Misses 850 847 -3
+ Partials 119 116 -3
... and 1 file with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
I have a Jenkins instance that multiple teams work on at the same time. Since it requires admin permissions to add a new parser via the UI, we allow users to add them via Groovy. However, the function
ParserConfiguration#setParsers
is much more prone to accidentally deleting all other parsers.With this PR, single parsers can be added and deleted from within pipelines.
Testing done
-> Unit Tests and tested in localhost instance
Submitter checklist