Script Security check during descriptor load


Script Security check during descriptor load

slide
I am looking into https://issues.jenkins-ci.org/browse/JENKINS-60002 for email-ext. The issue arises when a pre-send script is configured and Jenkins is starting up. This particular code is something that was implemented while I was not the maintainer of the plugin, so I am not as well versed in the history as other code in the plugin.

The constructor is calling load() and then calling some methods to set up parts of the plugin. One of the things it does is call setDefaultPresendScript so that a check is done on the approval status for the script security plugin. The check looks like this:

    this.defaultPresendScript = ScriptApproval.get().configuring(((script == null) ? "" : script), GroovyLanguage.get(), ApprovalContext.create().withCurrentUser());

The ApprovalContext.create().withCurrentUser() seems to be the problem because during Jenkins startup, there is no user (it is null). So, this causes the issue in the bug. How do I make sure the script security stuff is set up correctly for the pre-send script while fixing this issue?

Here is the full stack trace from the error:

 0.682 [id=78] WARNING h.ExtensionFinder$GuiceFinder$FaultTolerantScope$1#error: Failed to instantiate Key[type=hudson.plugins.emailext.ExtendedEmailPublisherDescriptor, annotation=[none]]; skipping this component
com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) Tried proxying hudson.plugins.emailext.ExtendedEmailPublisherDescriptor to support a circular dependency, but it is not an interface.

1 error
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:52)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:440)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
at hudson.ExtensionFinder$GuiceFinder._find(ExtensionFinder.java:402)
at hudson.ExtensionFinder$GuiceFinder.find(ExtensionFinder.java:393)
at hudson.ClassicPluginStrategy.findComponents(ClassicPluginStrategy.java:335)
at hudson.ExtensionList.load(ExtensionList.java:380)
at hudson.ExtensionList.ensureLoaded(ExtensionList.java:318)
at hudson.ExtensionList.getComponents(ExtensionList.java:183)
at hudson.DescriptorExtensionList.load(DescriptorExtensionList.java:193)
at hudson.ExtensionList.ensureLoaded(ExtensionList.java:318)
at hudson.ExtensionList.iterator(ExtensionList.java:172)
at hudson.model.User.allocateDefaultPropertyInstancesAsNeeded(User.java:209)
at hudson.model.User.load(User.java:198)
at hudson.model.User.<init>(User.java:191)
at hudson.model.User.getOrCreateById(User.java:523)
at hudson.model.User.getById(User.java:619)
at hudson.model.User.get(User.java:603)
at hudson.model.User.current(User.java:586)
at org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext.withCurrentUser(ApprovalContext.java:72)
at hudson.plugins.emailext.ExtendedEmailPublisherDescriptor.setDefaultPostsendScript(ExtendedEmailPublisherDescriptor.java:580)
at hudson.plugins.emailext.ExtendedEmailPublisherDescriptor.<init>(ExtendedEmailPublisherDescriptor.java:196)
at hudson.plugins.emailext.ExtendedEmailPublisherDescriptor$$FastClassByGuice$$5dfa54d0.newInstance(<generated>)
at com.google.inject.internal.cglib.reflect.$FastConstructor.newInstance(FastConstructor.java:40)
at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:105)
at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:32)
at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:89)
at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
at hudson.ExtensionFinder$GuiceFinder$SezpozModule.onProvision(ExtensionFinder.java:567)
at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:126)
at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:87)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:440)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1092)
at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
at hudson.ExtensionFinder$GuiceFinder._find(ExtensionFinder.java:402)
at hudson.ExtensionFinder$GuiceFinder.find(ExtensionFinder.java:393)
at hudson.ClassicPluginStrategy.findComponents(ClassicPluginStrategy.java:335)
at hudson.ExtensionList.load(ExtensionList.java:380)
at hudson.ExtensionList.ensureLoaded(ExtensionList.java:318)
at hudson.ExtensionList.iterator(ExtensionList.java:172)
at hudson.diagnosis.NullIdDescriptorMonitor.verify(NullIdDescriptorMonitor.java:72)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:104)
at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:175)
at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296)
at jenkins.model.Jenkins$5.runTask(Jenkins.java:1096)
at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214)
at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)


Any help or pointers would be greatly appreciated.

Thanks,

Alex

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPiUgVe247FySV9SMSAKtgx5UoVSNYT_m9s4z6xKdmBBBLMMiQ%40mail.gmail.com.
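
The failure mode in the stack trace above, reduced to a runnable model (an added example, not code from email-ext, Jenkins or the script-security plugin): a constructor that resolves the current user re-enters its own construction through the component registry, while a check registered to run after loading still executes instead of being dropped. Every class and method name here is a constructed stand-in, and the post-load hook is an assumption about where a plugin would move the check.

```java
import java.util.*;
import java.util.function.Supplier;
// Constructed model, not Jenkins code: a lazy registry stands in for ExtensionList,
// currentUser() for User.current(), configuring() for ScriptApproval.configuring().
public class DescriptorLoadDemo {
    static final Map<String, Supplier<Object>> factories = new LinkedHashMap<>();
    static final Map<String, Object> instances = new HashMap<>();
    static final Set<String> underConstruction = new HashSet<>();
    static final List<Runnable> afterLoad = new ArrayList<>();

    static Object get(String key) {
        if (instances.containsKey(key)) return instances.get(key);
        if (!underConstruction.add(key))
            throw new IllegalStateException("circular dependency constructing " + key);
        try {
            Object created = factories.get(key).get();
            instances.put(key, created);
            return created;
        } finally { underConstruction.remove(key); }
    }

    // Resolving the user walks every registered component, as in the trace.
    static String currentUser() {
        for (String key : factories.keySet()) get(key);
        return "SYSTEM";
    }

    static String configuring(String s, String user) { return s + " [checked as " + user + "]"; }
    static class EagerDescriptor {      // approval check inside the constructor
        final String presend = configuring("presend.groovy", currentUser());
    }

    static class DeferredDescriptor {   // constructor only registers the check
        String presend = "presend.groovy";
        boolean checked;
        DeferredDescriptor() { afterLoad.add(this::check); }
        void check() { presend = configuring(presend, currentUser()); checked = true; }
    }

    public static void main(String[] args) {
        factories.put("email-ext", EagerDescriptor::new);
        try { get("email-ext"); }
        catch (IllegalStateException e) { System.out.println("eager: " + e.getMessage()); }
        factories.put("email-ext", DeferredDescriptor::new);
        DeferredDescriptor d = (DeferredDescriptor) get("email-ext");
        afterLoad.forEach(Runnable::run);   // after every component exists
        System.out.println("deferred: checked=" + d.checked + ", " + d.presend);
    }
}
```

The `checked` flag is the part worth keeping in a real fix: it makes it possible to confirm that moving the call out of the constructor did not silently remove the approval check.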

Re: Script Security check during descriptor load

Basil Crow
Hey Alex,

Coincidentally, I ran across a very similar circular dependency issue recently in the Copy Artifact plugin (JENKINS-62267). On further examination, I also found a similar circular dependency issue in the Folders plugin (JENKINS-60393). The Copy Artifact plugin maintainer based his fix for JENKINS-62267 on the fix for JENKINS-60393. You might find some inspiration reading those bugs and PRs.

Basil


Re: Script Security check during descriptor load

slide
Hi Basil,


Thanks so much for your help! I'll review those items and see what I can do. The Jenkins community is great!

Regards,

Alex

On Mon, Jul 27, 2020, 17:48 Basil Crow <[hidden email]> wrote:
Hey Alex,

Coincidentally, I ran across a very similar circular dependency issue recently in the Copy Artifact plugin (JENKINS-62267). On further examination, I also found a similar circular dependency issue in the Folders plugin (JENKINS-60393). The Copy Artifact plugin maintainer based his fix for JENKINS-62267 on the fix for JENKINS-60393. You might find some inspiration reading those bugs and PRs.

Basil
