Enable groovy sandbox for properties-inject

The groovy-plugin has introduced with it's 2.0 release on April 10th 2017 the notion of SecureGroovyScript with the associated sandbox for groovy code To enable JJB jobs relying on the sandbox groovy execution we need to enable the expected SecureGroovyScript XML stanza. When used with the groovy 2.0 plugin this will enable the following JJB YAML stanza properties: - inject: groovy-content: test groovy-content location 004 groovy-sandbox: true Needed for groovy code sandbox mode This implementation is the same as the wrapper implementation in jenkins_jobs/modules/wrappers.py L949- L989 Change-Id: I93e890a7a0496520246532adbdfd84e3be746abf
2018-09-14 15:07:52 +02:00 · 2018-09-14 15:07:52 +02:00 · 8f1ade81ce
parent 8773289f17
commit 8f1ade81ce
10 changed files with 75 additions and 1 deletions
--- a/jenkins_jobs/modules/properties.py
+++ b/jenkins_jobs/modules/properties.py
@ -372,6 +372,7 @@ def inject(registry, xml_parent, data):
    :arg str script-file: file with script to run (optional)
    :arg str script-content: script to run (optional)
    :arg str groovy-content: groovy script to run (optional)
+    :arg bool groovy-sandbox: run groovy script in sandbox (default false)
    :arg bool load-from-master: load files from master (default false)
    :arg bool enabled: injection enabled (default true)
    :arg bool keep-system-variables: keep system variables (default true)
@ -394,11 +395,29 @@ def inject(registry, xml_parent, data):
        ('properties-content', 'propertiesContent', None),
        ('script-file', 'scriptFilePath', None),
        ('script-content', 'scriptContent', None),
-        ('groovy-content', 'groovyScriptContent', None),
        ('load-from-master', 'loadFilesFromMaster', False),
    ]
    helpers.convert_mapping_to_xml(info, data, mapping, fail_required=False)

+    # determine version of plugin
+    plugin_info = registry.get_plugin_info("Groovy")
+    version = pkg_resources.parse_version(plugin_info.get('version', '0'))
+
+    if version >= pkg_resources.parse_version("2.0.0"):
+        secure_groovy_script = XML.SubElement(info, 'secureGroovyScript')
+        mapping = [
+            ('groovy-content', 'script', None),
+            ('groovy-sandbox', 'sandbox', False),
+        ]
+        helpers.convert_mapping_to_xml(secure_groovy_script, data, mapping,
+                            fail_required=False)
+    else:
+        mapping = [
+            ('groovy-content', 'groovyScriptContent', None),
+        ]
+        helpers.convert_mapping_to_xml(info, data, mapping,
+                            fail_required=False)
+
    mapping = [
        ('enabled', 'on', True),
        ('keep-system-variables', 'keepJenkinsSystemVariables', True),
--- a/tests/properties/fixtures/inject001.plugins_info.yaml
+++ b/tests/properties/fixtures/inject001.plugins_info.yaml
@ -0,0 +1,3 @@
+- longName: 'Groovy'
+  shortName: 'groovy'
+  version: "1.30"
--- a/tests/properties/fixtures/inject002.plugins_info.yaml
+++ b/tests/properties/fixtures/inject002.plugins_info.yaml
@ -0,0 +1,3 @@
+- longName: 'Groovy'
+  shortName: 'groovy'
+  version: "1.30"
--- a/tests/properties/fixtures/inject003.plugins_info.yaml
+++ b/tests/properties/fixtures/inject003.plugins_info.yaml
@ -0,0 +1,3 @@
+- longName: 'Groovy'
+  shortName: 'groovy'
+  version: "1.30"
--- a/tests/properties/fixtures/inject004.plugins_info.yaml
+++ b/tests/properties/fixtures/inject004.plugins_info.yaml
@ -0,0 +1,3 @@
+- longName: 'Groovy'
+  shortName: 'groovy'
+  version: "2.0"
--- a/tests/properties/fixtures/inject004.xml
+++ b/tests/properties/fixtures/inject004.xml
@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+  <properties>
+    <EnvInjectJobProperty>
+      <info>
+        <loadFilesFromMaster>false</loadFilesFromMaster>
+        <secureGroovyScript>
+          <script>test groovy-content location 004</script>
+          <sandbox>true</sandbox>
+        </secureGroovyScript>
+      </info>
+      <on>true</on>
+      <keepJenkinsSystemVariables>true</keepJenkinsSystemVariables>
+      <keepBuildVariables>true</keepBuildVariables>
+      <overrideBuildParameters>false</overrideBuildParameters>
+    </EnvInjectJobProperty>
+  </properties>
+</project>
--- a/tests/properties/fixtures/inject004.yaml
+++ b/tests/properties/fixtures/inject004.yaml
@ -0,0 +1,4 @@
+properties:
+  - inject:
+      groovy-content: test groovy-content location 004
+      groovy-sandbox: true
--- a/tests/properties/fixtures/inject005.plugins_info.yaml
+++ b/tests/properties/fixtures/inject005.plugins_info.yaml
@ -0,0 +1,3 @@
+- longName: 'Groovy'
+  shortName: 'groovy'
+  version: "1.30"
--- a/tests/properties/fixtures/inject005.xml
+++ b/tests/properties/fixtures/inject005.xml
@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+  <properties>
+    <EnvInjectJobProperty>
+      <info>
+        <loadFilesFromMaster>false</loadFilesFromMaster>
+        <groovyScriptContent>test groovy-content location 005</groovyScriptContent>
+      </info>
+      <on>true</on>
+      <keepJenkinsSystemVariables>true</keepJenkinsSystemVariables>
+      <keepBuildVariables>true</keepBuildVariables>
+      <overrideBuildParameters>false</overrideBuildParameters>
+    </EnvInjectJobProperty>
+  </properties>
+</project>
--- a/tests/properties/fixtures/inject005.yaml
+++ b/tests/properties/fixtures/inject005.yaml
@ -0,0 +1,3 @@
+properties:
+  - inject:
+      groovy-content: test groovy-content location 005