From 8f1ade81ce2363bf53e61c76916813bdde391cb7 Mon Sep 17 00:00:00 2001 
From: Arne Luehrs Date: Fri, 14 Sep 2018 15:07:52 +0200 Subject: [PATCH] Enable groovy sandbox for properties-inject The groovy-plugin has introduced with its 2.0 release on April 10th 2017 the notion of SecureGroovyScript with the associated sandbox for groovy code. To enable JJB jobs relying on the sandbox groovy execution we need to enable the expected SecureGroovyScript XML stanza. When used with the groovy 2.0 plugin this will enable the following JJB YAML stanza properties: - inject: groovy-content: test groovy-content location 004 groovy-sandbox: true Needed for groovy code sandbox mode This implementation is the same as the wrapper implementation in jenkins_jobs/modules/wrappers.py L949- L989 Change-Id: I93e890a7a0496520246532adbdfd84e3be746abf --- jenkins_jobs/modules/properties.py | 21 ++++++++++++++++++- .../fixtures/inject001.plugins_info.yaml | 3 +++ .../fixtures/inject002.plugins_info.yaml | 3 +++ .../fixtures/inject003.plugins_info.yaml | 3 +++ .../fixtures/inject004.plugins_info.yaml | 3 +++ tests/properties/fixtures/inject004.xml | 18 ++++++++++++++++ tests/properties/fixtures/inject004.yaml | 4 ++++ .../fixtures/inject005.plugins_info.yaml | 3 +++ tests/properties/fixtures/inject005.xml | 15 +++++++++++++ tests/properties/fixtures/inject005.yaml | 3 +++ 10 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 tests/properties/fixtures/inject001.plugins_info.yaml create mode 100644 tests/properties/fixtures/inject002.plugins_info.yaml create mode 100644 tests/properties/fixtures/inject003.plugins_info.yaml create mode 100644 tests/properties/fixtures/inject004.plugins_info.yaml create mode 100644 tests/properties/fixtures/inject004.xml create mode 100644 tests/properties/fixtures/inject004.yaml create mode 100644 tests/properties/fixtures/inject005.plugins_info.yaml create mode 100644 tests/properties/fixtures/inject005.xml create mode 100644 tests/properties/fixtures/inject005.yaml 
diff --git a/jenkins_jobs/modules/properties.py b/jenkins_jobs/modules/properties.py index 8f1a1b025..a3dded2c4 100644 --- a/jenkins_jobs/modules/properties.py +++ b/jenkins_jobs/modules/properties.py @@ -372,6 +372,7 @@ def inject(registry, xml_parent, data): :arg str script-file: file with script to run (optional) :arg str script-content: script to run (optional) :arg str groovy-content: groovy script to run (optional) + :arg bool groovy-sandbox: run groovy script in sandbox (default false) :arg bool load-from-master: load files from master (default false) :arg bool enabled: injection enabled (default true) :arg bool keep-system-variables: keep system variables (default true) @@ -394,11 +395,29 @@ def inject(registry, xml_parent, data): ('properties-content', 'propertiesContent', None), ('script-file', 'scriptFilePath', None), ('script-content', 'scriptContent', None), - ('groovy-content', 'groovyScriptContent', None), ('load-from-master', 'loadFilesFromMaster', False), ] helpers.convert_mapping_to_xml(info, data, mapping, fail_required=False) + # determine version of plugin + plugin_info = registry.get_plugin_info("Groovy") + version = pkg_resources.parse_version(plugin_info.get('version', '0')) + + if version >= pkg_resources.parse_version("2.0.0"): + secure_groovy_script = XML.SubElement(info, 'secureGroovyScript') + mapping = [ + ('groovy-content', 'script', None), + ('groovy-sandbox', 'sandbox', False), + ] + helpers.convert_mapping_to_xml(secure_groovy_script, data, mapping, + fail_required=False) + else: + mapping = [ + ('groovy-content', 'groovyScriptContent', None), + ] + helpers.convert_mapping_to_xml(info, data, mapping, + fail_required=False) + mapping = [ ('enabled', 'on', True), ('keep-system-variables', 'keepJenkinsSystemVariables', True), diff --git a/tests/properties/fixtures/inject001.plugins_info.yaml b/tests/properties/fixtures/inject001.plugins_info.yaml new file mode 100644 index 000000000..5010fa91f --- /dev/null 
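Review bot: The new `groovy-sandbox` docstring line in the first hunk does not say that the option is only applied with Groovy plugin 2.0.0 or later, which is what the version check added further down in `inject` enforces. I would write it as `:arg bool groovy-sandbox: run groovy script in sandbox; only applied with Groovy plugin >= 2.0.0 (default false)`. The docstring starts and ends outside the hunk.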
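Review bot: In the second hunk of `inject`, the `else` branch maps only `groovy-content`, so a job that sets `groovy-sandbox: true` has that setting dropped without any diagnostic when the Groovy plugin is older than 2.0.0. Because of `plugin_info.get('version', '0')`, the same happens when the plugin version is not known to JJB. The generated job then carries the script in `groovyScriptContent` with no sandbox element, which is not what the job author asked for. I would make that visible in the `else` branch, for example `if data.get('groovy-sandbox'): raise JenkinsJobsException("groovy-sandbox requires Groovy plugin >= 2.0.0")`, or a logged warning if failing is too strict; whether that error type or a logger is already in scope in this module is not visible here. None of the added fixtures pairs `groovy-sandbox: true` with version 1.30, so this path is untested, and the function body starts and ends outside the hunk.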
+++ b/tests/properties/fixtures/inject001.plugins_info.yaml @@ -0,0 +1,3 @@ +- longName: 'Groovy' + shortName: 'groovy' + version: "1.30" diff --git a/tests/properties/fixtures/inject002.plugins_info.yaml b/tests/properties/fixtures/inject002.plugins_info.yaml new file mode 100644 index 000000000..5010fa91f --- /dev/null +++ b/tests/properties/fixtures/inject002.plugins_info.yaml @@ -0,0 +1,3 @@ +- longName: 'Groovy' + shortName: 'groovy' + version: "1.30" diff --git a/tests/properties/fixtures/inject003.plugins_info.yaml b/tests/properties/fixtures/inject003.plugins_info.yaml new file mode 100644 index 000000000..5010fa91f --- /dev/null +++ b/tests/properties/fixtures/inject003.plugins_info.yaml @@ -0,0 +1,3 @@ +- longName: 'Groovy' + shortName: 'groovy' + version: "1.30" diff --git a/tests/properties/fixtures/inject004.plugins_info.yaml b/tests/properties/fixtures/inject004.plugins_info.yaml new file mode 100644 index 000000000..98b412566 --- /dev/null +++ b/tests/properties/fixtures/inject004.plugins_info.yaml @@ -0,0 +1,3 @@ +- longName: 'Groovy' + shortName: 'groovy' + version: "2.0" diff --git a/tests/properties/fixtures/inject004.xml b/tests/properties/fixtures/inject004.xml new file mode 100644 index 000000000..7d0793ff0 --- /dev/null +++ b/tests/properties/fixtures/inject004.xml @@ -0,0 +1,18 @@ + + + + + + false + + + true + + + true + true + true + false + + + diff --git a/tests/properties/fixtures/inject004.yaml b/tests/properties/fixtures/inject004.yaml new file mode 100644 index 000000000..4c02e880e --- /dev/null +++ b/tests/properties/fixtures/inject004.yaml @@ -0,0 +1,4 @@ +properties: + - inject: + groovy-content: test groovy-content location 004 + groovy-sandbox: true diff --git a/tests/properties/fixtures/inject005.plugins_info.yaml b/tests/properties/fixtures/inject005.plugins_info.yaml new file mode 100644 index 000000000..5010fa91f --- /dev/null +++ b/tests/properties/fixtures/inject005.plugins_info.yaml 
@@ -0,0 +1,3 @@ +- longName: 'Groovy' + shortName: 'groovy' + version: "1.30" diff --git a/tests/properties/fixtures/inject005.xml b/tests/properties/fixtures/inject005.xml new file mode 100644 index 000000000..262ec1f17 --- /dev/null +++ b/tests/properties/fixtures/inject005.xml @@ -0,0 +1,15 @@ + + + + + + false + test groovy-content location 005 + + true + true + true + false + + + diff --git a/tests/properties/fixtures/inject005.yaml b/tests/properties/fixtures/inject005.yaml new file mode 100644 index 000000000..6d55aa31e --- /dev/null +++ b/tests/properties/fixtures/inject005.yaml @@ -0,0 +1,3 @@ +properties: + - inject: + groovy-content: test groovy-content location 005