[JENKINS-75232] Prevent dynamic plugin installation from registering the same extension twice in some cases

[dwnusbaum]

See JENKINS-75232. The relevant ExtensionList code has not changed since it was introduced in #1673, but in the real-world case I saw the listener that is causing the issues comes from #3496.

This PR requires jenkinsci/jenkins-test-harness#920 for the new test.

Testing done

A new automated test has been created to demonstrate the bug and test the fix. @jgreffe and I also tested the fix against the real-world plugin which triggered the bug (a proprietary CloudBees plugin).

Proposed changelog entries

• Prevent dynamic plugin installation from registering the same extension twice in some cases

Proposed upgrade guidelines

N/A

### Submitter checklist
- [x] The Jira issue, if it exists, is well-described.
- [x] The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see [examples](https://github.com/jenkins-infra/jenkins.io/blob/master/content/_data/changelogs/weekly.yml)). Fill in the **Proposed upgrade guidelines** section only if there are breaking changes or changes that may require extra steps from users during upgrade.
- [x] There is automated testing or an explanation as to why this change has no tests.
- [x] New public classes, fields, and methods are annotated with `@Restricted` or have `@since TODO` Javadocs, as appropriate.
- [ ] New deprecations are annotated with `@Deprecated(since = "TODO")` or `@Deprecated(forRemoval = true, since = "TODO")`, if applicable.
- [ ] New or substantially changed JavaScript is not defined inline and does not call `eval` to ease future introduction of Content Security Policy (CSP) directives (see [documentation](https://www.jenkins.io/doc/developer/security/csp/)).
- [ ] For dependency updates, there are links to external changelogs and, if possible, full differentials.
- [ ] For new APIs and extension points, there is a link to at least one consumer.

Desired reviewers

Before the changes are marked as ready-for-merge:

### Maintainer checklist
- [x] There are at least two (2) approvals for the pull request and no outstanding requests for change.
- [ ] Conversations in the pull request are over, or it is explicit that a reviewer is not blocking the change.
- [ ] Changelog entries in the pull request title and/or **Proposed changelog entries** are accurate, human-readable, and in the imperative mood.
- [ ] Proper changelog labels are set so that the changelog can be generated automatically.
- [ ] If the change needs additional upgrade steps from users, the `upgrade-guide-needed` label is set and there is a **Proposed upgrade guidelines** section in the pull request title (see [example](https://github.com/jenkinsci/jenkins/pull/4387)).
- [ ] If it would make sense to backport the change to LTS, a Jira issue must exist, be a _Bug_ or _Improvement_, and be labeled as `lts-candidate` to be considered (see [query](https://issues.jenkins.io/issues/?filter=12146)).

[dwnusbaum]

This is an incompatible API change, but given the Javadoc, there really should not be any external callers, and a quick GitHub search (I also checked the cloudbees org) looked ok.

If desired, I can instead introduce a new method and preserve the old one for compatibility. We might still want to add @Restricted(NoExternalUse.class) to the old method if we take that approach though.

[dwnusbaum]

I am also happy to consider alternative fixes if anyone has any ideas. One thing I considered was to instead check for duplicates in

jenkins/core/src/main/java/hudson/ExtensionList.java

Line 348 in 630b6b6

l.addAll(found);

but delaying the listener notifications seemed clearer in terms of what we are trying to fix. In general this bug makes me think that there might be deeper problems with dynamic extension loading, but I am not familiar enough with the extension system to know how best to fix things.

[dwnusbaum]

Duplicate prevention added in 6817532 to fix issues with extensions that load other extensions in their constructors.

[jglick]

Source code looks fine. Recommend trying another approach for test plugin maintenance.

[jtnord]

Whilst this fixes the test case, I can't help but feel this doesn't fix the case where an Extension loads another extension (either in its constructor, or a Thread it kicks off).

The listener causing a load of an extension by proxy of calling some code, would just be one trigger of the wider cause here?

The suggested alternative of checking for duplicates and not using addAll would seem sane, however IIUC we would create 2 objects for the same extension (not the return the same Object). So if the extension is kicking off something async in its constructor things have already got into a bad state (and the plugin is already liable highly suspect to race conditions)?

Iff we are only creating a single extension for the class but registering it twice I think the addAll fix would be more robust

[dwnusbaum]

Whilst this fixes the test case, I can't help but feel this doesn't fix the case where an Extension loads another extension (either in its constructor, or a Thread it kicks off).

Ok, I can check this case.

however IIUC we would create 2 objects for the same extension (not the return the same Object)

Iff we are only creating a single extension for the class but registering it twice I think the addAll fix would be more robust

As far as I can tell, right now we really are only creating one object, just registering it twice. I'll recheck though.

[jtnord]

Iff we are only creating a single extension for the class but registering it twice I think the addAll fix would be more robust

As far as I can tell, right now we really are only creating one object, just registering it twice. I'll recheck though.

if that is the case it may be worthwhile doing both.

• not calling listeners means less churn if there is interdependency
• the addAll change means the singleton would be respected if someone does funky stuff in more areas.

[dwnusbaum]

Whilst this fixes the test case, I can't help but feel this doesn't fix the case where an Extension loads another extension (either in its constructor, or a Thread it kicks off).

@jtnord Indeed this case is still broken. I confirmed that in the problematic cases the extension is only instantiated once but registered twice. I'll add duplicate prevention to ExtensionList.refresh as well.

[jtnord]

Whilst this fixes the test case, I can't help but feel this doesn't fix the case where an Extension loads another extension (either in its constructor, or a Thread it kicks off).

@jtnord Indeed this case is still broken. I confirmed that in the problematic cases the extension is only instantiated once but registered twice. I'll add duplicate prevention to ExtensionList.refresh as well.

it's a shame that ExtensionList was a List not a Set and it's likely going to break a lot of things if we changed that :-(
The internal representation (ExtensionList.extensions) could be changed, but the front end code uses indexes into the list for some things IIRC, and changing this smells very risky to me.

[github-actions]

Please take a moment and address the merge conflicts of your pull request. Thanks!

stale

[dwnusbaum]

it's a shame that ExtensionList was a List not a Set ... changing this smells very risky to me.

Yeah, in retrospect it seems that having this class actually be a collection was not really necessary. If we had instead only defined collection-like methods to covered the critical use cases, I would feel more comfortable refactoring the internal representation.

[jtnord]

Seems reasonable, did not pay much attention to the test code.

[jglick]

Main code change is opaque to me, but test looks nice.

[jglick]

Expected: Exited with 0 return code
     but: CLI command exited with 1
STDOUT:
Installing a plugin from standard input

STDERR:
-name is deprecated; it is no longer necessary nor honored.

ERROR: Unexpected exception occurred while performing install-plugin command.
jenkins.RestartRequiredException
 at hudson.PluginManager.dynamicLoad(PluginManager.java:957)
 at hudson.PluginManager.dynamicLoad(PluginManager.java:927)
 at hudson.cli.InstallPluginCommand.run(InstallPluginCommand.java:100)
 at hudson.cli.CLICommand.main(CLICommand.java:258)
 at hudson.cli.CLICommandInvoker.invoke(CLICommandInvoker.java:156)
 at hudson.cli.CLICommandInvoker.invokeWithArgs(CLICommandInvoker.java:135)
 at hudson.cli.EnablePluginCommandTest.installTestPlugin(EnablePluginCommandTest.java:54)
 at hudson.cli.EnablePluginCommandTest.enableNoPluginsWithRestartIsNoOp(EnablePluginCommandTest.java:143)

smells like a regression at least in test code?

[github-actions]

Please take a moment and address the merge conflicts of your pull request. Thanks!

[dwnusbaum]

smells like a regression at least in test code?

Ah, yes, EnablePluginCommandTest.enableNoPluginsWithRestartIsNoOp tries to install variant dynamically, which no longer works because I had to add variant as a test-scope dependency. I'll fix it.

[dwnusbaum]

There were quite a few tests that were installing variant dynamically. I tried to fix the failing test and clean things up in 99b8be8.

[dwnusbaum]

Moved into ExtensionListRjrTest.installDependedOptionalPluginWithoutRestart.

Really, most of the tests here should probably be migrated to use RealJenkinsRule and synthetic plugins, but there are a lot of them.

[dwnusbaum]

Also moved into ExtensionListRjrTest.installDependedOptionalPluginWithoutRestart.

I did make some changes though to the test to make it more closely match the scenario described in JENKINS-50336 (also so that I could delete variant.hpi).

[dwnusbaum]

Just swapping for another no-op plugin that is already here. Probably all of these tests should be using RealJenkinsRule and synthetic plugins though.

[jglick]

A lot easier to follow the test, not to say edit it!

[jglick]

Clearly could stand to be rewritten.

[dwnusbaum]

I think the hudson.model.RunTest.preventXssInBadgeTooltip test failure is an unrelated flake, or at least I don't see any obvious relation to this PR.

[timja]

I think the hudson.model.RunTest.preventXssInBadgeTooltip test failure is an unrelated flake, or at least I don't see any obvious relation to this PR.

likely

---

FWIW this PR triggered narrowing down a bit jenkinsci/avatar-plugin#18.

I've tested and this PR doesn't resolve it though, but seems to be another issue related to dynamic loading.
The plugin is pretty simple although I didn't manage to trigger the same issue in e.g. theme manager.

[timja]

/label ready-for-merge

---

This PR is now ready for merge, after the upcoming security release, we will merge it if there's no negative feedback.

Thanks!

[A1exKH]

LGTM.