Merged
93 changes: 47 additions & 46 deletions core/src/main/java/hudson/cli/CLICommand.java
Expand Up @@ -48,10 +48,10 @@
import java.nio.charset.Charset;
import java.util.List;
import java.util.Locale;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.cli.listeners.CLIContext;
import jenkins.cli.listeners.CLIListener;
import jenkins.model.Jenkins;
import jenkins.util.Listeners;
import jenkins.util.SystemProperties;
import org.jvnet.hudson.annotation_indexer.Index;
import org.jvnet.tiger_types.Types;
Expand Down Expand Up @@ -242,70 +242,73 @@
this.locale = locale;
CmdLineParser p = getCmdLineParser();

Authentication auth = getTransportAuthentication2();
CLIContext context = new CLIContext(getName(), args, auth);

// add options from the authenticator
SecurityContext sc = null;
Authentication old = null;
Authentication auth;
try {
// TODO as in CLIRegisterer this may be doing too much work
sc = SecurityContextHolder.getContext();
old = sc.getAuthentication();

sc.setAuthentication(auth = getTransportAuthentication2());
sc.setAuthentication(auth);

if (!(this instanceof HelpCommand || this instanceof WhoAmICommand))
Jenkins.get().checkPermission(Jenkins.READ);
p.parseArgument(args.toArray(new String[0]));
LOGGER.log(Level.FINE, "Invoking CLI command {0}, with {1} arguments, as user {2}.",
new Object[] {getName(), args.size(), auth.getName()});

Listeners.notify(CLIListener.class, true, listener -> listener.onExecution(context));
int res = run();
LOGGER.log(Level.FINE, "Executed CLI command {0}, with {1} arguments, as user {2}, return code {3}",
new Object[] {getName(), args.size(), auth.getName(), res});
Listeners.notify(CLIListener.class, true, listener -> listener.onCompleted(context, res));

return res;
} catch (CmdLineException e) {
logFailedCommandAndPrintExceptionErrorMessage(args, e);
printUsage(stderr, p);
return 2;
} catch (IllegalStateException e) {
logFailedCommandAndPrintExceptionErrorMessage(args, e);
return 4;
} catch (IllegalArgumentException e) {
logFailedCommandAndPrintExceptionErrorMessage(args, e);
return 3;
} catch (AbortException e) {
logFailedCommandAndPrintExceptionErrorMessage(args, e);
return 5;
} catch (AccessDeniedException e) {
logFailedCommandAndPrintExceptionErrorMessage(args, e);
return 6;
} catch (BadCredentialsException e) {
// to the caller, we can't reveal whether the user didn't exist or the password didn't match.
// do that to the server log instead
String id = UUID.randomUUID().toString();
logAndPrintError(e, "Bad Credentials. Search the server log for " + id + " for more details.",
"CLI login attempt failed: " + id, Level.INFO);
return 7;
} catch (Throwable e) {
String errorMsg = "Unexpected exception occurred while performing " + getName() + " command.";
logAndPrintError(e, errorMsg, errorMsg, Level.WARNING);
Functions.printStackTrace(e, stderr);
return 1;
int exitCode = handleException(e, context, p);
Listeners.notify(CLIListener.class, true, listener -> listener.onThrowable(context, e));
return exitCode;
} finally {
if (sc != null)
sc.setAuthentication(old); // restore
}
}

private void logFailedCommandAndPrintExceptionErrorMessage(List<String> args, Throwable e) {
Authentication auth = getTransportAuthentication2();
String logMessage = String.format("Failed call to CLI command %s, with %d arguments, as user %s.",
getName(), args.size(), auth != null ? auth.getName() : "<unknown>");

logAndPrintError(e, e.getMessage(), logMessage, Level.FINE);
/**
* Determines command stderr output and return the exit code as described on {@link #main(List, Locale, InputStream, PrintStream, PrintStream)}
* */
protected int handleException(Throwable e, CLIContext context, CmdLineParser p) {
int exitCode;
if (e instanceof CmdLineException) {
exitCode = 2;
printError(e.getMessage());
printUsage(stderr, p);
} else if (e instanceof IllegalArgumentException) {
exitCode = 3;
printError(e.getMessage());
} else if (e instanceof IllegalStateException) {
exitCode = 4;
printError(e.getMessage());
} else if (e instanceof AbortException) {
exitCode = 5;
printError(e.getMessage());
} else if (e instanceof AccessDeniedException) {
exitCode = 6;
printError(e.getMessage());
} else if (e instanceof BadCredentialsException) {

Contributor Author

@apuig apuig Mar 11, 2025


Looks like BadCredentialsException is no longer possible inside CLICommand#main, note {set/get}TransportAuth2:

  • for HTTP or WebSocket the BadCredential is thrown/handled in the filters. When using command line -auth user:pass basic auth : BasicHeaderAuthenticator / AbstractUserAuth.

  • for SSH auth errors (not a BadCredentials) is also handled before executing the command (PublicKeyAuthenticatorImpl / UserAuthNamedFactory).

b1803a9 I can't find CliAuthenticationTest, may not apply anymore.

EDIT: this branch is only possible if a CLICommand implementation throws a BadCredentialsException,

exitCode = 7;
printError(
"Bad Credentials. Search the server log for " + context.getCorrelationId() + " for more details.");

} else {
exitCode = 1;
printError("Unexpected exception occurred while performing " + getName() + " command.");
Functions.printStackTrace(e, stderr);
}
return exitCode;
}

private void logAndPrintError(Throwable e, String errorMessage, String logMessage, Level logLevel) {
LOGGER.log(logLevel, logMessage, e);

private void printError(String errorMessage) {
this.stderr.println();
this.stderr.println("ERROR: " + errorMessage);
}
Expand Down Expand Up @@ -541,8 +544,6 @@
return null;
}

private static final Logger LOGGER = Logger.getLogger(CLICommand.class.getName());

private static final ThreadLocal<CLICommand> CURRENT_COMMAND = new ThreadLocal<>();

/*package*/ static CLICommand setCurrent(CLICommand cmd) {
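Review bot: The `BadCredentialsException` branch of `handleException` still tells the caller to search the server log for `context.getCorrelationId()`, but nothing visible in the new code writes that id to the server log. The `logAndPrintError` call that logged `CLI login attempt failed: <id>` at INFO was removed together with `LOGGER`, and the WARNING record for unexpected exceptions went with it. Unless a `CLIListener` registered elsewhere in this change (not visible on this page) logs `onThrowable`, failed logins and unexpected errors leave no server-side trace and the printed id matches nothing. I would keep `LOGGER` and log in these two branches, e.g. `LOGGER.log(Level.INFO, "CLI login attempt failed: " + context.getCorrelationId(), e);`, or state in the `handleException` Javadoc which listener is responsible for it. The same applies to `CLIRegisterer#main`, which now delegates to this method.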
63 changes: 14 additions & 49 deletions core/src/main/java/hudson/cli/declarative/CLIRegisterer.java
Expand Up @@ -27,11 +27,9 @@
import static java.util.logging.Level.SEVERE;

import edu.umd.cs.findbugs.annotations.NonNull;
import hudson.AbortException;
import hudson.Extension;
import hudson.ExtensionComponent;
import hudson.ExtensionFinder;
import hudson.Functions;
import hudson.Util;
import hudson.cli.CLICommand;
import hudson.cli.CloneableCLICommand;
Expand All @@ -49,19 +47,17 @@
import java.util.Locale;
import java.util.MissingResourceException;
import java.util.Stack;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.ExtensionComponentSet;
import jenkins.ExtensionRefreshException;
import jenkins.cli.listeners.CLIContext;
import jenkins.cli.listeners.CLIListener;
import jenkins.model.Jenkins;
import jenkins.util.Listeners;
import org.jvnet.hudson.annotation_indexer.Index;
import org.jvnet.localizer.ResourceBundleHolder;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.ParserProperties;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
Expand Down Expand Up @@ -202,6 +198,9 @@

List<MethodBinder> binders = new ArrayList<>();

Authentication auth = getTransportAuthentication2();
CLIContext context = new CLIContext(getName(), args, auth);

CmdLineParser parser = bindMethod(binders);
try {
// TODO this could probably use ACL.as; why is it calling SecurityContext.setAuthentication rather than SecurityContextHolder.setContext?
Expand All @@ -211,19 +210,19 @@
// fill up all the binders
parser.parseArgument(args);

Authentication auth = getTransportAuthentication2();
sc.setAuthentication(auth); // run the CLI with the right credential
jenkins.checkPermission(Jenkins.READ);

Listeners.notify(CLIListener.class, true, listener -> listener.onExecution(context));

// resolve them
Object instance = null;
for (MethodBinder binder : binders)
instance = binder.call(instance);

if (instance instanceof Integer)
return (Integer) instance;
else
return 0;
Integer exitCode = (instance instanceof Integer) ? (Integer) instance : 0;

Listeners.notify(CLIListener.class, true, listener -> listener.onCompleted(context, exitCode));
return exitCode;
} catch (InvocationTargetException e) {
Throwable t = e.getTargetException();
if (t instanceof Exception)
Expand All @@ -232,47 +231,13 @@
} finally {
sc.setAuthentication(old); // restore
}
} catch (CmdLineException e) {
printError(e.getMessage());
printUsage(stderr, parser);
return 2;
} catch (IllegalStateException e) {
printError(e.getMessage());
return 4;
} catch (IllegalArgumentException e) {
printError(e.getMessage());
return 3;
} catch (AbortException e) {
printError(e.getMessage());
return 5;
} catch (AccessDeniedException e) {
printError(e.getMessage());
return 6;
} catch (BadCredentialsException e) {
// to the caller, we can't reveal whether the user didn't exist or the password didn't match.
// do that to the server log instead
String id = UUID.randomUUID().toString();
logAndPrintError(e, "Bad Credentials. Search the server log for " + id + " for more details.",
"CLI login attempt failed: " + id, Level.INFO);
return 7;
} catch (Throwable e) {
final String errorMsg = "Unexpected exception occurred while performing " + getName() + " command.";
logAndPrintError(e, errorMsg, errorMsg, Level.WARNING);
Functions.printStackTrace(e, stderr);
return 1;
int exitCode = handleException(e, context, parser);
Listeners.notify(CLIListener.class, true, listener -> listener.onThrowable(context, e));
return exitCode;
}
}

private void printError(String errorMessage) {
this.stderr.println();
this.stderr.println("ERROR: " + errorMessage);
}

private void logAndPrintError(Throwable e, String errorMessage, String logMessage, Level logLevel) {
LOGGER.log(logLevel, logMessage, e);
printError(errorMessage);
}

@Override
protected int run() throws Exception {
throw new UnsupportedOperationException();
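Review bot: `onExecution` is notified only after `parser.parseArgument(args)` and `jenkins.checkPermission(Jenkins.READ)` have succeeded, so an invocation rejected for bad arguments or missing READ permission reaches listeners as a lone `onThrowable` with no preceding `onExecution`. That is worth stating where the notification is made, since a listener used for auditing has to treat `onThrowable` as a standalone event. I would add above the call `// Not notified when argument parsing or the READ check fails; those invocations reach listeners only through onThrowable.` `CLICommand#main` has the same ordering. The enclosing `main` method starts outside the hunk.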
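--- a/core/src/main/java/jenkins/cli/listeners/CLIContext.java
+++ b/core/src/main/java/jenkins/cli/listeners/CLIContext.java
@@ -0,0 +1,88 @@
+/*
+* The MIT License
+*
+* Copyright (c) 2025, CloudBees, Inc.
+*
+* Permission is hereby granted, free of charge, to any person obtaining a copy
+* of this software and associated documentation files (the "Software"), to deal
+* in the Software without restriction, including without limitation the rights
+* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+* copies of the Software, and to permit persons to whom the Software is
+* furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be included in
+* all copies or substantial portions of the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+* THE SOFTWARE.
+*/
+
+package jenkins.cli.listeners;
+
+import edu.umd.cs.findbugs.annotations.CheckForNull;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
+import java.util.List;
+import java.util.UUID;
+import org.springframework.security.core.Authentication;
+
+/**
+* Holds information of a command execution. Same instance is used to all {@link CLIListener} invocations.
+* Use {@code correlationId} in order to group related events to the same command.
+*
+* @since TODO
+*/
+public class CLIContext {
+private final String correlationId = UUID.randomUUID().toString();
+private final String command;
+private final List<String> args;
+private final Authentication auth;
+
+/**
+* @param command The command being executed.
+* @param args Arguments passed to the command.
+* @param auth Authenticated user performing the execution.
+*/
+public CLIContext(@NonNull String command, @CheckForNull List<String> args, @Nullable Authentication auth) {
+this.command = command;
+this.args = args != null ? args : List.of();
+this.auth = auth;
+}
+
+/**
+* @return Correlate this command event to other, related command events.
+*/
+@NonNull
+public String getCorrelationId() {
+return correlationId;
+}
+
+/**
+* @return Command being executed.
+*/
+@NonNull
+public String getCommand() {
+return command;
+}
+
+/**
+* @return Arguments passed to the command.
+*/
+@NonNull
+public List<String> getArgs() {
+return args;
+}
+
+/**
+* @return Authenticated user performing the execution.
+*/
+@CheckForNull
+public Authentication getAuth() {
+return auth;
+}
+}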
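Review bot: The constructor keeps the caller's `args` list by reference and `getArgs()` hands it to every `CLIListener`, so a listener can modify the list the command itself was given. It also makes the raw argument values available to any listener that logs them; for some commands these may include credentials or tokens (an assumption, the commands are not visible here), whereas the logging removed from `CLICommand` recorded only `args.size()`. I would store an unmodifiable copy, `this.args = args != null ? Collections.unmodifiableList(new ArrayList<>(args)) : List.of();`, and extend the `getArgs()` Javadoc with `Values may be sensitive; listeners should not log or persist them verbatim.` The class Javadoc also still carries `@since TODO`.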