Merge pull request #907 from amuniz/JENKINS-73470

[JENKINS-73470] Option to hide "Use Groovy Sandbox"

Author: jglick

plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java

@@ -24,25 +24,33 @@
 
 package org.jenkinsci.plugins.workflow.cps;
 
+import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.AbortException;
 import hudson.Extension;
 import hudson.model.Action;
+import hudson.model.Descriptor;
+import hudson.model.Failure;
 import hudson.model.Item;
 import hudson.model.Job;
 import hudson.model.Queue;
 import hudson.model.Run;
 import hudson.model.TaskListener;
 import hudson.util.FormValidation;
 import hudson.util.StreamTaskListener;
+import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.apache.commons.lang.StringUtils;
+import org.jenkinsci.plugins.workflow.cps.config.CPSConfiguration;
 import org.jenkinsci.plugins.workflow.cps.persistence.PersistIn;
 import org.jenkinsci.plugins.workflow.flow.DurabilityHintProvider;
 import org.jenkinsci.plugins.workflow.flow.FlowDefinition;
 import org.jenkinsci.plugins.workflow.flow.FlowDefinitionDescriptor;
 import org.jenkinsci.plugins.workflow.flow.FlowDurabilityHint;
 import org.jenkinsci.plugins.workflow.flow.FlowExecutionOwner;
 import org.jenkinsci.plugins.workflow.flow.GlobalDefaultFlowDurabilityLevel;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.DataBoundConstructor;
 
@@ -75,16 +83,22 @@ public class CpsFlowDefinition extends FlowDefinition {
      * @deprecated use {@link #CpsFlowDefinition(String, boolean)} instead
      */
     @Deprecated
-    public CpsFlowDefinition(String script) {
+    public CpsFlowDefinition(String script) throws Descriptor.FormException {
         this(script, false);
     }
 
     @DataBoundConstructor
-    public CpsFlowDefinition(String script, boolean sandbox) {
+    public CpsFlowDefinition(String script, boolean sandbox) throws Descriptor.FormException {
+        if (CPSConfiguration.get().isHideSandbox() && !sandbox && !Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
+            // this will end up in the /oops page until https://github.com/jenkinsci/jenkins/pull/9495 is picked up
+            throw new Descriptor.FormException("Sandbox cannot be disabled. This Jenkins instance has been configured to not " +
+                    "allow regular users to disable the sandbox in pipelines", "sandbox");
+        }
         StaplerRequest req = Stapler.getCurrentRequest();
         this.script = sandbox ? script : ScriptApproval.get().configuring(script, GroovyLanguage.get(),
                 ApprovalContext.create().withCurrentUser().withItemAsKey(req != null ? req.findAncestorObject(Item.class) : null), req == null);
         this.sandbox = sandbox;
+
     }
 
     private Object readResolve() {
@@ -178,5 +192,13 @@ public JSON doCheckScriptCompile(@AncestorInPath Item job, @QueryParameter Strin
             // Approval requirements are managed by regular stapler form validation (via doCheckScript)
         }
 
+        @Restricted(NoExternalUse.class) // stapler
+        public boolean shouldHideSandbox(@CheckForNull CpsFlowDefinition instance) {
+            // sandbox checkbox is shown to admins even if the global configuration says otherwise
+            // it's also shown when sandbox == false, so regular users can enable it
+            return CPSConfiguration.get().isHideSandbox() && !Jenkins.get().hasPermission(Jenkins.ADMINISTER)
+                    && (instance == null || instance.sandbox);
+        }
+
     }
 }

plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/config/CPSConfiguration.java

@@ -0,0 +1,65 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2024, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package org.jenkinsci.plugins.workflow.cps.config;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import hudson.ExtensionList;
+import jenkins.model.GlobalConfiguration;
+import jenkins.model.GlobalConfigurationCategory;
+import org.jenkinsci.Symbol;
+
+@Symbol("cps")
+@Extension
+public class CPSConfiguration extends GlobalConfiguration {
+
+    /**
+     * Whether to show the sandbox checkbox in jobs to users without Jenkins.ADMINISTER
+     */
+    private boolean hideSandbox;
+
+    public CPSConfiguration() {
+        load();
+    }
+
+    public boolean isHideSandbox() {
+        return hideSandbox;
+    }
+
+    public void setHideSandbox(boolean hideSandbox) {
+        this.hideSandbox = hideSandbox;
+        save();
+    }
+
+    @NonNull
+    @Override
+    public GlobalConfigurationCategory getCategory() {
+        return GlobalConfigurationCategory.get(GlobalConfigurationCategory.Security.class);
+    }
+
+    public static CPSConfiguration get() {
+        return ExtensionList.lookupSingleton(CPSConfiguration.class);
+    }
+}

plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition/config.jelly

@@ -28,7 +28,7 @@
   <f:entry title="${%Script}" field="script">
     <wfe:workflow-editor />
   </f:entry>
-  <f:entry field="sandbox">
+  <f:entry field="sandbox" class="${descriptor.shouldHideSandbox(instance) ? 'jenkins-hidden' : ''}">
     <f:checkbox title="${%Use Groovy Sandbox}" default="true"/>
   </f:entry>
     <f:block>

plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/config/CPSConfiguration/config.jelly

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+The MIT License
+
+Copyright 2024 CloudBees, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-->
+
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
+    <f:section title="${%Pipeline Sandbox}">
+        <f:entry field="hideSandbox" title="${%Hide Sandbox checkbox in pipeline jobs}">
+            <f:checkbox/>
+        </f:entry>
+    </f:section>
+</j:jelly>

plugin/src/main/resources/org/jenkinsci/plugins/workflow/cps/config/CPSConfiguration/help-hideSandbox.html

@@ -0,0 +1,6 @@
+<div>
+    <p>Controls whether the "Use Groovy Sandbox" is shown in pipeline jobs configuration page to users without Overall/Administer permission.</p>
+    <p>This can be used to get a better UX in highly secured environments where all pipelines are required to run in the sandbox (ie. running arbitrary code is never approved)</p>
+    <p>Note that this does not prevent users to configure and run pipelines with sandbox disabled if they create or update jobs by other means (like CLI or HTTP API).
+        This option is only hiding the checkbox from the HTML UI</p>
+</div>

plugin/src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinitionTest.java

@@ -24,6 +24,8 @@
 
 package org.jenkinsci.plugins.workflow.cps;
 
+import hudson.util.VersionNumber;
+import org.htmlunit.FailingHttpStatusCodeException;
 import org.htmlunit.HttpMethod;
 import org.htmlunit.WebRequest;
 import org.htmlunit.html.HtmlCheckBoxInput;
@@ -41,20 +43,28 @@
 import org.apache.tools.ant.filters.StringInputStream;
 import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
 import org.jenkinsci.plugins.scriptsecurity.scripts.languages.GroovyLanguage;
+import org.jenkinsci.plugins.workflow.cps.config.CPSConfiguration;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.junit.Rule;
 import org.junit.Test;
 import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.MockAuthorizationStrategy;
 
+import java.nio.charset.StandardCharsets;
 import java.util.List;
 
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsStringIgnoringCase;
+import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasSize;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.hamcrest.Matchers.nullValue;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 public class CpsFlowDefinitionTest {
 
@@ -280,4 +290,84 @@ public void cpsScriptSubmissionViaRest() throws Exception {
         assertFalse(ScriptApproval.get().isScriptApproved(configuredViaRestByNonAdmin, GroovyLanguage.get()));
         wc.close();
     }
+
+    @Test
+    public void cpsScriptSandboxHide() throws Exception {
+        jenkins.jenkins.setSecurityRealm(jenkins.createDummySecurityRealm());
+
+        MockAuthorizationStrategy mockStrategy = new MockAuthorizationStrategy();
+        mockStrategy.grant(Jenkins.READ).everywhere().to("devel");
+        for (Permission p : Item.PERMISSIONS.getPermissions()) {
+            mockStrategy.grant(p).everywhere().to("devel");
+        }
+        mockStrategy.grant(Jenkins.ADMINISTER).everywhere().to("admin");
+        jenkins.jenkins.setAuthorizationStrategy(mockStrategy);
+
+        WorkflowJob p = jenkins.createProject(WorkflowJob.class);
+        p.setDefinition(new CpsFlowDefinition("echo 'Hello'", true));
+
+        JenkinsRule.WebClient wcDevel = jenkins.createWebClient();
+
+        // non-admins can see the sandbox checkbox in jobs by default
+        wcDevel.login("devel");
+        {
+            HtmlForm config = wcDevel.getPage(p, "configure").getFormByName("config");
+            assertThat(config.getVisibleText(), containsStringIgnoringCase("Use Groovy Sandbox"));
+        }
+
+        // non-admins cannot see the sandbox checkbox in jobs if hideSandbox is On globally
+        CPSConfiguration.get().setHideSandbox(true);
+        {
+            HtmlForm config = wcDevel.getPage(p, "configure").getFormByName("config");
+            assertThat(config.getVisibleText(), not(containsStringIgnoringCase("Use Groovy Sandbox")));
+
+            // but, when the sandbox is disabled the checkbox is shown so users can enable it
+            p.setDefinition(new CpsFlowDefinition("echo 'Hello'", false));
+            config = wcDevel.getPage(p, "configure").getFormByName("config");
+            assertThat(config.getVisibleText(), containsStringIgnoringCase("Use Groovy Sandbox"));
+        }
+
+        // admins can always see the sandbox checkbox
+        CPSConfiguration.get().setHideSandbox(false);
+        wcDevel.login("admin");
+        {
+            HtmlForm config = wcDevel.getPage(p, "configure").getFormByName("config");
+            assertThat(config.getVisibleText(), containsStringIgnoringCase("Use Groovy Sandbox"));
+        }
+
+        // even when set to hide globally
+        CPSConfiguration.get().setHideSandbox(true);
+        {
+            HtmlForm config = wcDevel.getPage(p, "configure").getFormByName("config");
+            assertThat(config.getVisibleText(), containsStringIgnoringCase("Use Groovy Sandbox"));
+        }
+
+        // regular users cannot save jobs if the sandbox is disabled
+        p.setDefinition(new CpsFlowDefinition("echo 'Hello'", false));
+        wcDevel.login("devel");
+        {
+            HtmlForm config = wcDevel.getPage(p, "configure").getFormByName("config");
+            assertThat(config.getVisibleText(), containsStringIgnoringCase("Use Groovy Sandbox"));
+            List<HtmlInput> sandboxes = config.getInputsByName("_.sandbox");
+            // Get the last one, because previous ones might be from Lockable Resources during PCT.
+            HtmlCheckBoxInput sandbox = (HtmlCheckBoxInput) sandboxes.get(sandboxes.size() - 1);
+            assertFalse("Sandbox is disabled", sandbox.isChecked());
+            VersionNumber jenkinsVersion = new VersionNumber(Jenkins.VERSION);
+            int expectedStatus = 500;
+            if (jenkinsVersion.isNewerThanOrEqualTo(new VersionNumber("2.470"))) { // TODO pending https://github.com/jenkinsci/jenkins/pull/9495 in baseline
+                expectedStatus = 400;
+            }
+            try {
+                jenkins.submit(config);
+                fail("Expected HTTP " + expectedStatus);
+            } catch (FailingHttpStatusCodeException e) {
+                // good, expected
+                assertThat(e.getStatusCode(), equalTo(expectedStatus));
+                if (expectedStatus == 400) {
+                    assertThat(e.getResponse().getContentAsString(StandardCharsets.UTF_8), containsStringIgnoringCase("Sandbox cannot be disabled"));
+                }
+            }
+
+        }
+    }
 }