Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make plugin CSP compliant #2551

Merged
merged 2 commits into from
Aug 27, 2024
Merged

make plugin CSP compliant #2551

merged 2 commits into from
Aug 27, 2024

Conversation

mawinter69
Copy link
Contributor

  • remove inline javascript from checkUrl
  • remove inline style tags and move styles to own css file

tested that after visiting the pages from CasC no things are found in CSP plugin reports

Your checklist for this pull request

🚨 Please review the guidelines for contributing to this repository.

  • Make sure you are requesting to pull a topic/feature/bugfix branch (right side) and not your master branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or in Jenkins JIRA
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Did you provide a test-case? That demonstrates feature works or fixes the issue.

@mawinter69
make plugin CSP compliant
904d441 
- remove inline javascript from checkUrl
- remove inline style tags and move styles to own css file
@mawinter69 mawinter69 requested a review from a team as a code owner August 26, 2024 20:51
timja
timja approved these changes Aug 26, 2024
View reviewed changes
Copy link
Member

@timja timja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

plugin/src/main/resources/io/jenkins/plugins/casc/ConfigurationAsCode/reference.jelly
<html><head>
<style class='anchorjs'></style><link href='https://jenkins.io/assets/bower/bootstrap/css/bootstrap.min.css' media='screen' rel='stylesheet'/>
<link href='https://jenkins.io/assets/bower/bootstrap/css/bootstrap.min.css' media='screen' rel='stylesheet'/>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤯 what is this doing here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know what that style could be for. The reference page works just fine without it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if its fine do you mind removing it now too?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the bootstrap is required, without it the page looks bad, I was referring to the <style class="anchorjs"></style>, that this isn't required

@timja timja enabled auto-merge (squash) August 26, 2024 21:04
@timja
Copy link
Member

timja commented Aug 26, 2024

Test failure may be relevant: https://ci.jenkins.io/job/Plugins/job/configuration-as-code-plugin/job/PR-2551/1/testReport/io.jenkins.plugins.casc/RoundTripMailerTest/linux_21___Build__linux_21____roundTripTest/

auto-merge was automatically disabled August 26, 2024 21:26

Head branch was pushed to by a user without write access

@timja timja enabled auto-merge (squash) August 26, 2024 21:52
@timja timja merged commit 3ad2056 into jenkinsci:master Aug 27, 2024
18 checks passed
@basil
Copy link
Member

basil commented Aug 27, 2024

Breaks:

  • com.cloudbees.jenkins.plugins.advisor.casc.AdvisorJCasCompatibilityTest#roundTripTest
  • com.cloudbees.jenkins.plugins.awscredentials.ConfigurationAsCodeTest#roundTripTest
  • hudson.plugins.active_directory.ActiveDirectoryJCasCCompatibilityTest#roundTripTest
  • hudson.views.ViewJobFiltersConfigAsCodeTest#roundTripTest
  • jenkins.metrics.RoundTripJCascMetricsTest#roundTripTest
  • jenkins.plugins.git.BrowsersJCasCCompatibilityTest#roundTripTest
  • jenkins.plugins.git.GitJCasCCompatibilityTest#roundTripTest
  • jenkins.plugins.git.GitSCMJCasCCompatibilityTest#roundTripTest
  • jenkins.plugins.git.GitToolJCasCCompatibilityTest#roundTripTest
  • jenkins.plugins.git.GlobalLibraryWithLegacyJCasCCompatibilityTest#roundTripTest
  • jenkins.plugins.git.GlobalLibraryWithModernJCasCCompatibilityTest#roundTripTest
  • org.csanchez.jenkins.plugins.kubernetes.casc.CasCTest#roundTripTest
  • org.csanchez.jenkins.plugins.kubernetes.casc.EnvVarCasCTest#roundTripTest
  • org.csanchez.jenkins.plugins.kubernetes.casc.WorkspaceVolumeCasCTest#roundTripTest
  • org.jenkinsci.plugins.docker.commons.CasCTest#roundTripTest
  • org.jenkinsci.plugins.gitclient.JcascTest#roundTripTest
  • org.jenkinsci.plugins.saml.SamlJCasCCompatibilityTest#roundTripTest

Reverted in jenkinsci/bom#3496

@basil basil mentioned this pull request Aug 27, 2024
Closed
@mawinter69
Copy link
Contributor Author

I'm not able to reproduce the problem.
I used the git plugin and explicitly set the dependency to configuration-as-code to version 1849.v3a_d20568000a_ for both dependencies declared in git plugin (to the plugin and the test-harness).
Then I ran the test jenkins.plugins.git.GitJCasCCompatibilityTest which succeeded successfully.

@basil
Copy link
Member

basil commented Aug 27, 2024

I'm not able to reproduce the problem.

See jenkinsci/bom#3496.

@mawinter69
Copy link
Contributor Author

There is no hint what could be wrong in there.

@basil
Copy link
Member

basil commented Aug 27, 2024

There is no hint what could be wrong in there.

The hint was to reproduce the problem in jenkinsci/bom.

I'm not able to reproduce the problem.

Did you follow the README in jenkinsci/bom? I can reproduce the problem as of jenkinsci/bom@e3a686bb by running PLUGINS=saml TEST=org.jenkinsci.plugins.saml.SamlJCasCCompatibilityTest#roundTripTest bash local-test.sh as described in the README.

@mawinter69
Copy link
Contributor Author

mawinter69 commented Aug 27, 2024
edited
Loading

OK, so the error I get is

Expected: a string containing "The configuration can be applied"
     but: was "<div/>"

In the surefire report I can see that the classpath contains
io\jenkins\configuration-as-code\test-harness\1700.v6f448841296e
and
io\jenkins\configuration-as-code\1849.v3a_d20568000a_
So test-harness doesn't fit the the plugin version. This looks like a bug in PCT.

I can workaround in configuration-as-code by sticking to the newSource parameter and using
<f:textbox checkUrl="checkNewSource" checkDependsOn="newSource"/>

Then the RoundTripAbstractTest stays compatible.

@basil
Copy link
Member

basil commented Aug 27, 2024

So test-harness doesn't fit the the plugin version. This looks like a bug in PCT.

PCT updates plugins, but it doesn't update non-plugins (like the JCasC test harness). If we want PCT to update the JCasC test harness in lockstep with the JCasC plugin, we'll need to write a hook for that in https://github.com/jenkinsci/plugin-compat-tester/tree/9eebb111439fbe8d33545288687d54103917ebeb/src/main/java/org/jenkins/tools/test/hook

I can workaround in configuration-as-code by sticking to the newSource parameter and using
<f:textbox checkUrl="checkNewSource" checkDependsOn="newSource"/> Then the RoundTripAbstractTest stays compatible.

This sounds perfectly fine in the short term.

@mawinter69 mawinter69 mentioned this pull request Aug 27, 2024
Merged
6 tasks
@basil basil mentioned this pull request Aug 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timja timja timja approved these changes

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mawinter69 @timja @basil