fix: auto re-request approval once dismissed [JENKINS-63668]

Author: meiswjn

src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java

@@ -641,7 +641,10 @@ public synchronized String using(@NonNull String script, @NonNull Language langu
         }
         ConversionCheckResult result = checkAndConvertApprovedScript(script, language);
         if (!result.approved) {
-            // Probably need not add to pendingScripts, since generally that would have happened already in configuring.
+            // Usually. this method is called once the job configuration with the script is saved.
+            // If a script was previously pending and is now deleted, however, it would require to re-configure the job.
+            // That's why we call it again if it is unapproved in a running job.
+            this.configuring(script, language, ApprovalContext.create(), false);
             throw new UnapprovedUsageException(result.newHash);
         }
         return script;

src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java

@@ -51,7 +51,11 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.nullValue;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
 public class ScriptApprovalTest extends AbstractApprovalTest<ScriptApprovalTest.Script> {
@@ -65,6 +69,41 @@ public class ScriptApprovalTest extends AbstractApprovalTest<ScriptApprovalTest.
     private static final String WHITELISTED_SIGNATURE = "method java.lang.String trim";
     private static final String DANGEROUS_SIGNATURE = "staticMethod hudson.model.User current";
 
+    private String approveIfExists(String script, ScriptApproval sa) throws IOException {
+        for (ScriptApproval.PendingScript pending : sa.getPendingScripts()) {
+            if(pending.script.equals(script)) {
+                String hash = pending.getHash();
+                sa.approveScript(hash);
+                return hash;
+            }
+        }
+        return null;
+    }
+
+    @Test
+    public void reapprovingShouldFail() throws Exception {
+        configureSecurity();
+        final ScriptApproval sa = ScriptApproval.get();
+        FreeStyleProject p = r.createFreeStyleProject();
+        String testScript = "jenkins.model.Jenkins.instance";
+        p.getPublishersList().add(new TestGroovyRecorder(
+                new SecureGroovyScript(testScript, false, null)));
+
+        String approvedHash = approveIfExists(testScript, sa);
+        assertNotNull(approvedHash);
+        r.assertBuildStatus(Result.SUCCESS, p.scheduleBuild2(0).get());
+
+        sa.denyScript(approvedHash);
+
+        /*
+            * The script is not approved but should be pending.
+         */
+        r.assertBuildStatus(Result.FAILURE, p.scheduleBuild2(0).get());
+        approvedHash = approveIfExists(testScript, sa);
+        assertNotNull(approvedHash);
+        r.assertBuildStatus(Result.SUCCESS, p.scheduleBuild2(0).get());
+    }
+
     @Test public void emptyScript() throws Exception {
         configureSecurity();
         script("").use();