Add script listener to track usage

meiswjn · meiswjn · commit 6e29f5fafde5 · 2022-05-07T11:52:11.000+02:00
diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
@@ -30,10 +30,7 @@
 import groovy.lang.GroovyShell;
 import hudson.Extension;
 import hudson.PluginManager;
-import hudson.model.AbstractDescribableImpl;
-import hudson.model.Descriptor;
-import hudson.model.Item;
-import hudson.model.TaskListener;
+import hudson.model.*;
 import hudson.util.FormValidation;
 
 import java.beans.Introspector;
@@ -62,11 +59,7 @@
 import org.codehaus.groovy.control.CompilerConfiguration;
 import org.codehaus.groovy.control.SourceUnit;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
-import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;
-import org.jenkinsci.plugins.scriptsecurity.scripts.ClasspathEntry;
-import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
-import org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedClasspathException;
-import org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException;
+import org.jenkinsci.plugins.scriptsecurity.scripts.*;
 import org.jenkinsci.plugins.scriptsecurity.scripts.languages.GroovyLanguage;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
@@ -374,7 +367,8 @@ public Object evaluate(ClassLoader loader, Binding binding, @CheckForNull TaskLi
                     memoryProtectedLoader = new CleanGroovyClassLoader(loader);
                     loaderF.set(sh, memoryProtectedLoader);
                 }
-                return sh.evaluate(ScriptApproval.get().using(script, GroovyLanguage.get()));
+                Run run = (Run) binding.getVariable("build");
+                return sh.evaluate(ScriptApproval.get().using(script, GroovyLanguage.get(), run));
             }
 
         } finally {
diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
@@ -24,6 +24,7 @@
 
 package org.jenkinsci.plugins.scriptsecurity.scripts;
 
+import hudson.model.Run;
 import jenkins.model.GlobalConfiguration;
 import jenkins.model.GlobalConfigurationCategory;
 import net.sf.json.JSONArray;
@@ -467,9 +468,32 @@ public synchronized String using(@NonNull String script, @NonNull Language langu
             // Probably need not add to pendingScripts, since generally that would have happened already in configuring.
             throw new UnapprovedUsageException(hash);
         }
+
+        return script;
+    }
+    /**
+     * Called when a script is about to be used (evaluated).
+     * @param script a possibly unapproved script
+     * @param language the language in which it is written
+     * @param run the run executing the groovy script.
+     * @return {@code script}, for convenience
+     * @throws UnapprovedUsageException in case it has not yet been approved
+     */
+    public synchronized String using(@NonNull String script, @NonNull Language language, @NonNull Run run) throws UnapprovedUsageException {
+        if (script.length() == 0) {
+            // As a special case, always consider the empty script preapproved, as this is usually the default for new fields,
+            // and in many cases there is some sensible behavior for an emoty script which we want to permit.
+            ScriptListener.fireScriptFromConsoleEvent(script, run);
+            return script;
+        }
+        String hash = hash(script, language.getName());
+        if (!approvedScriptHashes.contains(hash)) {
+            // Probably need not add to pendingScripts, since generally that would have happened already in configuring.
+            throw new UnapprovedUsageException(hash);
+        }
+        ScriptListener.fireScriptFromConsoleEvent(script, run);
         return script;
     }
-
     // Only for testing
     synchronized boolean isScriptHashApproved(String hash) {
         return approvedScriptHashes.contains(hash);
diff --git a/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptListener.java b/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptListener.java
@@ -0,0 +1,35 @@
+package org.jenkinsci.plugins.scriptsecurity.scripts;
+
+import hudson.ExtensionPoint;
+import hudson.model.Run;
+import jenkins.model.Jenkins;
+import jenkins.util.Listeners;
+
+/**
+ * A listener to track usage of Groovy scripts running outside of a sandbox.
+ *
+ * @see org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript#evaluate(groovy.lang.GroovyClassLoader, groovy.lang.Binding, hudson.model.TaskListener)
+ */
+public interface ScriptListener extends ExtensionPoint {
+
+    /**
+     * Called when a groovy script is executed in a pipeline outside of a sandbox.
+     *
+     * @see org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript#evaluate(groovy.lang.GroovyClassLoader, groovy.lang.Binding, hudson.model.TaskListener)
+     * @param script The Groovy script that is excecuted.
+     * @param run The run calling the Groovy script.
+     */
+    void onScriptFromPipeline(String script, Run run);
+
+
+    /**
+     * Fires the {@link #onScriptFromPipeline(String, Run)} event to track the usage of the script console.
+     *
+     * @see org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript#evaluate(ClassLoader, Binding, TaskListener)
+     * @param script The Groovy script that is excecuted.
+     * @param run The run calling the Groovy script.
+     */
+    static void fireScriptFromConsoleEvent(String script, Run run) {
+        Listeners.notify(ScriptListener.class, true, listener -> listener.onScriptFromPipeline(script, run));
+    }
+}
