提交
01a24e2c
编写于
2月 12, 2013
作者:
Kohsuke Kawaguchi
[SECURITY-54]
Jesse's original patch
上级
46d94e08
变更
6
Showing
6 changed file
with
61 addition
and
8 deletion
+61
-8
core/src/main/java/hudson/slaves/SlaveComputer.java
core/src/main/java/hudson/slaves/SlaveComputer.java
+50
-1
core/src/main/java/jenkins/model/Jenkins.java
core/src/main/java/jenkins/model/Jenkins.java
+2
-0
core/src/main/resources/hudson/slaves/JNLPLauncher/main.jelly
.../src/main/resources/hudson/slaves/JNLPLauncher/main.jelly
+3
-2
core/src/main/resources/hudson/slaves/SlaveComputer/slave-agent.jnlp.jelly
...ources/hudson/slaves/SlaveComputer/slave-agent.jnlp.jelly
+1
-3
pom.xml
pom.xml
+1
-1
test/src/test/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java
...est/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java
+4
-1
core/src/main/java/hudson/slaves/SlaveComputer.java
...
...
@@ -40,6 +40,7 @@ import hudson.AbortException;
import
hudson.remoting.Launcher
;
import
static
hudson
.
slaves
.
SlaveComputer
.
LogHolder
.
SLAVE_LOG_HANDLER
;
import
hudson.slaves.OfflineCause.ChannelTermination
;
import
hudson.util.Secret
;
import
java.io.File
;
import
java.io.OutputStream
;
...
...
@@ -58,6 +59,13 @@ import java.util.concurrent.Future;
import
java.security.Security
;
import
hudson.util.io.ReopenableFileOutputStream
;
import
java.io.ByteArrayOutputStream
;
import
java.io.PrintWriter
;
import
java.security.GeneralSecurityException
;
import
javax.crypto.Cipher
;
import
javax.crypto.SecretKey
;
import
javax.crypto.spec.SecretKeySpec
;
import
javax.servlet.RequestDispatcher
;
import
jenkins.model.Jenkins
;
import
jenkins.slaves.JnlpSlaveAgentProtocol
;
import
org.kohsuke.stapler.StaplerRequest
;
...
...
@@ -67,7 +75,11 @@ import org.kohsuke.stapler.HttpResponse;
import
org.kohsuke.stapler.HttpRedirect
;
import
javax.servlet.ServletException
;
import
javax.servlet.http.HttpServletResponse
;
import
javax.servlet.ServletOutputStream
;
import
javax.servlet.http.HttpServletResponseWrapper
;
import
org.kohsuke.stapler.ResponseImpl
;
import
org.kohsuke.stapler.WebMethod
;
import
org.kohsuke.stapler.compression.FilterServletOutputStream
;
/**
* {@link Computer} for {@link Slave}s.
...
...
@@ -129,6 +141,9 @@ public class SlaveComputer extends Computer {
return
acceptingTasks
;
}
/**
* @since 1.498
*/
public
String
getJnlpMac
()
{
return
JnlpSlaveAgentProtocol
.
SLAVE_SECRET
.
mac
(
getName
());
}
...
...
@@ -535,6 +550,40 @@ public class SlaveComputer extends Computer {
return
new
Slave
.
JnlpJar
(
fileName
);
}
@WebMethod
(
name
=
"slave-agent.jnlp"
)
public
void
doSlaveAgentJnlp
(
StaplerRequest
req
,
StaplerResponse
res
)
throws
IOException
,
ServletException
{
RequestDispatcher
view
=
req
.
getView
(
this
,
"slave-agent.jnlp.jelly"
);
if
(
"true"
.
equals
(
req
.
getParameter
(
"encrypt"
)))
{
req
.
setAttribute
(
"jnlpMac"
,
"SLAVE_SECRET"
);
final
ByteArrayOutputStream
baos
=
new
ByteArrayOutputStream
();
StaplerResponse
temp
=
new
ResponseImpl
(
req
.
getStapler
(),
new
HttpServletResponseWrapper
(
res
)
{
@Override
public
ServletOutputStream
getOutputStream
()
throws
IOException
{
return
new
FilterServletOutputStream
(
baos
);
}
@Override
public
PrintWriter
getWriter
()
throws
IOException
{
throw
new
IllegalStateException
();
}
});
view
.
forward
(
req
,
temp
);
byte
[]
jnlpMac
=
JnlpSlaveAgentProtocol
.
SLAVE_SECRET
.
mac
(
getName
().
getBytes
(
"UTF-8"
));
SecretKey
key
=
new
SecretKeySpec
(
jnlpMac
,
0
,
/* export restrictions */
128
/
8
,
"AES"
);
byte
[]
encrypted
;
try
{
Cipher
c
=
Secret
.
getCipher
(
"AES"
);
c
.
init
(
Cipher
.
ENCRYPT_MODE
,
key
);
encrypted
=
c
.
doFinal
(
baos
.
toByteArray
());
}
catch
(
GeneralSecurityException
x
)
{
throw
new
IOException
(
x
);
}
res
.
setContentType
(
"application/octet-stream"
);
res
.
getOutputStream
().
write
(
encrypted
);
}
else
{
checkPermission
(
CONNECT
);
req
.
setAttribute
(
"jnlpMac"
,
getJnlpMac
());
view
.
forward
(
req
,
res
);
}
}
@Override
protected
void
kill
()
{
super
.
kill
();
...
...
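Review bot: In `doSlaveAgentJnlp`, the `encrypt=true` branch calls `Secret.getCipher("AES")` with no mode and no IV, which on the stock JCE provider resolves to AES/ECB/PKCS5Padding (unless `Secret.getCipher` picks a provider with a different default), and the output carries no integrity tag. This branch runs without `checkPermission(CONNECT)`, so the ciphertext of a largely predictable JNLP document is served to any caller; ECB exposes repeated plaintext blocks and the client cannot detect a modified response. Naming the transformation and prepending a random IV, as sketched below, removes the dependence on provider defaults; it changes the wire format, so the remoting client that decrypts the response has to change with it, and an authentication tag would still be needed for integrity. Separately, the new public `getJnlpMac()` returns the secret with no permission check of its own and its Javadoc holds only `@since 1.498`; a sentence saying that callers must enforce CONNECT would help.

```java
// … unchanged: render the view into baos, derive the 128-bit key from the node MAC …
byte[] iv = new byte[16];
new SecureRandom().nextBytes(iv);
// … unchanged: byte[] encrypted; try { …
    Cipher c = Secret.getCipher("AES/CBC/PKCS5Padding");
    c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
// … unchanged: doFinal, GeneralSecurityException handling, setContentType …
res.getOutputStream().write(iv); // IV goes in the clear ahead of the ciphertext; the client reads it first
res.getOutputStream().write(encrypted);
```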
core/src/main/java/jenkins/model/Jenkins.java
...
...
@@ -3567,6 +3567,8 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
||
rest
.
startsWith
(
"/adjuncts/"
)
||
rest
.
startsWith
(
"/signup"
)
||
rest
.
startsWith
(
"/tcpSlaveAgentListener"
)
// XXX SlaveComputer.doSlaveAgentJnlp; there should be an annotation to request unprotected access
||
rest
.
matches
(
"/computer/.+/slave-agent[.]jnlp"
)
&&
"true"
.
equals
(
Stapler
.
getCurrentRequest
().
getParameter
(
"encrypt"
))
||
rest
.
startsWith
(
"/cli"
)
||
rest
.
startsWith
(
"/federatedLoginService/"
)
||
rest
.
startsWith
(
"/securityRealm"
))
...
...
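Review bot: The new allow-list entry `rest.matches("/computer/.+/slave-agent[.]jnlp")` uses `.+`, which also matches `/`, so any path under `/computer/` that ends in `/slave-agent.jnlp` passes this condition when `encrypt=true` is present, not only the one endpoint named in the `XXX` comment. If node names cannot contain a slash, `rest.matches("/computer/[^/]+/slave-agent[.]jnlp")` limits the exemption to a single path segment. The clause also places `&&` inside a chain of `||` without parentheses; it evaluates as intended because `&&` binds tighter, but wrapping the `matches(...) && "true".equals(...)` pair in parentheses makes that explicit. The enclosing method and the start of the condition are outside the hunk, so what the condition guards is inferred from the neighbouring entries and the comment.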
core/src/main/resources/hudson/slaves/JNLPLauncher/main.jelly
...
...
@@ -65,7 +65,8 @@ THE SOFTWARE.
<p>
${%Run from slave command line:}
</p>
<pre>java -jar <a href="${rootURL}/jnlpJars/slave.jar">slave.jar</a> -jnlpUrl ${h.inferHudsonURL(request)}${it.url}slave-agent.jnlp -jnlpCredentials ${app.authentication.name}:<a href="${rootURL}/user/${app.authentication.name}/configure" target="_blank">your-API-token</a></pre>
<!-- XXX conceal secret w/ JS if possible -->
<pre>java -jar <a href="${rootURL}/jnlpJars/slave.jar">slave.jar</a> -jnlpUrl ${h.inferHudsonURL(request)}${it.url}slave-agent.jnlp -secret ${it.jnlpMac}</pre>
</li>
</j:otherwise>
</j:choose>
...
...
@@ -85,4 +86,4 @@ THE SOFTWARE.
</p>
</j:otherwise>
</j:choose>
</j:jelly>
\ No newline at end of file
</j:jelly>
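Review bot: The added `<pre>` line writes `${it.jnlpMac}` into the page as plain text, and the hunk shows no permission test around this `<j:otherwise>` branch. `getJnlpMac()` in SlaveComputer performs no check of its own, so unless an element outside the hunk already requires CONNECT, every user who can view this page can read the agent secret. Either wrap the line in a permission test or record the existing guard next to it, for example `<!-- rendered only for users with CONNECT; this value lets a process connect as this agent -->`. The secret is also presented as a command-line argument, which other local users on the agent host can typically see in the process list.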
core/src/main/resources/hudson/slaves/SlaveComputer/slave-agent.jnlp.jelly
...
...
@@ -31,8 +31,6 @@ THE SOFTWARE.
<!--
See http://www.dallaway.com/acad/webstart/ for obtaining the certificate.
-->
<j:getStatic var="connect" className="hudson.model.Computer" field="CONNECT"/>
${it.checkPermission(connect)}
<!-- See http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/syntax.html for the syntax -->
<jnlp spec="1.0+"
...
...
@@ -63,7 +61,7 @@ THE SOFTWARE.
</resources>
<application-desc main-class="hudson.remoting.jnlp.Main">
<argument>${
it.
jnlpMac}</argument>
<argument>${jnlpMac}</argument>
<argument>${it.node.nodeName}</argument>
<j:if test="${it.launcher.tunnel!=null}">
<argument>-tunnel</argument>
...
...
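Review bot: With `${it.checkPermission(connect)}` removed, this view enforces nothing itself, and `${jnlpMac}` is now a request attribute, not a property of `it`; nothing in the file says where either comes from. A comment at the top of the view would record that, for example `<!-- Access control and the jnlpMac request attribute are provided by SlaveComputer.doSlaveAgentJnlp; do not render this view by another route -->`. If the view were reached without that handler, the first argument would presumably render empty instead of exposing the MAC, which is the safe direction, but the remaining node details would be served unchecked.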
pom.xml
...
...
@@ -187,7 +187,7 @@ THE SOFTWARE.
<dependency>
<groupId>
org.jenkins-ci.main
</groupId>
<artifactId>
remoting
</artifactId>
<version>
2.2
1
</version>
<version>
2.2
2
</version>
</dependency>
<dependency>
...
...
test/src/test/java/hudson/bugs/JnlpAccessWithSecuredHudsonTest.java
...
...
@@ -83,7 +83,7 @@ public class JnlpAccessWithSecuredHudsonTest extends HudsonTestCase {
assertTrue
(
jarResource
.
getWebResponse
().
getContentType
().
toLowerCase
(
Locale
.
ENGLISH
).
startsWith
(
"application/"
));
}
// XXX this should be the only part with ANONYMOUS_READONLY
try
{
jnlp
=
(
XmlPage
)
jnlpAgent
.
goTo
(
"computer/test/slave-agent.jnlp"
,
"application/x-java-jnlp-file"
);
fail
(
"anonymous users must not be able to get secrets"
);
...
...
@@ -91,4 +91,7 @@ public class JnlpAccessWithSecuredHudsonTest extends HudsonTestCase {
assertEquals
(
HttpURLConnection
.
HTTP_FORBIDDEN
,
x
.
getStatusCode
());
}
}
// XXX try to use -secret
}
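Review bot: The new anonymous path is left untested: as far as the visible lines show, the changes here add `XXX` comments only, and nothing requests `computer/test/slave-agent.jnlp?encrypt=true` without credentials. A case asserting that this request returns `application/octet-stream` and that the body does not contain the node's MAC in clear would pin the behaviour the commit relies on, next to the existing assertion that the plain request fails with `HTTP_FORBIDDEN`. The `// XXX try to use -secret` marker should become a real case or a tracked issue. The test method starts outside the hunk, so an existing check elsewhere in the file cannot be ruled out.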