Merge branch 'security-stable-2.32' into security-master

765af977 · Jesse Glick · 696d2259 · 26ded361 · 765af977 · 765af977
6 changed file
--- a/core/src/main/java/hudson/console/ConsoleNote.java
+++ b/core/src/main/java/hudson/console/ConsoleNote.java
@@ -189,9 +189,11 @@ public abstract class ConsoleNote<T> implements Serializable, Describable<Consol
        DataOutputStream dos = new DataOutputStream(new Base64OutputStream(buf2,true,-1,null));
        try {
            buf2.write(PREAMBLE);
-            byte[] mac = MAC.mac(buf.toByteArray());
-            dos.writeInt(- mac.length); // negative to differentiate from older form
-            dos.write(mac);
+            if (Jenkins.getInstanceOrNull() != null) { // else we are in another JVM and cannot sign; result will be ignored unless INSECURE
+                byte[] mac = MAC.mac(buf.toByteArray());
+                dos.writeInt(- mac.length); // negative to differentiate from older form
+                dos.write(mac);
+            }
            dos.writeInt(buf.size());
            buf.writeTo(dos);
        } finally {

--- a/core/src/main/java/jenkins/security/ConfidentialStore.java
+++ b/core/src/main/java/jenkins/security/ConfidentialStore.java
@@ -59,9 +59,7 @@ public abstract class ConfidentialStore {
     * Retrieves the currently active singleton instance of {@link ConfidentialStore}.
     */
    public static @Nonnull ConfidentialStore get() {
-        if (TEST != null) {
-            return TEST;
-        }
+        if (TEST!=null) return TEST.get();

        Jenkins j = Jenkins.getInstance();
        Lookup lookup = j.lookup;
@@ -92,7 +90,7 @@ public abstract class ConfidentialStore {
    /**
     * Testing only. Used for testing {@link ConfidentialKey} without {@link Jenkins}
     */
-    /*package*/ static ConfidentialStore TEST = null;
+    /*package*/ static ThreadLocal<ConfidentialStore> TEST = null;

    private static final Logger LOGGER = Logger.getLogger(ConfidentialStore.class.getName());
 }
--- a/core/src/test/java/hudson/model/TaskActionTest.java
+++ b/core/src/test/java/hudson/model/TaskActionTest.java
 package hudson.model;

-import static org.junit.Assert.*;
+import static org.junit.Assert.assertTrue;

 import java.io.ByteArrayOutputStream;

 import hudson.console.AnnotatedLargeText;
 import hudson.security.ACL;
 import hudson.security.Permission;
-import jenkins.security.ConfidentialStoreRule;
 import org.acegisecurity.Authentication;
-import static org.hamcrest.CoreMatchers.startsWith;
-import org.junit.Rule;
 import org.junit.Test;

 /**
@@ -18,9 +15,6 @@ import org.junit.Test;
 */
 public class TaskActionTest {

-    @Rule
-    public ConfidentialStoreRule confidentialStoreRule = new ConfidentialStoreRule();
-
    private static class MyTaskThread extends TaskThread {
        MyTaskThread(TaskAction taskAction) {
            super(taskAction, ListenerAndText.forMemory(taskAction));
@@ -69,6 +63,6 @@ public class TaskActionTest {
        }
        ByteArrayOutputStream os = new ByteArrayOutputStream();
        annotatedText.writeLogTo(0, os);
-        assertThat(os.toString("UTF-8"), startsWith("a linkCompleted"));
+        assertTrue(os.toString("UTF-8").startsWith("a linkCompleted"));
    }
 }
--- a/core/src/test/java/jenkins/security/ConfidentialStoreRule.java
+++ b/core/src/test/java/jenkins/security/ConfidentialStoreRule.java
@@ -14,13 +14,16 @@ public class ConfidentialStoreRule extends ExternalResource {
    @Override
    protected void before() throws Throwable {
        tmp.create();
-        ConfidentialStore.TEST = new DefaultConfidentialStore(tmp.getRoot());
+        ConfidentialStore.TEST.set(new DefaultConfidentialStore(tmp.getRoot()));
    }

    @Override
    protected void after() {
-        ConfidentialStore.TEST = null;
+        ConfidentialStore.TEST.set(null);
        tmp.delete();
    }

+    static {
+        ConfidentialStore.TEST = new ThreadLocal<ConfidentialStore>();
+    }
 }
--- a/pom.xml
+++ b/pom.xml
@@ -93,7 +93,7 @@ THE SOFTWARE.

    <guavaVersion>11.0.1</guavaVersion>
    <slf4jVersion>1.7.7</slf4jVersion> <!-- < 1.6.x version didn't specify the license (MIT) -->
-    <maven-plugin.version>2.14.1-20170124.191714-1</maven-plugin.version>
+    <maven-plugin.version>2.14</maven-plugin.version>
    <matrix-project.version>1.4.1</matrix-project.version>
    <sorcerer.version>0.11</sorcerer.version>
    <animal.sniffer.skip>${skipTests}</animal.sniffer.skip>

--- a/core/src/test/java/hudson/console/AnnotatedLargeTextTest.java
+++ b/core/src/test/java/hudson/console/AnnotatedLargeTextTest.java
@@ -29,26 +29,27 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.PrintStream;
 import java.io.StringWriter;
-import jenkins.security.ConfidentialStoreRule;
+import java.util.logging.Level;
 import org.apache.commons.io.Charsets;
 import static org.hamcrest.CoreMatchers.*;
 import static org.junit.Assert.*;
-import org.junit.Test;
+import org.junit.ClassRule;
 import org.junit.Rule;
+import org.junit.Test;
 import org.jvnet.hudson.test.For;
 import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.LoggerRule;
 import org.kohsuke.stapler.framework.io.ByteBuffer;

 @For({AnnotatedLargeText.class, ConsoleNote.class, ConsoleAnnotationOutputStream.class, PlainTextConsoleOutputStream.class})
 public class AnnotatedLargeTextTest {

-    @Rule
-    public ConfidentialStoreRule confidentialStoreRule = new ConfidentialStoreRule();
+    @ClassRule
+    public static JenkinsRule r = new JenkinsRule();

-    /* TODO defined in jenkins-test-harness and so not available from tests in core module; use if moved to test module:
    @Rule
    public LoggerRule logging = new LoggerRule().record(ConsoleAnnotationOutputStream.class, Level.FINE).capture(100);
-    */

    @Test
    public void smokes() throws Exception {
@@ -78,7 +79,7 @@ public class AnnotatedLargeTextTest {
        StringWriter w = new StringWriter();
        text.writeHtmlTo(0, w);
        assertEquals("hellothere\n", w.toString());
-        // TODO expect log record with message "Failed to resurrect annotation" and IOException with message "Refusing to deserialize unsigned note from an old log."
+        assertThat(logging.getMessages(), hasItem("Failed to resurrect annotation")); // TODO assert that this is IOException: Refusing to deserialize unsigned note from an old log.
        ConsoleNote.INSECURE = true;
        try {
            w = new StringWriter();
@@ -101,7 +102,7 @@ public class AnnotatedLargeTextTest {
        StringWriter w = new StringWriter();
        text.writeHtmlTo(0, w);
        assertEquals("Go back to your home.\n", w.toString());
-        // TODO expect log record with message "Failed to resurrect annotation" and IOException with message "MAC mismatch"
+        assertThat(logging.getMessages(), hasItem("Failed to resurrect annotation")); // TODO assert that this is IOException: MAC mismatch
    }

    /** Simplified version of {@link HyperlinkNote}. */