Removed DownloadSettings.checkSignature; back to using a plain system property for this.

df9c92e4 · Jesse Glick · db8d6508 · df9c92e4 · df9c92e4 · df9c92e4
12 changed file
--- a/core/src/main/java/hudson/PluginManager.java
+++ b/core/src/main/java/hudson/PluginManager.java
@@ -111,7 +111,6 @@ import static hudson.init.InitMilestone.*;
 import hudson.model.DownloadService;
 import hudson.util.FormValidation;
 import static java.util.logging.Level.WARNING;
-import jenkins.security.DownloadSettings;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;

@@ -801,7 +800,7 @@ public abstract class PluginManager extends AbstractModelObject implements OnMas
    @Restricted(NoExternalUse.class)
    @RequirePOST public HttpResponse doCheckUpdatesServer() throws IOException {
        for (UpdateSite site : Jenkins.getInstance().getUpdateCenter().getSites()) {
-            FormValidation v = site.updateDirectlyNow(DownloadSettings.get().isCheckSignature());
+            FormValidation v = site.updateDirectlyNow(DownloadService.signatureCheck);
            if (v.kind != FormValidation.Kind.OK) {
                // TODO crude but enough for now
                return v;

--- a/core/src/main/java/hudson/model/DownloadService.java
+++ b/core/src/main/java/hudson/model/DownloadService.java
@@ -38,7 +38,7 @@ import java.io.InputStream;
 import java.net.URL;
 import java.net.URLEncoder;
 import java.util.logging.Logger;
-import jenkins.security.DownloadSettings;
+import jenkins.model.DownloadSettings;
 import jenkins.model.Jenkins;
 import jenkins.util.JSONSignatureValidator;
 import net.sf.json.JSONException;
@@ -301,7 +301,7 @@ public class DownloadService extends PageDecorator {
        private FormValidation load(String json, long dataTimestamp) throws IOException {
            JSONObject o = JSONObject.fromObject(json);

-            if (DownloadSettings.get().isCheckSignature()) {
+            if (signatureCheck) {
                FormValidation e = new JSONSignatureValidator("downloadable '"+id+"'").verifySignature(o);
                if (e.kind!= Kind.OK) {
                    return e;
@@ -345,7 +345,12 @@ public class DownloadService extends PageDecorator {

    public static boolean neverUpdate = Boolean.getBoolean(DownloadService.class.getName()+".never");

-    /** Now used only to set default value of, and enable UI switching of, {@link DownloadSettings#setIgnoreSignature}. */
+    /**
+     * May be used to temporarily disable signature checking on {@link DownloadService} and {@link UpdateCenter}.
+     * Useful when upstream signatures are broken, such as due to expired certificates.
+     * Should only be used when {@link DownloadSettings#isUseBrowser};
+     * disabling signature checks for in-browser downloads is <em>very dangerous</em> as unprivileged users could submit spoofed metadata!
+     */
    public static boolean signatureCheck = !Boolean.getBoolean(DownloadService.class.getName()+".noSignatureCheck");
 }

--- a/core/src/main/java/hudson/model/UpdateCenter.java
+++ b/core/src/main/java/hudson/model/UpdateCenter.java
@@ -88,7 +88,6 @@ import java.util.jar.JarFile;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.CheckForNull;
-import jenkins.security.DownloadSettings;
 import org.acegisecurity.context.SecurityContextHolder;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
@@ -631,7 +630,7 @@ public class UpdateCenter extends AbstractModelObject implements Saveable, OnMas
    public List<FormValidation> updateAllSites() throws InterruptedException, ExecutionException {
        List <Future<FormValidation>> futures = new ArrayList<Future<FormValidation>>();
        for (UpdateSite site : getSites()) {
-            Future<FormValidation> future = site.updateDirectly(DownloadSettings.get().isCheckSignature());
+            Future<FormValidation> future = site.updateDirectly(DownloadService.signatureCheck);
            if (future != null) {
                futures.add(future);
            }

--- a/core/src/main/java/hudson/model/UpdateSite.java
+++ b/core/src/main/java/hudson/model/UpdateSite.java
@@ -55,7 +55,7 @@ import java.util.logging.Logger;
 import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import jenkins.model.Jenkins;
-import jenkins.security.DownloadSettings;
+import jenkins.model.DownloadSettings;
 import jenkins.util.JSONSignatureValidator;
 import net.sf.json.JSONException;
 import net.sf.json.JSONObject;

--- a/core/src/main/java/jenkins/security/DownloadSettings.java
+++ b/core/src/main/java/jenkins/security/DownloadSettings.java
@@ -22,24 +22,19 @@
 * THE SOFTWARE.
 */

-package jenkins.security;
+package jenkins.model;

 import hudson.Extension;
-import hudson.PluginManager;
 import hudson.model.AsyncPeriodicWork;
 import hudson.model.DownloadService;
 import hudson.model.TaskListener;
 import hudson.model.UpdateSite;
 import hudson.util.FormValidation;
 import java.io.IOException;
-import jenkins.model.GlobalConfiguration;
-import jenkins.model.GlobalConfigurationCategory;
-import jenkins.model.Jenkins;
 import net.sf.json.JSONObject;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.HttpResponse;
-import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;

 /**
@@ -55,17 +50,11 @@ import org.kohsuke.stapler.StaplerRequest;
    }

    private boolean useBrowser = true; // historical default, not necessarily recommended
-    @SuppressWarnings("deprecation")
-    private boolean checkSignature = DownloadService.signatureCheck;
    
    public DownloadSettings() {
        load();
    }

-    @Override public GlobalConfigurationCategory getCategory() {
-        return GlobalConfigurationCategory.get(GlobalConfigurationCategory.Security.class);
-    }
-
    @Override public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
        req.bindJSON(this, json);
        return true;
@@ -80,30 +69,6 @@ import org.kohsuke.stapler.StaplerRequest;
        save();
    }

-    public boolean isCheckSignature() {
-        return checkSignature;
-    }
-    
-    public void setCheckSignature(boolean checkSignature) {
-        if (!checkSignature) {
-            // Just to be on the safe side. Normally this is implied by ADMINISTER, needed to configure the security screen anyway,
-            // but in case ADMINISTER but not CONFIGURE_UPDATECENTER is somehow granted, make sure signature checking cannot be disabled.
-            Jenkins.getInstance().checkPermission(PluginManager.CONFIGURE_UPDATECENTER);
-        }
-        this.checkSignature = checkSignature;
-        save();
-    }
-
-    public FormValidation doCheckCheckSignature(@QueryParameter boolean value, @QueryParameter boolean useBrowser) {
-        if (value) {
-            return FormValidation.ok();
-        } else if (useBrowser) {
-            return FormValidation.warningWithMarkup(Messages.DownloadSettings_disabling_signature_checks_for_in_browse());
-        } else {
-            return FormValidation.warningWithMarkup(Messages.DownloadSettings_disabling_signature_checks_is_not_recomm());
-        }
-    }
-
    @Extension public static final class DailyCheck extends AsyncPeriodicWork {

        public DailyCheck() {

--- a/core/src/main/resources/hudson/PluginManager/advanced.jelly
+++ b/core/src/main/resources/hudson/PluginManager/advanced.jelly
@@ -96,7 +96,7 @@ THE SOFTWARE.
      </tr>
    </table>
    <div align="right" style="margin-top:1em">
-      <j:invokeStatic var="ds" className="jenkins.security.DownloadSettings" method="get"/>
+      <j:invokeStatic var="ds" className="jenkins.model.DownloadSettings" method="get"/>
      <form method="post" action="${ds.useBrowser ? 'checkUpdates' : 'checkUpdatesServer'}">
        ${%lastUpdated(app.updateCenter.lastUpdatedString)}
        <f:submit value="${%Check now}" />

--- a/core/src/main/resources/hudson/model/UpdateCenter/PageDecoratorImpl/footer.jelly
+++ b/core/src/main/resources/hudson/model/UpdateCenter/PageDecoratorImpl/footer.jelly
@@ -31,7 +31,7 @@ THE SOFTWARE.
 -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <j:invokeStatic var="ds" className="jenkins.security.DownloadSettings" method="get"/>
+  <j:invokeStatic var="ds" className="jenkins.model.DownloadSettings" method="get"/>
  <j:if test="${ds.useBrowser}">
  <j:forEach var="site" items="${app.updateCenter.sites}">
    <j:if test="${site.due or forcedUpdateCheck}">

--- a/core/src/main/resources/jenkins/security/DownloadSettings/config.groovy
+++ b/core/src/main/resources/jenkins/security/DownloadSettings/config.groovy
@@ -6,9 +6,4 @@ f.section(title: _("Download Preferences")) {
    f.entry(title: _("Use Browser"), field: "useBrowser") {
        f.checkbox()
    }
-    if (!instance.checkSignature || !hudson.model.DownloadService.signatureCheck) { // do not display this option by default
-        f.entry(title: _("Check Signatures"), field: "checkSignature") {
-            f.checkbox()
-        }
-    }
 }
--- a/core/src/main/resources/jenkins/security/DownloadSettings/help-useBrowser.html
+++ b/core/src/main/resources/jenkins/security/DownloadSettings/help-useBrowser.html
--- a/core/src/main/resources/jenkins/security/DownloadSettings/help-checkSignature.html
+++ b/core/src/main/resources/jenkins/security/DownloadSettings/help-checkSignature.html
-<div>
-    Uncheck to skip the signature check on downloaded metadata.
-    This is generally dangerous and should only be used as an emergency measure when dealing with broken upstream metadata.
-</div>
--- a/core/src/main/resources/jenkins/security/Messages.properties
+++ b/core/src/main/resources/jenkins/security/Messages.properties
@@ -22,6 +22,4 @@

 ApiTokenProperty.DisplayName=API Token
 ApiTokenProperty.ChangeToken.Success=<div>Updated</div>
-DownloadSettings.disabling_signature_checks_for_in_browse=Disabling signature checks for in-browser downloads is <em>very dangerous</em> as unprivileged users could submit spoofed metadata!
-DownloadSettings.disabling_signature_checks_is_not_recomm=Disabling signature checks is not recommended except as a temporary measure when upstream metadata is broken, such as due to expired certificates.
-RekeySecretAdminMonitor.DisplayName=Re-keying
+RekeySecretAdminMonitor.DisplayName=Re-keying
\ No newline at end of file
--- a/test/src/test/java/hudson/model/DownloadServiceTest.java
+++ b/test/src/test/java/hudson/model/DownloadServiceTest.java
@@ -5,7 +5,6 @@ import java.io.IOException;
 import java.net.URL;
 import java.util.Set;
 import java.util.TreeSet;
-import jenkins.security.DownloadSettings;
 import net.sf.json.JSONObject;
 import org.jvnet.hudson.test.Bug;
 import org.jvnet.hudson.test.HudsonTestCase;
@@ -41,13 +40,13 @@ public class DownloadServiceTest extends HudsonTestCase {
        assertNull(job.getData());

        // and now it should work
-        DownloadSettings.get().setCheckSignature(false);
+        DownloadService.signatureCheck = false;
        try {
            createWebClient().goTo("/self/testPost");
            JSONObject d = job.getData();
            assertEquals(hashCode(),d.getInt("hello"));
        } finally {
-            DownloadSettings.get().setCheckSignature(true);
+            DownloadService.signatureCheck = true;
        }

        // TODO: test with a signature