[JENKINS-36720] - Fix Spotbugs issues (SE_COMPARATOR_SHOULD_BE_SERIALIZABLE, ES_COMPARING_STRINGS_WITH_EQ) (#4379)

* fixed Spotbugs issues (SE_COMPARATOR_SHOULD_BE_SERIALIZABLE, ES_COMPARING_STRINGS_WITH_EQ)

* replaced wildcard import with specific imports

* added missing import

* fixed spotbugs issues

* removed accidently added import

* [JENKINS-59656] when stopping a Run via the executors widget, make sure it's the intended one

* [JENKINS-59656] added Executor.stopBuild(String) instead of .stop(String)

* revert change to deprecated doStop(StaplerRequest,StaplerResponse), useless now that it's doStopBuild(String) which takes a runExtId parameter

* javadoc: "@since TODO" rather than "@since 2.???"

* [JENKINS-59656] added test case

* jelly cleanup with h.urlEncode(String)

* make Functions.urlEncode(null) return empty String

* Executor.doStopBuild(runExtId): ignore runExtId if executable is not a Run

* Executor.doStopBuild(runExtId) doesn't have to be a public API

removed some redundant constructs and replaced stringbuilder operations with too few arguments with string concatenation

* set HttpOnly flag to prevent cookie read by a malicious script in browser

* Update core/src/main/java/hudson/Functions.java
Co-Authored-By: NWadeck Follonier <Wadeck@users.noreply.github.com>

* Hide password form fields by default

* Trying to bypass enforced autocompletion by just having a test field at first

Something like onfocus didn't work, you'd tab through form elements
and unless you filled in the user name, changing the form field to
password would cause it to autocomplete.

It looks like, at least in Mac/Firefox, going from plain text to password
in the 'oninput' event handler works. The plain text is revealed neither
with typing nor pasting.

* Update core/src/main/resources/lib/form/password.jelly
Co-Authored-By: Ndaniel-beck <daniel-beck@users.noreply.github.com>

* Use previously defined value

* Make new password form fields opt-out

* Add support for redacting form secrets in new password field

* Have a password value pre-set in Jelly

* Fix method

* Fix test by clicking on the button to change the password

* Forgot period separator between class and property name

* Implement user setting for timezone

* Apply timezone everywhere

* Revert to medium dateStyle

* Simplify and cleanup

* Add javadocs and fix file headers

* Revert auto-changes by IntelliJ

* Add nullable annotation

* Use better display names

* Add tests

* Log a warning when the user's time zone is not valid

* Add username to log statement

* Make suggested change

* Cleaner way of dealing with invalid timezone

* Update core/src/main/resources/hudson/model/TimeZoneProperty/config.jelly
Co-Authored-By: NMatt Sicker <boards@gmail.com>

* Update tests

* Update config.properties

* Update config.jelly

* Update Functions.java

* Update layout.jelly

* Update Functions.java

* Update TimeZoneProperty.java

* Update TimeZoneProperty.java

* Update config.jelly

* Update config.properties

* Update TimeZonePropertyTest.java

* Update TimeZoneProperty.java

* Update Functions.java

[JENKINS-59164] - `Functions#toEmailSafeString()` was not really sanitizing the email string (#4185)

* Change getInstance() (deprecated) to get()

* Reverting modifications according review

* Changing for use the variable

[JENKINS-38719] Console note/annotator script.js URLs must include SESSION_HASH

(cherry picked from commit 0331d47d)

Functions.generateConsoleAnnotationScriptAndStylesheet needs to include the SESSION_HASH in the URL to properly invalidate scripts across restarts.

Signed-off-by: NMatt Sicker <boards@gmail.com>

* [JENKINS-50447] New design and slim down of login page

The change will provide a new designed login page that is using no external deps to prevent any possible malvious javascript.
We still allow the user to use the legacy login page, which has not changed the behaviour.

[JENKINS-50447] Implement error case and use final svg jenkins logo

[JENKINS-50447] remove mock up logo

[JENKINS-50447] Fix feet back from jlong

[JENKINS-50447_squash] Use theme css which only contains values to be overriden. Drop ie js since with the theme css it is not needed anymore

* [JENKINS-50447_squash] Fix expression to evaluate when to show an error and when to simply redirect

* eslint - formating changes and fix offences

* [JENKINS-50447_squash] Use system property to controll whether or not to use the legacy login

* [JENKINS-50447_squash] prevent that the jsessionId appears in the url which should fix most tests

* [JENKINS-50447_squash] Fix cli test by adding pageDecorators magic from layout.jelly

* [JENKINS-50447_squash] remove pageDecorators because they assume existence of js that we do not have

* [JENKINS-50447] New design and slim down of login page

The change will provide a new designed login page that is using no external deps to prevent any possible malvious javascript.
We still allow the user to use the legacy login page, which has not changed the behaviour.

[JENKINS-50447] Implement error case and use final svg jenkins logo

[JENKINS-50447] remove mock up logo

[JENKINS-50447] Fix feet back from jlong

[JENKINS-50447_squash] Use theme css which only contains values to be overriden. Drop ie js since with the theme css it is not needed anymore

[JENKINS-50447_squash] Fix expression to evaluate when to show an error and when to simply redirect

eslint - formating changes and fix offences

[JENKINS-50447_squash] Use system property to controll whether or not to use the legacy login

[JENKINS-50447_squash] prevent that the jsessionId appears in the url which should fix most tests

[JENKINS-50447_squash] Fix cli test by adding pageDecorators magic from layout.jelly

[JENKINS-50447_squash] remove pageDecorators because they assume existence of js that we do not have

[JENKINS-50447_squash] make login page extensible with pagedecorators

[JENKINS-50447_squash] drop legacy support

* Make theme customisable by using a magic package for css and header. Limiting the implemetation of those to one.

* [JENKINS-50447_squash] Creating a specific decorator for login which only returns one instance

* [JENKINS-50447_squash] using rounded corner

* JENKINS-50447 remove legacy code

* [JENKINS-50447_squash] Fix comments from @amuniz about javadoc and uniqueness of css for login

* [JENKINS-50447_squash] Fix click on label span to toggle the select of the checkbox

* [JENKINS-50447_squash] fix comments from @daniel-beck

* [JENKINS-50447_squash] Fix license headers

* [JENKINS-50447_squash] Implement loading/restarting and signup with same design

* [JENKINS-50447_squash] Implement the loading/restarting view and signup with same design as the login page

* [JENKINS-50447_squash] Remove limitation that only one validation error can be shown at a time

* [JENKINS-50447_squash] implement password strength checker

* [JENKINS-50447_squash] Fix different comments from @daniel-beck regarding titles. Further enhanced spacing of label and input

* [JENKINS-50447_squash] Fix restart screen css. Fix comments regarding signup page.

* [JENKINS-50447_squash] fix tabindex flow

* harmonize design
- of checkboxes using jdl styles.
- distance of headers

* [JENKINS-50447] Fix comments from @daniel-beck
- fix some accessibility issues
-- html has now a lang tag
-- define main region
- fix missplaced }
- fix when server down for real that we still show the loading page

* [JENKINS-50447_squash] should never ended up here

(cherry picked from commit 7c23884c)

* Add getSystemProperty(key) to fix hudson.consoleTailKB system property

* Add Javadoc, @Restricted and delegate to SystemProperties

These changes were requested by @daniel-beck.

* PR was not merged in time for 2.96

* Changes as requested by @oleg-nenashev

(cherry picked from commit 006c5125)

* Add getSystemProperty(key) to fix hudson.consoleTailKB system property

* Add Javadoc, @Restricted and delegate to SystemProperties

These changes were requested by @daniel-beck.

* PR was not merged in time for 2.96

* Changes as requested by @oleg-nenashev

* [JENKINS-27026] Notify the SecurityListener in case of Token based authentication success
- due the current version of the method, the UserDetails required for the event was not accessible. In order to stay with the same API in SecurityListener, two "protected" methods were created to split the job and let the UserDetails accessible

* - add test to ensure the SecurityListener is called for REST Token but also for regular basic auth

* - remove the comment about the split, will be put in GitHub comment instead

* - add check for anonymous call instead of just putting a comment
- remove the constructor in the dummy
- add link to PR from Daniel to simplify a call

* - separate the before/after to save one clear and be more explicit
- put more meaning in the assertLastEventIs method by explicitly say we will remove the last event

* - add comment about why we do not fire the "failedToAuthenticated" in the case of an invalid token (tips: it's because it could be a valid password)

* - also add the authenticated trigger on legacy filter as pointed by Ivan

* - add support of event on CLI remoting authentication
- adjust tests by moving the helper class used to spy on events

* - as mentioned Yvan, the code had some problems with null checking, so the approach is changed in order to encapsulate all that internal mechanism

* - add javadoc
- open the getUserDetailsForImpersonation from the User (will let the SSHD module to retrieve UserDetails from that)

* - remove single quote in log messages

* - basic corrections requested by Jesse

* - just another typo

* - adjust the javadoc for SecurityListener events

* - add the link to Jenkins#Anonymous

* - add link (not using see)

* - update comment on the isAnonymous as we (me + Oleg) do not find a best place at the moment

* - put the new method isAnonymous in ACL instead of Functions

* - little typo
- add requirement about the SecurityContext authentication

* Add default implementations to deprecated methods of BuilableItem and Item.

Currently the interface requires the API user to implement already deprecated methods.
It does not make much sense, and the API could be simplified.

* Address comments from @jglick

* Introducing ItemGroup.allItems and similar default methods.

* Do not get me started.

Clarifying relation between host/port variables as used by Remoting-based CLI vs. other protocol clients.

* Add support for exporting jobs in folders recursively

* Convert cc.xml into a Groovy view

* Revert "Convert cc.xml into a Groovy view"

This reverts commit 990ec3ebfb0838ec3b1b421dfe5d6518cbd79784.

* Move logic in jelly view to static method

* Adding some interface default method implementations rather than catching AbstractMethodError or providing partial implementation classes.

* Show Javadoc warnings and errors, but not ‘Generating …/core/target/site/apidocs/jenkins/model/lazy/class-use/AbstractLazyLoadRunMap.html...’ and the like.

* Javadoc fixes.

* Review comments from @oleg-nenashev.

* Test fixes.

* Remove the unused import

* Reference redirectors and jenkins.io as much as possible

* Something went wrong, so this is a troubleshooting URL

* More specific redirect URLs