Mixing trusted & untrusted code in one CPS session #36
See doc/sandbox.md for the explanation of this change. Previously, whether to sandbox or not was a decision made at the point of thread creation, which made it impossible to mix trusted code & untrusted code in a single program. This change fixes that by making this decision at the call site level. In Jenkins, this enables plugins to package Groovy code that gets CPS-transformed but runs outside the sandbox. Attention was paid to preserve backward compatibility with the persisted form of the program, which is translated without any trusted/untrusted call site tags.
Without a downstream PR it is unclear what this is for. Would it allow JENKINS-34650 to be solved, as per jenkinsci/workflow-cps-global-lib-plugin#2?
You are right that this needs some downstream PR before concluding. That said, this change is ready to be looked at. I was doing this to enable plugins that are written in Groovy that are CPS transformed, in the context of a joint PoC effort with @abayer. I think JENKINS-34650 is a good user-visible feature out of this change. I'll work on it.
🐝
or the invocation should be always allowed to happen (trusted.) | ||
|
||
The call site tagging mechanism itself is more general, so it can be used for other purposes, | ||
for example to record where it came from, etc. |
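Review bot: The sentence "it can be used for other purposes, for example to record where it came from, etc." leaves the contract of a tag open, while the line before it says a trusted call site is always allowed to happen. Suggest stating here who is allowed to attach a tag to a call site and how the sandbox treats a call site that carries neither tag, since the PR description says persisted programs are translated without any trusted/untrusted call site tags.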
So it could at some point be used to record a CodeSource, for example?
Right
🐝
@@ -240,7 +240,7 @@ class CpsTransformer extends CompilationCustomizer implements GroovyCodeVisitor | |||
/** | |||
* {@link Trusted} or {@link Untrusted} tag that gets added to call site. | |||
* | |||
* @see 'doc/sandbox.md' | |||
* @see "doc/sandbox.md" |
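Review bot: On the `@see "doc/sandbox.md"` line, the double-quoted form is valid Javadoc but is emitted as plain text with no link, and a repository-relative path does not resolve from generated API documentation. Suggest either linking the document with an `<a href="...">` form or adding one sentence to this comment saying how the transformer chooses between {@link Trusted} and {@link Untrusted} for a call site, so the security-relevant rule is readable without leaving the source file.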
This is not correct either AFAIK.
See doc/sandbox.md for the explanation of what this does. @reviewbybees