Mixing trusted & untrusted code in one CPS session #36

Merged
merged 4 commits into from Jul 29, 2016

@kohsuke
Member

kohsuke commented Jul 22, 2016

See doc/sandbox.md for the explanation of what this does.

@reviewbybees

kohsuke added some commits Jul 22, 2016

Call site tagging + enable mixing trusted/untrusted code
See doc/sandbox.md for the explanation of this change.

Previously, whether to sandbox or not was a decision made at the point
of thread creation, which made it impossible to mix trusted code &
untrusted code in a single program.

This change fixes that by making this decision at the call site level.
In Jenkins, this enables plugins to package Groovy code that gets
CPS-transformed but runs outside sandbox.

Attention was paid to preserve backward compatibility with the persisted
form of the program, which is translated without any trusted/untrusted
call site tags.

@kohsuke kohsuke changed the title from Call site tag to Mixing trusted & untrusted code in one CPS session Jul 22, 2016

@jglick

Member

jglick commented Jul 25, 2016

Without a downstream PR it is unclear what this is for. Would it allow JENKINS-34650 to be solved, as per jenkinsci/workflow-cps-global-lib-plugin#2?

@kohsuke

Member

kohsuke commented Jul 25, 2016

You are right that this needs some downstream PR before concluding. That said, this change is ready to be looked at.

I was doing this to enable plugins that are written in Groovy that are CPS transformed, in the context of a joint PoC effort with @abayer.

I think JENKINS-34650 is a good user visible feature out of this change. I'll work on it.

@abayer

Contributor

abayer commented Jul 28, 2016

🐝

or the invocation should be always allowed to happen (trusted.)
The call site tagging mechanism itself is more general, so it can be used for other purposes,
for example to record where it came from, etc.
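
Review bot: the text ending "always allowed to happen (trusted.)" does not say who may mark a call site as trusted. Since a trusted call site is always allowed, the document should state where the tag is assigned and that untrusted script has no way to set or alter it, if that is not already covered elsewhere in doc/sandbox.md.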

@jglick

jglick Jul 29, 2016

Member

So it could at some point be used to record a CodeSource, for example?

@kohsuke

kohsuke Jul 29, 2016

Member

Right

/**
* {@link Trusted} or {@link Untrusted} tag that gets added to call site.
*
* @see 'doc/sandbox.md'

@jglick

jglick Jul 29, 2016

Member

Invalid syntax AFAIK; you can specify either a member (as per link), or an HTML <a> element.

@kohsuke

kohsuke Jul 29, 2016

Member

James Nord educated me that I have to use double-quotes.

*/
public interface CallSiteBlock extends Serializable, Block {
/**
* Tags assocaited with this call site.
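
Review bot: typo in the Javadoc line "Tags assocaited with this call site", which should read "associated". This comment could also say what an empty tag collection means, since the commit message notes that previously persisted programs carry no trusted/untrusted tags at all.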

@jglick

Member

jglick commented Jul 29, 2016

🐝

@kohsuke kohsuke merged commit 5539bb7 into master Jul 29, 2016

@kohsuke kohsuke deleted the call-site-tag branch Jul 29, 2016

@@ -240,7 +240,7 @@ class CpsTransformer extends CompilationCustomizer implements GroovyCodeVisitor
/**
* {@link Trusted} or {@link Untrusted} tag that gets added to call site.
*
* @see 'doc/sandbox.md'
* @see "doc/sandbox.md"
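
Review bot: `@see "doc/sandbox.md"` is the quoted-string form of @see, which Javadoc emits as plain text with no link, and the path is relative to the repository rather than to the generated docs. An `<a href="...">` element pointing at the document's published URL would give readers of the Javadoc something they can follow.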

@jglick

jglick Aug 4, 2016

Member

This is not correct either AFAIK.

@@ -18,6 +19,7 @@
* @see Env#getInvoker()
* @see Continuable#Continuable(Script, Env)
* @see Envs#empty(Invoker)
* @see "doc/sandbox.md"
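
Review bot: the added `@see "doc/sandbox.md"` follows three member references that Javadoc will link, but it renders as unlinked text with no hint of why it is listed. One sentence in the class description saying that sandbox.md covers the trusted/untrusted call site handling would tell readers when to open it.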

@jglick

jglick Aug 4, 2016

Member

🐜 This is invalid syntax for @see AFAIK.
