
Implement fix for access control #135

@patcadelina

Slave To Master Access Control documents the need for plugins to properly implement access control so that whitelisting <JENKINS_HOME>/plugins/selenium/.* in <JENKINS_HOME>/secrets/filepath-filters.d/50-gui.conf would not be necessary.

Logs:

Starting Selenium nodes on <redacted>

Ouch:
java.io.IOException: Failed to copy <JENKINS_HOME>/plugins/selenium/WEB-INF/lib/selenium-server-standalone-3.12.0.jar to C:\Users\Administrator\selenium-server-standalone-3.12.0.jar
	at hudson.FilePath.copyTo(FilePath.java:2233)
	at hudson.plugins.selenium.callables.SeleniumCallable.invoke(SeleniumCallable.java:76)
	at hudson.plugins.selenium.callables.SeleniumCallable.invoke(SeleniumCallable.java:23)
	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3085)
	at hudson.remoting.UserRequest.perform(UserRequest.java:212)
	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
	at hudson.remoting.Request$2.run(Request.java:369)
	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
	Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to Selenium (sir-nssig92k)
		at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1741)
		at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:357)
		at hudson.remoting.Channel.call(Channel.java:955)
		at hudson.FilePath.act(FilePath.java:1071)
		at hudson.FilePath.act(FilePath.java:1060)
		at hudson.plugins.selenium.process.SeleniumJarRunner.start(SeleniumJarRunner.java:42)
		at hudson.plugins.selenium.configuration.global.SeleniumGlobalConfiguration.start(SeleniumGlobalConfiguration.java:50)
		at hudson.plugins.selenium.PluginImpl.startSeleniumNode(PluginImpl.java:503)
		at hudson.plugins.selenium.ComputerListenerImpl.onOnline(ComputerListenerImpl.java:30)
		at hudson.slaves.SlaveComputer.setChannel(SlaveComputer.java:693)
		at hudson.slaves.SlaveComputer.setChannel(SlaveComputer.java:432)
		at hudson.plugins.ec2.win.EC2WindowsLauncher.launch(EC2WindowsLauncher.java:70)
		at hudson.plugins.ec2.EC2ComputerLauncher.launch(EC2ComputerLauncher.java:122)
		at hudson.slaves.SlaveComputer$1.call(SlaveComputer.java:294)
		at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
		at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:71)
		at java.util.concurrent.FutureTask.run(FutureTask.java:266)
		at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
		at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
		at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Failed to deserialize response to UserRequest:hudson.FilePath$CopyTo@3adba329: java.lang.SecurityException: agent may not read <JENKINS_HOME>/plugins/selenium/WEB-INF/lib/selenium-server-standalone-3.12.0.jar
See https://jenkins.io/redirect/security-144 for more details
	at hudson.remoting.Channel.call(Channel.java:963)
	at hudson.FilePath.act(FilePath.java:1071)
	at hudson.FilePath.act(FilePath.java:1060)
	at hudson.FilePath.copyTo(FilePath.java:2275)
	at hudson.FilePath.copyTo(FilePath.java:2230)
	... 11 more
Caused by: java.lang.SecurityException: agent may not read <JENKINS_HOME>/plugins/selenium/WEB-INF/lib/selenium-server-standalone-3.12.0.jar
See https://jenkins.io/redirect/security-144 for more details
	at jenkins.SoloFilePathFilter.noFalse(SoloFilePathFilter.java:33)
	at jenkins.SoloFilePathFilter.read(SoloFilePathFilter.java:43)
	at hudson.FilePath.reading(FilePath.java:3218)
	at hudson.FilePath.access$300(FilePath.java:212)
	at hudson.FilePath$CopyTo.invoke(FilePath.java:2289)
	at hudson.FilePath$CopyTo.invoke(FilePath.java:2281)
	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3085)
	at hudson.remoting.UserRequest.perform(UserRequest.java:212)
	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
	at hudson.remoting.Request$2.run(Request.java:369)
	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
	at org.jenkinsci.remoting.CallableDecorator.call(CallableDecorator.java:19)
	at hudson.remoting.CallableDecoratorList$1.call(CallableDecoratorList.java:21)
	at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
	at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:71)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
	Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to channel
		at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1741)
		at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:357)
		at hudson.remoting.Channel.call(Channel.java:955)
		at hudson.FilePath.act(FilePath.java:1071)
		at hudson.FilePath.act(FilePath.java:1060)
		at hudson.FilePath.copyTo(FilePath.java:2275)
		at hudson.FilePath.copyTo(FilePath.java:2230)
		at hudson.plugins.selenium.callables.SeleniumCallable.invoke(SeleniumCallable.java:76)
		at hudson.plugins.selenium.callables.SeleniumCallable.invoke(SeleniumCallable.java:23)
		at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3085)
		at hudson.remoting.UserRequest.perform(UserRequest.java:212)
		at hudson.remoting.UserRequest.perform(UserRequest.java:54)
		at hudson.remoting.Request$2.run(Request.java:369)
		at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
		at java.util.concurrent.FutureTask.run(Unknown Source)
		at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
		at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
		at java.lang.Thread.run(Unknown Source)
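
Added example, not part of the original issue and not the plugin's code: the trace shows a callable on the agent asking the controller to read a file under <JENKINS_HOME>, which the file path filter rejects. A sketch of the usual alternative, where controller-side code reads its own file and pushes it to the agent, so no agent-originated read reaches the filter. The class and method names are hypothetical; it assumes Jenkins core on the classpath and is meant to be called from controller-side code.

```java
import hudson.FilePath;
import hudson.remoting.VirtualChannel;
import jenkins.MasterToSlaveFileCallable;
import jenkins.model.Jenkins;

import java.io.File;
import java.io.IOException;

/** Hypothetical helper; every method here is invoked on the controller. */
public final class ControllerSideJarPush {

    private ControllerSideJarPush() {}

    /** Locates a jar bundled in a plugin's WEB-INF/lib under JENKINS_HOME. */
    static File bundledJar(String pluginName, String jarName) {
        File lib = new File(Jenkins.get().getRootDir(),
                "plugins/" + pluginName + "/WEB-INF/lib");
        return new File(lib, jarName);
    }

    /**
     * Pushes the jar into agentDir (a FilePath bound to the agent's channel).
     * The read happens locally on the controller and only the write crosses
     * the channel, so no filepath-filters.d whitelist entry is needed.
     */
    public static FilePath pushJar(File jarOnController, FilePath agentDir)
            throws IOException, InterruptedException {
        if (!jarOnController.isFile()) {
            throw new IOException("Missing bundled jar: " + jarOnController);
        }
        FilePath target = agentDir.child(jarOnController.getName());
        new FilePath(jarOnController).copyTo(target);
        // Work that must run on the agent touches only the agent-local copy.
        long size = target.act(new LocalSize());
        if (size != jarOnController.length()) {
            throw new IOException("Short copy to " + target.getRemote());
        }
        return target;
    }

    /** Controller-to-agent callable: never reaches back into JENKINS_HOME. */
    private static final class LocalSize extends MasterToSlaveFileCallable<Long> {
        private static final long serialVersionUID = 1L;

        @Override
        public Long invoke(File f, VirtualChannel channel) {
            return f.length();
        }
    }
}
```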
