jenkinsci · MarkEWaite · Aug 3, 2024 · Aug 3, 2024 · Aug 3, 2024 · Aug 3, 2024
@@ -580,12 +580,6 @@ public void testDoNotifyCommitWithValidSha1AndValidApiToken() throws Exception {
         assertEquals(lastBuild.getNumber(), 1);
     }
 
-    @Test
-    @Issue("SECURITY-284")
-    public void testDoNotifyCommitWithInvalidApiToken() throws Exception {
-        // Test moved to GitStepTest#testDoNotifyCommitWithInvalidApiToken()
-    }
-
     @Test
     @Issue("SECURITY-284")
     public void testDoNotifyCommitWithUnauthenticatedPollingAllowed() throws Exception {
@@ -597,19 +591,6 @@ public void testDoNotifyCommitWithUnauthenticatedPollingAllowed() throws Excepti
         Mockito.verify(trigger).run();
     }
 
-    @Test
-    @Issue("SECURITY-284")
-    public void testDoNotifyCommitWithAllowModeRandomValue() throws Exception {
-        GitStatus.NOTIFY_COMMIT_ACCESS_CONTROL = "random";
-        setupProjectWithTrigger("a", "master", false);
-        StaplerResponse res = mock(StaplerResponse.class);
-
-        HttpResponse httpResponse = this.gitStatus.doNotifyCommit(requestWithNoParameter, "a", "master", null, null);
-        httpResponse.generateResponse(null, res, null);
-
-        Mockito.verify(res).sendError(401, "An access token is required. Please refer to Git plugin documentation (https://plugins.jenkins.io/git/#plugin-content-push-notification-from-repository) for details.");
-    }
-
     @Test
     @Issue("SECURITY-284")
     public void testDoNotifyCommitWithSha1AndAllowModePoll() throws Exception {
@@ -623,19 +604,6 @@ public void testDoNotifyCommitWithSha1AndAllowModePoll() throws Exception {
         Mockito.verify(res).sendError(401, "An access token is required when using the sha1 parameter. Please refer to Git plugin documentation (https://plugins.jenkins.io/git/#plugin-content-push-notification-from-repository) for details.");
     }
 
-    @Test
-    @Issue("SECURITY-284")
-    public void testDoNotifyCommitWithSha1AndAllowModePollWithInvalidToken() throws Exception {
-        GitStatus.NOTIFY_COMMIT_ACCESS_CONTROL = "disabled-for-polling";
-        setupProjectWithTrigger("a", "master", false);
-        StaplerResponse res = mock(StaplerResponse.class);
-
-        HttpResponse httpResponse = this.gitStatus.doNotifyCommit(requestWithNoParameter, "a", "master", sha1, "invalid");
-        httpResponse.generateResponse(null, res, null);
-
-        Mockito.verify(res).sendError(403, "Invalid access token");
-    }
-
     @Test
     @Issue("SECURITY-284")
     public void testDoNotifyCommitWithAllowModeSha1() throws Exception {

@@ -22,7 +22,7 @@
  * THE SOFTWARE.
  */
 
-package jenkins.plugins.git;
+package hudson.plugins.git;
 
 import com.cloudbees.plugins.credentials.CredentialsProvider;
 import com.cloudbees.plugins.credentials.CredentialsScope;
@@ -31,6 +31,7 @@
 import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl;
 import hudson.model.Label;
 import hudson.plugins.git.GitSCM;
+import hudson.plugins.git.GitStatus;
 import hudson.plugins.git.GitTagAction;
 import hudson.plugins.git.util.BuildData;
 import hudson.scm.ChangeLogSet;
@@ -39,6 +40,10 @@
 import java.util.Iterator;
 import java.util.List;
 import jenkins.util.VirtualFile;
+import jenkins.plugins.git.CliGitCommand;
+import jenkins.plugins.git.GitSampleRepoRule;
+import jenkins.plugins.git.GitStep;
+import jenkins.plugins.git.RandomOrder;
 import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
 import org.jenkinsci.plugins.workflow.job.WorkflowJob;
 import org.jenkinsci.plugins.workflow.job.WorkflowRun;
@@ -47,10 +52,13 @@
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assume.assumeTrue;
+import org.junit.After;
+import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
 import org.junit.Rule;
@@ -97,6 +105,13 @@ private boolean isTimeAvailable() {
         return stopwatch.runtime(SECONDS) <= MAX_SECONDS_FOR_THESE_TESTS;
     }
 
+    private static String NOTIFY_COMMIT_ACCESS_CONTROL_ORIGINAL = GitStatus.NOTIFY_COMMIT_ACCESS_CONTROL;
+
+    @After
+    public void resetNotifyCommitAccessControl() {
+        GitStatus.NOTIFY_COMMIT_ACCESS_CONTROL = NOTIFY_COMMIT_ACCESS_CONTROL_ORIGINAL;
+    }
+
     @Test
     public void roundtrip() throws Exception {
         assumeTrue("Test class max time " + MAX_SECONDS_FOR_THESE_TESTS + " exceeded", isTimeAvailable());
@@ -297,19 +312,57 @@ public void commitToWorkspace() throws Exception {
         r.waitForMessage("+edited by build", b);
     }
 
-    @Test
-    @Issue("SECURITY-284")
-    public void testDoNotifyCommitWithInvalidApiToken() throws Exception {
-        assumeTrue("Test class max time " + MAX_SECONDS_FOR_THESE_TESTS + " exceeded", isTimeAvailable());
+    private WorkflowJob createJob() throws Exception {
         sampleRepo.init();
         WorkflowJob p = r.jenkins.createProject(WorkflowJob.class, "demo");
         p.addTrigger(new SCMTrigger("")); // no schedule, use notifyCommit only
         p.setDefinition(new CpsFlowDefinition(
             "node {\n" +
-            "    error('this echo should never be called')\n" +
+            "    error('this should never be called')\n" +
             "}", true));
+        return p;
+    }
+
+    @Test
+    @Issue("SECURITY-284")
+    public void testDoNotifyCommitWithInvalidApiToken() throws Exception {
+        assumeTrue("Test class max time " + MAX_SECONDS_FOR_THESE_TESTS + " exceeded", isTimeAvailable());
+        createJob();
         String response = sampleRepo.notifyCommit(r, GitSampleRepoRule.INVALID_NOTIFY_COMMIT_TOKEN);
         assertThat(response, containsString("Invalid access token"));
     }
 
+    @Test
+    @Issue("SECURITY-284")
+    public void testDoNotifyCommitWithAllowModeRandomValue() throws Exception {
+        assumeTrue("Test class max time " + MAX_SECONDS_FOR_THESE_TESTS + " exceeded", isTimeAvailable());
+        createJob();
+        String response = sampleRepo.notifyCommit(r, null);
+        assertThat(response, containsString("An access token is required. Please refer to Git plugin documentation (https://plugins.jenkins.io/git/#plugin-content-push-notification-from-repository) for details."));
+    }
+
+    @Test
+    @Issue("SECURITY-284")
+    public void testDoNotifyCommitWithSha1AndAllowModePollWithInvalidToken() throws Exception {
+        assumeTrue("Test class max time " + MAX_SECONDS_FOR_THESE_TESTS + " exceeded", isTimeAvailable());
+        GitStatus.NOTIFY_COMMIT_ACCESS_CONTROL = "disabled-for-polling";
+        createJob();
+        /* sha1 is ignored because no access token is provided */
+        String sha1 = "4b714b66959463a98e9dfb1983db5a39a39fa6d6";
+        String response = sampleRepo.notifyCommit(r, null, sha1);
+        assertThat(response, containsString("An access token is required when using the sha1 parameter"));
+    }
+
+    @Test
+    @Issue("SECURITY-284")
+    public void testDoNotifyCommitWithSha1AndAllowModePoll() throws Exception {
+        assumeTrue("Test class max time " + MAX_SECONDS_FOR_THESE_TESTS + " exceeded", isTimeAvailable());
+        GitStatus.NOTIFY_COMMIT_ACCESS_CONTROL = "disabled-for-polling";
+        createJob();
+        /* sha1 is ignored because invalid access token is provided */
+        String sha1 = "4b714b66959463a98e9dfb1983db5a39a39fa6d6";
+        String response = sampleRepo.notifyCommit(r, GitSampleRepoRule.INVALID_NOTIFY_COMMIT_TOKEN, sha1);
+        assertThat(response, containsString("Invalid access token"));
+    }
+
 }
@@ -24,6 +24,7 @@
 
 package jenkins.plugins.git;
 
+import edu.umd.cs.findbugs.annotations.CheckForNull;
 import org.htmlunit.WebResponse;
 import org.htmlunit.util.NameValuePair;
 import hudson.Launcher;
@@ -102,14 +103,31 @@ public final boolean mkdirs(String rel) throws IOException {
 
     public String notifyCommit(JenkinsRule r) throws Exception {
         String notifyCommitToken = ApiTokenPropertyConfiguration.get().generateApiToken("notifyCommit").getString("value");
-        return notifyCommit(r, notifyCommitToken);
+        return notifyCommit(r, notifyCommitToken, null);
     }
 
-    public String notifyCommit(JenkinsRule r, String notifyCommitToken) throws Exception {
-        /* If the caller expects an error and does not want an
-         * exception thrown by the web response, the notifyCommitToken
-         * must contain the invalid notifyCommit token string */
-        boolean expectError = notifyCommitToken.contains(INVALID_NOTIFY_COMMIT_TOKEN);
+    public String notifyCommit(JenkinsRule r, @CheckForNull String notifyCommitToken) throws Exception {
+        return notifyCommit(r, notifyCommitToken, null);
+    }
+
+    /**
+     * Use WebClient to call notifyCommit on the current repository.
+     *
+     * If the caller expects an error and does not want an
+     * exception thrown by the web response, the notifyCommitToken
+     * must contain the invalid notifyCommit token string.
+     *
+     * If the caller wants to pass no access token, the
+     * notifyCommitToken needs to be null
+     *
+     * If the caller wants to pass no SHA-1, the sha1 parameter needs to be null.
+     *
+     * @param r JenkinsRule to receive the commit notification
+     * @param notifyCommitToken token used for notifyCommit authentication
+     * @param sha1 SHA-1 hash to included in notifyCommit
+     **/
+    public String notifyCommit(JenkinsRule r, @CheckForNull String notifyCommitToken, @CheckForNull String sha1) throws Exception {
+        boolean expectError = notifyCommitToken == null || notifyCommitToken.contains(INVALID_NOTIFY_COMMIT_TOKEN);
         synchronousPolling(r);
         JenkinsRule.WebClient webClient = r.createWebClient();
         if (expectError) {
@@ -119,8 +137,10 @@ public String notifyCommit(JenkinsRule r, String notifyCommitToken) throws Excep
             webClient.getOptions().setPrintContentOnFailingStatusCode(false);
         }
         String responseFormat = expectError ? "text/html" : "text/plain";
+        String tokenArgument = notifyCommitToken != null ? "&token=" + notifyCommitToken : "";
+        String sha1Argument = sha1 != null ? "&sha1=" + sha1 : "";
 
-        WebResponse webResponse = webClient.goTo("git/notifyCommit?url=" + bareUrl() + "&token=" + notifyCommitToken, responseFormat).getWebResponse();
+        WebResponse webResponse = webClient.goTo("git/notifyCommit?url=" + bareUrl() + tokenArgument + sha1Argument, responseFormat).getWebResponse();
         StringBuilder sb = new StringBuilder(webResponse.getContentAsString());
         if (!expectError) {
             LOGGER.log(Level.FINE, sb.toString());