Improve unit test framework to execute in near sandboxed jenkins environment

griddynamics / mpl

[IT-36925] Jenkins Shared Modular Pipeline Library

https://blog.griddynamics.com/developing-a-modular-pipeline-library-to-improve-devops-collaboration/

Apache License 2.0

157 stars 97 forks source link

Improve unit test framework to execute in near sandboxed jenkins environment #32

Open sparshev opened 5 years ago

sparshev commented 5 years ago

Right now unit tests are executing in a quite relaxed environment, but we need a way to check that the same logic will work in jenkins sandbox (by using the original script-security plugin) and right now it's hard to say for sure.

sparshev commented 4 years ago

Ok, the thing is moving slightly - right now I'm going through mocking of CPS Script, hopefully this is possible.

sparshev commented 4 years ago

Prepared CPS test base #49 and posted a couple of issues to JenkinsPipelineUnit:

jenkinsci/JenkinsPipelineUnit#159 - related to JENKINS-59911
jenkinsci/JenkinsPipelineUnit#160 - to show the better exceptions

Still not used security plugin I think, but CPS is already something.

sparshev commented 4 years ago

JenkinsPipelineUnit don't allow to execute CPS tests on somehow complex pipelines that using groovy closures methods (.find/.findAll and many others) due to issue (for example [1,2,3].findAll { it > 1 } will return false instead of [2,3]), like the one was fixed here: jenkinsci/workflow-cps-plugin#124

sparshev commented 4 years ago

I tried a number of ways and seems just one is working well for us:

Running CPS tes base of the JenkinsPipelineUnit

Uses groovy-cps, but without improvements of workflow-cps plugin, so making not much sense.

Running JenkinsRule with intercepting CpsScript

Unfortunately will not work properly, because CpsScript is highly protected: final invokeMethod() and the other functions that could be changed - it requires too much support and not working without changes.

Running JenkinsRule with intercepting groovy-cps Invoker classes (SandboxInvoker, DefaultInvoker)

Working well with minimal changes and there is a minimal risk of some additional changes. Also allow to prepare rules for sandboxed or non-sandboxed scopes and choose the depth of the intercepting:

only CpsScript calls - like for JenkinsPipelineUnit
all calls in the CPS
maybe there is a way to narrow the scope to the loaded shared libraries...

So the last approach looks promising.

sparshev commented 4 years ago

Just completed JenkinsRule unit tests implementation, there is still some issues - but looks like it's working as expected.

sparshev commented 4 years ago

Asked here to help with some jenkins-related issues here: https://issues.jenkins-ci.org/browse/JENKINS-33925

sparshev commented 4 years ago

The issue with not proper placing of the Build.fileExists(openshift) could be related to some issues with MPLModule execution. Maybe it's not closing the block properly.

sparshev commented 4 years ago

Ok, found workaround - just use the current node (if it's BlockStartNode) together with enclosures - otherwise MPLModule for some reason will add extra trace items.

sparshev commented 1 year ago

Davin suggested a couple of other ways to achieve the same result to register the custom interceptor here: https://github.com/cloudbees/groovy-cps/pull/107#issuecomment-1294028093