[JENKINS-60866][JENKINS-71513] Apply Stapler update for CSP-compliant st:bind and renderOnDemand

[daniel-beck]

See JENKINS-60866.

Downstream of jenkinsci/stapler#385

This takes care of two different previously inline or eval'ed JS snippets that ended up calling makeStaplerProxy to bind objects to JS:

• st:bind emitted a script tag with inline script that assigns the result of makeStaplerProxy to a variable (if used with a variable name -- the other mode cannot be fixed, as it's intended for nesting in an inline script).
• renderOnDemand.jelly added the makeStaplerProxy call it needed to an HTML attribute, later eval'ing it in

  jenkins/war/src/main/webapp/scripts/hudson-behavior.js

  Line 793 in d977ee8

  var proxy = eval(e.getAttribute("proxy"));

This PR changes Stapler and Jenkins to no longer need either:

• st:bind now emits script tags with src. Stapler has been improved to have a separate URL that provides the previously inline script standalone.
• renderOnDemand now adds HTML attributes for the function name and its argument values, which are then read in hudson-behavior.js and used to invoke the specified method with the correct arguments.

Testing notes

• st:bind is used in core by progressiveRendering, which is used by the "Build History" view.
• renderOnDemand is used whenever a form has nontrivial dynamic content (e.g. adding build steps to a freestyle job, or the configuration of a security realm, authorization strategy, or markup formatter after selecting the type in a dropdown box.

Proposed changelog entries

• Developer: Update Stapler from 1822.v120278426e1c to 1839.ved17667b_a_eb_5 to no longer generate line JavaScript with Stapler bound objects to improve compatibility with Content-Security-Policy Plugin

Proposed upgrade guidelines

N/A

Submitter checklist

• (If applicable) Jira issue is well described
• Changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developer, depending on the change) and are in the imperative mood. Examples
  • Fill-in the Proposed changelog entries section only if there are breaking changes or other changes which may require extra steps from users during the upgrade
• Appropriate autotests or explanation to why this change has no tests
• New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadoc, as appropriate.
• New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO") if applicable.
• For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Maintainer checklist

Before the changes are marked as ready-for-merge:

• There are at least 2 approvals for the pull request and no outstanding requests for change
• Conversations in the pull request are over OR it is explicit that a reviewer does not block the change
• Changelog entries in the PR title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood
• Proper changelog labels are set so that the changelog can be generated automatically
• If the change needs additional upgrade steps from users, upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the PR title. (example)
• If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

[daniel-beck]

Looks like the default branch of Stapler with a bunch of unreleased commits (for incrementals) is incompatible with core. Nice.

[2022-07-17T10:08:49.977Z] [INFO] --- maven-enforcer-plugin:3.1.0:enforce (display-info) @ jenkins-war ---
[2022-07-17T10:08:49.977Z] [INFO] Adding ignore: module-info
[2022-07-17T10:08:49.977Z] [INFO] Restricted to JDK 8 yet org.kohsuke.stapler:stapler:jar:1721.v6298feb_6eb_8f:compile contains org/kohsuke/stapler/framework/io/ByteBuffer$1.class targeted to JDK 11
[2022-07-17T10:08:49.977Z] [INFO] Restricted to JDK 8 yet org.kohsuke.stapler:stapler-groovy:jar:1721.v6298feb_6eb_8f:compile contains org/kohsuke/stapler/jelly/groovy/GroovyClassLoaderTearOff$1.class targeted to JDK 11
[2022-07-17T10:08:49.977Z] [INFO] Restricted to JDK 8 yet org.jenkins-ci:commons-jelly:jar:1.1-jenkins-20220630:compile contains org/apache/commons/jelly/util/TagUtils.class targeted to JDK 11
[2022-07-17T10:08:49.977Z] [INFO] Restricted to JDK 8 yet org.kohsuke.stapler:stapler-jelly:jar:1721.v6298feb_6eb_8f:compile contains org/kohsuke/stapler/jelly/package-info.class targeted to JDK 11
[2022-07-17T10:08:49.977Z] [ERROR] Rule 1: org.apache.maven.plugins.enforcer.EnforceBytecodeVersion failed with message:
[2022-07-17T10:08:49.977Z] Found Banned Dependency: org.kohsuke.stapler:stapler:jar:1721.v6298feb_6eb_8f
[2022-07-17T10:08:49.977Z] Found Banned Dependency: org.kohsuke.stapler:stapler-groovy:jar:1721.v6298feb_6eb_8f
[2022-07-17T10:08:49.977Z] Found Banned Dependency: org.jenkins-ci:commons-jelly:jar:1.1-jenkins-20220630
[2022-07-17T10:08:49.977Z] Found Banned Dependency: org.kohsuke.stapler:stapler-jelly:jar:1721.v6298feb_6eb_8f

[basil]

Looks like the default branch of Stapler with a bunch of unreleased commits (for incrementals) is incompatible with core. Nice.

@daniel-beck Why would it be “nice”? Your sarcasm is not appreciated. The corresponding changes have been ready for review in #6801 for 9 days.

[github-actions]

Please take a moment and address the merge conflicts of your pull request. Thanks!

[github-actions]

Please take a moment and address the merge conflicts of your pull request. Thanks!

[daniel-beck]

I plan to merge the upstream change and finalize the bom/pom.xml here shortly. Please review this PR if you're interested in it :)

[timja]

shouldn't these be const?

Suggested change

	let proxyMethod = e.getAttribute("data-proxy-method");
	let proxyUrl = e.getAttribute("data-proxy-url");
	let proxyCrumb = e.getAttribute("data-proxy-crumb");
	let proxyUrlNames = e.getAttribute("data-proxy-url-names").split(",");
	const proxyMethod = e.getAttribute("data-proxy-method");
	const proxyUrl = e.getAttribute("data-proxy-url");
	const proxyCrumb = e.getAttribute("data-proxy-crumb");
	const proxyUrlNames = e.getAttribute("data-proxy-url-names").split(",");

[jglick]

Not a very realistic example of course, because it is a singleton (the point of WithWellKnownURL would be to look up a specific object based on parsing out a path), but good enough for purposes of tests here I suppose.

[daniel-beck]

Given that this is the only implementation of WithWellKnownURL, we'll survive — if it weren't for your comments recently in the context of session serialization, I might have ripped it out entirely.

(Yes, there's another one in CloudBees, but it's long dead.)

[timja]

/label ready-for-merge

---

This PR is now ready for merge, after ~24 hours, we will merge it if there's no negative feedback.

Thanks!