Add telemetry for Content Security Policy (jenkinsci#23901)

* Add telemetry for Content Security Policy

* Add license header

* Add header length

---------

Co-authored-by: Daniel Beck <daniel-beck@users.noreply.github.com>

Author: daniel-beck

core/src/main/java/jenkins/telemetry/impl/ContentSecurityPolicy.java

@@ -0,0 +1,105 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2025, CloudBees, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package jenkins.telemetry.impl;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import hudson.ExtensionList;
+import java.time.LocalDate;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.stream.Collectors;
+import jenkins.security.csp.AdvancedConfigurationDescriptor;
+import jenkins.security.csp.Contributor;
+import jenkins.security.csp.CspBuilder;
+import jenkins.security.csp.CspHeader;
+import jenkins.security.csp.CspHeaderDecider;
+import jenkins.security.csp.impl.CspConfiguration;
+import jenkins.telemetry.Telemetry;
+import net.sf.json.JSONObject;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Collect information about Content Security Policy configuration.
+ *
+ */
+@Restricted(NoExternalUse.class)
+@Extension
+public class ContentSecurityPolicy extends Telemetry {
+
+    private static final Logger LOGGER = Logger.getLogger(ContentSecurityPolicy.class.getName());
+
+    @NonNull
+    @Override
+    public String getDisplayName() {
+        return "Content Security Policy";
+    }
+
+    @NonNull
+    @Override
+    public LocalDate getStart() {
+        return LocalDate.of(2025, 12, 1);
+    }
+
+    @NonNull
+    @Override
+    public LocalDate getEnd() {
+        return LocalDate.of(2026, 6, 1);
+    }
+
+    @Override
+    public JSONObject createContent() {
+        final JSONObject data = new JSONObject();
+        data.put("enforce", ExtensionList.lookupSingleton(CspConfiguration.class).isEnforce());
+        final Optional<CspHeaderDecider> decider = CspHeaderDecider.getCurrentDecider();
+        data.put("decider", decider.map(Object::getClass).map(Class::getName).orElse(null));
+        data.put("header", decider.map(CspHeaderDecider::decide).filter(Optional::isPresent).map(Optional::get).map(CspHeader::getHeaderName).orElse(null));
+
+        Set<String> contributors = new TreeSet<>();
+        ExtensionList.lookup(Contributor.class).stream().map(Contributor::getClass).map(Class::getName).forEach(contributors::add);
+        data.put("contributors", contributors);
+
+        Set<String> configurations = new TreeSet<>();
+        ExtensionList.lookup(AdvancedConfigurationDescriptor.class).stream().map(AdvancedConfigurationDescriptor::getClass).map(Class::getName).forEach(configurations::add);
+        data.put("configurations", configurations);
+
+        try {
+            Map<String, Map<String, Integer>> directivesSize = new CspBuilder().withDefaultContributions().getMergedDirectives().stream()
+                    .map(d -> Map.entry(d.name(), Map.of("entries", d.values().size(), "chars", String.join(" ", d.values()).length())))
+                    .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
+            data.put("directivesSize", directivesSize);
+        } catch (RuntimeException ex) {
+            LOGGER.log(Level.FINE, "Error during directive processing", ex);
+        }
+
+        data.put("components", buildComponentInformation());
+        return data;
+    }
+}

core/src/main/resources/jenkins/telemetry/impl/ContentSecurityPolicy/description.jelly

@@ -0,0 +1,20 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core">
+    This trial collects basic information about the current configuration of Content Security Policy (CSP):
+    <ul>
+        <li>Whether the user-facing configuration option is set to enforce CSP</li>
+        <li>The active <code>CspHeaderDecider</code>, which roughly corresponds to how Jenkins is run and whether system properties related to CSP are set</li>
+        <li>The current Content Security Policy header (<code>Content-Security-Policy</code> or <code>Content-Security-Policy-Report-Only</code>)</li>
+        <li>Which <code>Contributor</code>s are known, i.e., extensions that contribute to the CSP rules</li>
+        <li>Which <code>AdvancedConfiguration</code>s are known, i.e., extensions that add CSP configuration options</li>
+        <li>Which directives (e.g., <code>img-src</code>) are set, and the length in bytes of their values</li>
+    </ul>
+
+    <p>
+        <strong>This trial does not collect the actual CSP rules.</strong>
+    </p>
+    <p>
+        Additionally this trial collects the list of installed plugins, their version, and the version of Jenkins.
+        This data will be used to understand how widely CSP protection is used.
+    </p>
+</j:jelly>

test/src/test/java/jenkins/telemetry/impl/ContentSecurityPolicyTest.java

@@ -0,0 +1,68 @@
+package jenkins.telemetry.impl;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.empty;
+import static org.hamcrest.Matchers.is;
+
+import hudson.ExtensionList;
+import hudson.model.FreeStyleProject;
+import jenkins.security.csp.AvatarContributor;
+import jenkins.security.csp.Contributor;
+import jenkins.security.csp.CspBuilder;
+import jenkins.security.csp.CspHeader;
+import jenkins.security.csp.Directive;
+import jenkins.security.csp.impl.BaseContributor;
+import jenkins.security.csp.impl.CompatibleContributor;
+import jenkins.security.csp.impl.DevelopmentHeaderDecider;
+import jenkins.security.csp.impl.UserAvatarContributor;
+import net.sf.json.JSONObject;
+import org.junit.jupiter.api.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.TestExtension;
+import org.jvnet.hudson.test.junit.jupiter.WithJenkins;
+
+@WithJenkins
+public class ContentSecurityPolicyTest {
+
+    @Test
+    void basics(JenkinsRule j) { // arg required to actually get a Jenkins
+        final ContentSecurityPolicy csp = ExtensionList.lookupSingleton(ContentSecurityPolicy.class);
+        final JSONObject content = csp.createContent();
+        assertThat(content.get("enforce"), is(false));
+        assertThat(content.get("decider"), is(DevelopmentHeaderDecider.class.getName()));
+        assertThat(content.get("header"), is(CspHeader.ContentSecurityPolicy.getHeaderName()));
+        assertThat(content.getJSONArray("contributors"),
+                containsInAnyOrder(BaseContributor.class.getName(), CompatibleContributor.class.getName(), AvatarContributor.class.getName(), UserAvatarContributor.class.getName()));
+        assertThat(content.getJSONArray("configurations"), is(empty()));
+        final JSONObject directivesSize = content.getJSONObject("directivesSize");
+        assertThat(directivesSize.keySet(), containsInAnyOrder(Directive.DEFAULT_SRC, Directive.SCRIPT_SRC, Directive.STYLE_SRC, Directive.IMG_SRC, Directive.FORM_ACTION, Directive.BASE_URI, Directive.FRAME_ANCESTORS));
+        assertThat(directivesSize.getJSONObject(Directive.IMG_SRC).get("entries"), is(2));
+        assertThat(directivesSize.getJSONObject(Directive.IMG_SRC).get("chars"), is(12)); // 'self' data:
+        assertThat(directivesSize.getJSONObject(Directive.SCRIPT_SRC).get("entries"), is(2));
+        assertThat(directivesSize.getJSONObject(Directive.SCRIPT_SRC).get("chars"), is(22)); // 'self' 'report-sample'
+    }
+
+
+    @Test
+    void withContributors(JenkinsRule j) throws Exception {
+        final FreeStyleProject freeStyleProject = j.createFreeStyleProject();
+
+        final ContentSecurityPolicy csp = ExtensionList.lookupSingleton(ContentSecurityPolicy.class);
+        final JSONObject content = csp.createContent();
+        final JSONObject directivesSize = content.getJSONObject("directivesSize");
+        assertThat(directivesSize.keySet(), containsInAnyOrder(Directive.DEFAULT_SRC, Directive.SCRIPT_SRC, Directive.STYLE_SRC, Directive.IMG_SRC, Directive.FORM_ACTION, Directive.BASE_URI, Directive.FRAME_ANCESTORS));
+        assertThat(directivesSize.getJSONObject(Directive.IMG_SRC).get("entries"), is(3));
+        assertThat(directivesSize.getJSONObject(Directive.IMG_SRC).get("chars"), is(28)); // 'self' data: img.example.com
+        assertThat(directivesSize.getJSONObject(Directive.SCRIPT_SRC).get("entries"), is(2));
+        assertThat(directivesSize.getJSONObject(Directive.SCRIPT_SRC).get("chars"), is(22)); // 'self' 'report-sample'
+    }
+
+    @TestExtension("withContributors")
+    public static class TestContributor implements Contributor {
+        @Override
+        public void apply(CspBuilder cspBuilder) {
+            cspBuilder.add(Directive.IMG_SRC, "img.example.com");
+        }
+    }
+}