actual example available in https://github.com/jenkinsci/configuration-as-code-plugin/pull/416/files
unclassified:
scriptApproval:
approvedSignatures:
- method java.net.URI getHost
- method java.net.URI getPort
- new java.net.URI java.lang.String
is not throwing errors but is not configuring approvedSignatures either 🤔
it seems we can put literally whatever under unclassified and it won't fail :)
and then I discovered commit with scriptApprovalConfigurator was reverted - @ndeloof you remember why?
oh, new PR waiting: https://github.com/jenkinsci/script-security-plugin/pull/219
(what I nice monologue I have here 🤦♀️ )
@ndeloof @ewelinawilkosz Given the developers at jenkinsci/script-security-plugin#219 don't want to merge the proposed changes, can we re-revert to support this functionality? Without this functionality we cannot move our Jenkins instance to CasC as we have many approved entries that would require "warming" up the instance after deployed by running pipelines and then manually approving. This is really not desirable at all 👎
I still think we need a fix on script-security-plugin. Just need to make an acceptable one, not relying on a custom configurator, but better make this plugin follow expected databinding conventions.
@ndeloof Thanks for the quick response. The file in question is: https://github.com/jenkinsci/script-security-plugin/blob/master/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java. I can start implementing the changes today, but can you provide some guidance? What do you think is needed in order to get that file to "follow expected databinding conventions"? I think this implementation is old, and needs to be updated to leverage Descriptor and DataBoundXX. Am I right?
@ndeloof @ewelinawilkosz I opened a PR to that enables this functionality without glue code: https://github.com/jenkinsci/script-security-plugin/pull/233
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
closing issue as work is ongoing in the rightful place.
Has this actually been fixed? I followed the example in JENKINS-57563 but I get the same results that @ewelinawilkosz reported to begin with; JCasC applies correctly but the settings don't actually seem to be applied in the scriptApproval page.
@cwiggs you did not mention the version of Script Security, so did you update Script Security?
Required 1.64 of Script security.
Yes, I'm running:
Jenkins 2.164.2
script-security 1.66
JCasC 1.32
I actually noticed some odd behavior with the scriptApproval setting.
Here is my JCasC security config:
security:
scriptApproval:
approvedSignatures:
- method java.lang.String indexOf int
- method io.jenkins.plugins.casc.ConfigurationAsCode configure
- staticMethod io.jenkins.plugins.casc.ConfigurationAsCode get
remotingCLI:
enabled: false
When I apply this config and cat out /var/jenkins_home/scriptApproval.xml It seems to show up correctly:
<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="[email protected]">
<approvedScriptHashes/>
<approvedSignatures>
<string>method io.jenkins.plugins.casc.ConfigurationAsCode configure</string>
<string>method java.lang.String indexOf int</string>
<string>staticMethod io.jenkins.plugins.casc.ConfigurationAsCode get</string>
</approvedSignatures>
<aclApprovedSignatures/>
<approvedClasspathEntries/>
<pendingScripts/>
<pendingSignatures/>
<pendingClasspathEntries/>
</scriptApproval>
However the GUI does not reflect these changes. When I run the job that uses these signatures the job fails saying the signatures are not approved. After that If I cat out /var/jenkins_home/scriptApproval.xml It now shows:
<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="[email protected]">
<approvedScriptHashes/>
<approvedSignatures/>
<aclApprovedSignatures/>
<approvedClasspathEntries/>
<pendingScripts/>
<pendingSignatures>
<pendingSignature>
<context/>
<signature>staticMethod io.jenkins.plugins.casc.ConfigurationAsCode get</signature>
<dangerous>false</dangerous>
</pendingSignature>
</pendingSignatures>
<pendingClasspathEntries/>
</scriptApproval>
If I manually approve the signatures the job will run successfully, even after I re-apply the JCasC config.
The job I'm running is just a job that reapplies the JCasC config:
jobs:
- script: >
folder('Management')
- script: >
job('JcasC') {
steps {
systemGroovyCommand('''
import io.jenkins.plugins.casc.ConfigurationAsCode;
ConfigurationAsCode.get().configure()
''') {
sandbox(true)
}
}
}
EDIT: It looks like If i restart Jenkins the config gets picked up correctly, reflecting correctly in the xml file and GUI, job runs successfully as well.
Feel free to report in the right please https://issues.jenkins-ci.org using the component script-security-plugin
Created JENKINS-59979 for this issue.
@ewelinawilkosz were you ever able to get scriptApproval setting to work?
@cwiggs and for anybody else searching - current working configuration is under security. See here.
security:
scriptApproval:
approvedSignatures:
- method java.net.URI getHost
And it works for me on Jenkins 2.190, casc plugin 1.36 and Script Security plugin 1.68.
Most helpful comment
oh, new PR waiting: https://github.com/jenkinsci/script-security-plugin/pull/219
(what I nice monologue I have here 🤦♀️ )