Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to approve script snippets from a jenkinsfile via the groovy script console?

In my jenkins pipeline file I use the JsonSlurperClassic to read build configurations from a .json file. This however introduces code that needs to be approved over the in-process Script Approval page. This works fine when I do it over the GUI.

However I also have a script that automatically sets up my jenkins machine which should create a ready-to-work machine that does not require further GUI operations. This script already uses the jenkins script console to approve slave start-up commands. The groovy code that is executed in the script console to do this looks like this.

def language = 'system-command';
def scriptSnippet = 'ssh me@slavemachine java -jar ~/bin/slave.jar';

def scriptApproval = Jenkins.instance.getExtensionList(
    'org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval')[0];
def scriptHash = scriptApproval.hash(scriptSnippet, language);
scriptApproval.approveScript(scriptHash);

This works fine, but now I want to use the same code to approve the script snippets that come from my pipeline. I exchanged the first two lines with

def language = 'groovy'
def scriptSnippet = 'new groovy.json.JsonSlurperClassic';

where the scriptSnippet is taken from the scriptApproval.xml file. Executing this adds a new <approvedScriptHashes> entry to the scriptApproval.xml file but does not remove the <pendingSignature> entry that contains the script snippet. This means it does not work.

My guess is, that the language is wrong, but other values I tried like groovy-sh or system-commands did not work either. Do you have any ideas why it does not work?

Thank you for your time.

like image 901
Knitschi Avatar asked Dec 21 '17 12:12

Knitschi


People also ask

What is script approval in Jenkins?

This protection is provided by the Script Security plugin. As soon as an unsafe method is used in any of the scripts, the administrator can use the "In-process Script Approval" action appears in Manage Jenkins to allow the unsafe method. Unsafe methods should not be enabled without careful consideration of the impact.

What type of script is accepted as input on the Jenkins script console?

Jenkins features a Groovy script console which allows one to run arbitrary Groovy scripts within the Jenkins controller runtime or in the runtime on agents.

Is Jenkinsfile written in Groovy?

The Jenkinsfile is written using the Groovy Domain-Specific Language and can be generated using a text editor or the Jenkins instance configuration tab. The Declarative Pipelines is a relatively new feature that supports the concept of code pipeline.


Video Answer


2 Answers

You can use ScriptApproval#approveSignature method. Here is an example that works on my Jenkins 2.85

def signature = 'new groovy.json.JsonSlurperClassic'
org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.get().approveSignature(signature)
like image 126
Vitalii Vitrenko Avatar answered Oct 19 '22 12:10

Vitalii Vitrenko


import org.jenkinsci.plugins.scriptsecurity.scripts.*
toApprove = ScriptApproval.get().getPendingScripts().collect()
toApprove.each {pending -> ScriptApproval.get().approveScript(pending.getHash())}
like image 40
Anna Hr. Avatar answered Oct 19 '22 12:10

Anna Hr.