In my Jenkins pipeline file I use the JsonSlurperClassic to read build configurations from a .json file. This however introduces code that needs to be approved over the in-process Script Approval page. This works fine when I do it over the GUI.
However, I also have a script that automatically sets up my Jenkins machine, which should create a ready-to-work machine that does not require further GUI operations. This script already uses the Jenkins script console to approve slave start-up commands. The Groovy code that is executed in the script console to do this looks like this.
def language = 'system-command';
def scriptSnippet = 'ssh me@slavemachine java -jar ~/bin/slave.jar';
def scriptApproval = Jenkins.instance.getExtensionList(
'org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval')[0];
def scriptHash = scriptApproval.hash(scriptSnippet, language);
scriptApproval.approveScript(scriptHash);
This works fine, but now I want to use the same code to approve the script snippets that come from my pipeline. I exchanged the first two lines with
def language = 'groovy'
def scriptSnippet = 'new groovy.json.JsonSlurperClassic';
where the scriptSnippet is taken from the scriptApproval.xml file.
Executing this adds a new <approvedScriptHashes> entry to the scriptApproval.xml file but does not remove the <pendingSignature> entry that contains the script snippet. This means it does not work.
My guess is that the language is wrong, but other values I tried like groovy-sh or system-commands did not work either. Do you have any ideas why it does not work?
Thank you for your time.
This protection is provided by the Script Security plugin. As soon as an unsafe method is used in any of the scripts, the administrator can use the "In-process Script Approval" action that appears in Manage Jenkins to allow the unsafe method. Unsafe methods should not be enabled without careful consideration of the impact.
Jenkins features a Groovy script console which allows one to run arbitrary Groovy scripts within the Jenkins controller runtime or in the runtime on agents.
The Jenkinsfile is written using the Groovy Domain-Specific Language and can be generated using a text editor or the Jenkins instance configuration tab. Declarative Pipeline is a relatively new feature that supports the concept of pipeline as code.
You can use the ScriptApproval#approveSignature method. Here is an example that works on my Jenkins 2.85:
def signature = 'new groovy.json.JsonSlurperClassic'
org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.get().approveSignature(signature)
import org.jenkinsci.plugins.scriptsecurity.scripts.*
toApprove = ScriptApproval.get().getPendingScripts().collect()
toApprove.each {pending -> ScriptApproval.get().approveScript(pending.getHash())}
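An allowlist-based variant for the script console, added here as an example and not part of the original answers: it approves only the signatures the provisioning script expects and reports whatever else is still pending instead of approving it. The contents of the `allowed` set are an assumption; fill it with the signatures your own pipelines need.

```groovy
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval

// Assumption: the only signatures this provisioning script may approve.
def allowed = [
    'new groovy.json.JsonSlurperClassic',
] as Set

def approval = ScriptApproval.get()

// Approve each allowlisted signature. approveSignature also clears the
// matching <pendingSignature> entry, which approving a script hash does not.
allowed.each { sig ->
    approval.approveSignature(sig)
    println "approved signature: ${sig}"
}

// Anything still pending was not on the allowlist: report it and leave it
// for an administrator to review on the In-process Script Approval page.
approval.pendingSignatures.each { p ->
    println "still pending, not approved: ${p.signature}"
}
approval.pendingScripts.each { p ->
    println "pending script left for review: ${p.hash}"
}
```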