[JENKINS-62708] Add JCasC support for approved script hashes #329
Conversation
When will this PR be merged into master?
I don't know; the maintainers would have to merge it. The last few merges were done by @rsandell so maybe he could take a look.
Why would you ever want to do this?! Whatever use case you are trying to enable, this does not sound like the right approach.
We manage everything as code with JCasC across multiple Jenkins instances. There currently is no way to whitelist scripts apart from the UI or manually modifying XML on disk. Using the UI is not a maintainable, auditable practice and bypasses SDLC verifications. Manually modifying the XML while at the same time using JCasC would result in a conflict of managing the file. Using a hash isn't the most user friendly (especially if no comments / commit messages say what it is for) but that's the way non-sandboxed scripts are whitelisted today with this plugin. I didn't set out to rewrite it - I just need a way to whitelist some scripts.
If this is for Pipeline, you want to use a library. If for other stuff using Groovy, your best bet is a simple plugin offering some
It is mostly for legacy freestyle jobs, though the JCasC handles both freestyle and pipelines. I do not want to whitelist the methods because they are sensitive. I intentionally want to whitelist the scripts in a controlled manner and only the scripts.
Yeah so the plugin with
We need this also. Since allowing script hashes is a supported feature for this plugin, it should really also support the JCasC config as well. Either that or the script hash function should be removed completely, but that is a completely different discussion.
Hi all, any update on when this goes live?
To add one more use case to what types of scripts need to be approved... We use the extended choice parameter plugin's groovy script option, which requires the given script to be approved. I don't think writing a plugin is a valid option to solve this use case.
Review threads (resolved) on:
- src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java (three threads, outdated)
- src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/JcascTest.java
- src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java (outdated)
Any updates on when this feature will be released?
I have been able to take the hashes from the scriptApproval and it works fine; however, I am unable to compute my own hash of the same groovy job script, which would be ideal for when we add new scripts we can also add the hash to the
The approved hash in scriptApproval.xml is different
Try a
[embedded code permalinks: lines 381 to 391 and lines 40 to 42 at commit 0e7c803]
I tried calculating the hash for my script. Am I missing something? sample.groovy generated hash: 78fc02e450ce259408eafa4cc09195bd5278536a
I'm uploading approvedScriptHashes in SHA-1 format to the server using JCasC. I can literally watch in the "jcasc view page" how, when the scriptler page is activated, the latter takes all the hashes and converts them to SHA-512. The problem is that after that no script is approved. All scripts have green checkmarks, but inside the launch window there is a notification that the administrator must approve the script. How can I get around or fix this?
@rsandell @dwnusbaum ^^^ in reference (I guess) to 65867aa https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564
@jglick
UPD:
Adds the ability to manage approved script hashes with JCasC. With the current UX, to determine the hash you can either approve it and see what was added to the scriptApproval.xml file on disk, or compute the SHA-1 of the script. There is an open effort to improve the UX with JENKINS-62448 #300.
Example:
Script:
```groovy
println(jenkins.model.Jenkins.instance.getLabels())
```
See JENKINS-62708
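The thread above (the commenters who could not reproduce the hash in scriptApproval.xml, and the later report of SHA-1 entries being converted to SHA-512 after SECURITY-2564) and the PR description both turn on how the approval hash is computed offline so it can be committed to a JCasC YAML. The script below is an added example written for this page; it is not code from the PR or from the script-security plugin. It assumes, from my own reading of the plugin's ScriptApproval.hash method rather than from anything this page states, that the digest input is the language name, a ':' byte, then the script text, all UTF-8, with SHA-1 as the legacy algorithm and SHA-512 as the current one; the language name "groovy", the `security: scriptApproval:` YAML path and the tolerance for an algorithm prefix in stored entries are likewise assumptions to verify against your own scriptApproval.xml.

```python
"""Compute script-security approval hashes for a JCasC approvedScriptHashes list.

Added example, not plugin code.  ASSUMPTION (my reading of the plugin's
ScriptApproval.hash, not stated on the PR page): the digest input is
<language> ':' <script>, UTF-8 encoded.  SHA-1 is the legacy algorithm;
SHA-512 is current since SECURITY-2564 (advisory 2022-11-15).
"""
import hashlib
import re

# Name the Groovy language implementation registers under (assumed).
GROOVY = "groovy"

# Stored entries may carry an algorithm prefix; accept it either way (assumed).
_PREFIX = re.compile(r"^(SHA512|SHA1):", re.IGNORECASE)


def approval_hash(script: str, language: str = GROOVY, algorithm: str = "sha512") -> str:
    """Hex digest of '<language>:<script>' with the given algorithm (sha1 or sha512)."""
    if algorithm not in ("sha1", "sha512"):
        raise ValueError("script-security has only ever used sha1 or sha512")
    digest = hashlib.new(algorithm)
    digest.update(language.encode("utf-8"))
    digest.update(b":")
    # The script is hashed byte-for-byte: a trailing newline or CRLF line
    # endings produce a different hash than the text stored in the job config.
    digest.update(script.encode("utf-8"))
    return digest.hexdigest()


def both_hashes(script: str, language: str = GROOVY) -> dict:
    """Legacy SHA-1 and current SHA-512 hashes for the same script."""
    return {alg: approval_hash(script, language, alg) for alg in ("sha1", "sha512")}


def is_approved(script: str, approved_hashes, language: str = GROOVY) -> bool:
    """True if either approval hash of `script` appears in `approved_hashes`
    (the approvedScriptHashes entries from scriptApproval.xml or the JCasC YAML).
    Case and an optional 'SHA512:'/'SHA1:' prefix are ignored, so lists written
    before or after the SHA-512 migration can both be checked."""
    wanted = set(both_hashes(script, language).values())
    normalized = {_PREFIX.sub("", h).strip().lower() for h in approved_hashes}
    return bool(wanted & normalized)


def approved_script_hashes_yaml(scripts: dict, language: str = GROOVY,
                                algorithm: str = "sha512") -> str:
    """Render a JCasC fragment listing the hash of each script, with the script
    name as a YAML comment so reviewers can tell what each hash approves.
    The 'security: scriptApproval:' nesting is assumed; 'approvedScriptHashes'
    is the key the discussion above uses."""
    lines = ["security:", "  scriptApproval:", "    approvedScriptHashes:"]
    for name, body in scripts.items():
        lines.append(f"    - {approval_hash(body, language, algorithm)}  # {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample, modelled on the script in the PR description.
    sample = {"labels.groovy": "println(jenkins.model.Jenkins.instance.getLabels())"}
    print(approved_script_hashes_yaml(sample))
    print(both_hashes(sample["labels.groovy"]))
```

Because the hash covers the exact bytes of the script, the first thing to check when a locally computed value does not match scriptApproval.xml is whitespace: a file saved with a trailing newline or Windows line endings hashes differently from the script text Jenkins stored from the job configuration. Keeping the script name as a comment beside each hash gives the JCasC commit the auditability the thread asks for, since the hash alone says nothing about what it approves.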