19

In my Jenkins pipeline file I use the JsonSlurperClassic to read build configurations from a .json file. This, however, introduces code that needs to be approved over the In-process Script Approval page. This works fine when I do it over the GUI.

However, I also have a script that automatically sets up my Jenkins machine, which should create a ready-to-work machine that does not require further GUI operations. This script already uses the Jenkins script console to approve slave start-up commands. The Groovy code that is executed in the script console to do this looks like this:

```groovy
def language = 'system-command';
def scriptSnippet = 'ssh me@slavemachine java -jar ~/bin/slave.jar';

def scriptApproval = Jenkins.instance.getExtensionList(
    'org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval')[0];
def scriptHash = scriptApproval.hash(scriptSnippet, language);
scriptApproval.approveScript(scriptHash);
```

This works fine, but now I want to use the same code to approve the script snippets that come from my pipeline. I exchanged the first two lines with

```groovy
def language = 'groovy'
def scriptSnippet = 'new groovy.json.JsonSlurperClassic';
```

where the scriptSnippet is taken from the scriptApproval.xml file. Executing this adds a new `<approvedScriptHashes>` entry to the scriptApproval.xml file but does not remove the `<pendingSignature>` entry that contains the script snippet. This means it does not work.

My guess is that the language is wrong, but other values I tried, like groovy-sh or system-commands, did not work either. Do you have any ideas why it does not work?

Thank you for your time.

Knitschi
  • Maybe the `approveClasspathEntry` method? What are you overall trying to accomplish here? – mkobit Jan 11 '18 at 16:02
  • @mkobit I have a script that sets up my Jenkins instance from scratch. I want my Jenkins to be ready to go after that script is executed. This means that the script needs to approve all code snippets from my pipeline job, or the pipeline job will fail on the first run with the request to approve the scripts manually over the GUI. – Knitschi Jan 13 '18 at 14:17

3 Answers

25

You can use the ScriptApproval#approveSignature method. Here is an example that works on my Jenkins 2.85:

```groovy
def signature = 'new groovy.json.JsonSlurperClassic'
org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.get().approveSignature(signature)
```
Vitalii Vitrenko
6
```groovy
import org.jenkinsci.plugins.scriptsecurity.scripts.*
toApprove = ScriptApproval.get().getPendingScripts().collect()
toApprove.each {pending -> ScriptApproval.get().approveScript(pending.getHash())}
```
Jack Davidson
Anna Hr.
  • I have not tried if this works, but it seems more convenient than the other solution to approve the scripts without having to know their exact signatures. – Knitschi Dec 13 '18 at 07:43
  • However, you don't know what those are until you run the script... It will fail as many times as it runs... – Marcello DeSales Apr 23 '19 at 08:59
  • I get a `Caused: java.io.NotSerializableException: org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval$PendingScript` – papanito Apr 07 '20 at 16:42
  • You can mix the Permissive Script Security plugin and this solution, and you shouldn't have problems with any approval anymore. At least I am testing this solution and it looks promising. – Brandon X. Apr 06 '21 at 07:56
0

I know this is an old post, but I thought if anyone else is looking for answers then this could help. If you already have a list of known signatures for script approvals and if you would like to do all of the approvals at once, then the snippet mentioned in the below link works well.

Here's a groovy script to pre-populate script approvals

Sreehari
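The allow-list approach described in the last answer, as an added example for the script console or an init script (it is not code from any of the posts or from the linked script). It assumes the script-security plugin's `approveSignature`, `getApprovedSignatures` and `getPendingSignatures` methods; the second signature in the list is a constructed sample.

```groovy
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval

// Constructed allow-list: the first entry is the signature from the question,
// the second is a sample in the same format. Replace it with the signatures
// your own pipelines actually need.
def wanted = [
    'new groovy.json.JsonSlurperClassic',
    'method groovy.json.JsonSlurperClassic parseText java.lang.String'
]

def approval = ScriptApproval.get()
def alreadyApproved = approval.getApprovedSignatures() as Set

// Approve only allow-listed signatures that are not approved yet, so the
// script can be re-run on every provisioning pass without side effects.
wanted.each { sig ->
    if (sig in alreadyApproved) {
        println "already approved: ${sig}"
    } else {
        approval.approveSignature(sig)
        println "approved:         ${sig}"
    }
}

// Anything still pending was requested by a job but is not on the list.
// Report it for review instead of approving it blindly.
def pending = approval.getPendingSignatures().collect { it.signature }
def unexpected = pending.findAll { !(it in wanted) }
unexpected.each { println "pending, NOT approved (review manually): ${it}" }

return "${wanted.size()} allow-listed, ${unexpected.size()} pending for review"
```

Unlike approving everything that is pending, this keeps the set of sandbox exemptions explicit and reviewable in version control alongside the provisioning script.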