
TL;DR

How to configure Jenkins in a non-interactive way so people can use my shared library without me needing to go and click the approve button for the in-process script.

long story...

I have created a shared library in Jenkins which looks something like this (simplified version):

// vars/MyPipeline.groovy in the shared library
def call(body) {
    // evaluate the body block, and collect configuration into the object
    def pipelineParams = [:]
    body.resolveStrategy = Closure.DELEGATE_FIRST
    body.delegate = pipelineParams
    body()

    pipeline {
        agent any
        stages {
            stage('test') {
                steps {
                    script {
                        // call the closure the user stored under "test"
                        pipelineParams.test()
                    }
                }
            }
        }
    }
}

This way a user can just call my library like this:

@Library('my-shared-library@master') _
MyPipeline {
    test = {
        sh "./gradlew test"
    }
}

The library is also configured under jenkins/configure.

Trouble is Jenkins is always asking for in-process script approval for the signature:

signature : staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods invokeMethod java.lang.Object java.lang.String java.lang.Object

However, the documentation says that shared libraries are supposed to be trusted: https://jenkins.io/doc/book/pipeline/shared-libraries/#global-shared-libraries...

This is what I tried:

1. disable in-process script approval completely

This seems impossible: see "How can I disable security checks for Jenkins pipeline builds" and the open Jenkins ticket: https://issues.jenkins-ci.org/browse/JENKINS-28178

2. use Configuration As Code to pre-configure jenkins to allow this specific method

This is not yet possible: the work seems mostly ready, but as of today it still needs to be merged into master: https://github.com/jenkinsci/script-security-plugin/pull/250

3. GET and POST on jenkins/scriptApproval

I used the browser debugger to see what calls were made. A GET on the page got me the correct ID, and then a POST would have sufficed, but since both requests are made separately, the ID changes in between, and I get a 404 error...

import requests

# Scrape the scriptApproval page for the Stapler bound-object path that the
# UI's "Approve" button posts to (the argument of makeStaplerProxy(...)).
page = requests.get("http://localhost:8080/scriptApproval/").text
proxy_path = [line for line in page.strip().split() if 'makeStaplerProxy' in line][0].split("'")[1]
postUrl = "http://localhost:8080" + proxy_path + "/approveSignature"
print(postUrl)

# A second, separate request to the path found above: this is what returns 404.
r = requests.post(postUrl)
print(r.status_code)

will give:

http://localhost:8080/$stapler/bound/8488d0c2-9fce-4091-8b9f-747ae0016421/approveSignature
404

4. load library implicitly

I loaded the library implicitly and removed the

@Library('my-shared-library@master') _

from the Jenkinsfile. Approval is still required.

out of ideas

I'm quite out of ideas. Normally a shared pipeline is supposed to be trusted, so I don't really get why it is still asking for approval for these external calls... or am I doing something wrong in the implementation of my shared library?

Chris Maes
  • How is the shared library being loaded? – Matthew Schuchard Jul 08 '19 at 16:05
  • It is configured in Jenkins, but also specified by the user with @library... – Chris Maes Jul 08 '19 at 16:07
  • If you have it loaded in through the plugin and are running in sandbox, then the library will be whitelisted. If you are seeing requests for approval, then probably something inside the library is untrusted. – Matthew Schuchard Jul 08 '19 at 16:17
  • The library is configured on Jenkins/configure, not inside the job. But the job jenkinsfile starts with @library... – Chris Maes Jul 08 '19 at 16:24
  • What's the message you get from approval table? – hakamairi Jul 09 '19 at 06:47
  • I have edited my question to note that the library is globally configured, but also imported in the Jenkinsfile. I have also added the exact signature that requires approval. – Chris Maes Jul 09 '19 at 07:35
  • I've been seeing this error as well. Found the following Jira issue: https://issues.jenkins-ci.org/browse/JENKINS-42129 There are work-arounds to the error in the ticket, I've not yet tried them out. – redfive Dec 13 '19 at 18:35

0 Answers