Configure Script Approvals

[codiophile]

Your checklist for this issue

🚨 Please review the guidelines for contributing to this repository.

• [x] Link to any upstream changes that might be required (for example Jenkins Core pull request)

I don't think there are any dependencies to implement this, but I don't know enough about the internals to know for sure.

Feature Request

It is already possible to configure approvedSignatures:

security:
  scriptApproval:
    approvedSignatures:
      - "some signature"

But it isn't possible to configure approved scripts or hashes of approved scripts, which is what's technically being approved.

I'm working on migrating from jenkins-startup-scripts, where this is a built in feature. The implementation is quite simple, so I don't see why this couldn't be included in JCasC.

Obtaining the hashes is a bit of a pain, as it requires you to run the job that needs the script approvals, then approve them in the UI and finally grab the hashes from scriptApproval.xml in JENKINS_HOME. So we might want to simplify that by letting the user provide the whole script, but getting feature parity with the jenkins-startup-scripts is a good start.

So here is my suggestion:

security:
  scriptApproval:
    approvedScriptHashes:
      - "some hash"

To make life easier, we could also have:

security:
  scriptApproval:
    approvedScripts:
      - "some script"

However that is a bit more effort and mostly a nice to have. The first one is essential, though.

I'm happy to create a PR, but I don't have any experience with this code base, so I would be happy if someone wants to help out. Also, if there are any workarounds available right now, please let me know.

[jetersen]

This is not really a JCasC feature request. This is a script-security-plugin: https://github.com/jenkinsci/script-security-plugin Which uses jira issues: http://issues.jenkins-ci.org/

[jetersen]

Unless what your asking is some hashing logic much like base64 logic in #1408

[timja]

please raise with the script-security plugin maintainers,

cc @Wadeck who is doing some work their atm

[jetersen]

https://github.com/jenkinsci/script-security-plugin would need a DataBoundSetter for approvedScriptHashes which is currently not implemented.

Only a DataBoundSetter is available for approvedSignatures: https://github.com/jenkinsci/script-security-plugin/blob/3b77f808a71620a526a59a2e625d289b4c249234/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java#L664-L681

[codiophile]

@jetersen @timja Thanks for replying so quickly.

I don't have any experience with Jenkins plugin development and this is my first experience with JCasC. I think I will have a read through this documentation. Is there some other documentation that explains the architecture and can give me an overview of how JCasC works?

For now I have implemented a workaround using configuration-as-code-groovy-plugin. Should work fine while awaiting proper support.

[timja]

this explains more how it works from a code standpoint: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/IMPLEMENTATION.md

[jetersen]

@codepitbull please do share your workaround with JCasC groovy plugin

[codiophile]

@jetersen It's a bit crude, but here you go:

groovy:
  - script: |
      import org.jenkinsci.plugins.scriptsecurity.scripts.*
      ScriptApproval scriptApproval = ScriptApproval.get()
      scriptApproval.clearApprovedSignatures()
      [
        "003f7e63f60f4d2787313fbc4a4b12cd6ed75cf8",
        "017d0db438428731cd600b6ebda805065433520f",
        "07b027fd04a8f55c2b71529126a2eb44e77360c4",
        "0843bdaeb52dd48a96bc460f53c9ecaff0eccf25",
        "15b8e6fba9f8a32d1ef75a8e9c7c5dc5b240167d",
        "20f2ecd49fe9bf3c9cf927264c6fdfeea2cddb36",
        "3648fafa37c931ccb3f3687c67b956cb2b88b556",
        "3c37469928b478b666246aa59467b0abe97218f9",
        "3ce1f8cc7a8f4f9f9283fd65a5dc0ab56c5c7655",
        "439b29449e1dcff49b3251dd719191c6c7776bf9",
        "439dbe2c4962613241e7767ca6b1223cf400b79d",
        "60eba59930545aa492a316416eb03afaa275ed9c",
        "65b97048731be7199dfec2602444600ea90ba8b5",
        "66a4cbd2878bd5e757f9607de9239bde792eb3e2",
        "68d922a44a9f23d6eb63d32652d0f1dd3cc9f8b9",
        "71463010aef15ec76047f959ade7522ac6f0837b",
        "7f5d824bf98358ce62335a5240494f2fca95d76a",
        "85d5fe96d3c0a4c8fe60b4eb2b9432f2fdc94698",
        "8b68652d178acff42bd2c53efedfc9dbdecfb9e2",
        "8fb9d6669b1283ff3793b49d15349960884135ce",
        "9a5d3e27aed421a96493520a48492b8bceb498a8",
        "b23490b3b591c5c1a9c9045958f8b613582d7c9b",
        "c679377d0eb5206b9131f422a856435265d4d838",
        "c884241caff28ae7242147695971a3d5476dd984",
        "d7c32c183e9741cdd76678a954c80d5b24dc3d68",
        "e18fa1420291d30dcba96d461222ea34bee7a0f8",
        "ed29cb7b65903e19135e15a0564d9c7b5ceea2e9",
        "ff0b0e31cff78ab895a6084c2073140351ae82e2"
      ].each { hash ->
          scriptApproval.approveScript(hash)
      }
      scriptApproval.save()

[Wadeck]

Personally I think it's not a good idea to configure such approvals in an automatic way. What is acceptable in one instance will not be acceptable in another one.

by letting the user provide the whole script

Depending on your process, you are allowing user to elevate their own permission, be really careful when approving scripts. A non-admin user that can provide any script, is equivalent to an admin.

I am not a maintainer of script-security, just proposing a UX revamp. The PR does not require to have JCasC compatibility as it provides instance specific statistics and not configuration.

@dwnusbaum could be interested

[codiophile]

For anyone watching this issue, I reported it for the script-security-plugin in JIRA:

https://issues.jenkins-ci.org/browse/JENKINS-62708

[psimms-r7]

@jetersen It's a bit crude, but here you go:

groovy:
  - script: |
      import org.jenkinsci.plugins.scriptsecurity.scripts.*
      ScriptApproval scriptApproval = ScriptApproval.get()
      scriptApproval.clearApprovedSignatures()
      [
        "003f7e63f60f4d2787313fbc4a4b12cd6ed75cf8",
        "017d0db438428731cd600b6ebda805065433520f",
        "07b027fd04a8f55c2b71529126a2eb44e77360c4",
        "0843bdaeb52dd48a96bc460f53c9ecaff0eccf25",
        "15b8e6fba9f8a32d1ef75a8e9c7c5dc5b240167d",
        "20f2ecd49fe9bf3c9cf927264c6fdfeea2cddb36",
        "3648fafa37c931ccb3f3687c67b956cb2b88b556",
        "3c37469928b478b666246aa59467b0abe97218f9",
        "3ce1f8cc7a8f4f9f9283fd65a5dc0ab56c5c7655",
        "439b29449e1dcff49b3251dd719191c6c7776bf9",
        "439dbe2c4962613241e7767ca6b1223cf400b79d",
        "60eba59930545aa492a316416eb03afaa275ed9c",
        "65b97048731be7199dfec2602444600ea90ba8b5",
        "66a4cbd2878bd5e757f9607de9239bde792eb3e2",
        "68d922a44a9f23d6eb63d32652d0f1dd3cc9f8b9",
        "71463010aef15ec76047f959ade7522ac6f0837b",
        "7f5d824bf98358ce62335a5240494f2fca95d76a",
        "85d5fe96d3c0a4c8fe60b4eb2b9432f2fdc94698",
        "8b68652d178acff42bd2c53efedfc9dbdecfb9e2",
        "8fb9d6669b1283ff3793b49d15349960884135ce",
        "9a5d3e27aed421a96493520a48492b8bceb498a8",
        "b23490b3b591c5c1a9c9045958f8b613582d7c9b",
        "c679377d0eb5206b9131f422a856435265d4d838",
        "c884241caff28ae7242147695971a3d5476dd984",
        "d7c32c183e9741cdd76678a954c80d5b24dc3d68",
        "e18fa1420291d30dcba96d461222ea34bee7a0f8",
        "ed29cb7b65903e19135e15a0564d9c7b5ceea2e9",
        "ff0b0e31cff78ab895a6084c2073140351ae82e2"
      ].each { hash ->
          scriptApproval.approveScript(hash)
      }
      scriptApproval.save()

Where did you define this in under jcasc, I am getting the below, not sure where groovy block falls under?

No configurator for the following root elements groovy

[timja]

You need to install this plugin: https://github.com/jenkinsci/configuration-as-code-groovy-plugin

[psimms-r7]

You need to install this plugin: https://github.com/jenkinsci/configuration-as-code-groovy-plugin

thank you!