[JIRA] (JENKINS-55918) Add support for groovy sandbox mode in environmentVariables closure

3 views
Skip to first unread message

regs@akom.net (JIRA)

unread,
Feb 1, 2019, 11:14:02 AM2/1/19
to jenkinsc...@googlegroups.com
Alexander Komarov created an issue
 
Jenkins / Improvement JENKINS-55918
Add support for groovy sandbox mode in environmentVariables closure
Issue Type: Improvement Improvement
Assignee: Daniel Spilker
Attachments: Screenshot_2019-02-01_11-08-13.png, Screenshot_2019-02-01_11-12-05.png
Components: job-dsl-plugin
Created: 2019-02-01 16:13
Labels: plugin
Priority: Minor Minor
Reporter: Alexander Komarov

The "Prepare an Environment for the run" (environmentVariables {}) section supports a "sandbox" mode for the Groovy Script.  It would be useful for the DSL plugin to allow for setting the value of this checkbox.

Use case: I generate a slightly different version of the same job every few months.  The Groovy Script changes slightly, which makes Jenkins require in-process script approval and prevents the job from running.  With sandbox mode, this would not happen.

I'll try to submit a PR.
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

regs@akom.net (JIRA)

unread,
Feb 1, 2019, 11:15:02 AM2/1/19
to jenkinsc...@googlegroups.com
Alexander Komarov updated an issue
Change By: Alexander Komarov
The "*Prepare an Environment for the run*" (environmentVariables {}) section supports a "sandbox" mode for the Groovy Script.  It would be useful for the DSL plugin to allow for setting the value of this checkbox.

*Use case*: I generate a slightly different version of the same job every few months.  The Groovy Script changes slightly, which makes Jenkins require in-process script approval and prevents the job from running.  With sandbox mode, this would not happen.   (Also, it would potentially be more secure)

I'll try to submit a PR.

regs@akom.net (JIRA)

unread,
Feb 1, 2019, 2:04:01 PM2/1/19
to jenkinsc...@googlegroups.com
Alexander Komarov updated an issue
The "*Prepare an Environment for the run*" (environmentVariables {}) section supports a "sandbox" mode for the Groovy Script.  It would be useful for the DSL plugin to allow for setting the value of this checkbox.

*Use case*: I generate a slightly different version of the same job every few months.  The Groovy Script changes slightly, which makes Jenkins require in-process script approval and prevents the job from running.  With sandbox mode, this would not happen.  (Also, it would potentially be more secure)
I'll try to submit a PR https://github . com/jenkinsci/job-dsl-plugin/pull/1165

regs@akom.net (JIRA)

unread,
Mar 1, 2019, 1:28:02 PM3/1/19
to jenkinsc...@googlegroups.com
Alexander Komarov updated an issue
The "*Prepare an Environment for the run*" (environmentVariables {}) section supports a "sandbox" mode for the Groovy Script.  It would be useful for the DSL plugin to allow for setting the value of this checkbox.

*Use case*: I (re) generate a slightly different version of the same job every few months periodically .  The Groovy Script changes slightly over time , which makes Jenkins require in-process script approval and prevents the job from running until someone approves the script and re-launches it .  With sandbox mode, this would not happen.  (Also, it would potentially be more secure)

PR:  [ https://github.com/jenkinsci/job-dsl-plugin/pull/1165 ]

mail@daniel-spilker.com (JIRA)

unread,
Mar 22, 2019, 10:11:02 AM3/22/19
to jenkinsc...@googlegroups.com
Daniel Spilker updated Improvement JENKINS-55918
 

This is already supported by Dynamic DSL:

job('example') {
    properties {
        envInjectJobProperty {
            info {
                propertiesFilePath('')
                propertiesContent('')
                scriptFilePath('')
                scriptContent('')
                loadFilesFromMaster(false)
                secureGroovyScript {
                    script('println "Hello')
                    sandbox(true)
                }
            }
        }
    }
}
Change By: Daniel Spilker
Status: Open Fixed but Unreleased
Resolution: Won't Fix

regs@akom.net (JIRA)

unread,
Mar 22, 2019, 10:28:01 AM3/22/19
to jenkinsc...@googlegroups.com
Alexander Komarov commented on Improvement JENKINS-55918
 
Re: Add support for groovy sandbox mode in environmentVariables closure

Thanks for that, I didn't realize that there are two different closures for envInject:

  • (root level) environmentVariables (what I was using)
  • (properties context) envInjectJobProperty (what you suggested)

For the record, for a clean switch from environmentVariables one to envInjectJobProperty, you also need an on(true):

// code placeholder
job('example') {
    properties {
        envInjectJobProperty {
            on(true)  // <---- This is off by default

            info {
                propertiesFilePath('')
                propertiesContent('')
                scriptFilePath('')
                scriptContent('')
                loadFilesFromMaster(false)
                secureGroovyScript {
                    script('println "Hello')
                    sandbox(true)
                }
            }
        }
    }
}

regs@akom.net (JIRA)

unread,
Mar 22, 2019, 10:55:03 AM3/22/19
to jenkinsc...@googlegroups.com
Alexander Komarov edited a comment on Improvement JENKINS-55918
Thanks for that, I didn't realize that there are two different closures for envInject:
* (root level) environmentVariables (what I was using)
* (properties context) envInjectJobProperty (what you suggested)

For the record, for a clean switch from environmentVariables one to envInjectJobProperty, you also need an *on(true)*:   (beware, keepSystemVariables default is also different)
{code :java }

// code placeholder
job('example') {
    properties {
        envInjectJobProperty {
            on(true)  // <---- This is off by default
            info {
                propertiesFilePath('')
                propertiesContent('')
                scriptFilePath('')
                scriptContent('')
                loadFilesFromMaster(false)
                secureGroovyScript {
                    script('println "Hello')
                    sandbox(true)
                }
            }
        }
    }
}
{code}

regs@akom.net (JIRA)

unread,
Mar 22, 2019, 10:56:01 AM3/22/19
to jenkinsc...@googlegroups.com
Alexander Komarov edited a comment on Improvement JENKINS-55918
Thanks for that, I didn't realize that there are two different closures for envInject:
* (root level) environmentVariables (what I was using)
* (properties context) envInjectJobProperty (what you suggested)

For the record, for a clean switch from environmentVariables one to envInjectJobProperty, you also need an *on(true)*: 

(beware, keepSystemVariables both Keep Variables default is settings are also different)

{code:java}
// code placeholder
job('example') {
    properties {
        envInjectJobProperty {
            on(true)  // <---- This is off by default
            info {
                propertiesFilePath('')
                propertiesContent('')
                scriptFilePath('')
                scriptContent('')
                loadFilesFromMaster(false)
                secureGroovyScript {
                    script('println "Hello')
                    sandbox(true)
                }
            }
        }
    }
}
{code}

mail@daniel-spilker.com (JIRA)

unread,
Mar 11, 2020, 9:08:05 AM3/11/20
to jenkinsc...@googlegroups.com
Change By: Daniel Spilker
Status: Fixed but Unreleased Closed
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
Atlassian logo
Reply all
Reply to author
Forward
0 new messages