Pre-approval of Groovy script files


Clément

Oct 4, 2017, 10:58:05 AM
to Jenkins Users
Hi everyone!

I'm preparing the migration of my Jenkins project to Jenkins 2,
and it seems that Groovy scripts are not managed the same way.

I have numerous jobs which use Groovy scripts.
Some of them are very small and "inlined" in the job config.
For those scripts, the current approval system is OK.

Some of them are a bit longer and are managed in a git repository.
For those scripts, the current approval system uses the "white box" method.

That's not very good for me, because these scripts go deep into the Jenkins API.

It seems that the newer version of Jenkins is safer, but it makes things a bit difficult.
(I don't want to relaunch the same job XXX times to approve each method called.)

I would like to find a plugin or a method that would allow me to approve a script file, or
to manage a list of Groovy scripts that could then be used by my jobs without further approval.

If you're familiar with what I'm talking about, thanks for letting me know.

Regards.

Clément.

Darragh Bailey

Aug 31, 2018, 7:26:10 AM
to Jenkins Users
Hi,

I have a similar problem upgrading to a more recent image; we were stuck on 2.19 for some time, and are now trying to roll forward to the latest LTS.

We have a number of Groovy scripts that are triggered by jobs and need to execute in a system context (the system Groovy build step from https://wiki.jenkins.io/display/JENKINS/Groovy+plugin).

Currently, in testing, I can just approve these scripts via the management console, but for automated deployment I'd like a way to manage which scripts are approved.

Seeing a similar problem to yours; wondering if there has been any progress in this area?

Looking around, one approach seems to be to take the script, generate a hash and then add it to the list of approved hashes stored within Jenkins, using an API similar to the one mentioned at https://stackoverflow.com/a/48234868/1597808 to approve script hashes dynamically, and to place this in the init Groovy for the Docker image. See https://github.com/cloudbees/jenkins-scripts/blob/master/pipeline-approval-scripts.groovy for examples of this.

However, this means I need to keep a copy of the script with the Dockerfile, or make sure to add the updated hash each time the Groovy script definition changes and then update the image and update the jobs. As this system Groovy script behaves more like a lightweight custom plugin, it would seem more useful if the script could simply be delivered with the Jenkins container image, and the jobs updated to load and execute the script as provided.

Looking at the Managed Script plugin (https://wiki.jenkins.io/display/JENKINS/Managed+Script+Plugin) was initially promising, but there doesn't appear to be any way to execute managed files as system Groovy scripts.

So far, the only thing I can think of is to change the jobs to use a small Groovy script that runs under the system Groovy build step and is set to load a predefined file from the master and execute it; then use the same file on the master to generate the hash and pre-approve it on startup, and keep the main bulk of the script contents distributed along with the master.

This should avoid the main script being maintained in two places, and only pre-approves a smaller script that should not need to change whenever we update the main script.

Is there any better approach to this?

Thanks,
Darragh
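The two-piece design described in the post above (a fixed loader pre-approved by hash at startup, plus a bulk script shipped with the master and never hashed), written out as an added example. This is not code from the thread, from the Groovy plugin or from the script-security plugin; it uses the script-security plugin's `ScriptApproval.preapprove(String, Language)` and Groovy's `Script.evaluate(File)`, and the directory name `approved-system-scripts`, the file names `loader.groovy` and `main.groovy`, and the init script name are assumptions made for the example.

```groovy
// ---- File 1 (assumed path): $JENKINS_HOME/init.groovy.d/50-preapprove-loader.groovy ----
// Runs at master startup and records the loader's hash as approved, exactly as
// clicking "Approve" under Manage Jenkins > In-process Script Approval would.
import jenkins.model.Jenkins
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval
import org.jenkinsci.plugins.scriptsecurity.scripts.languages.GroovyLanguage

// Directory baked into the image; it must be writable only by the Jenkins admin,
// because anything placed here runs with SYSTEM privileges via the loader.
// Directory and file names are assumptions for this example.
File approvedDir = new File(Jenkins.instance.rootDir, 'approved-system-scripts')
File loader = new File(approvedDir, 'loader.groovy')

if (!loader.isFile()) {
    println "WARNING: ${loader} not found, system Groovy jobs will stay unapproved"
} else {
    // Approval is keyed on a hash of the exact script text, so each job must embed
    // loader.groovy byte-for-byte (same whitespace, same trailing newline).
    ScriptApproval.get().preapprove(loader.text, GroovyLanguage.get())
    println "Pre-approved system Groovy loader: ${loader.canonicalPath}"
}

// ---- File 2 (assumed path): approved-system-scripts/loader.groovy ----
// Paste this text unchanged into each job's "Execute system Groovy script" step.
// It is the only piece whose hash is stored in Jenkins, so it should rarely change.
import jenkins.model.Jenkins

File approvedDir = new File(Jenkins.instance.rootDir, 'approved-system-scripts')
// The file to run is fixed here rather than taken from a build parameter or an
// environment variable: those can be influenced by whoever can trigger the build,
// which would turn this loader into "run anything as SYSTEM".
File target = new File(approvedDir, 'main.groovy')

// Belt-and-braces check that the resolved path stays inside the approved directory.
if (!target.canonicalPath.startsWith(approvedDir.canonicalPath + File.separator)) {
    throw new IllegalStateException("refusing to load ${target} from outside ${approvedDir}")
}
if (!target.isFile()) {
    throw new IllegalStateException("missing pre-approved script ${target}")
}

// Script.evaluate(File) runs main.groovy with this script's binding, so the
// system Groovy step's `build`, `launcher`, `listener` and `out` are visible to it.
// Because the loader itself runs unsandboxed, main.groovy runs unsandboxed too.
evaluate(target)
```

The trade-off to keep in mind: `main.groovy` is never hashed, so its integrity rests entirely on filesystem permissions for `approved-system-scripts`. Any account or agent that can write to the master's filesystem there (including a job whose workspace lives on the master node) gains full-SYSTEM code execution, which is why the loader takes no input from the build and why the directory should be owned by the image, not by Jenkins jobs. If a later edit to the loader changes even one byte, the stored hash no longer matches and every job using it goes back to "pending approval" until the init script runs again with the new text.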