simpleBuild - a pipeline DSL (and a sad tale about sandboxes)


Michael Neale

Feb 4, 2016, 3:07:17 AM
to Jenkins Developers
Inspired by Jesse's example DSL using docker workflow, I thought I would see how far I could take things in making DSLs. 
I wanted to make things that looked very similar to what people do with tools like travis - something at home in a Jenkinsfile that anyone can open, and read and immediately comprehend, for simple cases, what the build instructions are. 

This is mostly pretty easy: I have put it here for now https://github.com/michaelneale/jenkinsfile (until I sort out some issues). 
It can work with or without docker workflow (you just specify an image, or not), sends emails (even on failure), sets environment variables, etc.; of course I would love for it to do more. 

However, one road block has been my use of literal maps and the sandbox. This all works grand if I don't use the sandbox, but use the sandbox (or multibranch/SCM, which enables sandbox), and sadness results that I can't work out how to get around:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use field java.util.HashMap$Node key
at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectField(StaticWhitelist.java:169)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.rejectField(SandboxInterceptor.java:195)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:

- this shows up when I enable the sandbox (sadbox?). 

It seems NOTHING in java.util.Map is whitelisted. I am using maps at the moment as it makes for a nice DSL similar to what people may see elsewhere. For example: 

simpleBuild {

    script = 'echo after $FOO'

    // Groovy map literal: key: value
    notifications = [
        email : "mne...@cloudbees.com"    
    ]

    env = [
        FOO : "well hello",
        BAR : "I don't even need to be here"
    ]

}

This is valid and works great *without* sandbox, but fails on notifications with sandbox on.  The notifications item (config.notifications in the DSL, from the closure passed into simpleBuild) is a java.util.Map. If I look closer, it's actually a LinkedHashMap. 

Does anyone have ideas on ways to get around this? The literal map notation is very neat, and would take no time for someone to glance at and follow; however, I don't see a way of working with a Map (I can call size() it seems, but nothing else; I can't get the values() or keySet() collections etc.). 

Any ideas appreciated (perhaps using maps is inferior to another approach, which I would like to see; however, I love the idea of staying in pipeline-groovy script, with a DSL, as this takes away NONE of the power). 

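As an added illustration (not code from the simpleBuild repository), here is the closure-delegate shape such a DSL takes in plain Groovy, with comments marking the map accesses that the script-security sandbox intercepts as described in this thread; SimpleBuildConfig, the return value and the sample e-mail address are assumptions made for the example.

```groovy
// Assumed config holder; the user's closure assigns into it via the delegate.
class SimpleBuildConfig {
    String script
    Map notifications = [:]
    Map env = [:]
}

def simpleBuild(Closure body) {
    def config = new SimpleBuildConfig()
    body.resolveStrategy = Closure.DELEGATE_FIRST
    body.delegate = config
    body()   // runs the Jenkinsfile block: script = ..., env = [...] etc.

    // Every access below is a separate call the sandbox checks against its
    // whitelist, so size() succeeding says nothing about the next call.
    def envList = []
    config.env.each { entry ->
        // entry.key / entry.value are where the thread's rejection surfaces:
        // the LinkedHashMap entries are HashMap$Node objects, and reading
        // their key/value needs the Map$Entry getters approved.
        envList << "${entry.key}=${entry.value}".toString()
    }
    // Subscript access is Map.get(Object), a different signature again.
    String recipient = config.notifications['email']
    return [script: config.script, env: envList, email: recipient]
}

// Usage mirroring the Jenkinsfile in the post (address is a placeholder).
def result = simpleBuild {
    script = 'echo after $FOO'
    notifications = [email: 'someone@example.com']
    env = [FOO: 'well hello', BAR: "I don't even need to be here"]
}
assert result.env == ['FOO=well hello', "BAR=I don't even need to be here"]
assert result.email == 'someone@example.com'
```

Outside the sandbox this runs as-is; inside it, each rejected signature shows up in the script approval list and can be approved individually rather than opening up all of java.util.Map.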
domi

Feb 4, 2016, 3:33:07 AM
to Jenkins Developers
I guess you already tried to prove the required calls in the script security plugin?
/Domi


--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/685d07ee-0748-4666-924b-015113392ad7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Michael Neale

Feb 4, 2016, 3:51:39 AM
to Jenkins Developers
Did you mean "approve"? If so, then yes. 

I should have mentioned I would like this to work with anyone's setup, without adding special rules (if it was packaged as a plugin I guess it could provide its own whitelist, but I wonder why Map methods aren't on the static whitelist already; I assume there is a reason). 

Jesse Glick

Feb 4, 2016, 9:41:21 AM
to Jenkins Dev
Try `[k: v]` not `[k = v]`, and file bugs in `script-security-plugin` (label `workflow`) as needed.

Robert Sandell

Feb 4, 2016, 9:51:12 AM
to jenkin...@googlegroups.com
I know from experience that map.isEmpty() is not whitelisted by default. But things like [k: v] and map[k] = v should work, since I use them often for the parallel step and I don't remember tearing out what little hair I have left the first time I tried it. ;)

/B

On Thu, Feb 4, 2016 at 3:41 PM, Jesse Glick <jgl...@cloudbees.com> wrote:

Try `[k: v]` not `[k = v]`, and file bugs in `script-security-plugin` (label `workflow`) as needed.

--
Robert Sandell
Software Engineer
CloudBees Inc.

Jesse Glick

Feb 4, 2016, 4:06:54 PM
to Jenkins Dev
On Thu, Feb 4, 2016 at 9:51 AM, Robert Sandell <rsan...@cloudbees.com> wrote:
> I know by experience that map.isEmpty() is not whitelisted by default.

Just propose a PR in `script-security-plugin` where you run across
obvious cases. It takes just a few minutes.

Michael Neale

Feb 4, 2016, 5:10:55 PM
to Jenkins Developers
That was a copy-paste error; I did use the correct map literal syntax of ":". 

As Bobby said, the map does work; however, you can't really access any of it without whitelisting (I will work on that, should be fine). 

Michael Neale

Feb 5, 2016, 4:58:06 AM
to Jenkins Developers
Only really needed to get to key and value of Map$Entry: 


I am also looking at putting this in a plugin; I haven't quite worked out how to load a function (vs. a class) into the global scope yet. 

James Dumay

Feb 6, 2016, 2:05:17 AM
to Jenkins Developers
This is a really cool idea, Michael; I'd love to see the Pipeline DSL be easy for novices. Travis, etc. have made it look so simple, and I believe we could improve Pipeline adoption if we had a similar answer.