[workflow-plugin] Technical limitations for a workflow Groovy script


Benjamin Muschko

Feb 6, 2015, 3:01:25 PM
to jenkins...@googlegroups.com
Hi,

I was wondering what the technical limitations are for a workflow Groovy script, more specifically:

1) Is it possible to use classes like StringBuilder?

Example:

stage 'tryout'
node {
    useStringBuilder() 
}

def useStringBuilder() {
    echo "Before usage"
    StringBuilder test = new StringBuilder()
    echo "After usage"
}

If I use this method in my flow.groovy script, the job never seems to print out "After usage". Instead I get the message: "org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.lang.StringBuilder". Are "restricted" classes documented somewhere? Why is there a restriction?

2) Can you define your own classes within the Groovy script? 

stage 'tryout'
node {
    new HelloWorld().printMessage()
}

class HelloWorld {
    def printMessage() {
        echo "Hello World"        
    }   
}

If I create an instance of a custom class, I get the following message: "org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object".

3) Is there a way to reuse methods or classes across multiple jobs? How do you envision reusable code?

In all of these cases, I'd like to consume an existing, checked-in Groovy script via "Groovy CPS DSL from SCM".

Thanks,

Ben

Baptiste Mathus

Feb 7, 2015, 2:46:12 AM
to jenkins...@googlegroups.com
Hi,
As the inline documentation says (see the question marks on the right), this is because your code runs in sandboxed mode/you're not an admin:
if Use Groovy Sandbox is checked, or you are not an administrator, not all APIs will be available.

(Though I somehow agree that at first sight StringBuilder could be whitelisted).

About sharing libraries, I guess this doc could help: https://github.com/jenkinsci/workflow-plugin/blob/master/cps-global-lib/README.md

HTH

--
Baptiste <Batmat> MATHUS - http://batmat.net
Sauvez un arbre,
Mangez un castor !

Baptiste Mathus

Feb 7, 2015, 2:57:08 AM
to jenkins...@googlegroups.com
IIUC, for the moment only GStrings are whitelisted: see https://github.com/jenkinsci/workflow-plugin/blob/master/cps/src/main/java/org/jenkinsci/plugins/workflow/cps/CpsWhitelist.java#L54

I guess we'll need feedback of Jesse or Kohsuke as to where they want to go about that: filing JIRAs for classes to be whitelisted? another way?

IMO this is still a WIP, as you can for example read in the changelog some weeks ago


Cheers


Benjamin Muschko

Feb 7, 2015, 11:49:37 AM
to jenkins...@googlegroups.com, bma...@batmat.net


On Saturday, February 7, 2015 at 2:46:12 AM UTC-5, Baptiste Mathus wrote:
> Hi,
> As the inline documentation says (see the question marks on the right), this is because your code runs in sandboxed mode/you're not an admin:
> if Use Groovy Sandbox is checked, or you are not an administrator, not all APIs will be available.

Based on the question mark description of the Script path element when "Groovy CPS DSL from SCM" is selected, the selected Groovy script is always run inside a sandbox. The description says:

Relative location within the checkout of your Workflow script. Note that it will always be run inside a Groovy sandbox.

Why is there a limitation for this option?

> (Though I somehow agree that at first sight StringBuilder could be whitelisted).

OK.

> About sharing libraries, I guess this doc could help: https://github.com/jenkinsci/workflow-plugin/blob/master/cps-global-lib/README.md

Thanks for the link. It's not clear to me how I can reuse the logic across multiple jobs. The description says "This plugin adds that functionality by creating a "shared library script" Git repository inside Jenkins. Every workflow script in your Jenkins see these shared library scripts in their classpath." but where do I configure that?

Timur Batyrshin

Feb 9, 2015, 10:24:30 AM
to jenkins...@googlegroups.com, m...@batmat.net
Hi,

To allow certain signatures in Groovy Sandbox go to "Manage Jenkins -> In-process Script Approval".
Please note that if you catch this kind of exception, the signatures will not appear there.

Timur
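
An added example, not part of the original thread or of Jenkins itself: a Python script that extracts the rejected signatures, in the form shown in the error messages quoted in this thread, from saved console output so an administrator can review them before approving anything under In-process Script Approval. The function name, the sample log and the `BROAD_RECEIVERS` heuristic are assumptions of this example.

```python
import re

# Signature kinds used in script-security approval entries.
KINDS = ("staticMethod", "staticField", "method", "field", "new")
REJECTED = re.compile(
    r"RejectedAccessException: Scripts not permitted to use "
    r"(?P<kind>" + "|".join(KINDS) + r") (?P<cls>[\w.$]+)"
    r'(?: (?P<rest>[^"\r\n]*))?'
)
# This example's own heuristic, not a Jenkins list: receiver types so general
# that approving a member on them affects nearly every object in a script.
BROAD_RECEIVERS = {"groovy.lang.GroovyObject", "java.lang.Object"}


def rejected_signatures(console_text):
    """Map each distinct rejected signature to its parsed parts and hit count."""
    found = {}
    for m in REJECTED.finditer(console_text):
        kind, cls = m.group("kind"), m.group("cls")
        parts = (m.group("rest") or "").split()
        # Constructors have no member name; what follows the class is arguments.
        member = None if kind == "new" or not parts else parts.pop(0)
        sig = " ".join([kind, cls] + ([member] if member else []) + parts)
        entry = found.setdefault(sig, {
            "kind": kind, "class": cls, "member": member,
            "args": parts, "broad": cls in BROAD_RECEIVERS, "hits": 0,
        })
        entry["hits"] += 1
    return found


# Constructed console output; the two messages are the ones quoted in this
# thread, and the stack frame line is a placeholder.
SAMPLE_LOG = """\
Before usage
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.lang.StringBuilder
\tat example.Placeholder.run(Placeholder.java:1)
Before usage
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new java.lang.StringBuilder
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object
"""

if __name__ == "__main__":
    for sig, info in sorted(rejected_signatures(SAMPLE_LOG).items()):
        note = "  <-- broad receiver, review before approving" if info["broad"] else ""
        print(f'{info["hits"]}x {sig}{note}')
```
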

Jesse Glick

Feb 25, 2015, 6:14:09 PM
to jenkins...@googlegroups.com, m...@batmat.net
On Saturday, February 7, 2015 at 2:57:08 AM UTC-5, Baptiste Mathus wrote:
> I guess we'll need feedback of Jesse or Kohsuke as to where they want to go about that: filing JIRAs for classes to be whitelisted?

There are so many obvious candidates that JIRA issues would be less than helpful, but a PR against script-security whitelisting some clearly safe calls would be welcome. (Preferably adding tests showing that example usages do run using the GenericWhitelist.)