-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JENKINS-73941 - Option to hide "Use Groovy Sandbox" for users without Administer permission globally in the system #584
Conversation
… Administer permission globally in the system
…andbox mode enabled
… in the system' help
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good, just small changes to some text
src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/Messages.properties
Outdated
Show resolved
Hide resolved
src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/Messages.properties
Outdated
Show resolved
Hide resolved
src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/config.jelly
Outdated
Show resolved
Hide resolved
...resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/help-forceSandbox.html
Outdated
Show resolved
Hide resolved
Co-authored-by: michael cirioli <mikecirioli@gmail.com>
We have some flaky tests failure, Closing and Reopening to force running again the checks. |
src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalNote.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/UnapprovedUsageException.java
Outdated
Show resolved
Hide resolved
src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/config.jelly
Outdated
Show resolved
Hide resolved
...resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/help-forceSandbox.html
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java
Outdated
Show resolved
Hide resolved
src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java
Outdated
Show resolved
Hide resolved
Co-authored-by: Antonio Muniz <amuniz@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You forgot to conditionally hide
Lines 34 to 39 in 4778ca8
<f:entry field="sandbox"> | |
<f:checkbox title="${%Use Groovy Sandbox}" default="${!h.hasPermission(app.ADMINISTER)}" /> | |
</f:entry> | |
<f:entry title="${%Additional classpath}" field="classpath"> | |
<f:repeatableProperty add="${%Add entry}" header="${%Classpath entry}" field="classpath"/> | |
</f:entry> |
From searching around, for example try this plugin: https://github.com/jenkinsci/secure-post-script-plugin/blob/a8c196d18a8e034a66ee7cea13b8132a18e77197/src/main/resources/io/jenkins/plugins/securepostscript/SecurePostScriptConfiguration/config.jelly#L3-L6
...resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/help-forceSandbox.html
Outdated
Show resolved
Hide resolved
src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/config.jelly
Outdated
Show resolved
Hide resolved
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
1019813
to
4e97712
Compare
@jgarciacloudbees please avoid force-pushing to a PR branch as it sometimes breaks the GH feature of allowing reviewers to only display changes since the last review. |
...esources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript/config.jelly
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java
Outdated
Show resolved
Hide resolved
src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/config.jelly
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#584 (comment) desirable while we are here
Co-authored-by: Jesse Glick <jglick@cloudbees.com>
JENKINS-73941
This is partially implemented in JENKINS-73470, where we created the new option "Hide Sandbox checkbox in pipeline jobs", but it was created in the scope of the workflow-cps-plugin.
The scope of this ticket is just to create the global option at the "script-security-plugin" scope and block the creation of new objects pending of approval.
This is usefull for highly secured environments where everything should be executed in SandBox, so we are removing the option to regular users to create pending to review scripts.
To do that, we have created the new option "forceSandbox" and created the method
To provide the new property to the dependand plugins using sandbox.
The next steps for this ticket is to modify the specific plugins to disable the sandbox checkbox based on this new property, forcing the nonadmin user to use the sandbox when creating new objects.
Workflow-cps-plugin PR:
jenkinsci/workflow-cps-plugin#948
Testing done
Created new testing cases when the new option is enabled, to make sure this is blocking the creating of new pending to approve objects.
Submitter checklist