Reputation: 3102
In my jenkins pipeline file I use the JsonSlurperClassic to read build configurations from a .json file. This however introduces code that needs to be approved over the in-process Script Approval page. This works fine when I do it over the GUI.
However I also have a script that automatically sets up my jenkins machine which should create a ready-to-work machine that does not require further GUI operations. This script already uses the jenkins script console to approve slave start-up commands. The groovy code that is executed in the script console to do this looks like this.
def language = 'system-command';
def scriptSnippet = 'ssh me@slavemachine java -jar ~/bin/slave.jar';
def scriptApproval = Jenkins.instance.getExtensionList(
'org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval')[0];
def scriptHash = scriptApproval.hash(scriptSnippet, language);
scriptApproval.approveScript(scriptHash);
This works fine, but now I want to use the same code to approve the script snippets that come from my pipeline. I exchanged the first two lines with
def language = 'groovy'
def scriptSnippet = 'new groovy.json.JsonSlurperClassic';
where the scriptSnippet is taken from the scriptApproval.xml file.
Executing this adds a new <approvedScriptHashes> entry to the scriptApproval.xml file but does not remove the <pendingSignature> entry that contains the script snippet. This means it does not work.
My guess is that the language is wrong, but other values I tried like groovy-sh or system-commands did not work either. Do you have any ideas why it does not work?
Thank you for your time.
Upvotes: 19
Views: 12553
Reputation: 49
I know this is an old post, but I thought if anyone else is looking for answers then this could help. If you already have a list of known signatures for script approvals and if you would like to do all of the approvals at once, then the snippet mentioned in the below link works well.
Here's a groovy script to pre-populate script approvals
Upvotes: 0
Reputation: 79
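import org.jenkinsci.plugins.scriptsecurity.scripts.*
// Copy the pending scripts first, because approving an entry removes it from the pending set.
toApprove = ScriptApproval.get().getPendingScripts().collect()
// Approve every pending script by its hash; the script content is not inspected.
toApprove.each {pending -> ScriptApproval.get().approveScript(pending.getHash())}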
Upvotes: 7
Reputation: 10395
You can use the ScriptApproval#approveSignature method. Here is an example that works on my Jenkins 2.85:
def signature = 'new groovy.json.JsonSlurperClassic'
org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.get().approveSignature(signature)
Upvotes: 25
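An added example, not part of any post above and not the plugin's own code: a script-console provisioning step that approves only an explicit, reviewed list of signatures and then verifies the result, instead of approving whatever happens to be pending. The allowlist entries are constructed for illustration (the second one is an assumption about what a pipeline using JsonSlurperClassic would request); the `signature` field on pending entries is assumed from the Script Security plugin's PendingSignature class.

```groovy
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval

// Constructed allowlist: only signatures that were reviewed for this pipeline.
def wanted = [
    'new groovy.json.JsonSlurperClassic',
    'method groovy.json.JsonSlurperClassic parseText java.lang.String', // assumed entry
]

def approval = ScriptApproval.get()
def alreadyApproved = approval.getApprovedSignatures() as Set

// Approve by signature, not by script hash: a sandbox signature is a different
// kind of entry than a whole-script hash, which is why approveScript(hash)
// left the <pendingSignature> entry in place in the question.
wanted.each { sig ->
    if (sig in alreadyApproved) {
        println "already approved: ${sig}"
    } else {
        approval.approveSignature(sig)
        println "approved: ${sig}"
    }
}

// Verify the outcome so the setup script fails loudly instead of leaving
// a half-configured controller behind.
def approvedNow = approval.getApprovedSignatures() as Set
def missing = wanted.findAll { !(it in approvedNow) }
if (missing) {
    throw new IllegalStateException("signatures not approved: ${missing}")
}

// Report anything still pending that is NOT on the allowlist. These are left
// for a human to review rather than being approved automatically.
def unexpected = approval.getPendingSignatures()
        .collect { it.signature }
        .findAll { !(it in wanted) }
unexpected.each { println "pending, needs review: ${it}" }
```

Running it twice is safe: the second run only prints "already approved" lines and the list of pending signatures that still need review.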