JENKINS-73941 - ForceSandbox - Unify logic in Script-Security for reducing techDeb #952

Merged
merged 5 commits into from
Nov 13, 2024
2 changes: 1 addition & 1 deletion plugin/pom.xml
Expand Up @@ -57,7 +57,7 @@
<dependency>
<groupId>org.jenkins-ci.plugins</groupId>
<artifactId>script-security</artifactId>
<version>1367.vdf2fc45f229c</version>
<version>1371.vc2f1467cb_d7e</version>
</dependency>
</dependencies>
</dependencyManagement>
Expand Up @@ -88,11 +88,7 @@ public CpsFlowDefinition(String script) throws Descriptor.FormException {

@DataBoundConstructor
public CpsFlowDefinition(String script, boolean sandbox) throws Descriptor.FormException {
if (!sandbox && ScriptApproval.get().isForceSandboxForCurrentUser()) {
// this will end up in the /oops page until https://github.com/jenkinsci/jenkins/pull/9495 is picked up
throw new Descriptor.FormException("Sandbox cannot be disabled. This Jenkins instance has been configured to not " +
"allow regular users to disable the sandbox in pipelines", "sandbox");
}
ScriptApproval.validateSandbox(sandbox);
StaplerRequest req = Stapler.getCurrentRequest();
this.script = sandbox ? script : ScriptApproval.get().configuring(script, GroovyLanguage.get(),
ApprovalContext.create().withCurrentUser().withItemAsKey(req != null ? req.findAncestorObject(Item.class) : null), req == null);
Expand Down Expand Up @@ -192,10 +188,7 @@ public JSON doCheckScriptCompile(@AncestorInPath Item job, @QueryParameter Strin

@Restricted(NoExternalUse.class) // stapler
public boolean shouldHideSandbox(@CheckForNull CpsFlowDefinition instance) {
// sandbox checkbox is shown to admins even if the global configuration says otherwise
// it's also shown when sandbox == false, so regular users can enable it
return ScriptApproval.get().isForceSandboxForCurrentUser()
&& (instance == null || instance.sandbox);
return ScriptApproval.shouldHideSandbox(instance, CpsFlowDefinition::isSandbox);
}

}
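Review bot: The two one-line delegations in `CpsFlowDefinition(String, boolean)` and `shouldHideSandbox` leave the file with no statement of the forced-sandbox policy, because the comments that explained it went away with the inlined logic. A reader can no longer tell that the constructor call is the enforcement point and that hiding the checkbox is presentation only. I would add `// Enforcement point: expected to reject sandbox == false when the sandbox is forced for the current user` above `ScriptApproval.validateSandbox(sandbox);`. On `shouldHideSandbox` I would restore the old intent as `// UI only: the checkbox stays visible to admins and when sandbox == false, so a regular user can still enable it`. Neither `validateSandbox` nor the static `shouldHideSandbox` is visible on this page, so it is worth confirming against script-security that the rejection still surfaces as a `Descriptor.FormException` on the `sandbox` field. The constructor body continues outside the hunk.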