
Jenkins asking for same script approval even after script is approved with the latest release plugin

    • Bug
    • Resolution: Unresolved
    • Trivial
    • script-security-plugin
    • None
    • 1366.vd44b_49a_5c85c

        [JENKINS-74781] Jenkins asking for same script approval even after script is approved with the latest release plugin

        Mark Waite added a comment -

        Please let me know if you need more information

        Please provide an example script that shows the failure. Others are much more likely to investigate if there is an example script that shows the issue.


        FNU added a comment -

        Please find the sample script below.

         

        import groovy.json.JsonSlurperClassic

        pipeline {
            agent any
            stages {
                stage('List Credentials') {
                    steps {
                        script {
                            input = "[{\"test\":\"test12\"}]"
                            println(input)
                            def inputJSON = new JsonSlurperClassic().parseText(input)
                            def keys = inputJSON.toSet() as List
                            println(keys)
                        }
                    }
                }
            }
        }

         


        Mark Waite added a comment - edited

        Thanks. Using that script, I can see the message the first time when it reports that JSONSlurper requires approval. After approval of that class, then the second run wants approval of a method on the JSONSlurper class. Once I've approved those two items, then no further approvals are required.

        I see no difference whether I use the previous release 1365.v4778ca_84b_de5 or the most recent release 1366.vd44b_49a_5c85c. With both releases, it requires two approvals for the JSONSlurper.parseText(String) method to be approved. Do you see something different?

        I modified your script slightly to be this:

        import groovy.json.JsonSlurperClassic
        
        pipeline {
            agent any
            stages {
                stage('Script approval test') {
                    steps {
                        script {
                            input = '[{"test":"test12"}]'
                            println(input)
                            def inputJSON = new JsonSlurperClassic().parseText(input)
                            def keys = inputJSON.toSet() as List
                            println(keys)
                        }
                    }
                }
            }
        }
        


        FNU added a comment -

        This is the error we were getting in the Jenkins system console.


        Mark Waite added a comment - edited

        That exception seems to point to StaticWhiteList.parse line 175 where the line that is being parsed is not recognized as a valid line. The first token on the parsed line is expected to be either "method" or "new" or "staticMethod" or "field" or "staticField" but the first token seems to be "SHA512:...".

        I think that indicates that the scriptApproval.xml file in the Jenkins home directory has been damaged or contains incorrect content. After interactive testing of the two test jobs that I was using, my scriptApproval.xml file looks like this:

        <?xml version='1.1' encoding='UTF-8'?>
        <scriptApproval plugin="script-security@1365.v4778ca_84b_de5">
          <approvedScriptHashes/>
          <approvedSignatures>
            <string>method groovy.json.JsonSlurperClassic parseText java.lang.String</string>
            <string>new groovy.json.JsonSlurperClassic</string>
            <string>staticMethod org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval get</string>
          </approvedSignatures>
          <aclApprovedSignatures/>
          <approvedClasspathEntries/>
          <pendingScripts/>
          <pendingSignatures/>
          <pendingClasspathEntries/>
        </scriptApproval>
        

        However, I see in my own archived scriptApproval.xml file, I have lines that start with "SHA512" as well, though they are in a configuration section called "approvedScriptHashes" and not in the section called "approvedSignatures".


        FNU added a comment - edited

        I think with the latest version of script security plugin the entry SHA512 was added. When we downgraded the plugin we had to delete this entry from the scriptApproval.xml for the downgraded version to work.

        I will try to replicate this on my local Jenkins and update you.


        Mark Waite added a comment -

        I think that you have an entry in "approvedSignatures" that belongs in "approvedScriptHashes". There should be no "SHA512" entries in the XML section for "approvedSignatures"
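
The check described in the comments above, as an added example that is not part of the original thread or the plugin's code: it scans a scriptApproval.xml for entries in the signature sections whose first token is not one of the kinds listed in the thread, and singles out misplaced "SHA512:" hashes. The sample file, its hash values and the function name are constructed for illustration; checking "aclApprovedSignatures" the same way is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# First tokens the thread lists as valid for a signature line.
VALID_KINDS = {"method", "new", "staticMethod", "field", "staticField"}
SIGNATURE_SECTIONS = ("approvedSignatures", "aclApprovedSignatures")
MISPLACED_HASH = "script hash in a signature section; belongs in approvedScriptHashes"
UNKNOWN_KIND = "first token is not a signature kind"

# Constructed sample: one hash where it belongs, one misplaced (values are fake).
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="script-security@PLACEHOLDER">
  <approvedScriptHashes>
    <string>SHA512:aaaa0000</string>
  </approvedScriptHashes>
  <approvedSignatures>
    <string>method groovy.json.JsonSlurperClassic parseText java.lang.String</string>
    <string>new groovy.json.JsonSlurperClassic</string>
    <string>SHA512:bbbb1111</string>
  </approvedSignatures>
  <aclApprovedSignatures/>
</scriptApproval>
"""

def audit_script_approval(xml_text):
    """Return (section, entry, reason) for every entry that is not a signature."""
    # Jenkins writes an XML 1.1 declaration, which Python's expat-based
    # parser does not accept, so drop the declaration before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(body)
    findings = []
    for section in SIGNATURE_SECTIONS:
        node = root.find(section)
        if node is None:
            continue
        for item in node.findall("string"):
            entry = (item.text or "").strip()
            first = entry.split(None, 1)[0] if entry else ""
            if first in VALID_KINDS:
                continue
            reason = MISPLACED_HASH if first.startswith("SHA512:") else UNKNOWN_KIND
            findings.append((section, entry, reason))
    return findings

if __name__ == "__main__":
    for section, entry, reason in audit_script_approval(SAMPLE):
        print(f"{section}: {entry!r}: {reason}")
```

Run it against a copy of the file taken from the Jenkins home directory, and review any flagged entry before editing the live file.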


        Basil Crow added a comment -

        Please provide steps to reproduce the problem from scratch on a clean Jenkins installation. For example, "install version X, run script Y, click button Z, and observe that a SHA512 entry is incorrectly present in the approved signatures section."


        FNU added a comment -

        In our organization we update all the Jenkins plugins every month, and we started observing this issue for the pipeline using groovy.json.JsonSlurperClassic after the script security plugin was updated last week (same pipeline was working before). And we downgraded the script security plugin to make it work for now.

        I will try to replicate this issue by installing Jenkins on my personal computer and update you.


        Basil Crow added a comment -

        Thanks prakashshetty1990! Were you able to reproduce the problem?


          Unassigned Unassigned
          prakashshetty1990 FNU