JENKINS-73941 - Option to hide "Use Groovy Sandbox" for users without Administer permission globally in the system

[jgarciacloudbees]

JENKINS-73941

This is partially implemented in JENKINS-73470, where we created the new option "Hide Sandbox checkbox in pipeline jobs", but it was created in the scope of the workflow-cps-plugin.

The scope of this ticket is just to create the global option at the "script-security-plugin" scope and block the creation of new objects pending of approval.

This is usefull for highly secured environments where everything should be executed in SandBox, so we are removing the option to regular users to create pending to review scripts.

To do that, we have created the new option "forceSandbox" and created the method

org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.isForceSandbox() 

To provide the new property to the dependand plugins using sandbox.

The next steps for this ticket is to modify the specific plugins to disable the sandbox checkbox based on this new property, forcing the nonadmin user to use the sandbox when creating new objects.

Workflow-cps-plugin PR:
jenkinsci/workflow-cps-plugin#948

Testing done

Created new testing cases when the new option is enabled, to make sure this is blocking the creating of new pending to approve objects.

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[mikecirioli]

looks good, just small changes to some text

[jgarciacloudbees]

We have some flaky tests failure, Closing and Reopening to force running again the checks.

[jglick]

You forgot to conditionally hide

script-security-plugin/src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript/config.jelly

Lines 34 to 39 in 4778ca8

	<f:entry field="sandbox">
	<f:checkbox title="${%Use Groovy Sandbox}" default="${!h.hasPermission(app.ADMINISTER)}" />
	</f:entry>
	<f:entry title="${%Additional classpath}" field="classpath">
	<f:repeatableProperty add="${%Add entry}" header="${%Classpath entry}" field="classpath"/>
	</f:entry>

From searching around, for example try this plugin: https://github.com/jenkinsci/secure-post-script-plugin/blob/a8c196d18a8e034a66ee7cea13b8132a18e77197/src/main/resources/io/jenkins/plugins/securepostscript/SecurePostScriptConfiguration/config.jelly#L3-L6

[jglick]

@jgarciacloudbees please avoid force-pushing to a PR branch as it sometimes breaks the GH feature of allowing reviewers to only display changes since the last review.

[jglick]

#584 (comment) desirable while we are here