jenkinsci · jglick · Oct 25, 2024 · Oct 16, 2024 · Oct 16, 2024 · Oct 16, 2024
@@ -85,6 +85,11 @@ Administrators in security-sensitive environments should carefully consider whic
 operations to whitelist. Operations which change state of persisted objects (such as 
 Jenkins jobs) should generally be denied. Most `getSomething` methods are harmless.
 
+In case of highly secured environments, where only sandbox scripts are allowed, the 
+option "Force the use of the sandbox globally in the system" allows forcing the use of the 
+sandbox globally in the system and will block the creation of new items in the 
+"In-process Script Approval" screen.
+
 ### ACL-aware methods
 Be aware however that even some “getter” methods are designed to check specific 
 permissions (using an ACL: access control list), whereas scripts are often run by a system 

@@ -285,6 +285,9 @@
     /** All external classpath entries allowed used for scripts. */
     private /*final*/ TreeSet<ApprovedClasspathEntry> approvedClasspathEntries;
 
+    /** when this mode is enabled, the full logic for accepting/rejecting scripts will be hidden **/
+    private boolean forceSandbox;
+
     /* for test */ synchronized void addApprovedClasspathEntry(ApprovedClasspathEntry acp) {
         approvedClasspathEntries.add(acp);
     }
@@ -514,7 +517,9 @@
     }
 
     /* for test */ void addPendingClasspathEntry(PendingClasspathEntry pcp) {
-        pendingClasspathEntries.add(pcp);
+        if(!forceSandboxForCurrentUser()) {
+            pendingClasspathEntries.add(pcp);
+        }
     }
 
     @DataBoundConstructor
@@ -652,7 +657,9 @@
                 if (key != null) {
                     pendingScripts.removeIf(pendingScript -> key.equals(pendingScript.getContext().getKey()));
                 }
-                pendingScripts.add(new PendingScript(script, language, context));
+                if(!forceSandboxForCurrentUser()) {
+                    pendingScripts.add(new PendingScript(script, language, context));
+                }
             }
             save();
         }
@@ -733,7 +740,7 @@
                 approvedClasspathEntries.add(acp);
                 shouldSave = true;
             } else {
-                if (pendingClasspathEntries.add(pcp)) {
+                if (!forceSandboxForCurrentUser() && pendingClasspathEntries.add(pcp)) {
                     LOG.log(Level.FINE, "{0} ({1}) is pending", new Object[] {url, result.newHash});
                     shouldSave = true;
                 }
@@ -784,7 +791,7 @@
         if (!result.approved) {
             // Never approve classpath here.
             ApprovalContext context = ApprovalContext.create();
-            if (pendingClasspathEntries.add(new PendingClasspathEntry(result.newHash, url, context))) {
+            if (!forceSandboxForCurrentUser() && pendingClasspathEntries.add(new PendingClasspathEntry(result.newHash, url, context))) {
                 LOG.log(Level.FINE, "{0} ({1}) is pending.", new Object[]{url, result.newHash});
                 save();
             }
@@ -815,7 +822,9 @@
         }
 
         if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
-            return FormValidation.warningWithMarkup("A Jenkins administrator will need to approve this script before it can be used");
+            return FormValidation.warningWithMarkup(forceSandboxForCurrentUser()?
+                                                    Messages.ScriptApproval_ForceSandBoxMessage():
+                                                    Messages.ScriptApproval_PipelineMessage());
         } else {
             if ((ALLOW_ADMIN_APPROVAL_ENABLED && (willBeApproved || ADMIN_AUTO_APPROVAL_ENABLED)) || !Jenkins.get().isUseSecurity()) {
                 return FormValidation.okWithMarkup("The script has not yet been approved, but it will be approved on save.");
@@ -888,7 +897,7 @@
     @Deprecated
     public synchronized RejectedAccessException accessRejected(@NonNull RejectedAccessException x, @NonNull ApprovalContext context) {
         String signature = x.getSignature();
-        if (signature != null && pendingSignatures.add(new PendingSignature(signature, x.isDangerous(), context))) {
+        if (signature != null && !forceSandboxForCurrentUser() && pendingSignatures.add(new PendingSignature(signature, x.isDangerous(), context))) {
             save();
         }
         return x;
@@ -982,6 +991,22 @@
         reconfigure();
     }
 
+    @DataBoundSetter
+    public synchronized void setForceSandbox(boolean forceSandbox) {
+        this.forceSandbox = forceSandbox;
+        save();
+    }
+
+
+    public boolean isForceSandbox() {
+        return forceSandbox;
+    }
+
+    //ForceSandbox restrictions does not apply to ADMINISTER users.
+    public boolean forceSandboxForCurrentUser() {
+        return forceSandbox && !Jenkins.get().hasPermission(Jenkins.ADMINISTER);
+    }
+
     @Restricted(NoExternalUse.class) // Jelly, tests, implementation
     public synchronized String[] getApprovedScriptHashes() {
         return approvedScriptHashes.toArray(new String[approvedScriptHashes.size()]);

@@ -51,7 +51,8 @@ public class ScriptApprovalNote extends ConsoleNote<Object> {
 
     public static void print(TaskListener listener, RejectedAccessException x) {
         try {
-            String text = Messages.ScriptApprovalNote_message();
+            String text =  ScriptApproval.get().isForceSandbox()?
+                           Messages.ScriptApprovalNoteForceSandBox_message():Messages.ScriptApprovalNote_message();
             listener.getLogger().println(x.getMessage() + ". " + new ScriptApprovalNote(text.length()).encode() + text);
         } catch (IOException x2) {
             LOGGER.log(Level.WARNING, null, x2);

@@ -32,7 +32,7 @@ public final class UnapprovedUsageException extends SecurityException {
     private final String hash;
 
     UnapprovedUsageException(String hash) {
-        super("script not yet approved for use");
+        super(ScriptApproval.get().isForceSandbox()?Messages.UnapprovedUsage_ForceSandBox():Messages.UnapprovedUsage_NonApproved());
         this.hash = hash;
     }
 

@@ -2,7 +2,12 @@ ClasspathEntry.path.notExists=Specified path does not exist
 ClasspathEntry.path.notApproved=This classpath entry is not approved. Require an approval before execution.
 ClasspathEntry.path.noDirsAllowed=Class directories are not allowed as classpath entries.
 ScriptApprovalNote.message=Administrators can decide whether to approve or reject this signature.
+ScriptApprovalNoteForceSandBox.message=Script signature is not in the default whitelist.
 ScriptApprovalLink.outstandingScript={0} scripts pending approval
 ScriptApprovalLink.outstandingSignature={0} signatures pending approval
 ScriptApprovalLink.outstandingClasspath={0} classpath entries pending approval
-ScriptApprovalLink.dangerous={0} approved dangerous signatures
+ScriptApprovalLink.dangerous={0} approved dangerous signatures
+ScriptApproval.PipelineMessage=A Jenkins administrator will need to approve this script before it can be used
+ScriptApproval.ForceSandBoxMessage=Running scripts out of the sandbox is not allowed in the system
+UnapprovedUsage.NonApproved=script not yet approved for use
+UnapprovedUsage.ForceSandBox=Running scripts out of the sandbox is not allowed in the system
@@ -1,4 +1,9 @@
 <!-- Just ti satisfy GlobalConfiguration.getGlobalConfigPage() -->
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout" xmlns:f="/lib/form">
+    <f:section title="${%System Sandbox enablement}">
+        <f:entry field="forceSandbox" title="${%Force the use  of the sandbox globally in the system}">
+            <f:checkbox/>
+        </f:entry>
+    </f:section>
 </j:jelly>
@@ -0,0 +1,5 @@
+<div>
+    <p>Controls whether the "Use Groovy Sandbox" is shown in the system to users without Overall/Administer permission.</p>
+    <p>This can be used to simplify the UX in highly secured environments where all pipelines and other logics are
+        required to run in the sandbox (ie. running arbitrary code is never approved)</p>
+</div>
@@ -34,6 +34,7 @@
 import org.apache.tools.ant.AntClassLoader;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
 import org.jenkinsci.plugins.scriptsecurity.scripts.ClasspathEntry;
+import org.jenkinsci.plugins.scriptsecurity.scripts.Messages;
 import org.htmlunit.html.HtmlForm;
 import org.htmlunit.html.HtmlFormUtil;
 import org.htmlunit.html.HtmlPage;
@@ -224,7 +225,14 @@ private void addPostBuildAction(HtmlPage page) throws IOException {
         assertEquals(1, pendingScripts.size());
 
         // Test that the script is executable. If it's not, we will get an UnapprovedUsageException
-        assertThrows(UnapprovedUsageException.class, () -> ScriptApproval.get().using(groovy, GroovyLanguage.get()));
+        Exception ex = assertThrows(UnapprovedUsageException.class,
+                                    () -> ScriptApproval.get().using(groovy,GroovyLanguage.get()));
+        assertEquals(Messages.UnapprovedUsage_NonApproved(), ex.getMessage());
+
+        ScriptApproval.get().setForceSandbox(true);
+        ex = assertThrows(UnapprovedUsageException.class,
+                                    () -> ScriptApproval.get().using(groovy,GroovyLanguage.get()));
+        assertEquals(Messages.UnapprovedUsage_ForceSandBox(), ex.getMessage());
     }
 
     /**

@@ -19,6 +19,7 @@
 import static org.hamcrest.collection.IsIterableContainingInAnyOrder.containsInAnyOrder;
 import static org.hamcrest.core.StringContains.containsString;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 
 public class JcascTest {
 
@@ -43,6 +44,7 @@ public void smokeTestEntry() throws Exception {
         assertThat(logger.getMessages(), containsInAnyOrder(
                 containsString("Adding deprecated script hash " +
                         "that will be converted on next use: fccae58c5762bdd15daca97318e9d74333203106")));
+        assertTrue(ScriptApproval.get().isForceSandbox());
     }
 
     @Test

@@ -26,11 +26,19 @@
 
 import org.htmlunit.html.HtmlPage;
 import org.htmlunit.html.HtmlTextArea;
+import hudson.model.FreeStyleBuild;
 import hudson.model.FreeStyleProject;
+import hudson.model.Item;
 import hudson.model.Result;
+import hudson.model.User;
+import hudson.security.ACL;
+import hudson.security.ACLContext;
+import hudson.security.Permission;
 import hudson.util.VersionNumber;
+import hudson.util.FormValidation;
 import jenkins.model.Jenkins;
 import org.hamcrest.Matchers;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript;
 import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.TestGroovyRecorder;
@@ -40,10 +48,12 @@
 import org.jvnet.hudson.test.Issue;
 import org.jvnet.hudson.test.JenkinsRule;
 import org.jvnet.hudson.test.LoggerRule;
+import org.jvnet.hudson.test.MockAuthorizationStrategy;
 import org.jvnet.hudson.test.recipes.LocalData;
 import org.xml.sax.SAXException;
 
 import java.io.IOException;
+import java.net.URL;
 import java.util.List;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.logging.Level;
@@ -53,7 +63,9 @@
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.nullValue;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
 public class ScriptApprovalTest extends AbstractApprovalTest<ScriptApprovalTest.Script> {
@@ -195,6 +207,119 @@ public void reload() throws Exception {
                 r.assertBuildStatus(Result.FAILURE, p.scheduleBuild2(0).get()));
     }
 
+    @Test
+    public void forceSandboxTests() throws Exception {
+        r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
+
+        ScriptApproval.get().setForceSandbox(true);
+
+        MockAuthorizationStrategy mockStrategy = new MockAuthorizationStrategy();
+        mockStrategy.grant(Jenkins.READ).everywhere().to("devel");
+        for (Permission p : Item.PERMISSIONS.getPermissions()) {
+            mockStrategy.grant(p).everywhere().to("devel");
+        }
+
+        mockStrategy.grant(Jenkins.READ).everywhere().to("admin");
+        mockStrategy.grant(Jenkins.ADMINISTER).everywhere().to("admin");
+        for (Permission p : Item.PERMISSIONS.getPermissions()) {
+            mockStrategy.grant(p).everywhere().to("admin");
+        }
+
+        r.jenkins.setAuthorizationStrategy(mockStrategy);
+
+        try (ACLContext ctx = ACL.as(User.getById("devel", true))) {
+            assertTrue(ScriptApproval.get().isForceSandbox());
+            assertTrue(ScriptApproval.get().forceSandboxForCurrentUser());
+
+            final ApprovalContext ac = ApprovalContext.create();
+
+            //Insert new PendingScript - As the user is not admin and ForceSandbox is enabled, nothing should be added
+            {
+                ScriptApproval.get().configuring("testScript", GroovyLanguage.get(), ac, true);
+                assertTrue(ScriptApproval.get().getPendingScripts().isEmpty());
+            }
+
+            //Insert new PendingSignature - As the user is not admin and ForceSandbox is enabled, nothing should be added
+            {
+                ScriptApproval.get().accessRejected(
+                        new RejectedAccessException("testSignatureType", "testSignatureDetails"), ac);
+                assertTrue(ScriptApproval.get().getPendingSignatures().isEmpty());
+            }
+
+            //Insert new Pending ClassPatch - As the user is not admin and ForceSandbox is enabled, nothing should be added
+            {
+                ClasspathEntry cpe = new ClasspathEntry("https://www.jenkins.io");
+                ScriptApproval.get().configuring(cpe, ac);
+                ScriptApproval.get().addPendingClasspathEntry(
+                        new ScriptApproval.PendingClasspathEntry("hash", new URL("https://www.jenkins.io"), ac));
+                assertThrows(UnapprovedClasspathException.class, () -> ScriptApproval.get().using(cpe));
+                //As we are forcing sandbox, none of the previous operations are able to crete new pending ClasspathEntries
+                assertTrue(ScriptApproval.get().getPendingClasspathEntries().isEmpty());
+            }
+        }
+
+        try (ACLContext ctx = ACL.as(User.getById("admin", true))) {
+            assertTrue(ScriptApproval.get().isForceSandbox());
+            assertFalse(ScriptApproval.get().forceSandboxForCurrentUser());
+
+            final ApprovalContext ac = ApprovalContext.create();
+
+            //Insert new PendingScript - As the user is admin, the behavior does not change
+            {
+                ScriptApproval.get().configuring("testScript", GroovyLanguage.get(), ac, true);
+                assertEquals(1, ScriptApproval.get().getPendingScripts().size());
+            }
+
+            //Insert new PendingSignature -  - As the user is admin, the behavior does not change
+            {
+                ScriptApproval.get().accessRejected(
+                        new RejectedAccessException("testSignatureType", "testSignatureDetails"), ac);
+                assertEquals(1, ScriptApproval.get().getPendingSignatures().size());
+            }
+
+            //Insert new Pending ClassPatch -  - As the user is admin, the behavior does not change
+            {
+                ClasspathEntry cpe = new ClasspathEntry("https://www.jenkins.io");
+                ScriptApproval.get().configuring(cpe, ac);
+                ScriptApproval.get().addPendingClasspathEntry(
+                        new ScriptApproval.PendingClasspathEntry("hash", new URL("https://www.jenkins.io"), ac));
+                assertEquals(1, ScriptApproval.get().getPendingClasspathEntries().size());
+            }
+        }
+    }
+
+    @Test
+    public void forceSandboxScriptSignatureException() throws Exception {
+        ScriptApproval.get().setForceSandbox(true);
+        FreeStyleProject p = r.createFreeStyleProject("p");
+        p.getPublishersList().add(new TestGroovyRecorder(new SecureGroovyScript("jenkins.model.Jenkins.instance", true, null)));
+        FreeStyleBuild b = r.assertBuildStatus(Result.FAILURE, p.scheduleBuild2(0).get());
+        r.assertLogContains("Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance. " + Messages.ScriptApprovalNoteForceSandBox_message(), b);
+    }
+
+    @Test
+    public void forceSandboxFormValidation() throws Exception {
+        r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
+        r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy().
+            grant(Jenkins.READ, Item.READ).everywhere().to("dev"));
+
+        try (ACLContext ctx = ACL.as(User.getById("devel", true))) {
+            ScriptApproval.get().setForceSandbox(true);
+            {
+                FormValidation result = ScriptApproval.get().checking("test", GroovyLanguage.get(), false);
+                assertEquals(FormValidation.Kind.WARNING, result.kind);
+                assertEquals(Messages.ScriptApproval_ForceSandBoxMessage(), result.getMessage());
+            }
+
+            ScriptApproval.get().setForceSandbox(false);
+            {
+                FormValidation result = ScriptApproval.get().checking("test", GroovyLanguage.get(), false);
+                assertEquals(FormValidation.Kind.WARNING, result.kind);
+                assertEquals(Messages.ScriptApproval_PipelineMessage(), result.getMessage());
+            }
+        }
+    }
+
     private Script script(String groovy) {
         return new Script(groovy);
     }

@@ -4,3 +4,4 @@ security:
     - method java.net.URI getHost
     approvedScriptHashes:
     - fccae58c5762bdd15daca97318e9d74333203106
+    forceSandbox: true
@@ -2,3 +2,4 @@ approvedScriptHashes:
 - "fccae58c5762bdd15daca97318e9d74333203106"
 approvedSignatures:
 - "method java.net.URI getHost"
+forceSandbox: true