Run Restricted Groovy API in Jenkins

Recent versions of Jenkins have tightened security. Unfortunately, a side effect is that scripts which used to run now fail. An example is:

jenkins.model.Jenkins.getInstance().getAllItems().each {
  // MavenModule is a superfluous project returned by getAllItems()
  if (!(it instanceof hudson.maven.MavenModule ||
        it instanceof hudson.matrix.MatrixConfiguration)) {
      println it
  }
}

... which would list the projects defined in Jenkins.

Fortunately, you can still get access to this API via the In-process Script Approval plugin (which is installed by default).

Jenkins in-script approval

If the script (pipeline) is versioned or executed in the sandbox, then you'll need to approve method by method. If the script is not versioned, then you have the option to execute it outside the sandbox. Then, you'll need an admin to approve the whole script for execution.

If your script fails and you (the admin) don't see the In-process Script Approval entry in Jenkins configuration, then you might want to try this approach. It worked for me.

The configuration file

The security plugin has its own configuration file located in Jenkins' home and named scriptApproval.xml. Its content is similar to:

<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="[email protected]">
  <approvedScriptHashes>
    <string>705f896c68383ad71d10f70670298ec4f664b61f</string>
    <string>9b9b5196b15ba471895810c17e27001017edfb62</string>
  </approvedScriptHashes>
  <approvedSignatures>
    <string>field hudson.maven.reporters.MavenArtifact artifactId</string>
    <string>field hudson.maven.reporters.MavenArtifact canonicalName</string>
    <string>field hudson.maven.reporters.MavenArtifact classifier</string>
    <string>field hudson.maven.reporters.MavenArtifact groupId</string>
    <string>field hudson.maven.reporters.MavenArtifact type</string>
    <string>field hudson.maven.reporters.MavenArtifact version</string>
    <string>field hudson.maven.reporters.MavenArtifactRecord mainArtifact</string>
    <string>field hudson.model.Run$Summary message</string>
    <string>method groovy.lang.MetaObjectProtocol getMethods</string>
    <string>method hudson.maven.MavenBuild getMavenArtifacts</string>
    <string>method hudson.maven.MavenModule getArtifactId</string>
    <string>method hudson.maven.MavenModule getVersion</string>
    <string>method hudson.maven.MavenModuleSet getRootModule</string>
    <string>method hudson.model.Actionable getAction java.lang.Class</string>
    <string>method hudson.model.ItemGroup getAllItems</string>
    <string>method hudson.model.ItemGroup getItem java.lang.String</string>
    <string>method hudson.model.ItemGroup getItems</string>
    <string>method hudson.model.Job getBuilds</string>
    <string>method hudson.model.Run getArtifacts</string>
    <string>method hudson.model.Run getBuildStatusSummary</string>
    <string>method hudson.model.Run getCauses</string>
    <string>method hudson.model.Run getResult</string>
    <string>method hudson.model.Run getTime</string>
    <string>method java.lang.Class isInstance java.lang.Object</string>
    <string>method org.jenkinsci.plugins.workflow.cps.CpsClosure2 println java.lang.Object</string>
    <string>new org.jenkinsci.plugins.pipeline.modeldefinition.model.Agent java.util.Map</string>
    <string>new org.jenkinsci.plugins.pipeline.modeldefinition.model.Stages java.util.List</string>
    <string>new org.jenkinsci.plugins.pipeline.modeldefinition.model.Tools java.util.Map</string>
    <string>staticMethod groovy.time.TimeCategory minus java.util.Date java.util.Date</string>
    <string>staticMethod jenkins.model.Jenkins getInstance</string>
    <string>staticMethod org.jenkinsci.plugins.workflow.cps.Safepoint safepoint</string>
  </approvedSignatures>
  <aclApprovedSignatures/>
  <approvedClasspathEntries/>
  <pendingScripts/>
  <pendingSignatures/>
  <pendingClasspathEntries/>
</scriptApproval>

IMPORTANT NOTE: While you can just copy this to speed up your development, please note that e.g.

staticMethod jenkins.model.Jenkins getInstance

introduces a security issue.
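
Before copying approvals between controllers, it helps to review what a given scriptApproval.xml already grants. The following is an added example, not part of the original post or of the plugin: the function name, the watchlist (seeded only with the signature named above) and the sample document are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# The signature this page singles out as a security issue; extend per local policy.
WATCHLIST = {"staticMethod jenkins.model.Jenkins getInstance"}

# Constructed sample in the scriptApproval.xml layout shown above (placeholder values).
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="script-security@PLACEHOLDER">
  <approvedScriptHashes>
    <string>0000000000000000000000000000000000000000</string>
  </approvedScriptHashes>
  <approvedSignatures>
    <string>method hudson.model.ItemGroup getAllItems</string>
    <string>method hudson.model.Run getResult</string>
    <string>new org.jenkinsci.plugins.pipeline.modeldefinition.model.Agent java.util.Map</string>
    <string>staticMethod jenkins.model.Jenkins getInstance</string>
  </approvedSignatures>
  <pendingSignatures/>
</scriptApproval>
"""


def audit_script_approval(xml_text, watchlist=WATCHLIST):
    """Summarise approvals in scriptApproval.xml and flag watchlisted signatures."""
    # Jenkins declares XML 1.1, which XML 1.0-only parsers may reject; the
    # declaration carries nothing we need, so drop it before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(body)
    if root.tag != "scriptApproval":
        raise ValueError("not a scriptApproval.xml document: <%s>" % root.tag)

    def strings(section):
        return [s.text.strip() for s in root.findall(section + "/string") if s.text]

    signatures = strings("approvedSignatures")
    return {
        # Each hash is a whole script an admin approved to run outside the sandbox.
        "whole_script_approvals": len(strings("approvedScriptHashes")),
        # First token is the signature kind: field, method, new, staticMethod, ...
        "by_kind": dict(Counter(sig.split(" ", 1)[0] for sig in signatures)),
        "flagged": sorted(sig for sig in signatures if sig in watchlist),
    }


if __name__ == "__main__":
    print(audit_script_approval(SAMPLE))
```

To audit a real controller, pass the function the text of scriptApproval.xml from Jenkins' home instead of the sample.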