  1. Jenkins
  2. JENKINS-32468

Pause script on sandbox rejection and give an admin a chance to approve & resume

      Description

      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.util.Collection addAll java.util.Collection
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:79)
      	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
      	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:15)
      	at WorkflowScript.withJavaEnv(WorkflowScript:94)
      	at WorkflowScript.run(WorkflowScript:42)
      	at ___cps.transform___(Native Method)
      	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:69)
      	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106)
      	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79)
      	at sun.reflect.GeneratedMethodAccessor442.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:606)
      	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
      	at com.cloudbees.groovy.cps.impl.LocalVariableBlock$LocalVariable.get(LocalVariableBlock.java:33)
      	at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
      	at com.cloudbees.groovy.cps.impl.LocalVariableBlock.evalLValue(LocalVariableBlock.java:22)
      	at com.cloudbees.groovy.cps.LValueBlock$BlockImpl.eval(LValueBlock.java:55)
      	at com.cloudbees.groovy.cps.LValueBlock.eval(LValueBlock.java:16)
      	at com.cloudbees.groovy.cps.Next.step(Next.java:58)
      	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:145)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:106)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
      	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:274)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:74)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:183)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:181)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
      	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      Finished: FAILURE
      

      Apparently every method that I invoke will, one by one, throw an exception which says my method isn't approved but doesn't link to the "In-process Script Approval" page.

            Activity

            jglick Jesse Glick added a comment -

            Would be easy to display a link to the approval page if the viewer is an administrator.

            Ideally there would be an option to pause the script while an administrator decides whether to approve or reject the method. This would however require an API change in script-security and some other machinery in workflow-cps to throw CpsCallableInvocation with the right continuation.

            jglick Jesse Glick added a comment -

            Or perhaps the call could simply block the Java thread. TBD how well this works w.r.t. (a) update of metadata about the build, such as WorkflowRun.copyLogs; (b) Jenkins restarts.

            jglick Jesse Glick added a comment -

            Since JENKINS-33614 is covering the link part, reinterpreting this as the pause approach.
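
            A minimal model of the blocking variant discussed in the comments above, added here as an illustration; it is not code from script-security or workflow-cps, and PausingGate, check and decide are hypothetical names. The pending map lives only in memory, so a paused script in this model would not survive a Jenkins restart, which is point (b) raised above.

```java
import java.util.Set;
import java.util.concurrent.*;

// Hypothetical model of "pause on rejection"; not a Jenkins API.
public class PausingGate {
    private final Set<String> approved = ConcurrentHashMap.newKeySet();
    private final ConcurrentMap<String, CompletableFuture<Boolean>> pending =
            new ConcurrentHashMap<>();

    /** Called at the point where the sandbox would otherwise reject the call. */
    public void check(String signature, long timeout, TimeUnit unit) {
        if (approved.contains(signature)) return;
        // Every script thread waiting on the same signature shares one future.
        CompletableFuture<Boolean> decision =
                pending.computeIfAbsent(signature, s -> new CompletableFuture<>());
        // Re-check: an approval may have landed between the two lookups.
        if (approved.contains(signature)) decide(signature, true);
        boolean ok;
        try {
            ok = decision.get(timeout, unit);      // blocks this Java thread
        } catch (TimeoutException | InterruptedException | ExecutionException e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            ok = false;                            // fail closed: no decision means no access
        }
        if (!ok) throw new SecurityException("Scripts not permitted to use " + signature);
    }

    /** Administrator action. Rejections are not remembered; a later call pauses again. */
    public void decide(String signature, boolean approve) {
        if (approve) approved.add(signature);      // record before waking waiters
        CompletableFuture<Boolean> f = pending.remove(signature);
        if (f != null) f.complete(approve);
    }

    public Set<String> pendingSignatures() { return Set.copyOf(pending.keySet()); }

    public static void main(String[] args) throws Exception {
        PausingGate gate = new PausingGate();
        // Signature string taken from the RejectedAccessException in the description.
        String sig = "method java.util.Collection addAll java.util.Collection";
        ExecutorService script = Executors.newSingleThreadExecutor();
        Future<String> run = script.submit(() -> {
            gate.check(sig, 5, TimeUnit.SECONDS);
            return "resumed";
        });
        while (gate.pendingSignatures().isEmpty()) Thread.sleep(10);
        System.out.println("pending: " + gate.pendingSignatures());
        gate.decide(sig, true);                    // admin approves; script thread wakes
        System.out.println(run.get());
        script.shutdown();
    }
}
```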


              People

              • Assignee:
                Unassigned
                Reporter:
                rtyler R. Tyler Croy
              • Votes:
                2
                Watchers:
                5