JENKINS-32468

Pause script on sandbox rejection and give an admin a chance to approve & resume

      Description

      org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.util.Collection addAll java.util.Collection
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:79)
      	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
      	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
      	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:15)
      	at WorkflowScript.withJavaEnv(WorkflowScript:94)
      	at WorkflowScript.run(WorkflowScript:42)
      	at ___cps.transform___(Native Method)
      	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:69)
      	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106)
      	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79)
      	at sun.reflect.GeneratedMethodAccessor442.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:606)
      	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
      	at com.cloudbees.groovy.cps.impl.LocalVariableBlock$LocalVariable.get(LocalVariableBlock.java:33)
      	at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
      	at com.cloudbees.groovy.cps.impl.LocalVariableBlock.evalLValue(LocalVariableBlock.java:22)
      	at com.cloudbees.groovy.cps.LValueBlock$BlockImpl.eval(LValueBlock.java:55)
      	at com.cloudbees.groovy.cps.LValueBlock.eval(LValueBlock.java:16)
      	at com.cloudbees.groovy.cps.Next.step(Next.java:58)
      	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:145)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
      	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:106)
      	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
      	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:274)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:74)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:183)
      	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:181)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
      	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      Finished: FAILURE
      

      Apparently every method that I invoke will, one by one, throw an exception which says my method isn't approved but doesn't link to the "In-process Script Approval" page.

            Activity

            rtyler R. Tyler Croy created issue -
            jglick Jesse Glick added a comment -

            Would be easy to display a link to the approval page if the viewer is an administrator.

            Ideally there would be an option to pause the script while an administrator decides whether to approve or reject the method. This would however require an API change in script-security and some other machinery in workflow-cps to throw CpsCallableInvocation with the right continuation.

            jglick Jesse Glick made changes -
            Field Original Value New Value
            Epic Link JENKINS-35391 [ 171184 ]
            jglick Jesse Glick added a comment -

            Or perhaps the call could simply block the Java thread. TBD how well this works w.r.t. (a) update of metadata about the build, such as WorkflowRun.copyLogs; (b) Jenkins restarts.
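
Added example, not part of the original comments and not code from script-security or workflow-cps: a toy Java model of the thread-blocking variant suggested above, in which a call to an unapproved signature parks the calling thread until an administrator decides, and fails closed on timeout. The class `PausingWhitelist` and its methods `check`, `pendingSignatures` and `decide` are hypothetical names; pending decisions live only in memory, so the model does not address the restart question raised in the comment.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.*;

// Toy model only: none of these names exist in script-security or workflow-cps.
public class PausingWhitelist {
    private final Set<String> approved = ConcurrentHashMap.newKeySet();
    // One pending decision per signature; all blocked callers share the same future.
    private final Map<String, CompletableFuture<Boolean>> pending = new ConcurrentHashMap<>();

    /** Hypothetical interceptor hook: returns if approved, otherwise blocks the calling thread. */
    public void check(String signature, long timeout, TimeUnit unit) throws InterruptedException {
        if (approved.contains(signature)) return;
        CompletableFuture<Boolean> decision =
                pending.computeIfAbsent(signature, s -> new CompletableFuture<>());
        // Close the race where approval landed between the first check and registration.
        if (approved.contains(signature)) { decide(signature, true); return; }
        try {
            if (decision.get(timeout, unit)) return;   // admin approved: script resumes here
        } catch (TimeoutException | ExecutionException e) {
            // no decision in time: fall through and fail closed
        }
        throw new SecurityException("Scripts not permitted to use " + signature);
    }

    /** What an approval page would list for the administrator (live view). */
    public Set<String> pendingSignatures() { return pending.keySet(); }

    /** Administrator's decision; wakes every thread blocked on this signature. */
    public void decide(String signature, boolean approve) {
        if (approve) approved.add(signature);
        CompletableFuture<Boolean> f = pending.remove(signature);
        if (f != null) f.complete(approve);
    }

    public static void main(String[] args) throws Exception {
        PausingWhitelist wl = new PausingWhitelist();
        // Signature taken from the RejectedAccessException in the description.
        String sig = "method java.util.Collection addAll java.util.Collection";
        ExecutorService script = Executors.newSingleThreadExecutor();
        Future<String> build = script.submit(() -> {
            wl.check(sig, 30, TimeUnit.SECONDS);
            return "resumed after approval";
        });
        while (wl.pendingSignatures().isEmpty()) Thread.sleep(10); // wait until the script is paused
        wl.decide(sig, true);
        System.out.println(build.get());
        script.shutdown();
    }
}
```

A denial or a timeout ends in the same exception the script would have hit without the pause, so the default remains deny.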

            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 168104 ] JNJira + In-Review [ 182969 ]
            abayer Andrew Bayer made changes -
            Component/s pipeline-general [ 21692 ]
            abayer Andrew Bayer made changes -
            Component/s workflow-plugin [ 18820 ]
            jglick Jesse Glick made changes -
            Component/s workflow-cps-plugin [ 21713 ]
            Component/s pipeline [ 21692 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-33614 [ JENKINS-33614 ]
            jglick Jesse Glick added a comment -

            Since JENKINS-33614 is covering the link part, reinterpreting this as the pause approach.

            jglick Jesse Glick made changes -
            Summary Using Groovy methods from a sandbox doesn't tell the user how to approve/deal with exceptions Pause script on sandbox rejection and give an admin a chance to approve & resume
            Issue Type Task [ 3 ] New Feature [ 2 ]
            Priority Minor [ 4 ] Major [ 3 ]
            jglick Jesse Glick made changes -
            Link This issue is duplicated by JENKINS-49890 [ JENKINS-49890 ]
            jglick Jesse Glick made changes -
            Labels essentials
            jglick Jesse Glick made changes -
            Assignee Jesse Glick [ jglick ]
            batmat Baptiste Mathus made changes -
            Labels essentials essentials evergreen
            batmat Baptiste Mathus made changes -
            Labels essentials evergreen evergreen

              People

              • Assignee:
                Unassigned
                Reporter:
                rtyler R. Tyler Croy
              • Votes:
                2
                Watchers:
                5
