use of org.jenkinsci.test.acceptance.plugins.script_security.ScriptApproval in project acceptance-test-harness by jenkinsci.
the class JobDslPluginTest method should_use_grooy_sandbox_no_whitelisted_content.
/**
* Verifies that if script security for Job DSL scripts is enabled,
* scripts with non-whitelisted content saved by non-administrators
* won't be executed even if they are configured to run in a Groovy sandbox.
* Administrators can approve this content under 'Script Approval' in the
* 'Manage Jenkins' area. Approved scripts can be executed.
*/
@Test
@WithPlugins({ "matrix-auth@2.3", "mock-security-realm", "authorize-project" })
public void should_use_grooy_sandbox_no_whitelisted_content() {
    // Security is configured before anything else; runBuildAsUserWhoTriggered is defined
    // elsewhere (by its name, builds then run with the triggering user's identity — confirm).
    GlobalSecurityConfig securityConfig = setUpSecurity();
    runBuildAsUserWhoTriggered(securityConfig);

    // The seed job is created and saved while logged in as the non-admin USER.
    jenkins.login().doLogin(USER);
    FreeStyleJob seedJob = createSeedJob();
    JobDslBuildStep dslStep = seedJob.addBuildStep(JobDslBuildStep.class);
    String dslScript = "def jobNames = [\"First_Job\", \"Second_Job\"].toArray()\n"
            + "\n"
            + "for(name in jobNames) {\n"
            + " job(name)\n"
            + "}";
    dslStep.setScript(dslScript);
    dslStep.setUseSandbox(true);
    seedJob.save();

    // Running in the sandbox does not exempt the script: the toArray() call is not
    // whitelisted, so the build is expected to fail with the rejection message below.
    Build rejectedBuild = seedJob.scheduleBuild().shouldFail();
    assertThat(rejectedBuild.getConsole(),
            containsString("Scripts not permitted to use method java.util.Collection toArray"));
    jenkins.logout();

    // The pending signature is approved from an ADMIN session.
    // NOTE(review): only the method name "toArray" is passed to findSignature, while the
    // console reports "method java.util.Collection toArray"; presumably the lookup is a
    // partial match — confirm it cannot select a different pending signature.
    jenkins.login().doLogin(ADMIN);
    ScriptApproval approvals = new ScriptApproval(jenkins);
    approvals.open();
    approvals.findSignature("toArray").approve();
    jenkins.logout();

    // Back as USER: with the signature approved, the same seed job must now build.
    jenkins.login().doLogin(USER);
    seedJob.scheduleBuild().shouldSucceed();
}
use of org.jenkinsci.test.acceptance.plugins.script_security.ScriptApproval in project acceptance-test-harness by jenkinsci.
the class GroovyPluginTest method run_system_groovy_from_file.
/**
 * Runs a system Groovy build step whose script is read from a file written by a
 * preceding shell step. The first build may either succeed or be rejected for the
 * {@code println} signature; in the rejected case the signature is approved through
 * {@link ScriptApproval} and a second build must succeed with the expected output.
 */
@Test
public void run_system_groovy_from_file() {
    configureJob();
    // The shell step writes the Groovy file into the workspace before the Groovy step runs.
    job.addShellStep("echo println \\'running groovy file\\' > script.groovy");
    job.addBuildStep(SystemGroovyStep.class).file("script.groovy");
    /* TODO cf. FileSystemScriptSourceTest.smokes; when added to generic-whitelist, simplify to:
    shouldReport("running groovy file");
    */
    job.save();

    Build firstRun = job.startBuild();
    if (!firstRun.isSuccess()) {
        // Rejected run: the console must name the exact signature that was blocked.
        firstRun.shouldContainsConsoleOutput("org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.lang.Script println java.lang.Object");

        // NOTE(review): no login is visible in this method; presumably the current session
        // is already allowed to approve signatures — confirm against configureJob().
        ScriptApproval approvals = new ScriptApproval(jenkins);
        approvals.open();
        approvals.findSignature("method groovy.lang.Script println java.lang.Object").approve();

        // With the signature approved, a fresh build has to pass and print the marker.
        job.startBuild().shouldSucceed().shouldContainsConsoleOutput("running groovy file");
        return;
    }

    // The script was allowed straight away; only the output needs checking.
    firstRun.shouldContainsConsoleOutput("running groovy file");
}
use of org.jenkinsci.test.acceptance.plugins.script_security.ScriptApproval in project acceptance-test-harness by jenkinsci.
the class ScriptSecurityPluginTest method signatureNeedsApproval.
/**
 * Checks that a job whose script calls {@code java.lang.System.getProperties()} succeeds
 * once the matching signature has been approved from an ADMIN session.
 *
 * @throws Exception declared by the test; which call raises it is not visible here
 */
@Test
public void signatureNeedsApproval() throws Exception {
    // createFailedJob is defined elsewhere; by its name the returned job has already failed,
    // and the boolean presumably selects sandbox mode — confirm against the helper.
    FreeStyleJob rejectedJob = createFailedJob("def h = java.lang.System.getProperties()", true);

    login(ADMIN);
    ScriptApproval approvals = new ScriptApproval(jenkins);
    approvals.open();
    // NOTE(review): the lookup uses only the method name "getProperties"; presumably a
    // partial match — confirm it selects exactly the signature this script needs.
    approvals.findSignature("getProperties").approve();

    // After approval the job is expected to build successfully.
    shouldSucceed(rejectedJob);
}
use of org.jenkinsci.test.acceptance.plugins.script_security.ScriptApproval in project acceptance-test-harness by jenkinsci.
the class ScriptSecurityPluginTest method scriptNeedsApproval.
/**
 * Checks that a job with the script {@code def a = 4} succeeds once the pending entry
 * found under the job's name has been approved from an ADMIN session.
 *
 * @throws Exception declared by the test; which call raises it is not visible here
 */
@Test
public void scriptNeedsApproval() throws Exception {
    // createFailedJob is defined elsewhere; by its name the returned job has already failed,
    // and the boolean (false here) presumably disables the sandbox — confirm against the helper.
    FreeStyleJob unapprovedJob = createFailedJob("def a = 4", false);

    login(ADMIN);
    ScriptApproval approvals = new ScriptApproval(jenkins);
    approvals.open();
    // The pending entry is looked up by job name rather than by a method signature.
    approvals.find(unapprovedJob.name).approve();

    // After approval the job is expected to build successfully.
    shouldSucceed(unapprovedJob);
}
use of org.jenkinsci.test.acceptance.plugins.script_security.ScriptApproval in project acceptance-test-harness by jenkinsci.
the class JobDslPluginTest method should_use_script_approval.
/**
* Verifies that if script security for Job DSL scripts is enabled,
* scripts saved by non-administrators that do not run in a Groovy sandbox
* won't be executed.
* Administrators can approve scripts under 'Script Approval' in the
* 'Manage Jenkins' area. Approved scripts can be executed.
*/
@Test
@WithPlugins({ "matrix-auth@2.3", "mock-security-realm" })
public void should_use_script_approval() {
    setUpSecurity();

    // The seed job and its non-sandboxed DSL script are saved by the non-admin USER.
    jenkins.login().doLogin(USER);
    FreeStyleJob seedJob = createSeedJob();
    JobDslBuildStep dslStep = seedJob.addBuildStep(JobDslBuildStep.class);
    dslStep.setScript("job('New_Job')");
    dslStep.setUseSandbox(false);
    seedJob.save();

    // Saved by a non-administrator and not yet approved, so the build must fail.
    Build buildAsUser = seedJob.scheduleBuild().shouldFail();
    assertThat(buildAsUser.getConsole(), containsString("script not yet approved for use"));
    jenkins.logout();

    // Scheduling the build from an ADMIN session is not an approval: the script was saved
    // by USER and is still pending, so this build is expected to fail in the same way.
    jenkins.login().doLogin(ADMIN);
    Build buildAsAdmin = seedJob.scheduleBuild().shouldFail();
    assertThat(buildAsAdmin.getConsole(), containsString("script not yet approved for use"));

    // ADMIN approves the pending entry, which is looked up by the seed job's name.
    ScriptApproval approvals = new ScriptApproval(jenkins);
    approvals.open();
    approvals.find(seedJob.name).approve();
    jenkins.logout();

    // Back as USER: the approved script is now allowed to run.
    jenkins.login().doLogin(USER);
    seedJob.scheduleBuild().shouldSucceed();
}