[JENKINS-62708] Add JCasC support for approved script hashes

[MarkRx]

Adds the ability to manage approved script hashes with JCasC. With the current UX to determine the hash you can either approve it and see what was added to the scriptApproval.xml file on disk or compute the SHA-1 of the script. There is an open effort to approve the UX with JENKINS-62448 #300.

Example:
Script:
println(jenkins.model.Jenkins.instance.getLabels())

security:
  scriptApproval:
    approvedScriptHashes:
      - fccae58c5762bdd15daca97318e9d74333203106 -- print all labels

See JENKINS-62708

[yanivpaz]

When this PR will be merged into master?

[MarkRx]

I don't know the maintainers would have to merge it. The last few merges were done by @rsandell so maybe he could take a look.

[jglick]

the ability to manage approved script hashes with JCasC

Why would you ever want to do this?! Whatever use case you are trying to enable, this does not sound like the right approach.

[MarkRx]

We manage everything as code with JCasC across multiple Jenkins instances. There currently is no-way to whitelist scripts apart from the UI or manually modifying xml on disk. Using the UI is a not a maintainable auditable practice and bypasses SDLC verifications. Manually modifying the XML while at the same time using JCasC would result in a conflict of managing the file.

Using a hash isn't the most user friendly (especially if no comments / commit messages say what it is for) but that's the way non-sandboxed scripts are whitelisted today with this plugin. I didn't set out to rewrite it - I just need a way to whitelist some scripts.

[jglick]

If this is for Pipeline, you want to use a library. If for other stuff using Groovy, your best bet is a simple plugin offering some public Java methods with the @Whitelisted annotation.

[MarkRx]

It is mostly for legacy freestyle jobs though the JCasC handles both freestyle and pipelines. I do not want to whitelist the methods because they are sensitive. I intentionally want to whitelist the scripts in a controlled manner and only the scripts.

[jglick]

Yeah so the plugin with @Whitelisted methods is the better approach in that case.

[lboclboc]

We need this also. Since allowing script hashes is a supported feature for this plugin, it should really also support the JCasC config as well. Either that or the script hash function should be removed completely but that is a completely different discussion.

[ofir-elementor]

Hi all any update when this goes live?

[philsttr]

To add one more use case to what types of scripts are needed to be approved... We use the extended choice parameter plugin's groovy script option, which requires the given script to be approved. I don't think writing a plugin is a valid option to solve this use case.

[mszabo]

Any updates on when this feature will be released?

[davidmackarill]

Adds the ability to manage approved script hashes with JCasC. With the current UX to determine the hash you can either approve it and see what was added to the scriptApproval.xml file on disk or compute the SHA-1 of the script.

I have been able to take the hashes from the scriptApproval and it works fine however I am unable to compute my own hash of the same groovy job script, which would be ideal for when we add new scripts we can also add the hash to the approvedScriptHashes: list

sha1sum script.groovy
c043b08a1cce0e6142bfc1269fc8e068b8570b01

The approved hash in scriptsAproval.xml is different 98a015976c7392bde86f3e35d526054b684f605f what am i missing?

[jglick]

Try a groovy: prefix:

script-security-plugin/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java

Lines 381 to 391 in 0e7c803

	private static String hash(String script, String language) {
	try {
	MessageDigest digest = MessageDigest.getInstance("SHA-1");
	digest.update(language.getBytes("UTF-8"));
	digest.update((byte) ':');
	digest.update(script.getBytes("UTF-8"));
	return Util.toHexString(digest.digest());
	} catch (NoSuchAlgorithmException | UnsupportedEncodingException x) {
	throw new AssertionError(x);
	}
	}

script-security-plugin/src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/languages/GroovyLanguage.java

Lines 40 to 42 in 0e7c803

	@Override public String getName() {
	return "groovy";
	}

[pmn3232]

I tried calculating hash for my script
The code generates a different hash than what I get by manually approving the same groovy script from jenkins console.

Am I missing something?

sample.groovy generated hash - 78fc02e450ce259408eafa4cc09195bd5278536a
Jenkins UI (/localhost/scriptApproval/) generated hash - ec1de1e53ca0110f4472848a68a906a79b650d01

[mcFilat]

I'm uploading approvedScriptHashes in SHA-1 format to the server using jcasc . I can literally watch in the "jcasc view page" how when the scriptler page is activated, the latter takes all the hashes and converts them to sha-512. The problem is that after that no script is approved. All scripts have green checkmarks, but inside the launch window there is a notification that the administrator must approve the script. How to get around or fix this?

[jglick]

@rsandell @dwnusbaum ^^^ in reference (I guess) to 65867aa https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564

[mcFilat]

@jglick
Thank you. Now the situation is this:

1. I make sure all scriptler scripts are approved.
2. I collect their sha-512 hashes into the jcasc config (from scriptApprove.xml )
3. After setting up, I do not need to run to the scriptApproval control window, because I can run scripts. But the yellow notifications are still hanging, and prevent non-administrators from working with the scriptler.
   How to make a complete update of the settings using jcasc, if the goal is to approve the scriptler scripts?
   Help me please!

UPD:
The combination of sha-1 and sha-512 hashes helps me to get all the approvals and green checks.
sha-512 is needed for approvals,
and sha-1 is needed for green checkmarks
I consider it a mess.