Class ScriptApproval

    • Field Detail

      • ADMIN_AUTO_APPROVAL_ENABLED

        public static boolean ADMIN_AUTO_APPROVAL_ENABLED
    • Constructor Detail

      • ScriptApproval

        @DataBoundConstructor
        public ScriptApproval()
    • Method Detail

      • get

        @NonNull
        public static ScriptApproval get()
        Gets the singleton instance.
      • isScriptApproved

        public boolean isScriptApproved​(@NonNull
                                        String script,
                                        @NonNull
                                        Language language)
      • hasDeprecatedApprovedScriptHashes

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public boolean hasDeprecatedApprovedScriptHashes()
      • countDeprecatedApprovedScriptHashes

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public int countDeprecatedApprovedScriptHashes()
      • countDeprecatedApprovedClasspathHashes

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public int countDeprecatedApprovedClasspathHashes()
      • hasDeprecatedApprovedClasspathHashes

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public boolean hasDeprecatedApprovedClasspathHashes()
      • configuring

        public String configuring​(@NonNull
                                  String script,
                                  @NonNull
                                  Language language,
                                  @NonNull
                                  ApprovalContext context,
                                  boolean approveIfAdmin)
        Used when someone is configuring a script. Typically you would call this from a DataBoundConstructor. It should also be called from a readResolve method (which may then simply return this), so that administrators can for example POST to config.xml and have their scripts be considered approved.

        If the script has already been approved, this does nothing. Otherwise, if this user has the Jenkins.ADMINISTER permission (and is not ACL.SYSTEM) and a corresponding flag is set to true, or Jenkins is running without security, it is added to the approved list. Otherwise, it is added to the pending list.

        Parameters:
        script - the text of a possibly novel script
        language - the language in which it is written
        context - any additional information about how where or by whom this is being configured
        approveIfAdmin - indicates whether script should be approved if current user has admin permissions
        Returns:
        script, for convenience
      • using

        public String using​(@NonNull
                            String script,
                            @NonNull
                            Language language)
                     throws UnapprovedUsageException
        Called when a script is about to be used (evaluated).
        Parameters:
        script - a possibly unapproved script
        language - the language in which it is written
        Returns:
        script, for convenience
        Throws:
        UnapprovedUsageException - in case it has not yet been approved
      • checking

        public FormValidation checking​(@NonNull
                                       ClasspathEntry entry)
        Like checking(String, Language, boolean) but for classpath entries. However, this method does not actually check whether the classpath entry is approved, because it would have to connect to the URL and download the contents, which may be unsafe if this is called via a web method by an unprivileged user (This is automatic if use ClasspathEntry as a configuration element.)
        Parameters:
        entry - the classpath entry to verify
        Returns:
        whether it will be approved
        Throws:
        IllegalStateException - Jenkins instance is not ready
      • checking

        public FormValidation checking​(@NonNull
                                       String script,
                                       @NonNull
                                       Language language,
                                       boolean willBeApproved)
        To be used from form validation, in a doCheckFieldName method.
        Parameters:
        script - a possibly unapproved script
        language - the language in which it is written
        willBeApproved - whether script is going to be approved after configuration is saved
        Returns:
        a warning indicating that admin approval will be needed in case current user does not have Jenkins.ADMINISTER permission; a warning indicating that script is not yet approved if user has such permission and willBeApproved is false; a message indicating that script will be approved if user has such permission and willBeApproved is true; nothing if script is empty; a corresponding message if script is approved
      • preapprove

        public String preapprove​(@NonNull
                                 String script,
                                 @NonNull
                                 Language language)
        Unconditionally approve a script. Does no access checks and does not automatically save changes to disk. Useful mainly for testing.
        Parameters:
        script - the text of a possibly novel script
        language - the language in which it is written
        Returns:
        script, for convenience
      • preapproveAll

        public void preapproveAll()
        Unconditionally approves all pending scripts. Does no access checks and does not automatically save changes to disk. Useful mainly for testing in combination with @LocalData.
      • accessRejected

        @Deprecated
        public RejectedAccessException accessRejected​(@NonNull
                                                      RejectedAccessException x,
                                                      @NonNull
                                                      ApprovalContext context)
        Deprecated.
        Unnecessary if using GroovySandbox.enter().
        To be called when a sandbox rejects access for a script not using manual approval. The signature of the failing method (if known) will be added to the pending list.
        Parameters:
        x - an exception with the details
        context - any additional information about where or by whom this script was run
        Returns:
        x, for convenience in rethrowing
      • maybeRegister

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public static void maybeRegister​(@NonNull
                                         RejectedAccessException x)
      • pushRegistrationCallback

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public static void pushRegistrationCallback​(Consumer<RejectedAccessException> callback)
      • popRegistrationCallback

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public static void popRegistrationCallback()
      • setApprovedSignatures

        @DataBoundSetter
        public void setApprovedSignatures​(String[] signatures)
                                   throws IOException
        Throws:
        IOException
      • getApprovedSignatures

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public String[] getApprovedSignatures()
      • getDangerousApprovedSignatures

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public String[] getDangerousApprovedSignatures()
      • getAclApprovedSignatures

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public String[] getAclApprovedSignatures()
      • setApprovedScriptHashes

        @DataBoundSetter
        public void setApprovedScriptHashes​(String[] scriptHashes)
                                     throws IOException
        Throws:
        IOException
      • getApprovedScriptHashes

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public String[] getApprovedScriptHashes()
      • approveScript

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public void approveScript​(String hash)
                           throws IOException
        Throws:
        IOException
      • denyScript

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public void denyScript​(String hash)
                        throws IOException
        Throws:
        IOException
      • clearApprovedScripts

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public void clearApprovedScripts()
                                  throws IOException
        Throws:
        IOException
      • clearDeprecatedApprovedScripts

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public void clearDeprecatedApprovedScripts()
                                            throws IOException
        Clears approvedScriptHashes from all entries not matching DEFAULT_HASHER.
        Throws:
        IOException - if so when saving to disk.
      • getSpinnerIconClassName

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public String getSpinnerIconClassName()
      • convertDeprecatedApprovedClasspathEntries

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public void convertDeprecatedApprovedClasspathEntries()
        Schedules a Thread task that rehashes/converts all approved classpath entries that are hashed not using DEFAULT_HASHER.
      • isConvertingDeprecatedApprovedClasspathEntries

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public boolean isConvertingDeprecatedApprovedClasspathEntries()
        Returns:
        true if so.
      • approveSignature

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public String[][] approveSignature​(String signature)
                                    throws IOException
        Throws:
        IOException
      • aclApproveSignature

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public String[][] aclApproveSignature​(String signature)
                                       throws IOException
        Throws:
        IOException
      • denySignature

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public void denySignature​(String signature)
                           throws IOException
        Throws:
        IOException
      • clearApprovedSignatures

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public String[][] clearApprovedSignatures()
                                           throws IOException
        Throws:
        IOException
      • clearDangerousApprovedSignatures

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public String[][] clearDangerousApprovedSignatures()
                                                    throws IOException
        Throws:
        IOException
      • getClasspathRenderInfo

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public net.sf.json.JSON getClasspathRenderInfo()
      • approveClasspathEntry

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public net.sf.json.JSON approveClasspathEntry​(String hash)
                                               throws IOException
        Throws:
        IOException
      • denyClasspathEntry

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public net.sf.json.JSON denyClasspathEntry​(String hash)
                                            throws IOException
        Throws:
        IOException
      • denyApprovedClasspathEntry

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public net.sf.json.JSON denyApprovedClasspathEntry​(String hash)
                                                    throws IOException
        Throws:
        IOException
      • clearApprovedClasspathEntries

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        @JavaScriptMethod
        public net.sf.json.JSON clearApprovedClasspathEntries()
                                                       throws IOException
        Throws:
        IOException