JENKINS-62708 add JCasC support for approved script hashes

Author: MarkRx

src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java

@@ -66,8 +66,9 @@
 import java.util.function.Consumer;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import edu.umd.cs.findbugs.annotations.CheckForNull;
-import edu.umd.cs.findbugs.annotations.NonNull;
+import java.util.regex.Pattern;
+import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
 import jenkins.model.Jenkins;
 import net.sf.json.JSON;
 import org.acegisecurity.context.SecurityContext;
@@ -701,6 +702,27 @@ public synchronized String[] getAclApprovedSignatures() {
         return aclApprovedSignatures.toArray(new String[aclApprovedSignatures.size()]);
     }
 
+    @DataBoundSetter
+    public synchronized void setApprovedScriptHashes(String[] scriptHashes) throws IOException {
+        Jenkins.getInstance().checkPermission(Jenkins.RUN_SCRIPTS);
+        approvedScriptHashes.clear();
+        Pattern sha1Pattern = Pattern.compile("[a-fA-F0-9]{40}");
+        for (String scriptHash : scriptHashes) {
+            if (scriptHash != null && sha1Pattern.matcher(scriptHash).matches()) {
+                approvedScriptHashes.add(scriptHash);
+            } else {
+                LOG.warning(() -> "Ignoring malformed script hash: " + scriptHash);
+            }
+        }
+        save();
+        reconfigure();
+    }
+
+    @Restricted(NoExternalUse.class) // Jelly, implementation
+    public synchronized String[] getApprovedScriptHashes() {
+        return approvedScriptHashes.toArray(new String[approvedScriptHashes.size()]);
+    }
+
     @Restricted(NoExternalUse.class) // implementation
     @Extension public static final class ApprovedWhitelist extends ProxyWhitelist {
         public ApprovedWhitelist() {

src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/JcascTest.java

@@ -26,6 +26,9 @@ public void smokeTestEntry() throws Exception {
         String[] approved = ScriptApproval.get().getApprovedSignatures();
         assertTrue(approved.length == 1);
         assertEquals(approved[0], "method java.net.URI getHost");
+        String[] approvedScriptHashes = ScriptApproval.get().getApprovedScriptHashes();
+        assertTrue(approvedScriptHashes.length == 1);
+        assertEquals(approvedScriptHashes[0], "fccae58c5762bdd15daca97318e9d74333203106");
     }
 
     @Test

src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java

@@ -162,16 +162,21 @@ public void malformedScriptApproval() throws Exception {
         assertEquals(0, sa.getDangerousApprovedSignatures().length);
     }
 
-    @Issue("JENKINS-57563")
-    @LocalData // Just a scriptApproval.xml that whitelists 'staticMethod jenkins.model.Jenkins getInstance'
+    @Issue({"JENKINS-57563", "JENKINS-62708"})
+    @LocalData // Just a scriptApproval.xml that whitelists 'staticMethod jenkins.model.Jenkins getInstance' and a script printing all labels
     @Test
     public void upgradeSmokes() throws Exception {
+        configureSecurity();
         FreeStyleProject p = r.createFreeStyleProject();
         p.getPublishersList().add(new TestGroovyRecorder(
                 new SecureGroovyScript("jenkins.model.Jenkins.instance", true, null)));
+        p.getPublishersList().add(new TestGroovyRecorder(
+                new SecureGroovyScript("println(jenkins.model.Jenkins.instance.getLabels())", false, null)));
         r.assertLogNotContains("org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: "
                         + "Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance",
                 r.assertBuildStatus(Result.SUCCESS, p.scheduleBuild2(0).get()));
+        r.assertLogNotContains("org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException: script not yet approved for use",
+                r.assertBuildStatus(Result.SUCCESS, p.scheduleBuild2(0).get()));
     }
 
     private Script script(String groovy) {

src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest/upgradeSmokes/scriptApproval.xml

@@ -1,6 +1,8 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <scriptApproval plugin="script-security@1.24">
-  <approvedScriptHashes/>
+  <approvedScriptHashes>
+    <string>fccae58c5762bdd15daca97318e9d74333203106</string>
+  </approvedScriptHashes>
   <approvedSignatures>
     <string>staticMethod jenkins.model.Jenkins getInstance</string>
   </approvedSignatures>

src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/smoke_test.yaml

@@ -2,3 +2,5 @@ security:
   scriptApproval:
     approvedSignatures:
     - method java.net.URI getHost
+    approvedScriptHashes:
+    - fccae58c5762bdd15daca97318e9d74333203106

src/test/resources/org/jenkinsci/plugins/scriptsecurity/scripts/smoke_test_expected.yaml

@@ -1,2 +1,4 @@
+approvedScriptHashes:
+- "fccae58c5762bdd15daca97318e9d74333203106"
 approvedSignatures:
 - "method java.net.URI getHost"