From 064fecc84a77bcdf9df0165971052226de6e069d Mon Sep 17 00:00:00 2001
From: Tobias Richter
Date: Fri, 14 Sep 2018 14:42:25 +0200
Subject: [PATCH 1/5] Add dependency to wcm_io_devops.jenkins_script_security, added needed signatures to whitelist
---
 README.md | 18 ++++++++++++++++++
 defaults/main.yaml | 29 +++++++++++++++++++++++++++++
 meta/main.yml | 11 +++++++++++
 tests/requirements.yml | 2 ++
 4 files changed, 60 insertions(+)
diff --git a/README.md b/README.md
index fad8e33..f92d66b 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,9 @@ This role installs all necessary plugins in specific versions which ensures that the shared pipeline library is always running with the latest compatible plugins.
+:exclamation: Starting with version 2.121.3-2 the role will also
+configure the script security to allow some signatures!
+
 Optionally the role also directly setups a Jenkins instance using [geerlingguy.jenkins](https://github.com/geerlingguy/ansible-role-jenkins).
 ## Versioning
@@ -100,6 +103,11 @@ When set to enable the role will log some debug information.
 Plugins and their versions that must be present for jenkins-pipeline-library.
+ jenkins_pipeline_library_approved_signatures_present:
+
+Signatures that need to be approved for jenkins-pipeline-library,
+otherwise the signatures will be blocked by script-security.
+
 :bulb: Since this list is long please refer to [defaults](defaults/main.yaml)
@@ -114,6 +122,16 @@ This role depends on the role to install/uninstall the plugins needed by the [jenkins-pipeline-library](https://github.com/wcm-io-devops/jenkins-pipeline-library)
+In order to allow to run the
+[jenkins-pipeline-library](https://github.com/wcm-io-devops/jenkins-pipeline-library)
+with the Pipeline Supporting APIs 1.18+ (workflow-support) and with
+Script Security ( script-security) 1.44+ this role also depends on
+[wcm_io_devops.jenkins_script_plugin](https://github.com/wcm-io-devops/ansible-jenkins-script-security)
+for whitelisting some signatures in the Groovy Sandbox.
+
+For installing a Jenkins on the target instance the role is using
+[geerlingguy.jenkins](https://github.com/geerlingguy/ansible-role-jenkins).
+
 As transitive dependency this role uses the [wcm_io_devops.jenkins_facts](https://github.com/wcm-io-devops/ansible-jenkins-facts) role to retrieve the list of installed plugins from the Jenkins
diff --git a/defaults/main.yaml b/defaults/main.yaml
index be5e8bc..efa1717 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -169,3 +169,32 @@ jenkins_pipeline_library_plugins_present:
 # Plugins that must be absent for jenkins-pipeline-library
 jenkins_pipeline_library_plugins_absent: []
+
+ # Signatures that need to be approved for jenkins-pipeline-library
+ jenkins_pipeline_library_approved_signatures_present:
+ # enable marking stage as skipped
+ - staticMethod org.jenkinsci.plugins.pipeline.modeldefinition.Utils markStageSkippedForConditional java.lang.String
+ # whitelisting for logging package
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel ALL
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel TRACE
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel DEBUG
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel INFO
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel DEPRECATED
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel WARN
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel ERROR
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel FATAL
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel NONE
+ - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel fromString java.lang.String
+ - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel fromInteger java.lang.Integer
+ - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel $INIT java.lang.Object[]
+ - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.Logger getClassName java.lang.Object
+ - field io.wcm.devops.jenkins.pipeline.utils.logging.Logger name
+ - new io.wcm.devops.jenkins.pipeline.utils.logging.Logger java.lang.Object
+ - new io.wcm.devops.jenkins.pipeline.utils.TypeUtils
+ # versioning package whitelisting
+ - field io.wcm.devops.jenkins.pipeline.versioning.IntegerItem INTEGER_ZER0
+ - new io.wcm.devops.jenkins.pipeline.versioning.IntegerItem
+ - staticField 
io.wcm.devops.jenkins.pipeline.versioning.StringItem _QUALIFIERS
+ # native java function whitelisting
+ - method java.util.List indexOf java.lang.Object
+ - new java.util.ArrayList
\ No newline at end of file
diff --git a/meta/main.yml b/meta/main.yml
index 3bb6a6b..b3266af 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -46,3 +46,14 @@ dependencies:
 jenkins_plugins_present: "{{ jenkins_pipeline_library_plugins_present }}",
 jenkins_plugins_absent: "{{ jenkins_pipeline_library_plugins_absent }}",
 }
+ # configure script security for jenkins-pipeline-library
+ - { role: wcm_io_devops.jenkins_script_security,
+ version: 1.0.0,
+ jenkins_script_security_admin_username: "{{ jenkins_pipeline_library_admin_username }}",
+ jenkins_script_security_admin_password: "{{ jenkins_pipeline_library_admin_password }}",
+ jenkins_script_security_jenkins_home: "{{ jenkins_pipeline_library_jenkins_home }}",
+ jenkins_script_security_jenkins_hostname: "{{ jenkins_pipeline_library_jenkins_hostname }}",
+ jenkins_script_security_jenkins_port: "{{ jenkins_pipeline_library_jenkins_port }}",
+ jenkins_script_security_jenkins_url_prefix: "{{ jenkins_pipeline_library_jenkins_url_prefix }}",
+ jenkins_script_security_approved_signatures_present: "{{ jenkins_pipeline_library_approved_signatures_present }}"
+ }
diff --git a/tests/requirements.yml b/tests/requirements.yml
index 0953e76..8658354 100644
--- a/tests/requirements.yml
+++ b/tests/requirements.yml
@@ -4,5 +4,7 @@
 version: master
 - name: wcm_io_devops.jenkins_plugins
 version: master
+- name: wcm_io_devops.jenkins_script_security
+ version: master
 - name: geerlingguy.jenkins
 version: 3.5.0
\ No newline at end of file
From 2278bc4c7700f75ae35732630bce40781956a61e Mon Sep 17 00:00:00 2001
From: Tobias Richter
Date: Fri, 14 Sep 2018 16:32:48 +0200
Subject: [PATCH 2/5] Update Jenkins version to 2.138.1
---
 README.md | 2 +-
 defaults/main.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
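Review bot: The entries under `jenkins_pipeline_library_approved_signatures_present` are handed to the script-security role as plain signature strings, and Jenkins' ScriptApproval list is controller-wide, so every signature approved here becomes callable from any sandboxed Pipeline on the instance, not only from jenkins-pipeline-library; the header comment should say so, e.g. `# NOTE: approved signatures are instance-wide and apply to every sandboxed job, not just this library`. `field io.wcm.devops.jenkins.pipeline.versioning.IntegerItem INTEGER_ZER0` ends in a digit zero, which looks like a typo for `INTEGER_ZERO`; to my knowledge script-security does not check that an approved signature resolves to anything, so a misspelled entry is a silent no-op and the real field access stays blocked. `staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel $INIT java.lang.Object[]` approves what appears to be the Groovy-generated enum initializer rather than library API; a one-line comment on why the sandbox needs it would help whoever next tries to prune this list.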
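Review bot: The new dependency is pinned to `version: 1.0.0` in meta/main.yml while `tests/requirements.yml` in the same commit installs `wcm_io_devops.jenkins_script_security` at `version: master`, so the test run exercises a different revision of the role than consumers get through the meta dependency; pin both to the same tag. The README hunk in this commit refers to the role as `wcm_io_devops.jenkins_script_plugin`, which does not match `role: wcm_io_devops.jenkins_script_security` declared here. `jenkins_pipeline_library_admin_password` is forwarded as an ordinary role parameter; whether the dependent role marks the tasks that use it with `no_log` is not visible from this diff and is worth confirming so the admin credential does not surface in verbose play output.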
diff --git a/README.md b/README.md
index f92d66b..2a45b19 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ This role installs all necessary plugins in specific versions which ensures that the shared pipeline library is always running with the latest compatible plugins.
-:exclamation: Starting with version 2.121.3-2 the role will also
+:exclamation: Starting with version 2.138.1-1 the role will also
 configure the script security to allow some signatures!
 Optionally the role also directly setups a Jenkins instance using [geerlingguy.jenkins](https://github.com/geerlingguy/ansible-role-jenkins).
diff --git a/defaults/main.yaml b/defaults/main.yaml
index efa1717..baaae2a 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1,5 +1,5 @@
 # The version of the jenkins when it is installed with the jenkins role dependency
-jenkins_pipeline_library_jenkins_version: 2.121.3
+jenkins_pipeline_library_jenkins_version: 2.138.1
 # Controls if the jenkins will be installed by the jenkins role dependency
 jenkins_pipeline_library_jenkins_install: false
From b878d5a8d0e3cc6a6754acc7a5922e7e3ebbf0e9 Mon Sep 17 00:00:00 2001
From: Tobias Richter
Date: Fri, 14 Sep 2018 17:51:13 +0200
Subject: [PATCH 3/5] Updated plugins
---
 defaults/main.yaml | 31 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/defaults/main.yaml b/defaults/main.yaml
index baaae2a..718536a 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -57,9 +57,9 @@ jenkins_pipeline_library_plugins_present:
 - name: branch-api
 version: "2.0.20"
 - name: cloudbees-folder
- version: "6.5.1"
+ version: "6.6"
 - name: config-file-provider
- version: "2.18"
+ version: "3.1"
 - name: credentials
 version: "2.1.18"
 - name: credentials-binding
@@ -83,7 +83,7 @@ jenkins_pipeline_library_plugins_present:
 - name: jackson2-api
 version: "2.8.11.3"
 - name: junit
- version: "1.24"
+ version: "1.25"
 - name: jquery-detached
 version: "1.2.1"
 - name: jsch
@@ -113,17 +113,17 @@ jenkins_pipeline_library_plugins_present:
 - name: pipeline-model-declarative-agent
 version: "1.1.1"
 - name: pipeline-model-definition
- version: "1.3.1"
+ version: "1.3.2"
 - name: pipeline-model-api
- version: "1.3.1"
+ version: "1.3.2"
 - name: pipeline-model-extensions
- version: "1.3.1"
+ version: "1.3.2"
 - name: pipeline-rest-api
 version: "2.10"
 - name: pipeline-stage-step
 version: "2.3"
 - name: pipeline-stage-tags-metadata
- version: "1.3.1"
+ version: "1.3.2"
 - name: pipeline-stage-view
 version: "2.10"
 - name: pipeline-utility-steps
@@ -136,7 +136,7 @@ jenkins_pipeline_library_plugins_present:
 version: "2.2.7"
 # 1.44 causes stack overflows with pipeline library
 - name: script-security
- version: "1.43"
+ version: "1.46"
 - name: ssh-credentials
 version: "1.14"
 - name: structs
@@ -146,26 +146,23 @@ jenkins_pipeline_library_plugins_present:
 - name: workflow-api
 version: "2.29"
 - name: workflow-basic-steps
- version: "2.10"
+ version: "2.11"
 - name: workflow-cps
- version: "2.54"
+ version: "2.55"
 - name: workflow-cps-global-lib
- version: "2.10"
- # do not upgrade, workflow-support 2.18+ is required, which can not be upgraded
+ version: "2.11"
 - name: workflow-durable-task-step
- version: "2.19"
- # do not upgrade, workflow-support 2.18+ is required, which can not be upgraded
+ version: "2.21"
 - name: workflow-job
- version: "2.23"
+ version: "2.25"
 - name: workflow-multibranch
 version: "2.20"
 - name: workflow-scm-step
 version: "2.6"
 - name: workflow-step-api
 version: "2.16"
- # do not upgrade further than 2.17, see: https://issues.jenkins-ci.org/browse/JENKINS-49597
 - name: workflow-support
- version: "2.17"
+ version: "2.20"
 # Plugins that must be absent for jenkins-pipeline-library
 jenkins_pipeline_library_plugins_absent: []
From 6636f3b676c09c44aa2d45c86e022c7fd3e56720 Mon Sep 17 00:00:00 2001
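Review bot: The context comment `# 1.44 causes stack overflows with pipeline library` directly above `- name: script-security` is left untouched while the pin below it moves from `1.43` to `1.46`, so it now reads as a warning against the very version being installed. Either drop it or rewrite it to record the new constraint, e.g. `# 1.44 caused stack overflows with the pipeline library; 1.46 requires the approvals in jenkins_pipeline_library_approved_signatures_present`, adjusted to whatever was actually verified. The `# do not upgrade ... workflow-support 2.18+` comments removed further down in this commit suggest the two constraints were related, but nothing in the hunk records that the stack-overflow issue is resolved.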
From: Tobias Richter
Date: Mon, 17 Sep 2018 11:04:05 +0200
Subject: [PATCH 4/5] Optimize signature whitelisting
---
 defaults/main.yaml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 718536a..945c9bb 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -173,14 +173,6 @@ jenkins_pipeline_library_approved_signatures_present:
 - staticMethod org.jenkinsci.plugins.pipeline.modeldefinition.Utils markStageSkippedForConditional java.lang.String
 # whitelisting for logging package
 - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel ALL
- - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel TRACE
- - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel DEBUG
- - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel INFO
- - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel DEPRECATED
- - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel WARN
- - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel ERROR
- - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel FATAL
- - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel NONE
 - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel fromString java.lang.String
 - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel fromInteger java.lang.Integer
 - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel $INIT java.lang.Object[]
From 2602d1ca9f2977e9c2da312d1d8b20c369d52a40 Mon Sep 17 00:00:00 2001
From: Tobias Richter
Date: Mon, 17 Sep 2018 11:21:39 +0200
Subject: [PATCH 5/5] Revert "Optimize signature whitelisting"
This reverts commit 6636f3b676c09c44aa2d45c86e022c7fd3e56720.
---
 defaults/main.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 945c9bb..718536a 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -173,6 +173,14 @@ jenkins_pipeline_library_approved_signatures_present:
 - staticMethod org.jenkinsci.plugins.pipeline.modeldefinition.Utils markStageSkippedForConditional java.lang.String
 # whitelisting for logging package
 - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel ALL
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel TRACE
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel DEBUG
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel INFO
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel DEPRECATED
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel WARN
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel ERROR
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel FATAL
+ - staticField io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel NONE
 - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel fromString java.lang.String
 - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel fromInteger java.lang.Integer
 - staticMethod io.wcm.devops.jenkins.pipeline.utils.logging.LogLevel $INIT java.lang.Object[]
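Review bot: The revert restores the eight per-constant `staticField ... LogLevel` approvals that the previous commit dropped, but leaves no comment explaining why keeping only `LogLevel ALL` was not enough, so the same pruning is likely to be attempted again. A one-line note above the `TRACE` entry would prevent that, e.g. `# every enum constant must be listed separately: the sandbox checks each static field access by its own signature`. The failure that motivated the revert is not visible in this series, so word the comment around whatever was actually observed.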