
How do I return complex objects from pipeline steps in a Jenkins plugin?


I have created a plugin with a step called DeployFromCatalogStep. This step returns a record describing the deployment. It's currently returned as an object of the Deployment class. This is purely a data carrier object (getters and setters). The step works fine, but when my pipeline tries to invoke a getter, I get a script security error. Here's the snippet I'm running:

    def dep = vraDeployFromCatalog(
        catalogItemName: 'plain-ubuntu-18',
        count: 1,
        deploymentName: 'Jenkins-#',
        projectName: 'Pontus Project',
        reason: 'Test',
        timeout: 300,
        version: '6',
        inputs: '{ username: \'testuser\' }')
    assert dep != null
    def addr = vraWaitForAddress(dep[0].id)

The last line fails when I'm trying to pull out the ID on the last line of the snippet:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method net.virtualviking.vra.jenkinsplugin.model.catalog.Deployment getId

I understand why I'm getting that error. I haven't explicitly allowed access to that method.

Here's my question: What's the best practice in this situation? I can think of a few options:

  1. Avoid returning anything that's not a simple type (really not what I want)
  2. Require that admins enable access to all getters on objects I return
  3. Convert everything to Map or some other "harmless" data type.
  4. Some fancy annotation or mechanism I haven't found yet.

Any ideas?


Solution

  • The script approval coming up here is not due to the return type of your methods. Even if you used types like string as the return value, you would end up with the error message.

    Your plugin classes are considered unsafe, no matter which data types you use in your methods. You could automatically pre-populate the whitelist for the script security signatures, as mentioned here. This would not solve the issue but would be a valid workaround.
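
One way to take the annotation route from option 4 of the question, shown as an added example that is not part of the original post or the plugin's own code: the Script Security plugin's `@Whitelisted` annotation marks individual members as callable from sandboxed scripts. Only `getId` and the package name come from the page; the `name` and `status` fields and `toMap()` are hypothetical, and the plugin is assumed to declare a dependency on script-security.

```java
package net.virtualviking.vra.jenkinsplugin.model.catalog; // package name from the error message

import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.Whitelisted;

// Data carrier returned by the step. Serializable because Pipeline persists
// values held in script variables. Only getId() appears on the page.
public class Deployment implements Serializable {
    private static final long serialVersionUID = 1L;

    private String id;
    private String name;   // hypothetical field
    private String status; // hypothetical field

    // Read accessors are annotated, so sandboxed Pipeline code may call them
    // without an administrator approving each signature.
    @Whitelisted
    public String getId() { return id; }

    @Whitelisted
    public String getName() { return name; }

    @Whitelisted
    public String getStatus() { return status; }

    // Setters stay unannotated: the sandbox keeps rejecting them, so a
    // pipeline script can read the record but not alter it.
    public void setId(String id) { this.id = id; }
    public void setName(String name) { this.name = name; }
    public void setStatus(String status) { this.status = status; }

    // Option 3 from the question: a detached copy built only from JDK types.
    // Changes a script makes to the returned map do not reach this object.
    @Whitelisted
    public Map<String, String> toMap() {
        Map<String, String> copy = new LinkedHashMap<>();
        copy.put("id", id);
        copy.put("name", name);
        copy.put("status", status);
        return copy;
    }
}
```

Annotating member by member keeps the exposed surface limited to what the pipeline needs to read, which is narrower than asking administrators to approve every getter on the class.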