JENKINS-73941 - Option to hide "Use Groovy Sandbox" for users without Administer permission globally in the system

plugin/pom.xml

@@ -57,7 +57,7 @@
             <dependency>
                 <groupId>org.jenkins-ci.plugins</groupId>
                 <artifactId>script-security</artifactId>
-                <version>1388.v9907110c2f80</version> <!-- https://github.com/jenkinsci/script-security-plugin/pull/584 -->
+                <version>1392.v64f458436d13</version> <!-- https://github.com/jenkinsci/script-security-plugin/pull/584 -->
             </dependency>
         </dependencies>
     </dependencyManagement>

plugin/src/main/java/org/jenkinsci/plugins/workflow/cps/config/CPSConfiguration.java

@@ -38,10 +38,7 @@
 /**
  * @deprecated
  * This class has been deprecated and its only configuration value is ignored. Do not rely on it or use it in any way.
- * In order to force using the system sandbox for pipelines, please use the flag
- * org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.get().isForceSandbox
- * or
- * org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.get().isForceSandboxForCurrentUser
+ * In order to force using the system sandbox for pipelines, please use {@link ScriptApproval#isForceSandbox} or {@link ScriptApproval#isForceSandboxForCurrentUser}
  **/
 @Symbol("cps")
 @Extension
@@ -69,6 +66,15 @@ public CPSConfiguration() {
         }
     }
 
+    public boolean isHideSandbox() {
+        return ScriptApproval.get().isForceSandbox();
+    }
+
+    public void setHideSandbox(boolean hideSandbox) {
+        this.hideSandbox = hideSandbox;
+        ScriptApproval.get().setForceSandbox(hideSandbox);
+    }
+
     @NonNull
     @Override
     public GlobalConfigurationCategory getCategory() {

plugin/src/test/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinitionTest.java

@@ -373,6 +373,18 @@ public void cpsScriptSandboxHide() throws Exception {
         }
     }
 
+    @Test
+    public void cpsConfigurationSandboxToScriptApprovalSandbox() throws Exception{
+        //Deprecated CPSConfiguration should update ScriptApproval forceSandbox logic to keep casc compatibility
+        ScriptApproval.get().setForceSandbox(false);
+
+        CPSConfiguration.get().setHideSandbox(true);
+        assertTrue(ScriptApproval.get().isForceSandbox());
+
+        ScriptApproval.get().setForceSandbox(false);
+        assertFalse(CPSConfiguration.get().isHideSandbox());
+    }
+
     @Test
     public void cpsScriptSignatureException() throws Exception {
         ScriptApproval.get().setForceSandbox(false);

plugin/src/test/java/org/jenkinsci/plugins/workflow/cps/JcascTest.java

@@ -0,0 +1,42 @@
+package org.jenkinsci.plugins.workflow.cps;
+
+import io.jenkins.plugins.casc.ConfigurationContext;
+import io.jenkins.plugins.casc.ConfiguratorRegistry;
+import io.jenkins.plugins.casc.misc.ConfiguredWithCode;
+import io.jenkins.plugins.casc.misc.JenkinsConfiguredWithCodeRule;
+import io.jenkins.plugins.casc.model.CNode;
+import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval;
+import org.junit.ClassRule;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static io.jenkins.plugins.casc.misc.Util.getSecurityRoot;
+import static io.jenkins.plugins.casc.misc.Util.toStringFromYamlFile;
+import static io.jenkins.plugins.casc.misc.Util.toYamlString;
+
+public class JcascTest {
+
+    @ClassRule(order = 1)
+    @ConfiguredWithCode("casc_test.yaml")
+    public static JenkinsConfiguredWithCodeRule j = new JenkinsConfiguredWithCodeRule();
+
+    /**
+     * Check that CASC for security.cps.hideSandbox is sending the value to ScriptApproval.get().isForceSandbox()
+     * @throws Exception
+     */
+    @Test
+    public void cascHideSandBox() throws Exception {
+        assertTrue(ScriptApproval.get().isForceSandbox());
+    }
+
+    @Test
+    public void cascExport() throws Exception {
+        ConfiguratorRegistry registry = ConfiguratorRegistry.get();
+        ConfigurationContext context = new ConfigurationContext(registry);
+        CNode yourAttribute = getSecurityRoot(context).get("cps");
+        String exported = toYamlString(yourAttribute);
+        String expected = toStringFromYamlFile(this, "casc_test_expected.yaml");
+        assertEquals(exported, expected);
+    }
+}

plugin/src/test/resources/org/jenkinsci/plugins/workflow/cps/casc_test.yaml

@@ -0,0 +1,3 @@
+security:
+  cps:
+    hideSandbox: true

plugin/src/test/resources/org/jenkinsci/plugins/workflow/cps/casc_test_expected.yaml

@@ -0,0 +1 @@
+hideSandbox: true