Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Git ssh private key binding(GSoC-21) #1111

Open
wants to merge 106 commits into
base: master
Choose a base branch
from

Conversation

arpoch
Copy link
Contributor

@arpoch arpoch commented Jul 23, 2021

JENKINS-28335 - Add Git Credentials binding for SSH Private Key

The gitSshPrivateKey implementation provides git authentication support over SSH protocol
using private key and passphrase credentials of a user. The binding uses two git specific environment
variables depending upon the minimum CLI-git version

  • GIT_SSH_COMMAND - If version is greater than 2.3, then the GIT_SSH_COMMAND environment variable provides ssh command including the necessary options which are: path to the private key and host key checking to authenticate and connect git server without using an executable script.

  • SSH_ASKPASS - If version is less than 2.3, an executable script is attached to the variable which provides ssh command including the necessary options which are: path to the private key and host key checking to authenticate and connect git serve

Please refer to the Project page for more details-
https://www.jenkins.io/projects/gsoc/2021/projects/git-credentials-binding/

Checklist

  • I have read the CONTRIBUTING doc
  • I have referenced the Jira issue related to my changes in one or more commit messages
  • Unit tests pass locally with my changes
  • No Javadoc warnings were introduced with my changes
  • No spotbugs warnings were introduced with my changes
  • Documentation in README has been updated as necessary
  • Online help has been added and reviewed for any new or modified fields
  • I have interactively tested my changes
  • Any dependent changes have been merged and published in upstream modules (like git-client-plugin)

Types of changes

  • New feature (non-breaking change which adds functionality)

arpoch added 30 commits July 19, 2021 11:52
The SSHPrivateKey binding will depend on Credential Binding Plugin
Support Git SSH protocol authentication
# Conflicts:
#	src/main/java/jenkins/plugins/git/GitCredentialBindings.java
Two dependencies are added namely Bouncycastle API Plugin and SSHJ library
This class provides the methods to decrypt a passphrase protected private key in openssh format
Use launcher.isUnix method value to check the current node os environment.
Add some formatting
Removing static keyword to support SSHkeyUtils methods
If workspace is provided launcher should not be null
Only supported for linux distro
Return Git SSH environment variables, perform SSH authentication on behalf of the user
Using newly updated getSSHExecutable method
This method provides path to ssh executable
PEMWriter is deprecated
Changing method getSSHCmd signature, ssh exe path papmeter added
pom.xml Outdated
@@ -266,8 +277,8 @@
<dependencies>
<dependency>
<groupId>io.jenkins.tools.bom</groupId>
<artifactId>bom-2.289.x</artifactId>
<version>987.v4ade2e49fe70</version>
<artifactId>bom-2.263.x</artifactId>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like a bad merge

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the quick review, made the changes.

pom.xml Outdated
<artifactId>bom-2.289.x</artifactId>
<version>987.v4ade2e49fe70</version>
<artifactId>bom-2.263.x</artifactId>
<version>950.v396cb834de1e</version>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and here

@jimlindeman
Copy link

Not to nag the obvious, but It's Summer 2022, are any "Summer of Code 2022" students going to be assigned to complete this? We could really use this functionality in our Jenkins pipelines managing repos using ssh-keys in .gitmodules.

@github-actions github-actions bot added dependencies Dependency related change documentation Improvements or additions to documentation test labels Jun 22, 2022
@MarkEWaite
Copy link
Contributor

MarkEWaite commented Jun 22, 2022

Not to nag the obvious, but It's Summer 2022, are any "Summer of Code 2022" students going to be assigned to complete this? We could really use this functionality in our Jenkins pipelines managing repos using ssh-keys in .gitmodules.

No summer of code plan was received that proposed to complete it. You're welcome to test the implementation in your environment based on the build results from the build job on https://ci.jenkins.io/job/Plugins/job/git-plugin/job/PR-1111/

You can also achieve almost the same result for ssh private keys by using the ssh-agent plugin to wrap the shell, bat, and powershell steps with an ssh agent that provides the private key as a credential

@jimlindeman
Copy link

FYI, the I found the ssh-agent plugin by itself doesn't configure github host public-ssh-key in the known_hosts and will cause the git commands to hang until configured in there. For reference for others, I got it working with:

  withCredentials([sshUserPrivateKey(credentialsId: 'sample_ssh_privatekey', keyFileVariable: 'KEYFILE')]) {
    sh 'mkdir -p ~/.ssh'
    sh 'echo "Host github.ibm.com" >> ~/.ssh/config'
    sh 'echo "    Hostname github.ibm.com" >>  ~/.ssh/config'
    sh 'echo "    User git" >> ~/.ssh/config'
    sh 'echo "    IdentityFile $KEYFILE" >> ~/.ssh/config'
    sh 'touch ~/.ssh/known_hosts'
    sh 'ssh-keygen -R github.ibm.com'
    sh 'ssh-keyscan -H github.ibm.com >> ~/.ssh/known_hosts'
    sh 'git submodule update --init --recursive'
  }

(note this was IBM's internal github, but same concept with whatever the github url is).

}

@RequirePOST
public ListBoxModel doFillGitToolNameItems() {

Check warning

Code scanning / Jenkins Security Scan

Stapler: Missing permission check

Potential missing permission check in DescriptorImpl#doFillGitToolNameItems

public class OpenSSHKeyFormatImpl {

private final String privateKey;

Check warning

Code scanning / Jenkins Security Scan

Jenkins: Plaintext password storage

Variable should be reviewed whether it stored a password and is serialized to disk: privateKey
@MarkEWaite MarkEWaite added tests Automated test addition or improvement and removed test labels Sep 22, 2023
@MarkEWaite MarkEWaite removed dependencies Dependency related change tests Automated test addition or improvement labels Apr 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation enhancement Improvement or new feature
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants