Add support for SSH private key as json.

Author: pjdarton

docs/README.md

@@ -236,6 +236,28 @@ node {
 }
 ```
 
+### SSH User Private Key (JSON format)
+
+An SSH *private key*, with a *username* and optional *passphrase* for the private key.
+
+- Value: Valid JSON describing an object with a `username` field, `privatekey` field and optionally a `passphrase` field.
+- Tags:
+  - `jenkins:credentials:type` = `jsonSshUserPrivateKey`
+
+**Note:** Unlike the non-JSON-format version, the passphrase field is supported. This is because the passphrase is contained within the AWS secret data, not as a (non-secret) tag.
+
+#### Example
+
+AWS CLI:
+
+```bash
+ssh-keygen -t rsa -b 4096 -C '[email protected]' -f id_rsa -N mySecretPassPhrase
+jq -n --arg key "$(cat id_rsa)" '{ username: "joe", privatekey: $key, passphrase: "mySecretPassPhrase" }' >json
+aws secretsmanager create-secret --name 'ssh-key' --secret-string 'file://json' --tags 'Key=jenkins:credentials:type,Value=jsonSshUserPrivateKey' --description 'Acme Corp SSH key'
+```
+
+Declarative and Scripted Pipeline behavior is (exactly) the same as non-JSON-format SSH User Private Key.
+
 ### Certificate
 
 A client certificate *keystore* in PKCS#12 format, encrypted with a zero-length password.

src/main/java/io/jenkins/plugins/credentials/secretsmanager/factory/CredentialsFactory.java

@@ -12,6 +12,7 @@
 import io.jenkins.plugins.credentials.secretsmanager.Messages;
 import io.jenkins.plugins.credentials.secretsmanager.factory.certificate.AwsCertificateCredentials;
 import io.jenkins.plugins.credentials.secretsmanager.factory.file.AwsFileCredentials;
+import io.jenkins.plugins.credentials.secretsmanager.factory.ssh_user_private_key.AwsJsonSshUserPrivateKey;
 import io.jenkins.plugins.credentials.secretsmanager.factory.ssh_user_private_key.AwsSshUserPrivateKey;
 import io.jenkins.plugins.credentials.secretsmanager.factory.string.AwsStringCredentials;
 import io.jenkins.plugins.credentials.secretsmanager.factory.username_password.AwsJsonUsernamePasswordCredentials;
@@ -51,6 +52,8 @@ public static Optional<StandardCredentials> create(String arn, String name, Stri
                 return Optional.of(new AwsJsonUsernamePasswordCredentials(name, description, new SecretSupplier(client, arn)));
             case Type.sshUserPrivateKey:
                 return Optional.of(new AwsSshUserPrivateKey(name, description, new StringSupplier(client, arn), username));
+            case Type.jsonSshUserPrivateKey:
+                return Optional.of(new AwsJsonSshUserPrivateKey(name, description, new SecretSupplier(client, arn)));
             case Type.certificate:
                 return Optional.of(new AwsCertificateCredentials(name, description, new SecretBytesSupplier(client, arn)));
             case Type.file:

src/main/java/io/jenkins/plugins/credentials/secretsmanager/factory/Type.java

@@ -9,9 +9,9 @@ public abstract class Type {
     public static final String usernamePassword = "usernamePassword";
     public static final String jsonUsernamePassword = "jsonUsernamePassword";
     public static final String sshUserPrivateKey = "sshUserPrivateKey";
+    public static final String jsonSshUserPrivateKey = "jsonSshUserPrivateKey";
     public static final String string = "string";
 
     private Type() {
-
     }
 }

src/main/java/io/jenkins/plugins/credentials/secretsmanager/factory/ssh_user_private_key/AwsJsonSshUserPrivateKey.java

@@ -0,0 +1,117 @@
+package io.jenkins.plugins.credentials.secretsmanager.factory.ssh_user_private_key;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.function.Supplier;
+
+import javax.annotation.Nonnull;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+import com.cloudbees.jenkins.plugins.sshcredentials.SSHUserPrivateKey;
+import com.cloudbees.plugins.credentials.CredentialsProvider;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import hudson.util.Secret;
+import io.jenkins.plugins.credentials.secretsmanager.AwsCredentialsProvider;
+import io.jenkins.plugins.credentials.secretsmanager.Messages;
+import io.jenkins.plugins.credentials.secretsmanager.factory.BaseAwsJsonCredentials;
+
+public class AwsJsonSshUserPrivateKey extends BaseAwsJsonCredentials implements SSHUserPrivateKey {
+    /**
+     * Name of the JSON field that we expect to be present and to contain the
+     * credential's username.
+     */
+    @Restricted(NoExternalUse.class)
+    public static final String JSON_FIELDNAME_FOR_USERNAME = "username";
+    /**
+     * Name of the JSON field that we expect to be present and to contain the
+     * credential's private key.
+     */
+    @Restricted(NoExternalUse.class)
+    public static final String JSON_FIELDNAME_FOR_PRIVATE_KEY = "privatekey";
+    /**
+     * Name of the JSON field that we look for and, if present, expect it to contain
+     * the credential's password. If it isn't present then we assume no passphrase.
+     */
+    @Restricted(NoExternalUse.class)
+    public static final String JSON_FIELDNAME_FOR_PASSPHRASE = "passphrase";
+
+    /**
+     * Constructs a new instance.
+     * 
+     * @param id                       The value for {@link #getId()}.
+     * @param description              The value for {@link #getDescription()}.
+     * @param jsonContainingPrivateKey Supplies JSON containing a
+     *                                 {@value #JSON_FIELDNAME_FOR_USERNAME} field,
+     *                                 a {@value #JSON_FIELDNAME_FOR_PRIVATE_KEY}
+     *                                 field and optionally a
+     *                                 {@value #JSON_FIELDNAME_FOR_PASSPHRASE}
+     *                                 field.
+     */
+    public AwsJsonSshUserPrivateKey(String id, String description, Supplier<Secret> jsonContainingPrivateKey) {
+        super(id, description, jsonContainingPrivateKey);
+    }
+
+    /**
+     * Constructs a snapshot of an existing instance.
+     * 
+     * @param toBeSnapshotted The instance that contains the live data to be
+     *                        snapshotted.
+     */
+    @Restricted(NoExternalUse.class)
+    AwsJsonSshUserPrivateKey(AwsJsonSshUserPrivateKey toBeSnapshotted) {
+        super(toBeSnapshotted);
+    }
+
+    @NonNull
+    @Deprecated
+    @Override
+    public String getPrivateKey() {
+        return getMandatoryField(getSecretJson(), JSON_FIELDNAME_FOR_PRIVATE_KEY);
+    }
+
+    @Override
+    public Secret getPassphrase() {
+        return Secret.fromString(getOptionalField(getSecretJson(), JSON_FIELDNAME_FOR_PASSPHRASE));
+    }
+
+    @NonNull
+    @Override
+    public List<String> getPrivateKeys() {
+        return Collections.singletonList(getPrivateKey());
+    }
+
+    @NonNull
+    @Override
+    public String getUsername() {
+        return getMandatoryField(getSecretJson(), JSON_FIELDNAME_FOR_USERNAME);
+    }
+
+    @Override
+    public boolean isUsernameSecret() {
+        return true;
+    }
+
+    @Extension
+    @SuppressWarnings("unused")
+    public static class DescriptorImpl extends BaseStandardCredentialsDescriptor {
+        @Override
+        @Nonnull
+        public String getDisplayName() {
+            return Messages.sshUserPrivateKey();
+        }
+
+        @Override
+        public String getIconClassName() {
+            return "icon-ssh-credentials-ssh-key";
+        }
+
+        @Override
+        public boolean isApplicable(CredentialsProvider provider) {
+            return provider instanceof AwsCredentialsProvider;
+        }
+    }
+}

src/main/java/io/jenkins/plugins/credentials/secretsmanager/factory/ssh_user_private_key/AwsJsonSshUserPrivateKeySnapshotTaker.java

@@ -0,0 +1,19 @@
+package io.jenkins.plugins.credentials.secretsmanager.factory.ssh_user_private_key;
+
+import com.cloudbees.plugins.credentials.CredentialsSnapshotTaker;
+import hudson.Extension;
+import io.jenkins.plugins.credentials.secretsmanager.factory.Snapshot;
+
+@Extension
+@SuppressWarnings("unused")
+public class AwsJsonSshUserPrivateKeySnapshotTaker extends CredentialsSnapshotTaker<AwsJsonSshUserPrivateKey> {
+    @Override
+    public Class<AwsJsonSshUserPrivateKey> type() {
+        return AwsJsonSshUserPrivateKey.class;
+    }
+
+    @Override
+    public AwsJsonSshUserPrivateKey snapshot(AwsJsonSshUserPrivateKey credential) {
+        return new AwsJsonSshUserPrivateKey(credential);
+    }
+}

src/test/java/io/jenkins/plugins/credentials/secretsmanager/factory/ssh_user_private_key/AwsJsonSshUserPrivateKeyTest.java

@@ -0,0 +1,192 @@
+package io.jenkins.plugins.credentials.secretsmanager.factory.ssh_user_private_key;
+
+import static io.jenkins.plugins.credentials.secretsmanager.factory.BaseAwsJsonCredentialsTest.mkJson;
+import static io.jenkins.plugins.credentials.secretsmanager.factory.BaseAwsJsonCredentialsTest.assertThatJsonCredentialsDescriptorIsTheSameAsTheDescriptorForNonJsonCredentials;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.function.Supplier;
+
+import org.junit.Test;
+
+import com.cloudbees.plugins.credentials.CredentialsUnavailableException;
+
+import hudson.util.Secret;
+import io.jenkins.plugins.credentials.secretsmanager.Messages;
+import io.jenkins.plugins.credentials.secretsmanager.factory.BaseAwsJsonCredentialsTest.StubSingleShotSupplier;
+import io.jenkins.plugins.credentials.secretsmanager.factory.BaseAwsJsonCredentialsTest.StubSupplier;
+
+public class AwsJsonSshUserPrivateKeyTest {
+    @Test
+    public void getPassphraseGivenValidJsonThenReturnsSecretPassphrase() {
+        // Given
+        final String id = "testId";
+        final String description = "some test description";
+        final String expected = "mySecretPassphrase";
+        final String json = mkUsernameKeyAndPassphraseJson("myUsername", "myKey", expected);
+        final Secret stubSecret = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(stubSecret);
+        final AwsJsonSshUserPrivateKey instance = new AwsJsonSshUserPrivateKey(id, description, stubSupplier);
+
+        // When
+        final Secret actualSecret = instance.getPassphrase();
+        final String actualPassphrase = actualSecret.getPlainText();
+
+        // Then
+        assertThat(actualPassphrase).isEqualTo(expected);
+    }
+
+    @Test
+    public void getPassphraseGivenValidJsonWithNoPassphraseThenReturnsEmpty() {
+        // Given
+        final String id = "testId";
+        final String description = "some test description";
+        final String expected = "";
+        final String json = mkUsernameKeyAndNoPassphraseJson("myUsername", "myKey");
+        final Secret stubSecret = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(stubSecret);
+        final AwsJsonSshUserPrivateKey instance = new AwsJsonSshUserPrivateKey(id, description, stubSupplier);
+
+        // When
+        final Secret actualSecret = instance.getPassphrase();
+        final String actualPassphrase = actualSecret.getPlainText();
+
+        // Then
+        assertThat(actualPassphrase).isEqualTo(expected);
+    }
+
+    @Test
+    public void getPrivateKeysGivenValidJsonThenReturnsSingleKey() {
+        // Given
+        final String id = "testId";
+        final String description = "some test description";
+        final List<String> expected = Collections.singletonList("theKeyThatISet");
+        final String json = mkUsernameKeyAndPassphraseJson("myUsername", expected.get(0), "mySecretPassphrase");
+        final Secret stubSecret = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(stubSecret);
+        final AwsJsonSshUserPrivateKey instance = new AwsJsonSshUserPrivateKey(id, description, stubSupplier);
+
+        // When
+        final List<String> actual = instance.getPrivateKeys();
+
+        // Then
+        assertThat(actual).isEqualTo(expected);
+    }
+
+    @Test
+    public void getUsernameGivenValidJsonThenReturnsUsername() {
+        // Given
+        final String id = "testId";
+        final String description = "some test description";
+        final String expected = "myUsername";
+        final String json = mkUsernameKeyAndPassphraseJson(expected, "myKey", "mySecretPassphrase");
+        final Secret stubSecret = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(stubSecret);
+        final AwsJsonSshUserPrivateKey instance = new AwsJsonSshUserPrivateKey(id, description, stubSupplier);
+
+        // When
+        final String actual = instance.getUsername();
+
+        // Then
+        assertThat(actual).isEqualTo(expected);
+    }
+
+    @Test
+    public void isUsernameSecretGivenAnythingThenReturnsTrue() {
+        // Given
+        final String id = "testId";
+        final String description = "some test description";
+        final boolean expected = true;
+        final String json = mkUsernameKeyAndPassphraseJson("myUser", "myKey", "mySecretPassphrase");
+        final Secret stubSecret = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(stubSecret);
+        final AwsJsonSshUserPrivateKey instance = new AwsJsonSshUserPrivateKey(id, description, stubSupplier);
+
+        // When
+        final boolean actual = instance.isUsernameSecret();
+
+        // Then
+        assertThat(actual).isEqualTo(expected);
+    }
+
+    @Test
+    public void getUsernameGivenInvalidJsonThenReturnsThrows() {
+        // Given
+        final String id = "testId";
+        final String description = "some test description";
+        final String unexpectedFieldName = "potentiallySecretFieldName";
+        final String unexpectedValue = "potentiallySecretValue";
+        final String json = mkJson(unexpectedFieldName, unexpectedValue, unexpectedFieldName + "2", unexpectedValue);
+        final Secret stubSecret = Secret.fromString(json);
+        final Supplier<Secret> stubSupplier = new StubSupplier<>(stubSecret);
+        final AwsJsonSshUserPrivateKey instance = new AwsJsonSshUserPrivateKey(id, description, stubSupplier);
+
+        // When
+        CredentialsUnavailableException actual = null;
+        try {
+            instance.getUsername();
+        } catch (CredentialsUnavailableException ex) {
+            actual = ex;
+        }
+
+        // Then
+        assertThat(actual).isNotNull();
+        assertThat(actual.getProperty()).isEqualTo("secret");
+        assertThat(actual.getMessage()).contains(id);
+        assertThat(actual.getMessage()).contains(AwsJsonSshUserPrivateKey.JSON_FIELDNAME_FOR_USERNAME);
+        assertThat(actual.getMessage())
+                .contains(Messages.wrongJsonError(id, AwsJsonSshUserPrivateKey.JSON_FIELDNAME_FOR_USERNAME));
+        assertThat(actual.getMessage()).doesNotContain(unexpectedFieldName);
+        assertThat(actual.getMessage()).doesNotContain(unexpectedValue);
+    }
+
+    @Test
+    public void snapshotConstructorGivenInstanceToSnapshotThenReturnsClone() {
+        // Given
+        final String expectedUsername = "myUser";
+        final String expectedPassphrase = "mySecretPassphrase";
+        final String expectedId = "someId";
+        final String expectedDescription = "someDescription";
+        final String expectedKey = "someKeyThatIMade";
+        final String json = mkUsernameKeyAndPassphraseJson(expectedUsername, expectedKey, expectedPassphrase);
+        final Secret secretJson = Secret.fromString(json);
+        final StubSingleShotSupplier<Secret> stubSupplier = new StubSingleShotSupplier<Secret>(secretJson);
+        final AwsJsonSshUserPrivateKey original = new AwsJsonSshUserPrivateKey(expectedId, expectedDescription,
+                stubSupplier);
+
+        // When
+        final AwsJsonSshUserPrivateKey actual = new AwsJsonSshUserPrivateKey(original);
+
+        // Then
+        final String actualId = actual.getId();
+        assertThat(actualId).isEqualTo(expectedId);
+        final String actualDescription = actual.getDescription();
+        assertThat(actualDescription).isEqualTo(expectedDescription);
+        final String actualUsername = actual.getUsername();
+        assertThat(actualUsername).isEqualTo(expectedUsername);
+        final String actualPassphrase = actual.getPassphrase().getPlainText();
+        assertThat(actualPassphrase).isEqualTo(expectedPassphrase);
+        final String actualKey = actual.getPrivateKeys().get(0);
+        assertThat(actualKey).isEqualTo(expectedKey);
+    }
+
+    @Test
+    public void ourDescriptorIsTheSameAsDescriptorForNonJsonCredentials() {
+        // Given
+        final AwsSshUserPrivateKey.DescriptorImpl expected = new AwsSshUserPrivateKey.DescriptorImpl();
+        final AwsJsonSshUserPrivateKey.DescriptorImpl instance = new AwsJsonSshUserPrivateKey.DescriptorImpl();
+        assertThatJsonCredentialsDescriptorIsTheSameAsTheDescriptorForNonJsonCredentials(instance, expected);
+    }
+
+    private static String mkUsernameKeyAndPassphraseJson(String username, String key, String passphrase) {
+        return mkJson(AwsJsonSshUserPrivateKey.JSON_FIELDNAME_FOR_USERNAME, username,
+                AwsJsonSshUserPrivateKey.JSON_FIELDNAME_FOR_PASSPHRASE, passphrase,
+                AwsJsonSshUserPrivateKey.JSON_FIELDNAME_FOR_PRIVATE_KEY, key);
+    }
+
+    private static String mkUsernameKeyAndNoPassphraseJson(String username, String key) {
+        return mkJson(AwsJsonSshUserPrivateKey.JSON_FIELDNAME_FOR_USERNAME, username,
+                AwsJsonSshUserPrivateKey.JSON_FIELDNAME_FOR_PRIVATE_KEY, key);
+    }
+}